Links

PHP SSRF

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

SSRF PHP functions

Some function such as _file_get_contents(), fopen(), file(), md5_file() _ accept URLs as input that they will follow making possible SSRF vulnerabilities if the use can control the data:
file_get_contents("http://127.0.0.1:8081");
fopen("http://127.0.0.1:8081", "r");
file("http://127.0.0.1:8081");
md5_file("http://127.0.0.1:8081");

CRLF

Moreover, in some cases it might be even possible to send arbitrary headers via CRLF "vulnerabilities" in the previous functions:
# The following will create a header called from with value Hi and
# an extra header "Injected: I HAVE IT"
ini_set("from", "Hi\r\nInjected: I HAVE IT");
file_get_contents("http://127.0.0.1:8081");
​
GET / HTTP/1.1
From: Hi
Injected: I HAVE IT
Host: 127.0.0.1:8081
Connection: close
​
# Any of the previously mentioned functions will send those headers
For more info about that CRLF vuln, check this bug https://bugs.php.net/bug.php?id=81680&edit=1​
Note that these function might have other methods to set arbitrary headers in requests, like:
$url = "";
​
$options = array(
'http'=>array(
'method'=>"GET",
'header'=>"Accept-language: en\r\n" .
"Cookie: foo=bar\r\n" . // check function.stream-context-create on php.net
"User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad
)
);
​
$context = stream_context_create($options);
$file = file_get_contents($url, false, $context);
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.