webPromedium

Lab 89 — PingRadar — SSRF via DNS Rebinding (TOCTOU)

hackadvisor

Task: PingRadar monitoring platform validates monitor URLs by resolving hostnames and checking against IP blocklist at creation time, but re-resolves DNS at check time (TOCTOU). Built-in DNS server supports round-robin A records with TTL=0. Solution: create a DNS zone with round-robin A record alternating between public IP (8.8.8.8) and 127.0.0.1, create monitor targeting http://ssrf.rebind.zone:3001/internal/flag — validation passes when DNS returns public IP, check execution hits localhost when DNS returns 127.0.0.1.

ssrf toctou nodejs dns_rebinding express internal_service url_validation blocklist_bypass axios dns_round_robin dns2

url_validation_bypassinternal_service_enumerationdns_rebinding_toctouround_robin_dns_ssrftime_of_check_time_of_use

$ ls tags/ techniques/

ssrf toctou nodejs dns_rebinding express internal_service url_validation blocklist_bypass axios dns_round_robin dns2

url_validation_bypassinternal_service_enumerationdns_rebinding_toctouround_robin_dns_ssrftime_of_check_time_of_use

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups