Analysis of SSRF attack instances (1)

Ssrf attack Overview

Many web applications provide the ability to retrieve data from other servers. With the URL specified by the user, the web application can obtain images, download files, and read file content. If this function is maliciously used, you can use a defective web application as a proxy to attack remote and local servers. This type of attack is called Server-side Request Forgery ).

For example, the display is a typical application that provides this function:

If the application does not properly verify and filter the URL provided by the user and the information returned by the remote server, this type of Server Request Forgery may exist. Google, Facebook, Adobe, baidu, tencent, and other well-known companies have discovered such vulnerabilities. There are five types of attacks that can be achieved by attackers using ssrf:

1. You can scan the Internet, server Intranet, and local ports to obtain the banner information of some services;

2. Attack applications running on the Intranet or local device (such as overflow );

3. Fingerprint Recognition for Intranet web applications by accessing default files;

4. Attacks against web applications on the Intranet and Internet, mainly attacks that can be implemented using get parameters (such as struts2 and sqli );

5. Use the file protocol to read local files.

Common backend implementation

Ssrf attacks may be written in any language. We use some php code to analyze them as an example. Most of the Code comes from the real application source code.

1, php file_get_contents:

 
 

  
  
<?php 
  
  
if (isset($_POST['url']))  
  
  
{  
  
  
$content = file_get_contents($_POST['url']);  
  
  
$filename ='./images/'.rand().';img1.jpg';  
  
  
file_put_contents($filename, $content);  
  
  
echo $_POST['url'];  
  
  
$img = " 
  
}  
  
  
echo $img;  
  
  
?> 
 
 

This Code uses the file_get_contents function to get an image from the url specified by the user. Save the file name on the hard disk and display it to the user.

2, php fsockopen ():

 
 

  
  
<?php  
  
  
function GetFile($host,$port,$link)  
  
  
{  
  
  
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);  
  
  
if (!$fp) {  
  
  
echo "$errstr (error number $errno) \n";  
  
  
} else {  
  
  
$out = "GET $link HTTP/1.1\r\n";  
  
  
$out .= "Host: $host\r\n";  
  
  
$out .= "Connection: Close\r\n\r\n";  
  
  
$out .= "\r\n";  
  
  
fwrite($fp, $out);  
  
  
$contents='';  
  
  
while (!feof($fp)) {  
  
  
$contents.= fgets($fp, 1024);  
  
  
}  
  
  
fclose($fp);  
  
  
return $contents;  
  
  
}  
  
  
} 
  
  
?> 
 
 

This Code uses the fsockopen function to obtain user-defined url data (file or html ). This function uses socket to establish a tcp connection with the server to transmit the original data.

3, php curl_exec ():

 
 

  
  
<?php  
  
  
if (isset($_POST['url'])) 
  
  
{ 
  
  
$link = $_POST['url']; 
  
  
$curlobj = curl_init(); 
  
  
curl_setopt($curlobj, CURLOPT_POST, 0); 
  
  
curl_setopt($curlobj,CURLOPT_URL,$link); 
  
  
curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1); 
  
  
$result=curl_exec($curlobj); 
  
  
curl_close($curlobj); 
  
  
 
  
  
$filename = './curled/'.rand().'.txt'; 
  
  
file_put_contents($filename, $result);  
  
  
echo $result; 
  
  
} 
  
  
?> 
 
 

This is another common implementation. Use curl to obtain data.

Attack scenarios

In most web server architectures, the web server itself can access the Internet and the Intranet of the server. Shows where requests from the web server can arrive.