java基础漏洞学习----SSRF漏洞
java基础漏洞学习----SSRF漏洞
JAVA的SSRF常见利用协议
仅支持sun.net.www.protocol下所有的协议:http,https,file,ftp,mailto,jar及netdoc
传入的URL必须和重定向后的URL协议一致(例如http请求不会被重定向到file协议);JAVA中的SSRF不能像PHP中那样使用gopher协议来扩展攻击面
常见的可以发起网络请求,并且会导致SSRF漏洞的写法
1.urlConnection
package com.example.servletdemo;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.io.BufferedReader;
import java.io.InputStreamReader;
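/**
 * Article example of the {@code URLConnection} SSRF pattern: the server fetches
 * whatever the {@code url} request parameter names and echoes the body back.
 *
 * <p>The request flow is kept as the article shows it (no validation of the
 * parameter), because the surrounding text uses it to illustrate the flaw.
 * What a hardened version needs: parse the URL, allow only http/https, check
 * the host against an allowlist, resolve it and reject loopback, private and
 * link-local addresses, and re-validate every redirect hop instead of following
 * redirects automatically.
 */
public class SSRF1 extends HttpServlet {
    /**
     * Fetches the resource named by the {@code url} parameter and writes its
     * text to the response.
     *
     * @param request  incoming request; {@code url} is read from it unchecked
     * @param response receives the fetched text as {@code text/html}
     * @throws ServletException declared by the servlet contract
     * @throws IOException      declared by the servlet contract
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        request.setCharacterEncoding("UTF-8");
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html;charset=UTF-8");
        try {
            // Source: caller-controlled value, used below without any check.
            String url = request.getParameter("url");
            // java.net.URL is not limited to http/https; a file: URL makes this
            // endpoint read from the server's own file system.
            URL u = new URL(url);
            // Sink: the server opens a connection to the caller's destination.
            URLConnection urlConnection = u.openConnection();
            StringBuilder result = new StringBuilder();
            // try-with-resources closes the stream even when reading fails; the
            // original only closed it on the success path. The charset is named
            // explicitly so decoding does not depend on the platform default.
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(urlConnection.getInputStream(), "UTF-8"))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    result.append(line).append("\n");
                }
            }
            // The fetched body goes into a text/html response unencoded, so any
            // markup it contains is rendered in this application's origin.
            response.getWriter().print(result.toString());
        } catch (Exception e) {
            // Best-effort demo handling: the client gets an empty response and
            // the stack trace only reaches the server's stderr.
            e.printStackTrace();
        }
    }
}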
web.xml中加入相关路由
<!-- Registers com.example.servletdemo.SSRF1 and maps it to the /SSRF1 path. -->
<!-- NOTE(review): no <security-constraint> is visible in this fragment; confirm whether the endpoint is reachable without authentication. -->
<servlet>
<servlet-name>SSRF1</servlet-name>
<servlet-class>com.example.servletdemo.SSRF1</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SSRF1</servlet-name>
<url-pattern>/SSRF1</url-pattern>
</servlet-mapping>
上述代码对url参数不做任何校验,服务端直接请求该地址并把响应内容返回给客户端,造成SSRF漏洞
2.HttpURLConnection
HttpURLConnection继承自URLConnection
修改部分代码
import java.net.HttpURLConnection;
...
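URLConnection urlConnection = u.openConnection();
// Narrowing to HttpURLConnection: the cast throws ClassCastException for URLs
// whose handler is not HTTP(S) (for example file:), so this variant only
// completes for http/https destinations. The original snippet misspelled the
// type name in the cast, which does not compile.
HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
// Sink: the response of the caller-chosen destination is read here.
BufferedReader reader = new BufferedReader(new InputStreamReader(httpUrl.getInputStream()));
StringBuilder result = new StringBuilder();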
3.Request
主代码
package com.example.servletdemo;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hc.client5.http.fluent.Request;
/**
 * Article example of the SSRF pattern through the Apache HttpClient 5 fluent
 * {@code Request} API: the {@code url} parameter is fetched server-side and
 * the returned content is written straight into the response.
 *
 * <p>Nothing between reading the parameter and issuing the request checks the
 * scheme, host or resolved address of the destination.
 */
public class SSRF3 extends HttpServlet {
    /**
     * Issues a GET to the address in the {@code url} parameter and prints the
     * returned content.
     *
     * @param request  incoming request carrying the unchecked {@code url} value
     * @param response receives the fetched content as {@code text/html}
     * @throws ServletException declared by the servlet contract
     * @throws IOException      declared by the servlet contract
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        final String encoding = "UTF-8";
        request.setCharacterEncoding(encoding);
        response.setCharacterEncoding(encoding);
        response.setContentType("text/html;charset=UTF-8");
        try {
            // Source: caller-controlled destination.
            final String target = request.getParameter("url");
            // Sink: the fluent API performs the outbound GET on the server's behalf.
            final String fetched = Request.get(target).execute().returnContent().toString();
            // The content is reflected unencoded into a text/html response.
            response.getWriter().print(fetched);
        } catch (Exception failure) {
            // Failures are only printed server-side; the client sees an empty body.
            failure.printStackTrace();
        }
    }
}
pom.xml
<!-- Apache HttpClient 5 fluent API; supplies org.apache.hc.client5.http.fluent.Request used by SSRF3. -->
<!-- NOTE(review): the version is pinned as written in the article; check for a current release before reuse. -->
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5-fluent</artifactId>
<version>5.1.4</version>
</dependency>
4.openStream
主代码
package com.example.servletdemo;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.common.io.Files;
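/**
 * Article example of the {@code URL.openStream()} SSRF pattern, shaped as a
 * "download this file" endpoint: the bytes behind the {@code url} parameter
 * are streamed to the client as an attachment.
 *
 * <p>The unchecked fetch is kept as the article shows it. Because the stream
 * is opened through {@code java.net.URL}, non-HTTP schemes such as
 * {@code file:} are accepted too, which turns the endpoint into a local file
 * read. A hardened version would allow only http/https, check the host against
 * an allowlist and reject internal addresses after resolution.
 */
public class SSRF4 extends HttpServlet {
    /**
     * Streams the resource named by the {@code url} parameter into the
     * response body.
     *
     * @param request  incoming request carrying the unchecked {@code url} value
     * @param response receives the raw bytes plus a content-disposition header
     * @throws ServletException declared by the servlet contract
     * @throws IOException      declared by the servlet contract
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        request.setCharacterEncoding("UTF-8");
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html;charset=UTF-8");
        try {
            // Source: caller-controlled destination.
            String url = request.getParameter("url");
            String downLoadImgFileName = Files.getNameWithoutExtension(url) + "." + Files.getFileExtension(url);
            // NOTE(review): the file name is derived from the untrusted url and
            // concatenated into a response header without quoting or filtering.
            response.setHeader("content-disposition", "attachment;filename=" + downLoadImgFileName);
            URL u = new URL(url);
            // try-with-resources closes both streams even if closing one of them
            // fails; in the original finally block an exception from the first
            // close() skipped the second.
            try (InputStream inputStream = u.openStream(); // sink: server-side fetch
                 OutputStream outputStream = response.getOutputStream()) {
                byte[] bytes = new byte[1024];
                int length;
                while ((length = inputStream.read(bytes)) != -1) {
                    outputStream.write(bytes, 0, length);
                }
            }
        } catch (Exception e) {
            // Best-effort demo handling: failures are only printed server-side.
            e.printStackTrace();
        }
    }
}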
pom.xml中添加
<!-- Guava; supplies com.google.common.io.Files, which SSRF4 uses to derive the download file name. -->
<!-- NOTE(review): the version is pinned as written in the article; check for a current release before reuse. -->
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>30.1-jre</version>
</dependency>
web.xml中添加
<!-- Registers com.example.servletdemo.SSRF4 and maps it to the /SSRF4 path. -->
<!-- NOTE(review): no <security-constraint> is visible in this fragment; confirm whether the endpoint is reachable without authentication. -->
<servlet>
<servlet-name>SSRF4</servlet-name>
<servlet-class>com.example.servletdemo.SSRF4</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SSRF4</servlet-name>
<url-pattern>/SSRF4</url-pattern>
</servlet-mapping>
5.HttpClient
主代码
package com.example.servletdemo;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
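/**
 * Article example of the SSRF pattern through Apache HttpClient 4.x: the
 * {@code url} parameter is requested with {@code HttpGet} and the response
 * body is echoed back to the caller.
 *
 * <p>The unchecked fetch is kept as the article shows it. A hardened version
 * would allow only http/https, check the host against an allowlist, reject
 * internal addresses after resolution, and re-validate redirect targets.
 */
public class SSRF5 extends HttpServlet {
    /**
     * Executes a GET against the address in the {@code url} parameter and
     * writes the response text to the client.
     *
     * @param request  incoming request carrying the unchecked {@code url} value
     * @param response receives the fetched text as {@code text/html}
     * @throws ServletException declared by the servlet contract
     * @throws IOException      declared by the servlet contract
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        request.setCharacterEncoding("UTF-8");
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html;charset=UTF-8");
        try {
            // Source: caller-controlled destination.
            String url = request.getParameter("url");
            HttpGet httpGet = new HttpGet(url);
            StringBuilder result = new StringBuilder();
            // try-with-resources releases the client and the response stream on
            // every path; the original closed them only when no exception occurred.
            // NOTE(review): the default client presumably follows redirects, so
            // checking only the initial URL would not be sufficient; confirm.
            try (CloseableHttpClient client = HttpClients.createDefault();
                 BufferedReader reader = new BufferedReader(new InputStreamReader(
                         client.execute(httpGet).getEntity().getContent(), "UTF-8"))) { // sink
                String line;
                while ((line = reader.readLine()) != null) {
                    result.append(line).append("\n");
                }
            }
            // The fetched body is reflected unencoded into a text/html response.
            response.getWriter().print(result.toString());
        } catch (Exception e) {
            // Best-effort demo handling: failures are only printed server-side.
            e.printStackTrace();
        }
    }
}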
pom.xml中添加依赖
<!-- Apache HttpClient 4.x; supplies HttpGet, CloseableHttpClient and HttpClients used by SSRF5. -->
<!-- NOTE(review): the version is pinned as written in the article; check for a current release before reuse. -->
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
</dependency>
代码审计
搜索urlConnection、HttpURLConnection、openStream、url、Request、HttpClient等关键字,并确认传入的URL是否来自用户可控的输入