SSRF Bypass Tips

SSRF (Server Side Request Forgery) testing resources

Quick URL-based bypasses:

htaccess - redirect tests for various cases

Status codes: 300, 301, 302, 303, 305, 307, 308

File types: jpg, json, csv, xml

Live demos:

JPG 301 response without and with a valid response body:

JSON 301 response without and with a valid response body:

CSV 301 response without and with a valid response body:

XML 301 response without and with a valid response body:

custom-30x - custom 30x response with PHP and a Location header

Live demos:

custom-200 - custom 200 response with PHP and a Content-Location header

Live demos:

custom-201 - custom 201 response with PHP and a Location header

Live demos:

Minimal web server using netcat

ip.py - alternative IP encoding tool for SSRF testing

python ip.py IP PORT WhiteListedDomain EXPORT (optional)

DNS pinning

nslookup ssrf-169.254.169.254.localdomain.pw

http://xip.io/

nslookup 169.254.169.254.xip.io

nslookup 127.127.127.127.xip.io

DNS pinning race condition

nslookup ssrf-race-169.254.169.254.localdomain.pw

DNS rebinding

pip install twisted

python dns.py WhitelistedIP InternalIP Port

python dns.py 216.58.214.206 169.254.169.254 53

http://webcache.googleusercontent.com/search?q=cache:http://www.611eternity.com/DNSRebinding%E6%8A%80%E6%9C%AF%E5%AD%A6%E4%B9%A0/

cloud-metadata.txt - cloud metadata dictionary for SSRF testing

svg - SSRF with an svg file

ffmpeg - SSRF with ffmpeg

https://hackerone.com/reports/237381

https://hackerone.com/reports/243470

https://github.com/neex/ffmpeg-avi-m3u-xbin

https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf

https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.g22371f2702_0_15

iframe - SSRF using an HTML iframe + URL bypass

Live demos:

Abusing enclosed alphanumerics

common-open-ports.txt - list of commonly open ports

Java/Python FTP injections allow for firewall bypass

http://webcache.googleusercontent.com/search?q=cache:http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

https://github.com/ecbftw/poc/blob/master/java-python-ftp-injection/ftp-injection-server.py

http://webcache.googleusercontent.com/search?q=cache:https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/

SSRF + Gopher + Redis

http://webcache.googleusercontent.com/search?q=cache:http://vinc.top/2016/11/24/%E3%80%90ssrf%E3%80%91ssrfgopher%E6%90%9E%E5%AE%9A%E5%86%85%E7%BD%91%E6%9C%AA%E6%8E%88%E6%9D%83redis/

https://webcache.googleusercontent.com/search?q=cache:http://antirez.com/news/96

Top 5 features that are often vulnerable to SSRF:

https://webcache.googleusercontent.com/search?q=cache:https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

AppSecEU15-Server_side_browsing_considered_harmful.pdf

https://www.youtube.com/watch?v=8t5-A4ASTIU

us-17-A-NEW-ERA-OF-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

https://www.youtube.com/watch?v=D1S-G8rJrEk

A tiny and cute URL fuzzer

https://github.com/orangetw/Tiny-URL-Fuzzer

Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver

https://edoverflow.com/2017/ruby-resolv-bug/

https://hackerone.com/reports/287245

https://hackerone.com/reports/215105

0177.1 => 127.0.0.1

0x7f.1 => 127.0.0.1

127.1 => 127.0.0.1
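To show why the three encodings above slip past a filter that only understands canonical dotted quads, here is an added example (my own code, not part of this resource list or of any tool it links): it canonicalises an IPv4 literal the way inet_aton(3) does and only then applies the non-global block check. Function names are my own; it assumes a glibc-style socket.inet_aton, which also accepts a bare 32-bit decimal such as 2130706433.

```python
import ipaddress
import socket


def canonical_ipv4(host: str):
    """Return the dotted quad a libc-style resolver would use for `host`,
    or None when libc would not treat it as an IPv4 literal at all.

    socket.inet_aton follows inet_aton(3): octal parts ("0177"), hex parts
    ("0x7f"), fewer than four parts ("127.1") and a single 32-bit integer
    ("2130706433") are all accepted, and each of these collapses to 127.0.0.1.
    """
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def naive_is_blocked(host: str) -> bool:
    """Weak filter: only canonical dotted quads are recognised as addresses.

    ipaddress.ip_address rejects "0177.1", so the except branch lets the
    string through untouched and the HTTP client later resolves it itself.
    """
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def hardened_is_blocked(host: str) -> bool:
    """Canonicalise first, then decide on the form the client will connect to.

    Returns True for loopback, private, link-local (169.254.0.0/16, where
    cloud metadata lives) and other non-global ranges. A None result means
    `host` is a name, not a literal: resolve it and re-check every returned
    address with this same function before connecting.
    """
    canon = canonical_ipv4(host)
    if canon is None:
        return False
    return not ipaddress.ip_address(canon).is_global


if __name__ == "__main__":
    for probe in ("0177.1", "0x7f.1", "127.1", "169.254.169.254", "8.8.8.8"):
        print(probe, canonical_ipv4(probe), naive_is_blocked(probe), hardened_is_blocked(probe))
```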

SSRF Tips

http://webcache.googleusercontent.com/search?q=cache:http://blog.safebuff.com/2016/07/03/SSRF-Tips/

PHP SSRF Techniques

https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51

SSRF Bible

https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM

SSRF Proxy

https://github.com/bcoles/ssrf_proxy

SSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery

Original link: https://kuaibao.qq.com/s/20180606A0XYUR00?refer=cp_1026