SMTP Based SSRF: A Practical Guide with Burp Collaborator

By /

Listen to this Post

In this article, we explore how to exploit SMTP-based SSRF (Server-Side Request Forgery) using Burp Collaborator. The technique involves using Burp Collaborator’s link as an email provider when the web application lacks proper email validation. This can lead to discovering internal services, admin email addresses, and SMTP server interactions.

Steps to Reproduce:

  1. Identify Weak Email Validation: Find a web application that does not validate email addresses properly.
  2. Use Burp Collaborator: Replace the email field with a Burp Collaborator link.
  3. Trigger Password Reset: Initiate a password reset to force the application to interact with the Burp Collaborator link.
  4. Analyze Pingbacks: Monitor DNS and SMTP pingbacks in Burp Collaborator to gather information about internal services and email interactions.

Example Commands:

  • Burp Suite Command: Start Burp Suite and configure Burp Collaborator. 
    java -jar burpsuite_pro.jar
  • DNS Pingback Analysis: Use `dig` to analyze DNS interactions. 
    dig @<DNS_SERVER> <BURP_COLLABORATOR_LINK>
  • SMTP Interaction: Use `telnet` to simulate SMTP interactions. 
    telnet <SMTP_SERVER> 25

Escalation Attempts:

  • Email Spoofing: Attempt to spoof the admin email address. 
    swaks --to <TARGET_EMAIL> --from <SPOOFED_EMAIL> --server <SMTP_SERVER> --body "Test Email"
  • SPF Bypass: Check if SPF (Sender Policy Framework) is enforced. 
    dig TXT <DOMAIN>

What Undercode Say:

In the realm of cybersecurity, understanding and exploiting vulnerabilities like SMTP-based SSRF is crucial. This article demonstrates how weak email validation can lead to significant information disclosure. By leveraging tools like Burp Collaborator, security researchers can uncover internal services and potential attack vectors.

To further enhance your skills, consider practicing with the following commands:
– Linux Network Commands:

nmap -sV <TARGET_IP>
tcpdump -i eth0 port 25

– Windows Network Commands:
[cmd]
nslookup
telnet 25
[/cmd]
– Python Script for SMTP Testing:

import smtplib
server = smtplib.SMTP('<SMTP_SERVER>', 25)
server.sendmail('<FROM_EMAIL>', '<TO_EMAIL>', 'Test Email')
server.quit()

For more advanced techniques, refer to the following resources:
Burp Suite Documentation
OWASP SSRF Guide
SPF Record Checker

By mastering these tools and techniques, you can significantly improve your ability to detect and exploit SSRF vulnerabilities, contributing to a more secure digital environment.

References:

Hackers Feeds, Undercode AIFeatured Image

Related Posts: