Blind SSRF vulnerabilities: blind SSRF vulnerability examples

What is blind SSRF?

Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application’s front-end response.
Note: the response to the back-end request is never shown to the client.

What is the impact of blind SSRF vulnerabilities?

The impact of blind SSRF vulnerabilities is often lower than fully informed SSRF vulnerabilities because of their one-way nature. They cannot be trivially exploited to retrieve sensitive data from back-end systems, although in some situations they can be exploited to achieve full remote code execution.
Note: harder to find than conventional SSRF vulnerabilities, and less harmful.

How to find and exploit blind SSRF vulnerabilities

The most reliable way to detect blind SSRF vulnerabilities is using out-of-band (OAST) techniques. This involves attempting to trigger an HTTP request to an external system that you control, and monitoring for network interactions with that system.

The easiest and most effective way to use out-of-band techniques is using Burp Collaborator. You can use the Burp Collaborator client to generate unique domain names, send these in payloads to the application, and monitor for any interaction with those domains. If an incoming HTTP request is observed coming from the application, then it is vulnerable to SSRF.

What Burp Collaborator does:
https://blog.csdn.net/fageweiketang/article/details/89073662

Simply identifying a blind SSRF vulnerability that can trigger out-of-band HTTP requests doesn’t in itself provide a route to exploitability. Since you cannot view the response from the back-end request, the behavior can’t be used to explore content on systems that the application server can reach. However, it can still be leveraged to probe for other vulnerabilities on the server itself or on other back-end systems. You can blindly sweep the internal IP address space, sending payloads designed to detect well-known vulnerabilities. If those payloads also employ blind out-of-band techniques, then you might uncover a critical vulnerability on an unpatched internal server.

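As an added defensive example (not part of the original post): an outbound-URL check that a server-side fetcher can apply before issuing the request, rejecting any URL whose host is, or resolves to, a loopback, private, link-local or otherwise non-public address, i.e. the internal address space a blind sweep would target. The `resolve` parameter and the sample addresses are assumptions so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolve(host: str) -> list:
    """Resolve a hostname to every A/AAAA record it maps to (network)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_outbound_url(url: str, resolve=_default_resolve) -> tuple:
    """Return (ok, reason); ok is False when the URL must not be fetched.

    `resolve` is injectable (assumption) so tests can supply fake records.
    Every returned address must be public: one internal record is enough
    to reject the URL. The fetcher should then connect to the validated
    address itself and not follow redirects, or a second lookup could
    return a different (internal) host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # brackets around IPv6 literals already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    for ip in addrs:
        # ::ffff:10.0.0.1 is an IPv4 address in disguise; check the v4 part
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not _is_public(ip):
            return False, f"non-public address {ip}"
    return True, "ok"
```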

posted @ 2021-08-16 10:18 Zeker62