0x00 Preamble
During internal scanning, some PoCs have no echo-based recognition, so the vulnerability scanner inserts a callback address somewhere in the HTTP message and sends it to probe for the vulnerability. After a while I found a lot of unintelligible DNS and HTTP logs piling up on the callback server's back end. This situation is hard to troubleshoot and usually leads nowhere. Analysed more deeply, though, this situation is itself a vulnerability risk; I would call it a pingback vulnerability. Below is a summary of the related BH2017 talk.
0x01 Attack Target
The attack mainly targets the front-end load balancer and the analysis devices and services that sit behind it, such as DNS monitoring devices, web security identification devices, user behaviour analysis devices and so on.
A pingback attack sends a self-constructed payload that carries our own echo URL. Once a back-end device actively accesses that echo address, we know there is such a device behind the target and can drill down further. The easiest case to think of is an SSRF vulnerability, but there are other possibilities as well.
The general principle is as follows:
0x02 Trigger Method
The trigger means inserting the echo address into a location that may be pinged back, such as Host, X-Forwarded-For, X-Client-IP and other HTTP extension headers. Roughly the following approaches exist:
(1) Use an invalid Host field
GET / HTTP/1.1
Host: payload-site.net
Connection: close
The packet is sent to the normal address and port, but the Host field of the HTTP request is replaced with our payload.
If the Nginx configuration treats a server_name mismatch as an error, the wrong Host raises an error here; the guess is that some error-log analysis system on the back end will then automatically probe the payload address, which reveals the vulnerability.
(2) Fuzz the Host header
GET http://internalwebsite.mil/ HTTP/1.1
Host: xxxxxxx.mil
Connection: close
When the packet is sent, the Host field holds a normal value, but the path after GET is a complete URL. This overrides the Host header, causes an exception on the back-end device, and makes it request the wrong address.
Or use @ to confuse it further:
GET / HTTP/1.1
Host: incapsulaclient.net:80@burpcollaborator.net
Connection: close
Here the @ symbol is used to jump to another host, a very familiar trick.
(3) Fuzz the path section
When the packet is sent, apply the @ symbol to the path section, like this:
GET @burpcollaborator.net/ HTTP/1.1
Host: newrelic.com
Connection: close
Or put our payload address directly in the path:
GET xyz.burpcollaborator.net:80/bar HTTP/1.1
Host: demo.globaleaks.org
Connection: close
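As an added example, not code from the original post or from the Black Hat talk: a small Python classifier that takes a raw request head and flags the Host and request-target tricks shown in (1) to (3), plus a hostname or URL in the client-IP headers named at the top of this section (X-Forwarded-For, X-Client-IP), which is what a default vhost or log pipeline on the defending side needs in order to see these probes instead of silently pinging back. The sample request and the app.example.com / callback.example.net hostnames are constructed placeholders.

```python
import ipaddress

# Headers that should carry only client IPs; a hostname or URL in one is a probe signature.
IP_ONLY_HEADERS = ("x-forwarded-for", "x-client-ip", "true-client-ip", "x-real-ip")

# Constructed request head combining two of the tricks above: a full URL in the request
# line plus a hostname in X-Forwarded-For. Both hostnames are placeholders.
SAMPLE_PROBE = ("GET http://callback.example.net/ HTTP/1.1\r\n"
                "Host: app.example.com\r\n"
                "X-Forwarded-For: callback.example.net\r\n"
                "Connection: close\r\n")

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, request-target, {header: value})."""
    lines = raw.strip("\r\n").split("\n")
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify_request(raw, allowed_hosts):
    """Return the anomalies that mark this request head as a possible pingback probe."""
    _method, target, headers = parse_request(raw)
    findings = []
    # Tricks (2) and (3): request-target is not origin-form ("/path"), so it carries a host
    # of its own (absolute URL, leading '@', bare host:port) a reverse proxy may honour.
    if target != "*" and not target.startswith("/"):
        findings.append("request-target-not-origin-form")
    host = headers.get("host", "")
    # Trick (2), '@' variant: userinfo in Host makes parsers disagree about the real host.
    if "@" in host:
        findings.append("userinfo-in-host")
    # Trick (1): a Host this server does not serve; the default vhost should reject it.
    bare = host.rsplit("@", 1)[-1].lower()
    bare = bare[1:].split("]")[0] if bare.startswith("[") else bare.split(":")[0]
    if bare not in allowed_hosts:
        findings.append("unexpected-host")
    # Header fuzzing: anything that is not an IP (or comma-separated IP chain) in an IP-only
    # header. An absent header parses as a harmless placeholder address and is not flagged.
    for name in IP_ONLY_HEADERS:
        try:
            for part in headers.get(name, "0.0.0.0").split(","):
                ipaddress.ip_address(part.strip())
        except ValueError:
            findings.append("non-ip-value-in-" + name)
    return findings
```

Calling classify_request(SAMPLE_PROBE, frozenset({"app.example.com"})) returns ['request-target-not-origin-form', 'non-ip-value-in-x-forwarded-for']; a request with an IPv6 literal Host such as [2001:db8::7]:8080 is matched against the bracketed address without the port.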
(4) Fuzz other HTTP headers
Some of these headers are defined in the native protocol, but more of them are X- extension headers. It feels like the author of this talk was digging into Facebook's or Yahoo's vulnerabilities, because I have seen these extension headers there before:
For example: X-Forwarded-For, True-Client-IP, Referer, X-Wap-Profile. I also found some through Shodan. The characteristic of these headers is that the value part is a URL filled in directly: if the back-end device only logs it, fine, but a header that requires the client to pass a URL leaves unlimited room for imagination by itself. The same goes for Via, Forwarded, Contact, From and so on.
0x03 Exploit
This pingback vulnerability is essentially not much different from a blind (non-echo) SSRF, so exploiting it is harder. When digging for SSRF directly, you can at least use delay or error information to determine whether a port is open and so widen the attack surface, but pingback in many cases cannot do this. So the talk's author suggests "attacking clients remotely". What does that mean? Some back-end pingback programs are likely to use rendering engines such as PhantomJS, and we can construct a malicious page to trigger RCE vulnerabilities in them.
If there is an echo, it is easier to judge the behaviour of the back-end reverse proxy or program and adjust the attack approach accordingly.
Reference
Black Hat USA 2017, "Cracking the Lens: Targeting HTTP's Hidden Attack-Surface":
https://www.blackhat.com/us-17/briefings/schedule/#cracking-the-lens-targeting-https-hidden-attack-surface-6387