SSRF (server side request forgery) -- Principle & bypass & Defense
2022-07-27 00:15:00 【Song dock】
0/1 Preface
Principle
The root cause of an SSRF vulnerability: the server exposes an interface whose parameter (typically a URL) is supplied by the user, the server does not validate it, and then fetches whatever that parameter points to.
In short: the attacker makes the server issue requests on the attacker's behalf, using the server as a springboard to reach targets the attacker cannot reach directly.
Because it is a springboard, the attacker has no direct path to the target service; the server in the middle does. To make the flow clearer, I drew a picture:

The intranet servers in the picture hold databases and other internal host information that is not exposed to the outside.
Testing
Ways to verify SSRF:
1. Capture the traffic and check whether the request is issued by the server rather than by the client. If the server makes the request on the user's behalf, SSRF is very likely.
2. Look for resource addresses in the page source. A resource address of the form www.baidu.com/xxx.php?xxx=(address) may indicate SSRF.
3. Test with dnslog or similar tools: point the parameter at a domain you control and see whether it gets resolved or requested.
4. Check whether the response echoes the fetched resource directly: banner, title, content, etc.
0/2 Exploit
Bypass
Some groundwork first
`http://<anything>@127.0.0.1` and `http://127.0.0.1` make the same request: the part before `@` is the URL's userinfo, and the host that is actually connected to is 127.0.0.1. The same trick applies to URL-jump (open redirect) checks. It works because of how URL parsing rules are applied.
In general, SSRF filters that are bypassed through URL parsing fail because the back end uses an incorrect regular expression (or an ad hoc string match) to parse the URL instead of a real URL parser, and so it checks a different host than the one the HTTP client connects to.
The same parsing rules also mean that many differently written URLs reach the same resource.
Symbol replacement
In the browser, other separator characters can stand in for the `.` in a host name: the ideographic full stop `。` (U+3002), the fullwidth full stop `．` (U+FF0E) and the halfwidth ideographic full stop `｡` (U+FF61) are all mapped to an ASCII `.` by IDNA processing before the name is resolved.
So `www。baidu。com` and `www．baidu．com` both open Baidu directly, while a naive string filter looking for `baidu.com` does not match them.
Local loopback address
127.0.0.1, usually called the local loopback address, can be written in many ways (an IPv6 address must be wrapped in [] when used in an http URL). Note that on Linux, 0.0.0.0 also refers to the local machine, as does every address in 127.0.0.0/8, not only 127.0.0.1:
http://127.0.0.1
http://localhost
http://127.255.255.254 (any address from 127.0.0.1 to 127.255.255.254 is loopback)
http://[::1]
http://[::ffff:7f00:1] (IPv4-mapped IPv6 form of 127.0.0.1)
http://[::ffff:127.0.0.1]
http://127.1 (inet_aton short form: the last number fills the remaining bytes)
http://127.0.1
http://0:80 (0 is 0.0.0.0)
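The symbol-replacement and loopback spellings above can be checked with a real URL parser instead of by eye. The following is an added example (mine, not from the original article): it takes each spelling and shows which host the client actually connects to and whether that host is the local machine. It goes slightly beyond the list above by also accepting the decimal, octal and hex forms that `inet_aton` understands. The `www。baidu。com` host and the URL list are constructed inputs.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host the HTTP client will actually connect to.

    urlsplit() drops userinfo ('user@') and the port, so
    'http://www.baidu.com@127.0.0.1' yields '127.0.0.1'. The idna codec then
    maps the IDNA label separators U+3002, U+FF0E and U+FF61 to an ASCII dot,
    exactly as a browser does, so 'www。baidu。com' becomes 'www.baidu.com'.
    """
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


def targets_local_host(url: str) -> bool:
    """True if the URL ends up on the local machine in any of the spellings
    listed above (loopback, ::1, IPv4-mapped IPv6, inet_aton short forms, 0.0.0.0)."""
    host = effective_host(url)
    if host == "localhost":
        return True
    if ":" in host:                       # IPv6 literal; urlsplit already removed the []
        try:
            addr6 = ipaddress.IPv6Address(host)
        except ValueError:
            return False
        mapped = addr6.ipv4_mapped        # ::ffff:7f00:1 / ::ffff:127.0.0.1
        return mapped.is_loopback if mapped is not None else addr6.is_loopback
    try:
        # inet_aton accepts the short forms 127.1 and 127.0.1, the bare '0', and
        # also decimal (2130706433), octal (0177.0.0.1) and hex (0x7f000001)
        packed = socket.inet_aton(host)
    except OSError:
        return False                      # not an IPv4 literal, e.g. www.baidu.com
    addr4 = ipaddress.IPv4Address(packed)
    # Anything in 127.0.0.0/8 is loopback; 0.0.0.0 also reaches the local host on Linux
    return addr4.is_loopback or addr4.is_unspecified


# Constructed inputs: the spellings from the list above plus inet_aton variants
LOCAL_SPELLINGS = [
    "http://www.baidu.com@127.0.0.1/",
    "http://127.0.0.1/",
    "http://localhost/",
    "http://127.255.255.254/",
    "http://[::1]/",
    "http://[::ffff:7f00:1]/",
    "http://[::ffff:127.0.0.1]/",
    "http://127.1/",
    "http://127.0.1/",
    "http://0:80/",
    "http://2130706433/",
    "http://0177.0.0.1/",
    "http://0x7f000001/",
]


def report(urls):
    """Map each URL to (effective host, targets local host?)."""
    return {u: (effective_host(u), targets_local_host(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, local) in report(LOCAL_SPELLINGS + ["http://www。baidu。com/"]).items():
        print(f"{url:40} -> host={host!r:22} local={local}")
```

The lesson for a filter author is the inverse of the attacker's: compare on the parsed, normalised host (or better, on the resolved address), never on the raw string the user submitted.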
Using URL shorteners
Many sites on the Internet turn a long URL into a short one:
•https://www.985.so/
•https://www.urlc.cn/
A shortened URL can get past a filter that only inspects the submitted string, because the internal target only appears after the shortener's redirect.
xip.io bypass
One example is enough to understand it:
http://xxx.192.168.0.1.xip.io/ == 192.168.0.1 (xxx is arbitrary)
xip.io (a custom DNS service built by 37signals) is a domain that points at any IP: it resolves a name of the form above to the address embedded in it. xip.io itself has since been shut down; nip.io and sslip.io provide the same wildcard resolution.
This bypass works on the same principle as a DNS-based bypass: the filter only sees a harmless-looking hostname, while the address it resolves to is internal.
Attack techniques
Intranet port scanning
ssrf.php?url=127.0.0.1:3306 # probe whether a MySQL service is listening
Reading intranet files with the file protocol
ssrf.php?url=file:///etc/passwd # read the passwd file
Using the Gopher protocol to widen the attack surface
For this, refer to Changting's article "Using the Gopher protocol to widen the attack surface", which is very good.
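The probes above are sent one port at a time; what tells an open port from a closed one is that the vulnerable application answers differently (status code, body length, error text, or timing). As an added example (my code, not from the article; the endpoint, the `fetch` callback and the port list are assumptions), here is a small driver that builds `url=` probes in the `ssrf.php` style shown above and compares each response with that of a port assumed to be closed:

```python
import time
from urllib.parse import quote


def build_probe(endpoint: str, target: str, port: int, scheme: str = "") -> str:
    """Build a probe such as 'ssrf.php?url=127.0.0.1:3306' (optionally with a scheme,
    e.g. gopher://10.0.0.5:6379). ':' and '/' are kept unencoded, as in the article."""
    dest = f"{scheme}://{target}:{port}" if scheme else f"{target}:{port}"
    return f"{endpoint}?url={quote(dest, safe=':/')}"


def probe(endpoint, target, port, fetch):
    """Send one probe through the SSRF endpoint and record what came back.

    `fetch(url)` is whatever issues the request to the vulnerable application and
    returns (status, body); it is injected (an assumption) so the logic can run offline.
    """
    started = time.monotonic()
    status, body = fetch(build_probe(endpoint, target, port))
    return {"port": port, "status": status, "length": len(body),
            "head": bytes(body[:32]), "seconds": time.monotonic() - started}


def scan_via_ssrf(endpoint, target, ports, fetch, baseline_port=1):
    """Probe `ports` and flag those whose response differs from a baseline.

    The baseline is a port assumed closed (1 by default). The application usually
    answers a closed port with the same error every time, so any port whose status,
    length or first bytes differ is likely open. A probe that takes much longer than
    the baseline while returning the same body points to a filtered port (the
    connection was dropped rather than refused); the timing is kept in the result
    so the caller can judge that.
    """
    base = probe(endpoint, target, baseline_port, fetch)
    results = []
    for port in ports:
        r = probe(endpoint, target, port, fetch)
        r["open"] = (r["status"], r["length"], r["head"]) != (
            base["status"], base["length"], base["head"])
        results.append(r)
    return results


def open_ports(results):
    return [r["port"] for r in results if r["open"]]
```

Pick the baseline port with care: if the application answers a closed port and an open port identically (for example by hiding all errors, as the defence section recommends), the only remaining signal is time, and the scan becomes far noisier.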
0/3 SSRF defense
• Disable 302 redirects, or re-check on every hop whether the new destination is an intranet address or otherwise illegal; a whitelisted host that redirects to 127.0.0.1 defeats a check that is only done on the first URL.
• Validate the response: check that what came back from the remote server is what the feature expects (for example an image), and do not return raw responses to the user.
• Disable high-risk protocols such as gopher, dict, ftp and file; allow only http/https.
• Use a URL whitelist, or block intranet IPs. Do the check on the address the hostname resolves to, not on the string, and then connect to that same address; otherwise the DNS answer can change between the check and the connection.
• Restrict requested ports to the common HTTP ports, or to the ports the remote service actually needs.
• Catch error messages and return a uniform error, so the attacker cannot tell from the error text which service sits behind a port.
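As an added example (not from the original article), here is what the whitelist, redirect and protocol rules above look like in code. The policy values, the `resolver` and `opener` parameters and the host names are assumptions; the resolver and opener are injectable so the check can be exercised without network access.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Policy values are assumptions; tune them to the feature that needs outbound fetches
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}
MAX_REDIRECTS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_forbidden_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918/ULA, link-local (cloud metadata), 0.0.0.0 and the like.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so it cannot hide a
    loopback target. Anything unparsable is treated as forbidden (fail closed).
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def resolve_all(host, port, resolver=socket.getaddrinfo):
    """Every address the name resolves to: a DNS-based bypass only needs one bad record."""
    return sorted({info[4][0] for info in resolver(host, port, type=socket.SOCK_STREAM)})


def check_url(url, resolver=socket.getaddrinfo):
    """Validate one URL and return (scheme, host, port, path, pinned_ip).

    The checked IP is returned so the caller connects to exactly that address
    instead of resolving again; a second lookup could return a different,
    internal address (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo (user@host) not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    ips = resolve_all(host, port, resolver)
    if not ips:
        raise ValueError(f"{host} does not resolve")
    bad = [ip for ip in ips if is_forbidden_ip(ip)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, host, port, path, ips[0]


def http_opener(scheme, ip, host, port, path):
    """Plain-HTTP request to the pinned IP with the original Host header.

    https would additionally need ssl.create_default_context() and
    server_hostname=host for SNI and certificate checking; omitted here.
    """
    if scheme != "http":
        raise ValueError("this opener only speaks http")
    conn = http.client.HTTPConnection(f"[{ip}]" if ":" in ip else ip, port, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


def safe_fetch(url, opener=http_opener, resolver=socket.getaddrinfo):
    """Fetch url, following at most MAX_REDIRECTS redirects and re-checking every hop.

    Returns (status, body). Raises ValueError for anything the policy rejects, so the
    caller can map every failure to one uniform error message.
    """
    for _ in range(MAX_REDIRECTS + 1):
        scheme, host, port, path, ip = check_url(url, resolver)
        status, headers, body = opener(scheme, ip, host, port, path)
        if status not in REDIRECT_CODES:
            return status, body
        location = headers.get("location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)     # a relative Location still goes through check_url
    raise ValueError("too many redirects")
```

Two design points matter more than the allowlists themselves: the address that was checked is the address that gets connected to (no second resolution), and a redirect is treated as a brand-new URL that has to pass the same check.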