hacktricks/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md

# PHP SSRF

<details>

<summary><strong>Aprende a hackear AWS desde cero hasta convertirte en un experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>

**Try Hard Security Group**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

### Funciones PHP de SSRF

Algunas funciones como **file\_get\_contents(), fopen(), file(), md5\_file()** aceptan URLs como entrada que seguirán haciendo que existan **vulnerabilidades SSRF posibles** si el usuario puede controlar los datos:
```php
file_get_contents("http://127.0.0.1:8081");
fopen("http://127.0.0.1:8081", "r");
file("http://127.0.0.1:8081");
md5_file("http://127.0.0.1:8081");
```
### CRLF

Además, en algunos casos, incluso podría ser posible enviar encabezados arbitrarios a través de "vulnerabilidades" CRLF en las funciones anteriores:
```php
# The following will create a header called from with value Hi and
# an extra header "Injected: I HAVE IT"
ini_set("from", "Hi\r\nInjected: I HAVE IT");
file_get_contents("http://127.0.0.1:8081");

GET / HTTP/1.1
From: Hi
Injected: I HAVE IT
Host: 127.0.0.1:8081
Connection: close

# Any of the previously mentioned functions will send those headers
```
{% hint style="warning" %}
Para obtener más información sobre esa vulnerabilidad de CRLF, consulta este error [https://bugs.php.net/bug.php?id=81680\&edit=1](https://bugs.php.net/bug.php?id=81680\&edit=1)
{% endhint %}

Ten en cuenta que estas funciones podrían tener otros métodos para establecer encabezados arbitrarios en las solicitudes, como:
```php
$url = "";

$options = array(
'http'=>array(
'method'=>"GET",
'header'=>"Accept-language: en\r\n" .
"Cookie: foo=bar\r\n" .  // check function.stream-context-create on php.net
"User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad
)
);

$context = stream_context_create($options);
$file = file_get_contents($url, false, $context);
```
**Grupo de Seguridad Try Hard**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}


<details>

<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
f 2023-06-05 18:33:24 +00:00			`# PHP SSRF`

			`<details>`

Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00			`<summary><strong>Aprende a hackear AWS desde cero hasta convertirte en un experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
f 2023-06-05 18:33:24 +00:00
Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00			`Otras formas de apoyar a HackTricks:`

Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`* Si quieres ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Obtén el [oficial PEASS & HackTricks swag](https://peass.creator-spring.com)`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:18 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`* Comparte tus trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
f 2023-06-05 18:33:24 +00:00
			`</details>`

Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`Try Hard Security Group`

			`<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://discord.gg/tryhardsecurity" %}`

			`***`

			`### Funciones PHP de SSRF`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`Algunas funciones como file\_get\_contents(), fopen(), file(), md5\_file() aceptan URLs como entrada que seguirán haciendo que existan vulnerabilidades SSRF posibles si el usuario puede controlar los datos:`
f 2023-06-05 18:33:24 +00:00			```php
			`file_get_contents("http://127.0.0.1:8081");`
			`fopen("http://127.0.0.1:8081", "r");`
			`file("http://127.0.0.1:8081");`
			`md5_file("http://127.0.0.1:8081");`
			```
			`### CRLF`

Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00			`Además, en algunos casos, incluso podría ser posible enviar encabezados arbitrarios a través de "vulnerabilidades" CRLF en las funciones anteriores:`
f 2023-06-05 18:33:24 +00:00			```php
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:16:15 +00:00			`# The following will create a header called from with value Hi and`
f 2023-06-05 18:33:24 +00:00			`# an extra header "Injected: I HAVE IT"`
			`ini_set("from", "Hi\r\nInjected: I HAVE IT");`
			`file_get_contents("http://127.0.0.1:8081");`

			`GET / HTTP/1.1`
			`From: Hi`
			`Injected: I HAVE IT`
			`Host: 127.0.0.1:8081`
			`Connection: close`

			`# Any of the previously mentioned functions will send those headers`
			```
			`{% hint style="warning" %}`
Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00			`Para obtener más información sobre esa vulnerabilidad de CRLF, consulta este error [https://bugs.php.net/bug.php?id=81680\&edit=1](https://bugs.php.net/bug.php?id=81680\&edit=1)`
f 2023-06-05 18:33:24 +00:00			`{% endhint %}`

Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00			`Ten en cuenta que estas funciones podrían tener otros métodos para establecer encabezados arbitrarios en las solicitudes, como:`
f 2023-06-05 18:33:24 +00:00			```php
			`$url = "";`

			`$options = array(`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:16:15 +00:00			`'http'=>array(`
			`'method'=>"GET",`
			`'header'=>"Accept-language: en\r\n" .`
			`"Cookie: foo=bar\r\n" . // check function.stream-context-create on php.net`
			`"User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad`
			`)`
f 2023-06-05 18:33:24 +00:00			`);`

			`$context = stream_context_create($options);`
			`$file = file_get_contents($url, false, $context);`
			```
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`Grupo de Seguridad Try Hard`

			`<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://discord.gg/tryhardsecurity" %}`


f 2023-06-05 18:33:24 +00:00			`<details>`

Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00
			`Otras formas de apoyar a HackTricks:`
f 2023-06-05 18:33:24 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`* Si deseas ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Translated ['a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer 2024-02-08 22:25:00 +00:00			`* Obtén el [oficial PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:18 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:33:18 +00:00			`* Comparte tus trucos de hacking enviando PRs a los repositorios de [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
f 2023-06-05 18:33:24 +00:00
			`</details>`