SSRF Server-side Request Forgery Vulnerability-Principles and Finding Methods

Principles and search methods

Introduction

SSRF (Server-Side Request Forgery) is a security vulnerability in which an attacker constructs a request that is then initiated by the server itself. In general, the target of SSRF is the internal system of the target website. (Because the request is issued by the server, any internal system that the server can reach but the external network cannot can be attacked through it; that is, the target website is used as a middleman.)

SSRF formation reasons

SSRF mostly arises because the server offers a function that fetches data from other server applications and does not filter or restrict the target address. For example: fetching the text content of a web page from a specified URL, or loading an image or document from a specified address.

First of all, we need to understand the architecture of the target website. For example: website A is an external website that everyone can access, and website B is an internal website. Ordinary users can only visit website A, not website B. But we can use website A as a middleman to visit website B, which is enough to attack website B.

Therefore, an attack generally picks a vulnerable external server that we can reach and uses it as a springboard.

The process for a normal user to access a website is:
enter the URL of website A -> send the request -> server A accepts the request (no filtering) and processes it -> the response is returned to the user

Suppose the request is www.baidu.com/xxx.php?image=URL

So where does the SSRF vulnerability come from? A secure website should check the legitimacy of a request after receiving it. Here, the server side does not strictly filter or restrict the parameter of the request that fetches the image (image=), so site A can be made to fetch data from other servers.

For example: www.oldboyedu.com/xxx.php?image=www.luffycity.com/1.jpg
What happens if we change www.luffycity.com/1.jpg to the address of an intranet server that is connected to the server?
If the intranet address exists, a status code such as 1xx or 2xx is returned; if it does not exist, a different status code is returned.

summary

In an SSRF vulnerability, the request that fetches a resource is tampered with and sent to the server; the server does not check whether the request is legitimate and then accesses the resources of other servers under its own identity.
There are five main kinds of attack that an attacker can carry out with SSRF:
1. Scan ports on the external network, on the intranet where the server is located, and on the local host, and obtain banner information for some services;
2. Attack applications running on the intranet or on the local host (for example, overflows);
3. Fingerprint intranet web applications by accessing their default files;
4. Attack intranet and extranet web applications, mainly attacks that can be carried out through GET parameters (such as Struts2, SQLi, etc.);
5. Use the file protocol to read local files, etc.

The location of the SSRF vulnerability

Any parameter that fetches an external resource may have an SSRF vulnerability, for example:

1) Sharing: sharing web page content via a URL address
2) Transcoding services
3) Online translation
4) Image loading and downloading: loading or downloading an image via a URL address
5) Picture and article collection functions
6) Undocumented API implementations and other functions that call a URL
7) Look for URL-like keywords in parameter names:
share, wap, url, link, src, source, target, u, 3g, display, sourceURl, imageURL, domain

Ways of identifying

Capture and analyse the traffic with Burp Suite
Right-click an image and open it directly

Bypass

Alternative ways of writing the IP address

Some developers filter out intranet IPs by running a regular-expression match on the incoming URL parameter, for example with the following expressions:
    ^10(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){3}$
    ^172\.([1][6-9]|[2]\d|3[01])(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$
    ^192\.168(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$

For this kind of filter, we can bypass it by rewriting the IP address; for example, the address 192.168.0.1 can be rewritten as:
(1) octal format: 0300.0250.0.1
(2) hexadecimal format: 0xC0.0xA8.0.1
(3) decimal integer format: 3232235521
(4) hexadecimal integer format: 0xC0A80001

Exploiting URL parsing problems

In some cases the back-end program parses the URL that is going to be accessed and filters on the host address it extracts. If the URL parameter is not parsed correctly, the filter may be bypassed.
http://www.baidu.com@192.168.0.1/
(form: arbitrary address + attack address)
When the back-end program uses an incorrect regular expression (for example, one that treats the text between "http://" and ".com", namely www.baidu.com, as the host of the request), parsing the URL above suggests that the host being accessed is www.baidu.com, but the content actually requested by this URL is on 192.168.0.1.
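Both tricks above defeat a filter that only pattern-matches the dotted-decimal text of the parameter. The following Python check is an added example, not code from the original article: it canonicalises the host that urlsplit() extracts (so the user@host form and the octal, hex and integer spellings are judged on the address that will really be contacted) and contrasts it with the article's own 192.168 regex. The function names are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The article's own 192.168.x.x regex: it only matches the dotted-decimal spelling.
NAIVE_192_168 = re.compile(r"^192\.168(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$")

def naive_filter_blocks(host: str) -> bool:
    """Regex-only check as in the article: True means the host is rejected."""
    return NAIVE_192_168.match(host) is not None

def _component(s: str) -> int:
    """Parse one dotted component like inet_aton: 0x.. is hex, a leading 0 is octal."""
    if s.startswith("0x"):
        return int(s[2:], 16)
    return int(s, 8) if len(s) > 1 and s.startswith("0") else int(s, 10)

def canonical_ipv4(host: str):
    """Map any inet_aton-style spelling (octal, hex, 1-4 parts, bare integer) to an IPv4Address, else None."""
    host = host.lower()
    if not re.fullmatch(r"[0-9a-fx]+(\.[0-9a-fx]+){0,3}", host):
        return None
    try:
        parts = [_component(p) for p in host.split(".")]
    except ValueError:
        return None
    value = 0
    for p in parts[:-1]:          # leading components are single bytes
        if not 0 <= p <= 255:
            return None
        value = (value << 8) | p
    width = 8 * (5 - len(parts))  # the last component fills the remaining bytes
    if not 0 <= parts[-1] < (1 << width):
        return None
    return ipaddress.IPv4Address((value << width) | parts[-1])

def is_internal_target(url: str) -> bool:
    """Judge the host urlsplit() extracts, i.e. the address that will really be contacted."""
    host = urlsplit(url).hostname      # "www.baidu.com@192.168.0.1" -> "192.168.0.1"
    if host is None:
        return True
    addr = canonical_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)   # IPv6 literal such as ::1
        except ValueError:
            return False   # a DNS name: resolve it and re-check the result (not shown here)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved
```

A DNS name still has to be resolved and the resolved address re-checked (and the fetch pinned to that address), otherwise a name that resolves to an intranet IP slips through.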

SSRF commonly used back-end implementation

SSRF can exist in applications written in any language; during code audits, pay attention to the following functions (PHP examples):

file_get_contents

Fetches the image from the URL specified by the user, saves it on disk under a random file name and shows it to the user.

fsockopen()

Obtains data (a file or HTML) from a user-supplied URL. This function uses a socket to establish a TCP connection to the server and transfers the raw data.

curl_exec()

Executes a cURL session to obtain data from the URL.

Origin blog.csdn.net/weixin_43079958/article/details/105420123