
I have inherited a system I am trying to reverse engineer to make modifications.

There is a program that generates a URL to listen to recordings. It looks like this:

http://recordings.myserver.com/archive/http://127.0.0.1/completed/MP3/2019-12-23/recording_file_name.mp3

The URL works and I can listen to the recordings, I just don't understand HOW it works. It looks like a URL within a URL. As far as I can tell, "archive" is not a link or alias on recordings.myserver.com. There certainly is no "http://127.0.0.1" directory on the server.

This link also works:

http://recordings.myserver.com/completed/MP3/2019-12-23/recording_file_name.mp3

It also makes more sense, it is just not what the existing program writes into the table.

There is in .htaccess:

RewriteEngine On
RewriteCond %{HTTPS}  !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

But note the URL is HTTP and stays that way after any rewrite. The page that contains the link clicked on to listen to the recording just has

How can a link like the first one work when there is no archive link or folder? Does the http://127.0.0.1 within the first URL make it work?

jerryrig

1 Answer

There are different ways to achieve this. One is with HTTP Rewrite as you've surmised - it would rewrite /archive/* to, say, /archive/redirect.php which then reads the rest of the URL and makes a reverse proxy request.

Another way to do it would be to manipulate the application's 404 handling. In the event of a 404 being raised, the web server intercepts it before sending it to the client, and then does the reverse proxy request, forwarding the result to the client.

Either way it looks like it's an excellent exploit for accessing resources that are internal to the company network from outside it. I'd bet that if you replaced that http://127.0.0.1/ URL with literally anything else it would return the contents of that url.

Mark Henderson
  • Nope. If I replace "h t t p://127.0.0.1" with anything else I get a 404. The URL in the address bar is unchanged in that first URL and the recording is played. I don't know where special 404 handling would be buried. That url is saved in a database which provides a is pulled by and HTML for that just displays the link as it is in the database. The URL with the embedded "h t t p://127.0.0.1" works. I just want to understand HOW it works for my own edification. (I will be changing the code that writes to the database so it writes the second form of the URL, which also works.) – jerryrig Jan 13 '20 at 01:46
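The answer describes a rewrite (or 404 hook) that hands the part of the path after /archive/ to a script, which then reverse-proxies that embedded URL; the comment notes that anything other than http://127.0.0.1 yields a 404, which is what an allowlisted handler would do. The following is an added example written for this page, not the asker's system or the answerer's code, showing both a naive open-proxy version (the SSRF the answer warns about) and a restricted version that only accepts http://127.0.0.1/completed/... targets. The host and path allowlists, the hypothetical RewriteRule in the docstring, the in-memory "upstream" and all sample paths are assumptions constructed to match the URL in the question.

```python
"""Handling a "URL within a URL" such as
/archive/http://127.0.0.1/completed/MP3/2019-12-23/recording_file_name.mp3

Added example; not code from the question's system or the answer.
Allowlists below are assumptions chosen to match the question's URL.
"""
from urllib.parse import urlsplit, unquote
import posixpath

ARCHIVE_PREFIX = "/archive/"
# Assumption: recordings are only ever fetched from the loopback origin,
# under /completed/, as in the question's URL.
ALLOWED_HOSTS = {"127.0.0.1"}
ALLOWED_PATH_PREFIX = "/completed/"


def extract_embedded_url(request_path):
    """Return whatever follows /archive/ in the request path, or None.

    Apache could deliver this to a script with a rule such as
      RewriteRule ^archive/(.*)$ /archive/redirect.php?u=$1 [L,QSA]
    (hypothetical rule; the question's .htaccess only shows the HTTPS redirect).
    """
    if not request_path.startswith(ARCHIVE_PREFIX):
        return None
    embedded = request_path[len(ARCHIVE_PREFIX):]
    return embedded or None


def resolve_open_proxy(request_path):
    """Naive handler: proxies any URL that follows /archive/.

    This is the SSRF / open-proxy behaviour the answer warns about: an
    outside client can make the server fetch arbitrary internal URLs.
    """
    return extract_embedded_url(request_path)


def resolve_restricted(request_path):
    """Hardened handler: only http://127.0.0.1/completed/... may be fetched."""
    target = extract_embedded_url(request_path)
    if target is None:
        return None
    parts = urlsplit(target)
    # urlsplit puts the "127.0.0.1" of "http://127.0.0.1@evil/" into username,
    # so rejecting credentials closes that bypass.
    if parts.scheme != "http" or parts.username or parts.password:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.hostname not in ALLOWED_HOSTS or port not in (None, 80):
        return None
    # Decode, then collapse ".." so /completed/../etc/passwd cannot escape.
    path = posixpath.normpath(unquote(parts.path))
    if not path.startswith(ALLOWED_PATH_PREFIX):
        return None
    return "http://%s%s" % (parts.hostname, path)


def serve(request_path, fetch, resolver=resolve_restricted):
    """Reverse-proxy step, returning (status, body).

    `fetch(url)` performs the upstream GET; injecting it keeps the example
    offline and testable. A resolver returning None becomes a 404, which is
    what the question's comment reports for non-loopback targets.
    """
    target = resolver(request_path)
    if target is None:
        return 404, b""
    return fetch(target)


if __name__ == "__main__":
    # Constructed in-memory "upstream" standing in for the loopback web server.
    upstream = {
        "http://127.0.0.1/completed/MP3/2019-12-23/recording_file_name.mp3": b"ID3...",
    }

    def fake_fetch(url):
        return (200, upstream[url]) if url in upstream else (502, b"")

    good = "/archive/http://127.0.0.1/completed/MP3/2019-12-23/recording_file_name.mp3"
    evil = "/archive/http://intranet.example/admin"
    print(serve(good, fake_fetch))        # (200, b'ID3...')
    print(serve(evil, fake_fetch))        # (404, b'')
    print(resolve_open_proxy(evil))       # 'http://intranet.example/admin'
```

The practical check for the asker's system is the one the comment already did: substitute a different host after /archive/ and see whether the server fetches it. A 404 for everything except 127.0.0.1 is consistent with an allowlist like resolve_restricted; a proxied response would confirm the open-proxy behaviour of resolve_open_proxy.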