Today I’m going to talk about a trick that might be useful for BugHunters.
While I was looking for a few things about BugBounty, I found a report where the author talked about an SSRF which he had found in Bing’s Webmaster Central, and reported to Microsoft. In the Bug it describes that it was able to list internal ports and the services of that application.
Seeing this I thought “What if I try a new bypass on this fix?”, I like challenges, so I opened my browser and started testing.
First I tried a list of payloads that resolved to
127.0.0.1, but their filter
did not allow those addresses.
As they were blocking access via the address
127.0.0.1, and also registering
ip addresses, I used the
.nip.io domain to be able to bypass that first
check along with the ip
It was enough to deduce that I had been able to access their local address.
Note that with
127.127.127.127 it does a redirect to
After that I tried to access a nonexistent directory, to check the server responses.
Setting up a domain to resolve the address
127.127.127.127 I was able to
bypass the old fix, list internal ports and directories in the local address of
Bing Webmaster, sometimes many administrative panels are configured to be
accessed only locally, which could be found by scanning directories through this
Follow me :D http://twitter.com/elber333
Bug Bounty Hunter, CTF player, Pentester freelance.