Article Directory
0x01 basic knowledge
1. Introduction to SSRF vulnerabilities:
The full name of SSRF: Server-Side Request Forgery, that is, server-side request forgery, is a security vulnerability that is executed on the target server by an attacker constructing a request. An attacker can use this vulnerability to make the server send a request to any domain constructed by the attacker. The target is usually an internal system that cannot be accessed from the external network. Simply put, it is to use server vulnerabilities to send a structured request to the server's intranet to attack as the server.
2. Main attack methods:
When an attacker wants to access the service on server B, but the attacker cannot directly access it due to a firewall or because server B belongs to an intranet host. If there is an SSRF vulnerability in server A, the attacker can use server A to initiate an SSRF attack and initiate a request to host B through server A to achieve the purpose of attacking the intranet.
Example:
Vulnerability scenario: A website has an online loading function that can load specified remote articles locally, the link is as follows:
http://www.xxx.com/article.php?url=https://blog.csdn.net/qq_43531669/article/details/112498646
If the system does not perform any checks on the url parameters, other requests can be constructed, for example:
http://www.xxx.com/article.php?url=http://127.0.0.1:22
http://www.xxx.com/article.php?url=file:///etc/passwd
http://www.xxx.com/article.php?url=dict://127.0.0.1:22/data:data2 (dict可以向服务端口请求data data2)
http://www.xxx.com/article.php?url=gopher://127.0.0.1:2233/_test (向2233端口发送数据test,同样可以发送POST请求)
...
3. The principle of loophole formation:
Many websites provide the function of obtaining data from other servers. Through the specified URL, the website can obtain pictures from other places, download files, read file contents, etc. The essence of SSRF is to use flawed Web sites as agents to attack remote and local servers.
The reason for the formation of SSRF vulnerabilities is mostly because the server provides the function of obtaining data from other servers but does not filter and restrict the target address. The attacker can use the vulnerability to obtain some information of the internal system (because it is initiated by the server, it can request the internal network system connected to it but isolated from the external network).
4. The harm of loopholes:
-
Perform port scanning on the external network, the internal network where the server is located, and the local
-
Send payload to any port of any internal host to attack intranet services
-
DOS attack (request large files, always keep the connection Keep-Alive Always)
-
Attack web applications on the intranet, such as direct SQL injection, XSS attacks, etc.
-
Use file, gopher, and dict protocols to read local files, execute commands, etc.
-
Can ignore the website CDN
Intranet service defense is generally weaker than external network services, and even some intranet services do not have access to the intranet set to verify the access permissions for the convenience of operation and maintenance. Therefore, when SSRF exists, it usually causes greater harm.
0x02 vulnerability detection
1. Vulnerability verification:
Because the SSRF vulnerability is a security vulnerability that constructs the server to send a request, we can determine whether there is an SSRF vulnerability by analyzing whether the request sent is sent by the server.
Find the address of the accessed resource in the source code of the page. If the type of the resource address is, http://www.xxx.com/a.php?image=地址there may be an SSRF vulnerability.
2. The possible points of vulnerability:
(1) Sharing function: share articles, etc. through URL addresses, such as the following addresses:
http://share.xxx.com/index.php?url=http://www.xxx.com
By obtaining the url parameter, you can jump to the specified shared article when you click on the link. If there is no filtering and restriction on the range of the target address in this function, there is an SSRF vulnerability.
(2) Picture loading/downloading: load or download pictures through URL address:
http://image.xxx.com/image.php?image=http://www.xxx.com
Picture loading exists in many editors. The editor uploads the picture and loads the set picture address on the remote server. If there is no restriction on the loaded parameters, it may cause SSRF.
(3) Picture/article collection function:
http://title.xxx.com/title?title=http://title.xxx.com/xxx
For example, the title parameter is the title address of the article, which represents the address link of an article. If the collection function uses this form to save the article, there may be SSRF in the form of no restriction parameter.
(4) Transcoding service: tune the content of the original webpage through the URL address to make it suitable for mobile phone screen browsing.
(5) Online translation: translate the content of the corresponding webpage to the website.
(6) Mail system: For example, the address of the receiving mail server.
(7) Search using keywords in the parameters:
Keywords:
share、wap、url、link、src、source、target、u、3g、display、sourceURl、imageURL、domain...
In general, websites that need to request resources from remote servers may have SSRF vulnerabilities.
