服务器端请求伪造(SSRF)攻击全面指南<\/h1>

1. SSRF基础概念<\/h2>

1.1 什么是SSRF<\/h3>

服务器端请求伪造(Server-Side Request Forgery, SSRF)是一种安全漏洞，攻击者能够诱使服务器向非预期的目标发起请求。与客户端请求伪造(CSRF)不同，SSRF利用的是服务器端的请求能力。<\/p>

关键特征<\/strong>：<\/p>

服务器代表攻击者发起请求<\/li>
可以访问通常无法直接访问的内部资源<\/li>
绕过防火墙和安全组限制<\/li>
常用于探测和攻击内网服务<\/li> <\/ul>
1.2 攻击原理<\/h3>
Web服务器通常可以访问比外部用户更多的资源，因为：<\/p>

本地网络信任级别高于外部网络<\/li>
内部服务可能没有设置严格的身份验证<\/li>
防火墙通常允许内部服务器之间的通信<\/li> <\/ul>
1.3 典型攻击场景<\/h3>

WebHook调试接口<\/strong>：允许用户测试WebHook处理程序，输入任意URL获取响应<\/li>
REST API端点<\/strong>：服务器从用户提供的URL获取数据<\/li>
文件导入功能<\/strong>：从URL导入文件或数据<\/li>
图片\/资源加载<\/strong>：从用户提供的URL加载资源<\/li> <\/ol>
2. SSRF攻击技术详解<\/h2>
2.1 基本探测技术<\/h3>
内网扫描<\/strong>：<\/p>
http:\/\/127.0.0.1:8080 <\/span><\/span><\/span>http:\/\/10.0.0.3:3306 <\/span><\/span><\/span><\/code><\/pre>AWS元数据服务<\/strong>：<\/p> http:\/\/169.254.169.254\/latest\/meta-data\/ <\/span><\/span><\/span><\/code><\/pre>文件系统访问<\/strong>：<\/p> file:\/\/\/etc\/passwd <\/span><\/span><\/span><\/code><\/pre>2.2 IPv4地址绕过技术<\/h3> 当应用尝试通过正则表达式限制特定IP地址时，有多种表示方法可以绕过：<\/p> 2.2.1 整数表示法<\/h4> 将IPv4地址转换为32位整数：<\/p> 10.0.0.3 → 00001010.00000000.00000000.00000011 → 167772163 <\/code><\/pre> 请求：<\/p> http:\/\/167772163 <\/span><\/span><\/span><\/code><\/pre>2.2.2 十六进制表示法<\/h4> http:\/\/0x0A000003 <\/span><\/span><\/span>http:\/\/0x0A.0x00.0x00.0x03 <\/span><\/span><\/span><\/code><\/pre>2.2.3 八进制表示法<\/h4> http:\/\/01200000003 <\/span><\/span><\/span>http:\/\/012.00.00.03 <\/span><\/span><\/span><\/code><\/pre>2.2.4 溢出技术<\/h4> 某些NodeJS应用可能处理溢出：<\/p> http:\/\/265.0.0.3 # 265-256=9 → 实际解析为9.0.0.3 <\/span><\/span><\/span><\/code><\/pre>2.3 URL解析差异利用<\/h3> 不同URL解析库对特殊字符处理不一致：<\/p> 示例<\/strong>：<\/p> http:\/\/google.com# @secret.corp <\/span><\/span><\/span><\/code><\/pre> urlparse<\/code>库解析hostname为google.com<\/code><\/li> urllib<\/code>库解析hostname为secret.corp<\/code><\/li> <\/ul> 其他特殊字符<\/strong>：<\/p> 空格<\/li> 制表符<\/li> 换行符<\/li> 非ASCII字符<\/li> <\/ul> 2.4 协议注入技术<\/h3> 利用换行符注入其他协议命令：<\/p> SMTP协议注入<\/strong>：<\/p> https:\/\/mail.corp\r\nHELO web.corp\r\nMAIL FROM...:25\/ <\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p> 在SSL握手期间，主机名被完整使用<\/li> SMTP将换行符解释为命令结束符<\/li> 可在SSL流量中插入有效SMTP命令<\/li> <\/ul> 适用协议<\/strong>：<\/p> SMTP<\/li> SIP<\/li> 其他基于文本的协议<\/li> <\/ul> 3. 防御措施<\/h2> 3.1 输入验证最佳实践<\/h3> 使用标准库解析URL<\/strong>：<\/p> 不要自行实现URL解析逻辑<\/li> 使用语言提供的标准URL解析库<\/li> <\/ul> <\/li> 严格白名单<\/strong>：<\/p> ALLOWED_DOMAINS =<\/span> ['example.com'<\/span>, 'api.example.com'<\/span>] <\/span><\/span>if<\/span> parsed_url.<\/span>hostname not<\/span> in<\/span> ALLOWED_DOMAINS: <\/span><\/span> raise<\/span> Exception<\/span>("Invalid domain"<\/span>) <\/span><\/span><\/code><\/pre><\/li> 协议限制<\/strong>：<\/p> 只允许HTTP\/HTTPS<\/li> 禁止file:\/\/, ftp:\/\/, gopher:\/\/等危险协议<\/li> <\/ul> <\/li> <\/ol> 3.2 网络层防护<\/h3> 出口过滤<\/strong>：<\/p> 限制服务器只能访问必要的公网端点<\/li> 禁止访问内网IP段(10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16)<\/li> <\/ul> <\/li> 网络隔离<\/strong>：<\/p> 将Web服务器放在DMZ区域<\/li> 限制Web服务器访问元数据服务(如169.254.169.254)<\/li> <\/ul> <\/li> <\/ol> 3.3 应用层防护<\/h3> DNS重绑定防护<\/strong>：<\/p> 解析URL的hostname后立即使用，不要缓存<\/li> 验证DNS解析结果是否在允许范围内<\/li> <\/ul> <\/li> 响应处理<\/strong>：<\/p> 不要将原始响应返回给客户端<\/li> 对响应内容进行严格过滤<\/li> <\/ul> <\/li> <\/ol> 4. 高级攻击技术<\/h2> 4.1 端口扫描<\/h3> 利用SSRF进行内网端口扫描：<\/p> import<\/span> requests <\/span><\/span> <\/span><\/span>for<\/span> port in<\/span> range(1<\/span>, 1025<\/span>): <\/span><\/span> try<\/span>: <\/span><\/span> response =<\/span> requests.<\/span>get(f<\/span>'http:\/\/127.0.0.1:<\/span>{<\/span>port}<\/span>'<\/span>, timeout=<\/span>1<\/span>) <\/span><\/span> print(f<\/span>"Port <\/span>{<\/span>port}<\/span> is open"<\/span>) <\/span><\/span> except<\/span>: <\/span><\/span> continue<\/span> <\/span><\/span><\/code><\/pre>4.2 云服务元数据利用<\/h3> AWS元数据服务<\/strong>：<\/p> http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/ROLE_NAME <\/span><\/span><\/span><\/code><\/pre>Google Cloud<\/strong>：<\/p> http:\/\/metadata.google.internal\/computeMetadata\/v1beta1\/instance\/service-accounts\/default\/token <\/span><\/span><\/span><\/code><\/pre>4.3 内部API滥用<\/h3> 通过SSRF访问内部管理接口：<\/p> http:\/\/localhost:8080\/actuator\/env <\/span><\/span><\/span>http:\/\/localhost:8080\/phpmyadmin\/ <\/span><\/span><\/span><\/code><\/pre>5. 测试与验证<\/h2> 5.1 测试工具<\/h3> Burp Suite Collaborator<\/strong> - 检测出站请求<\/li> SSRF Sheriff<\/strong> - Chrome扩展检测SSRF<\/li> Gopherus<\/strong> - 生成SSRF攻击payload<\/li> <\/ol> 5.2 测试Payloads<\/h3> http:\/\/127.0.0.1:80 http:\/\/localhost:22 http:\/\/[::]:80\/ http:\/\/0177.0.0.1\/ http:\/\/2130706433\/ http:\/\/0x7f000001\/ http:\/\/127.1\/ http:\/\/127.0.1\/ <\/code><\/pre> 6. 总结<\/h2> SSRF是一种危害严重的安全漏洞，能够穿透网络边界访问内部系统。防御SSRF需要多层次的安全措施：<\/p> 输入验证<\/strong>：严格验证所有用户提供的URL<\/li> 网络控制<\/strong>：实施严格的出口过滤<\/li> 最小权限<\/strong>：限制服务器网络访问权限<\/li> 持续监控<\/strong>：监控异常请求模式<\/li> <\/ol> 随着云原生架构和微服务的普及，SSRF的攻击面正在扩大，开发者和安全团队需要更加重视这类漏洞的防护。<\/p>