IP conversion tricks


Occasionally I need to bypass some dodgy filter to perform Server Side Request Forgery (SSRF), and these tricks can be useful in those cases. The example below shows how you may be able to use this trick to bypass filters for the “magic cloud URL” and get the server's metadata. Try curl http://2852039166/latest on an EC2 instance and see for yourself (2852039166 is 169.254.169.254 written as a single decimal number).

And yes, in case you have not tried, you can even mix them up and shorten the address by dropping zero octets: try ping 192.0x2a.012, which will ping the IP address 192.42.0.10 :)

Note: for a more elaborate tool, XIP can do many more transformations.

Conversion table columns: IPv4 Dec | Dotted Hex | Dotted Octal | Hexadecimal | Decimal | Octal
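As an added example (not code from the original post), here is a small Python canonicaliser that applies the inet_aton parsing rules behind these spellings, so a filter compares the real destination instead of the raw string; the deny-list ranges are my own constructed choice:

```python
import ipaddress
import re

# inet_aton-style component: hex (0x..), octal (leading 0) or decimal
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)

def _parse_part(part: str) -> int:
    if not _PART.match(part):
        raise ValueError(f"bad IPv4 component: {part!r}")
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):   # C-style octal, e.g. 012
        return int(part, 8)
    return int(part, 10)

def inet_aton_canonical(host: str) -> str:
    """Dotted-quad form of any inet_aton-style IPv4 literal (1-4 components;
    the last component fills all remaining bytes), else ValueError."""
    parts = host.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("need 1 to 4 components")
    values = [_parse_part(p) for p in parts]
    if any(v > 0xFF for v in values[:-1]):
        raise ValueError("leading component exceeds 255")
    last_width = 4 - (len(values) - 1)          # bytes covered by the last part
    if values[-1] >= 1 << (8 * last_width):
        raise ValueError("trailing component out of range")
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * last_width)) | values[-1]
    return str(ipaddress.IPv4Address(packed))

# Constructed deny-list: link-local (cloud metadata), loopback and RFC 1918.
# Only IPv4 literals are covered here; hostnames, IPv6 and redirects
# (the other bypasses listed in the post) need separate handling.
_DENY = [ipaddress.ip_network(n) for n in
         ("169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8",
          "172.16.0.0/12", "192.168.0.0/16")]

def is_blocked_literal(host: str) -> bool:
    """True if host is an IPv4 literal, in any spelling, inside a denied range."""
    try:
        addr = ipaddress.IPv4Address(inet_aton_canonical(host))
    except ValueError:
        return False            # not an IPv4 literal at all
    return any(addr in net for net in _DENY)
```

Run the canonicaliser on the host part of every outbound URL before the allow/deny comparison; a filter that only string-matches "169.254.169.254" never sees the decimal, hex or octal forms.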

April 2020 Update: Thought I would quickly update this post since I have been dealing with a few SSRF issues :)

Another thing to consider: protocol smuggling

An interesting endpoint on AWS besides the metadata endpoint is the Lambda runtime API, usually at http://127.0.0.1:9001/2018-06-01/runtime/invocation/next

Other potential bypasses:
- Simple A record
- A record with multiple IP addresses listed
- IPv6
- 3xx redirect
- DNS rebinding
- With the rise of headless Chrome, we can now try redirecting it using meta-refresh or JavaScript

<meta http-equiv="refresh" content="0;url=http://169.254.169.254/latest" />
<script>
  window.location.replace("http://169.254.169.254");
</script>