CTF SSRF (server request forgery)

First, the concept

SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker forges requests that the server itself initiates, using the server's position to break through restrictions and reach data the client cannot obtain directly.

Wherever the server issues a request to an external or internal network on behalf of user-supplied input, an SSRF vulnerability may exist.

Second, the harm

  • 1. From an externally reachable server sitting inside an internal network, port-scan the intranet and the local host and obtain banner information from some services
  • 2. Attack applications running on the intranet or locally (e.g. overflows)
  • 3. Fingerprint intranet web applications by accessing their default files
  • 4. Attack web applications inside and outside the network, mainly where the attack can be carried in GET parameters (e.g. Struts2 exploits, SQL injection)
  • 5. Read local files via the file:// protocol

Third, finding and confirming the vulnerability

  • Looking at web functionality
    • Sharing: web content is shared by submitting a URL
    • Transcoding services: a URL is fetched and the page reformatted to fit a phone screen
    • Translation: the page behind a URL is fetched and its text translated
    • Image loading and downloading: an image is loaded or downloaded from a URL
    • Undisclosed APIs and other functions that call out to a URL
  • Looking at URL parameter keywords
    • share, wap, url, link, src, source, target, u, 3g, display, sourceURL, imageURL, domain
  • Basic judgment (does the server really make the request?)
    • Echo (the fetched response is returned to the client)
      • Direct observation
      • Packet capture (Ethereal)
      • Monitoring with a VPS
    • Time delay
    • DNS requests

Fourth, related functions (PHP)

  • file_get_contents
  • fsockopen
  • curl_exec

Fifth, IP bypass

  • Add a port
    For example: 192.168.200.9:80
  • Short URL
    uses a 302 redirect to reach the destination URL
  • A domain that resolves to any IP: xip.io
    example: 10.0.0.1.xip.io resolves to 10.0.0.1
  • Bypassing IP restrictions with alternate encodings of the address
    • Decimal
    • Octal
    • Hex
    • Different combinations of the above base conversions
  • 302 redirect
  • Combined with dict://, file://, gopher://
  • http://A.com@10.10.10.10
    Equivalent to accessing 10.10.10.10 with A.com as the user-info part of the URL
  • http://A.com?xxx=xx
    Append a useless argument to bypass
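As an added defender-side example (not part of the original notes and not the code of any tool linked here), the Python check below shows why the bypasses listed above work against naive string filters: once the host is parsed and resolved, an added port, a decimal/octal/hex host, a `user@host` prefix, a wildcard-DNS name such as `10.0.0.1.xip.io` and a non-http scheme all collapse to the same destination, so the allow/block decision has to be made on the resolved address. The names `check_url`, `parse_numeric_host` and `FAKE_DNS` are mine; the resolver is injected so the example runs offline, and the `FAKE_DNS` table is constructed test data.

```python
"""Normalise and check a user-supplied URL before a server-side fetcher uses it.
Added example; the lenient IPv4 parsing mirrors inet_aton(), which curl and PHP
inherit. The resolver is injectable so the code can be exercised without network."""
import ipaddress
import socket
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DIGITS_FOR_BASE = {10: "0123456789", 8: "01234567", 16: "0123456789abcdefABCDEF"}


def parse_numeric_host(host: str) -> Optional[ipaddress.IPv4Address]:
    """Parse an IPv4 literal the way inet_aton() does: 1 to 4 dot-separated parts,
    each decimal, octal (leading 0) or hex (0x prefix); the last part fills every
    remaining byte. Returns None when the string is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if part[:2].lower() == "0x":
            base, digits = 16, part[2:]
        elif len(part) > 1 and part[0] == "0":
            base, digits = 8, part[1:]
        else:
            base, digits = 10, part
        if not digits or any(c not in DIGITS_FOR_BASE[base] for c in digits):
            return None
        values.append(int(digits, base))
    head, last = values[:-1], values[-1]
    tail_bytes = 4 - len(head)  # bytes the final part has to cover
    if any(v > 255 for v in head) or last >= 256 ** tail_bytes:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * tail_bytes)) | last
    return ipaddress.IPv4Address(number)


def is_blocked(addr) -> bool:
    """Address ranges a server-side fetcher should never be steered to."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_host(host: str, resolver: Callable[[str], str]):
    """Literals are parsed locally (strict form first, then the lenient inet_aton
    forms); anything else goes through `resolver`, so wildcard DNS names are
    judged by what they point at."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    addr = parse_numeric_host(host)
    if addr is not None:
        return addr
    try:
        return ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return None


def check_url(url: str, resolver: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Return (allowed, reason). When allowed, `reason` is the resolved address so
    the caller can connect to exactly that address instead of resolving again."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "user info (user@host) not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    addr = resolve_host(host, resolver)
    if addr is None:
        return False, "cannot resolve host %r" % host
    if is_blocked(addr):
        return False, "%s resolves to blocked address %s" % (host, addr)
    return True, str(addr)


# Constructed lookup table standing in for DNS (wildcard services such as xip.io
# answer <ip>.xip.io with <ip>); 93.184.216.34 is just a public address for the demo.
FAKE_DNS = {"10.0.0.1.xip.io": "10.0.0.1", "a.com": "93.184.216.34"}


def fake_resolver(name: str) -> str:
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise OSError("NXDOMAIN: %s" % name)


if __name__ == "__main__":
    for u in ["http://a.com?xxx=xx", "http://192.168.200.9:80/", "http://3232286729/",
              "http://0xC0.0250.200.9/", "http://10.0.0.1.xip.io/",
              "http://a.com@10.10.10.10/", "gopher://127.0.0.1/"]:
        print(u, "->", check_url(u, fake_resolver))
```

The check covers every item in the list except the 302/short-URL one, which no pre-fetch check can settle: the fetcher must refuse automatic redirects (with the `requests` library, `allow_redirects=False`) and run `check_url` again on each `Location` it decides to follow, and it should connect to the address the check returned rather than resolving the name a second time.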

Sixth, the Gopher protocol

Gopher is an Internet protocol for distributed document search and retrieval.
The gopher protocol can be used to issue GET and POST requests: first capture the GET or POST request packet, then wrap that request in a gopher:// URL that reproduces it. For SSRF, gopher is the most powerful protocol:
using the Gopher protocol greatly expands the attack surface.

1. Limitations

  • Check phpinfo for the protocols curl supports
  • A database with no password

2. Constructing the payload

https://github.com/tarunkant/Gopherus
https://github.com/swisskyrepo/SSRFmap

Source: www.cnblogs.com/20175211lyz/p/11408583.html