SSRF vulnerability
2022-07-28 15:00:00 【Jun moshang】
SSRF
Vulnerability principle
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a malicious request that the server itself then sends. Because the request is issued by the server, it can reach internal systems that are connected to the server but isolated from the external network; the target of an SSRF attack is therefore generally an intranet system that the attacker cannot access directly.
Causes of the vulnerability
SSRF vulnerabilities mostly arise because the server offers a feature that fetches data from other server-side applications without filtering or restricting the target address, for example fetching the text of a web page at a user-specified URL, loading an image from a specified address, or downloading a file. What is abused is the server's own ability to make requests: an SSRF flaw lets a vulnerable web application act as a proxy for attacking both remote and local servers.
Attack scenario
The attacker wants to reach a service on host B, but cannot access host B directly because of a firewall or because B is an intranet host. Server A has an SSRF vulnerability, so the attacker uses server A to mount the SSRF attack: server A sends the request to host B on the attacker's behalf, and the response leaks information about host B.

Impact:
1. Port scanning of the external network, of the intranet where the server sits, or of the server itself (localhost), obtaining service banners and similar information.
2. Attacks on other applications running on the intranet or on the server itself, such as Redis and MySQL.
3. Fingerprinting of intranet web applications to identify assets inside the enterprise.
4. Attacks on intranet and Internet web applications, mainly those that can be carried out with plain HTTP GET/POST requests (for example Struts2 exploits and SQL injection).
5. Reading local files on the server via the file protocol, and so on.
Restrictions placed on SSRF (defensive measures):
Limit the requested port to web ports, allowing only HTTP and HTTPS requests.
Restrict the domain name so that only http://www.xxx.com can be requested.
Block access to intranet IP addresses to prevent attacks on the intranet.
Mask the details of the response that are returned to the user.
Disable unusual protocols and allow only http and https requests; this prevents the use of file:///, gopher://, ftp:// and the like.
SSRF bypass methods:
1. [email protected] http://[email protected]
2. Add a port number: http://127.0.0.1:8080
3. Short address: https://0x9.me/cuGfD
4. A domain name that can point to any IP: xip.io
5. Convert the IP address to another numeric base, e.g. 192.168.0.1=32322
In more detail
Bypass using HTTP basic authentication
If the target code restricts the domain name so that only http://www.xxx.com may be requested, the HTTP basic authentication syntax (user@host) can be used to bypass it, i.e.
http://[email protected] (the request actually goes to http://www.evil.com/)
Bypass the intranet-IP restriction using a 302 redirect
A restriction on intranet IP addresses can be bypassed by way of a 302 redirect; there are two ways.
(1) There is a convenient service on the Internet at http://xip.io: when any subdomain of this service is accessed, the request ends up at the address embedded in that subdomain.
For example:
Visiting http://127.0.0.1.xip.io/flag.php actually reaches http://127.0.0.1/1.php.
Similar services: http://nip.io, http://sslip.io
(2) Redirect through a short (shortened) URL.
Base conversion to bypass the intranet-IP restriction
The IP address can be written in several alternative numeric bases to get past a WAF.
The following PHP script performs the conversion in one step:
<?php
// Convert a dotted-quad IPv4 address into its decimal, octal and hexadecimal forms.
$ip = '127.0.0.1';
$ip = explode('.', $ip);
$r = ($ip[0] << 24) | ($ip[1] << 16) | ($ip[2] << 8) | $ip[3];
if ($r < 0) {
    // On 32-bit PHP the shift overflows into a negative integer; wrap back to the unsigned value.
    $r += 4294967296;
}
echo "Decimal: ";
echo $r;
echo " Octal: ";
echo decoct($r);
echo " Hexadecimal: ";
echo dechex($r);
?>
Other addresses that point to 127.0.0.1
http://localhost/ # localhost means 127.0.0.1
http://0/ # 0 stands for 0.0.0.0 on Windows and for 127.0.0.1 on Linux
http://[0:0:0:0:0:ffff:127.0.0.1]/ # usable on Linux; did not work on Windows in my testing
http://[::]:80/ # usable on Linux; did not work on Windows in my testing
http://127.0.0.1/ # bypass using Chinese (ideographic) full stops
http://①②⑦.⓪.⓪.①
http://127.1/
http://127.00000.00000.001/ # the number of zeros does not matter; it still points to 127.0.0.1
Vulnerability impact
An attacker can access internal data without authentication, which may leak sensitive information; an attacker can also maliciously run flushall to wipe all data;
An attacker can use EVAL to execute Lua code, or write a backdoor file to disk through the data-backup feature;
In the worst case, if Redis runs as root, the attacker can write an SSH public key into the root account and log in to the victim server directly over SSH.