SSRF vulnerability learning

Posted by tetley at 2020-04-14

An SSRF vulnerability is a way to break into the internal network.

SSRF (server-side request forgery) is a security vulnerability in which an attacker constructs a request that is then initiated by the server. In general, the target of an SSRF attack is an internal system that cannot be reached from the external network: because the request is initiated by the server, it can reach internal systems that are connected to the server but isolated from the outside.

SSRF arises when the server provides a function for fetching data from other server applications without filtering or restricting the target address, for example fetching the text content of a web page from a specified URL, loading images from a specified address, or downloading files.

Where to look for the vulnerable web functions:

1. Share: share web content through a URL address

The title tag and related text content are fetched from the target URL. If the range of target addresses is not filtered and restricted in this function, there is an SSRF vulnerability.

2. Transcoding: optimize the web content at the original address, given as a URL, so that it suits mobile screens

4. Image loading and downloading: load or download images through a URL address

5. Image and article collection functions

6. Unpublished API implementations and other functions that call a URL

Finding by URL keyword:

Exclusion 1:

Exclusion 2:

* WebLogic misconfiguration, which inherently carries an SSRF vulnerability
* Discuz X2.5 / X3.0 / X3.1 / X3.2 SSRF vulnerability
* CVE-2016-1897/8 - FFmpeg
* CVE-2016-3718 - ImageMagick

Attackers can achieve three kinds of attacks through SSRF:

1. Obtain banner information of services on servers reachable from the web application and fingerprint intranet web applications, such as open ports and middleware version information.

2. Attack systems or applications running in the intranet, obtain weak passwords of intranet systems to roam the intranet, and attack vulnerable intranet web applications to obtain a webshell, for example Struts2 command execution or the Discuz SSRF chained through Redis to get a shell.

3. Combine vulnerable components with the ftp://, file://, gopher:// and dict:// protocols, for example FFmpeg arbitrary file reading or XXE attacks.

How can an ongoing SSRF attack be detected?

SSRF has certain characteristics. Typically one interface abnormally requests intranet IP addresses, which is recorded in the log system, and the requests are likely to be continuous: because the attacker has to guess addresses, there will be an obvious burst of requests within a certain period of time. This feature can be used for a preliminary judgment.
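As an added example that is not part of the original post, the following Python script applies this heuristic to a constructed access-log sample: it flags fetches whose url parameter uses a non-HTTP scheme or a literal internal IP, then reports clients whose flagged requests cluster in time. The log format, the endpoint name (/share) and the parameter name (url) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Constructed access-log sample (not from the original post): a /share endpoint whose
# `url` parameter one client points at internal hosts, several times within seconds.
SAMPLE_LOG = """\
203.0.113.7 - [14/Apr/2020:10:00:01 +0000] "GET /share?url=http://example.com/article HTTP/1.1" 200
203.0.113.9 - [14/Apr/2020:10:00:02 +0000] "GET /share?url=http://10.0.0.1:8080/ HTTP/1.1" 200
203.0.113.9 - [14/Apr/2020:10:00:04 +0000] "GET /share?url=dict://10.0.0.3:6379/info HTTP/1.1" 500
203.0.113.9 - [14/Apr/2020:10:00:05 +0000] "GET /share?url=http%3A%2F%2F127.0.0.1%3A22%2F HTTP/1.1" 200
203.0.113.9 - [14/Apr/2020:10:00:06 +0000] "GET /share?url=file:///etc/passwd HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) - \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def suspicious_target(fetch_url):
    """Reason string if fetch_url is an SSRF-style target (non-http scheme or internal IP), else None."""
    parsed = urlparse(fetch_url)
    if parsed.scheme not in ("http", "https"):
        return f"non-http scheme {parsed.scheme}://"
    try:
        ip = ip_address(parsed.hostname or "")
    except ValueError:
        return None  # a hostname; resolving it at alert time is out of scope here
    return None if ip.is_global else f"internal address {ip}"

def detect_ssrf_probes(log_text, window_seconds=60, threshold=3):
    """Map client -> reasons, for clients with >= threshold suspicious fetches inside the window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, path, _status = m.groups()
        # parse_qs percent-decodes, so the encoded 127.0.0.1 line is caught too
        for target in parse_qs(urlparse(path).query).get("url", []):
            reason = suspicious_target(target)
            if reason:
                hits[client].append((datetime.strptime(ts, TIME_FMT), reason))
    alerts = {}
    for client, events in hits.items():
        events.sort(key=lambda e: e[0])
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) >= threshold and span <= window_seconds:
            alerts[client] = [reason for _, reason in events]
    return alerts
```

Hostnames are deliberately not resolved here; in a real pipeline the target should be resolved and checked the same way, since an attacker-controlled DNS name can point at an intranet address.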

Why defend against SSRF?

Enterprise security protection is usually aimed at the external network; compared with it, internal network security is generally weaker. An SSRF vulnerability opens the door between the external and internal networks, making the seemingly solid protection collapse at once and causing great harm to the enterprise and to individuals. At the lighter end it leaks sensitive information about internal servers and systems; at the heavier end it enables lateral movement through the internal network, and combined with other vulnerabilities yields webshells on internal systems, internal network penetration and theft of sensitive data.

How to defend against SSRF?

1. Filter the returned information and verify the remote server's response to the request;

2. Unify error messages so that users cannot infer the port status of the remote server from the error message;

4. Blacklist intranet IP addresses to prevent the application from being used to fetch intranet data and attack the intranet;

6. Use regular expressions to validate parameters, preventing malformed requests from bypassing the blacklist.
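Added example, not from the original post: a Python validator for a URL-fetching feature that implements the unified-error, intranet-blacklist and parameter-validation points above, with an allowlist of schemes and ports and a check of every DNS answer before the intranet test. The function and exception names are my own; the fetcher that uses it must connect to the returned pinned IP and must not follow redirects automatically.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}   # no file://, dict://, gopher://, ftp://
ALLOWED_PORTS = {80, 443}             # a fixed small port set stops port probing

class UnsafeURL(ValueError):
    """Always raised with the same message so the caller learns nothing about the target."""

def is_internal(addr):
    # is_global is False for RFC 1918, loopback, link-local, shared (100.64/10),
    # reserved and documentation ranges alike, so one check covers the blacklist.
    return not ipaddress.ip_address(addr).is_global

def resolve_all(host):
    """Every A/AAAA answer for host (thin wrapper so tests can inject a fake resolver)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def validate_fetch_url(raw_url, resolver=resolve_all):
    """Return (url, pinned_ip) if the fetcher may request raw_url, else raise UnsafeURL."""
    parsed = urlparse(raw_url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise UnsafeURL("invalid url")
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("invalid url")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL("invalid url")
    try:
        addrs = [str(ipaddress.ip_address(parsed.hostname))]  # literal IP: no lookup
    except ValueError:
        addrs = resolver(parsed.hostname)  # hostname: check *every* answer
    if not addrs or any(is_internal(a) for a in addrs):
        raise UnsafeURL("invalid url")
    # The fetcher must connect to pinned_ip (not re-resolve) and must not follow
    # redirects automatically; each Location header goes back through this function.
    return raw_url, addrs[0]

def is_safe_url(raw_url, resolver=resolve_all):
    try:
        validate_fetch_url(raw_url, resolver)
        return True
    except UnsafeURL:
        return False
```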

1. Pig man's SSRF exploitation learning

Wooyun-2016-0215779: an SSRF vulnerability somewhere in Xiaomi (intranet shell possible; multithreaded fuzz script attached)

Wooyun-2016-0215419: an SSRF vulnerability in Tencent (a very good exploitation point), with exploit script attached

# 1 Vulnerability information

SSRF exploitation point, parameter: url

# 2 Server echo

When a remote request is initiated from the SSRF exploitation point, if the URL resource exists and its MIME type is HTML, the server-side script parses the title, img and other resources in the HTML page and returns them to the client. If the MIME type is anything else, the raw content is returned directly.

## Example 1: request port 22 of a remote server; the OpenSSH banner is echoed directly

## Example 2: request port 80 of a remote server; the page head and image resources are echoed

## Example 3: request a non-existent server or a closed port

# 3 Usage scenarios

Location 302 redirect auxiliary script [302.php]

Getshell auxiliary script [shell.php]

# 4 Protocols supported by the server

## dict protocol - dict://<host>:8080/hello:dict


## gopher protocol - gopher://<host>:8080/gopher


## file protocol - file:///etc/passwd

A supplementary script is needed here

The server requests the 302 redirect and then reads its own local file directly

## Conclusion

From the echoed results it can be judged that the server's curl is an older version, 7.15.1, which supports dict, FTP, gopher and other protocols

2. Pig man uses the SSRF vulnerability to get a shell on the intranet

# 1 Vulnerability detection and inspection

First comes vulnerability testing, to find where the vulnerability is located. When a URL pointing to an Internet host is passed in, a fast response indicates that the vulnerability exists.

For example: accessing the server

In addition, to probe the intranet you need to know the intranet address range; Pig man obtained it through info.php.

# 2 Analysis of the principle behind the intranet service detection rules

Port 8080 is open, and the page loads in 1s

Using the FTP protocol to access the open port 8080, the page stays in keep-alive until nginx's timeout fires

Accessing the non-existent port 11011 triggers the timeout of Xiaomi's nginx, and loading completes in 3.1s

In other words, open intranet port services can be detected from the time it takes the page to finish loading

# 3 Building the intranet detection script

Pig man's intranet detection script

In addition, Pig man also mentioned another detection method: if the returned page content length is less than 9, the service is open.

Traversal detection of fixed B and C segments of the 10.x network

Pig man's fixed segment traversal script

Random detection of 10.x intranet segments

Pig man's random segment traversal script

# 4 Remote exploitation and analysis using the dict protocol

SSRF exploit script

Above is Pig man's source code. Next, I will extract and analyze it.

# Sorted exploitation statements

Using Redis to write a scheduled task (cron) to obtain root privileges

# Operations after successfully obtaining a shell

# 5 Struts2 command execution rules table

# 6 Remediation plan:

1. Apply the patch

2. On the server that issues the SSRF requests, use iptables to block access to intranet resources