0x03 Bypass method:
Some vulnerabilities or SSRF may be generated in the whitelist or blacklist processing to prevent attacks and access to intranet services and resources. Therefore, to achieve SSRF attacks, you need to bypass the requested parameter address. The common bypass methods are as follows:
1. Bypass the restriction to a certain domain name:
(1) using the @ When the site to limit access only http://www.xxx.comwhen the type of the domain name, you can use http basic way to bypass authentication, such as: http: //[email protected]
In the @Resolve domain name, there are processing differences in different processing functions, for example:
http://[email protected]@www.ccc.com
PHP's parse_url will recognize www.ccc.com, and libcurl will recognize it as www.bbb.com.
2. To bypass the restriction request IP is not an intranet address:
(1) Use short URLs to bypass
(2) Using a special domain name, xip.io can point to any domain name (the principle is DNS resolution), that is, 127.0.0.1.xip.io, which can be resolved to 127.0.0.1
(3) the use of binary conversion, 127.0.0.1 octal: 0177.0.0.1; Hex: 0x7f.0.0.1; Decimal:2130706433
(4) Utilization [::], http://[::]:80/will be parsed ashttp://127.0.0.1
(5) Add the port number, http://127.0.0.1:8080
(6) Using the period, it 127。0。0。1will be parsed as 127.0.0.1
(7) Use 302 jump
3. Restriction request is only for http protocol:
(1) Use 302 jump
(2) Use short address
0x04 exploit
1. Vulnerable function:
According to the different functions used in the background, the corresponding impacts and utilization methods are different. Improper use of the following functions in PHP will lead to SSRF:
file_get_contents()
fsockopen()
curl_exec()
file_get_contents()
The function of this function is to read the entire file into a string, and this function is the preferred method for reading the contents of the file into a string.
For example: the following code execution result is to output the string in the test.txt file.
<?php
echo file_get_contents(“test.txt”);
?>
fsockopen()
Use the fsockopen function to obtain the data (file or html) of the url specified by the user.
curl_exec()
This function can execute a given curl session.
Among the protocols supported by curl are:
2. Vulnerability shooting range:
Here we use the ssrf module of the pikachu shooting range for demonstration.
2.1、SSRF(curl):
First look curl_exec()at the ssrf shooting range that uses the function. Clicking on the page link will return a poem. Observe that it passes a url request to the background to
view the back-end code. You can see that it uses get to obtain the front-end url request, and the curl_exec function executes Request, and finally return the request result to the front end.
curl_init //初始cURL会话
curl_exec //执行cURL会话
Modify the uploaded url to http://www.badiu.com, you can see that the page shows Baidu data.
We can change the content in the url to the addresses and ports of other servers in the intranet to detect intranet information. For example, the port opening situation, for example, the following figure detects that the internal network host 192.168.50.130 has opened port 22: it
can be used with scripts or Burp to perform more efficient port detection, for example:
Open Burp, grab the package and send it to Intruder, set the Payload
It can be seen that it is detected that the port 80 of the internal network host is open.
We can also read the files of the internal network server through the SSRF vulnerability, for example, modify the url to
http://127.0.0.1/pikachu/vul/ssrf/ssrf_curl.php?url=file:///c:/windows/system.ini
2.2、SSRF(file_get_content):
Also click on the page tab, and found that the file protocol is used to read the file
. The back-end code
is roughly the same as the above. The difference is that it uses a file_get_contentsfunction to read and execute the file, and the file_get_contentsfunction can read the local file or Read remote files, for example:
http://127.0.0.1/pikachu/vul/ssrf/ssrf_fgc.php?file=http://192.168.50.130/index.html
http://127.0.0.1/pikachu/vul/ssrf/ssrf_fgc.php?file=file:///c:/windows/system.ini
Or use the filter to obtain the source code pages (direct access will only be php file is executed as explained in detail )
http://127.0.0.1/pikachu/vul/ssrf/ssrf_fgc.php?file=php://filter/read=convert.base64-encode/resource=test.php
Get the source code after base64 decryption:
0x05 How to defend against SSRF
1. No jump
2, in addition to disabling http and https protocol, such as: file://, gopher://, dict://and the like.
3. Restrict the requested port to the port commonly used by http, such as 80, 443, and 8080.
4. Unify the error information to prevent users from judging the port status of the remote server based on the error information.
5. Set a whitelist for the requested address or limit the internal network IP to prevent attacks on the internal network.
Reference article:
https://cloud.tencent.com/developer/article/1561355
https://www.cnblogs.com/DxyG/p/13742430.html
https://www.cnblogs.com/dogecheng/p/11652022 .html#2605005798
https://cloud.tencent.com/developer/article/1587012