Analysis of SSRF attack instances (1)

Source: Internet
Author: User

SSRF attack overview

Many web applications provide the ability to retrieve data from other servers: given a URL specified by the user, the web application fetches images, downloads files, or reads file content. If this function is abused, a defective web application can be used as a proxy to attack remote and local servers. This type of attack is called Server-Side Request Forgery (SSRF).

For example, the figure below (not reproduced here) shows a typical application that provides this function:

If the application does not properly verify and filter the URL provided by the user and the information returned by the remote server, this type of server-side request forgery may exist. Google, Facebook, Adobe, Baidu, Tencent and other well-known companies have had such vulnerabilities discovered. There are five types of attack that an attacker can achieve with SSRF:

1. Scan the Internet, the server's intranet and local ports to obtain the banner information of some services;

2. Attack applications running on the intranet or on the local machine (such as overflow attacks);

3. Fingerprint intranet web applications by accessing their default files;

4. Attack web applications on the intranet and Internet, mainly attacks that can be carried out through GET parameters (such as Struts2 vulnerabilities and SQL injection);

5. Use the file protocol to read local files.

Common back-end implementations

Code vulnerable to SSRF may be written in any language. We use some PHP code as examples for analysis; most of the code comes from real application source code.

1. PHP file_get_contents():

    <?php
    $img = '';
    if (isset($_POST['url']))
    {
        // Fetch whatever the user-supplied URL points at: no scheme, host or
        // port check is performed, so file://, internal hosts and arbitrary
        // ports are all reachable from here.
        $content = file_get_contents($_POST['url']);
        $filename = './images/'.rand().'img1.jpg';
        file_put_contents($filename, $content);
        echo $_POST['url'];
        // The <img> tag was lost in extraction; reconstructed from the
        // description below ("display it to the user").
        $img = '<img src="'.$filename.'" />';
    }
    echo $img;
    ?>

This code uses the file_get_contents() function to fetch an image from the URL specified by the user, saves it to a file on disk and displays it to the user.

2. PHP fsockopen():

    <?php
    // Open a raw TCP connection to $host:$port and send a hand-built GET
    // request for $link; all three values come from the user.
    function GetFile($host, $port, $link)
    {
        $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
        if (!$fp) {
            echo "$errstr (error number $errno) \n";
            return '';
        } else {
            $out  = "GET $link HTTP/1.1\r\n";
            $out .= "Host: $host\r\n";
            $out .= "Connection: Close\r\n\r\n";   // the blank line ends the headers
            fwrite($fp, $out);
            $contents = '';
            while (!feof($fp)) {
                $contents .= fgets($fp, 1024);
            }
            fclose($fp);
            return $contents;
        }
    }
    ?>

This code uses the fsockopen() function to obtain data (a file or HTML) from a user-defined URL. The function uses a socket to establish a TCP connection with the server and transmits raw data over it.

3. PHP curl_exec():

    <?php
    if (isset($_POST['url']))
    {   // braces were lost in extraction; without them curl_exec() runs on an undefined $link
        $link = $_POST['url'];
        $curlobj = curl_init();
        curl_setopt($curlobj, CURLOPT_POST, 0);
        curl_setopt($curlobj, CURLOPT_URL, $link);
        curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($curlobj);
        curl_close($curlobj);

        $filename = './curled/'.rand().'.txt';
        file_put_contents($filename, $result);
        echo $result;
    }
    ?>

This is another common implementation: curl is used to obtain the data.
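All three back-ends above hand the user's URL straight to the transport. The following is an added example of a hardened fetcher, not code from the original article: it allow-lists the scheme and port, resolves the host and rejects loopback, private and reserved addresses, disables redirects, and pins the connection to the validated address so a second DNS lookup cannot be answered with an internal one. The function names safe_fetch_url() and resolve_public_ip() and the allow-listed ports are assumptions for illustration. The same resolve_public_ip() check belongs in front of the fsockopen() call in GetFile() above, before any socket is opened.

```php
<?php
// Added example: hardened replacement for the file_get_contents()/curl_exec()
// handlers shown above. Names and policy (HTTP/HTTPS only, ports 80/443) are
// assumptions for illustration, not the article's own code.

// Resolve $host and return one IPv4 address only if every address it resolves
// to is public and routable. Returns null otherwise. Note: gethostbynamel()
// only returns A records, and bracketed IPv6 literals from parse_url() are
// rejected outright, so IPv6 destinations are simply not allowed here.
function resolve_public_ip(string $host): ?string
{
    $addresses = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : gethostbynamel($host);
    if (!$addresses) {
        return null;
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (and fc00::/7);
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (cloud metadata), 240/4.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                       FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $addresses[0];
}

function safe_fetch_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                       // malformed URL
    }
    // Scheme allow-list: blocks file://, gopher://, dict://, ftp:// and friends.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // Port allow-list: no port scanning through the application.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if ($port !== 80 && $port !== 443) {
        return null;
    }
    $ip = resolve_public_ip($parts['host']);
    if ($ip === null) {
        return null;                       // internal or unresolvable host
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect would bypass the checks above
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 2 * 1024 * 1024,
        // Connect to the address we validated; libcurl will not re-resolve the
        // name, so a changed DNS answer (rebinding) cannot redirect us inside.
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ip}"],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return null;
    }
    return $body;
}

// Usage in place of the vulnerable handlers: reject instead of fetching.
if (isset($_POST['url'])) {
    $content = safe_fetch_url($_POST['url']);
    if ($content === null) {
        http_response_code(400);
        exit('URL rejected');
    }
    $filename = './curled/'.rand().'.txt';
    file_put_contents($filename, $content);
    // Escape the URL before reflecting it, unlike the original echo $_POST['url'].
    echo htmlspecialchars($_POST['url'], ENT_QUOTES, 'UTF-8');
}
```

The check is done on the resolved address rather than on the host name string, because names such as a public hostname with an A record pointing at 127.0.0.1, or decimal and octal spellings of an IP, defeat string-based blacklists. Disabling redirects matters for the same reason: an allowed public host can answer with a 302 to an internal address.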

Attack scenarios

In most web server architectures, the web server itself can reach both the Internet and the server's intranet. The figure below (not reproduced here) shows where requests issued by the web server can reach.
