pikachu--SSRF

SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a request that is then initiated by the server. The target of an SSRF attack is usually an internal system that cannot be reached from the external network: because the request originates from the server, it can reach internal systems that are connected to the server but isolated from the outside. SSRF most often arises when a server offers a feature that fetches data from other server applications, such as retrieving the text of a web page from a given URL, loading an image from a given address, or downloading a file, without filtering or restricting the destination address.

Next, we will further study through the SSRF example in the pikachu platform.

1. SSRF (curl)

First, let's look at what the curl function is used for in PHP. curl is a library that lets you communicate with many different kinds of servers via URLs and supports many protocols: HTTPS authentication, HTTP POST, FTP upload, proxies, cookies, simple password authentication and so on.

Let's take a look at the code in this part of pikachu:

From the code above we can see that the client submits the url parameter and its content with the GET method. The next block passes the URL submitted by the user on for the server to fetch. Suppose we submit a url parameter with some content: the server executes the request with curl_exec() and displays the result with echo $RES.

So the curl_exec() function can be used to perform malicious operations. For example, suppose sqli-lab is also deployed on the same machine and is not meant to be reachable from outside. We can construct a URL like this to reach it: localhost/pikachu/vul/ssrf/ssrf_curl.php?url=http://127.0.0.1/sqli/

2. SSRF (file_get_content)

The file_get_contents() function reads local and remote files. Let's look at the code in this part of pikachu: here we can see that a file is read. A local file is given by its direct path; a remote file needs the domain name in front of the path.

Here is a demonstration of local reading. We now create a file 1.txt under the D drive, the content is as follows

Then enter the following in the client browser: localhost/pikachu/vul/ssrf/ssrf_fgc.php?file=file:///D://1.txt Here we can see that the content of the local file is read. If the same is done against server information on the intranet, as long as the web server has permission to read it, it very likely can be read.
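Both pikachu handlers above pass the user-supplied URL straight to curl_exec() or file_get_contents(). As an added example (not pikachu's own code), here is a fetch routine that refuses the two requests used in this walkthrough: it allow-lists the scheme, resolves the host and rejects loopback, private and reserved addresses, and stops curl from following redirects or switching protocols. The names fetch_url_safely() and is_public_host() are hypothetical.

```php
<?php
// Added example, not part of pikachu. Hypothetical helpers:
// is_public_host() and fetch_url_safely().

// Resolve the host and reject any loopback / private / reserved address.
// The check is applied to the resolved IPs, not the hostname, so a DNS
// name pointing at an internal range is rejected as well.
function is_public_host(string $host): bool {
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false; // unresolvable: refuse rather than guess
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return false; // 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1 ...
        }
    }
    return true;
}

function fetch_url_safely(string $url): string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed URL'); // file:///D://1.txt has no host
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed'); // blocks file://, gopher://, dict://
    }
    if (!is_public_host($p['host'])) {
        throw new InvalidArgumentException('host not allowed');   // blocks 127.0.0.1 and intranet hosts
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                        // no redirect into the intranet
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? '' : $res;
}

// Constructed inputs: the two URLs from the walkthrough above are both refused.
foreach (['http://127.0.0.1/sqli/', 'file:///D://1.txt'] as $u) {
    try { fetch_url_safely($u); echo "allowed: $u\n"; }
    catch (InvalidArgumentException $e) { echo "refused: $u (" . $e->getMessage() . ")\n"; }
}
```

The host check resolves DNS separately from curl, so a name that changes its answer between the two lookups could still slip through; pinning the checked address with CURLOPT_RESOLVE, or blocking internal ranges at the network layer, closes that gap.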


Origin www.cnblogs.com/tangjf10/p/12673947.html