SSRF workshop
Uploaded by ivan-novikov
Transcript of SSRF workshop

SSRF exploitation. Workshop
Special for DefCon-UA
08/12/2012 Moscow, Neuron Hackspace

SSRF - Server Side Request Forgery
● The ability to create requests from the vulnerable server to the intranet/internet
● Using a protocol supported by the available URI schemas, you can communicate with services running on other protocols (smuggling)

SSRF - Server Side Request Forgery
● What can I do with forged requests?
● Anything!
○ Get data from the internal network!
○ Exploit all host-based auth!
○ Exploit local services on the loopback interface!
○ etc...

SSRF - Server Side Request Forgery
[Diagram: an HTTP request crosses the firewall to the frontend, which sends an API request to the backend in the intranet; the forged requests give access to the internal network and to the loopback interface]

SSRF - reasons
● SSRF is not a vulnerability
● SSRF is a class of attacks
● XXE, RFI, CRLF injection and others are SSRF's friends
● Anything that can open a socket can be SSRFed

SSRF - reasons
● Direct writing to sockets in the webapp
● HTTP clients (libcurl, LWP, Java:URL, etc.)
● Database functions
● Format processing
○ XML parsers (XXE, DTD, XSD, XSLT, etc.)
○ OpenOffice (DDE, dynamic data, etc.)
○ PDF (tcpdf library, etc.)

SSRF - what stuff is needed?
● Desire
● Luck
● Ability to anticipate and assume
● nc (nc -l -vv -p 12345)
● SSRF cheatsheet doc

SSRF - cheatsheet
● We collected all related information about SSRF and its exploitation in one cheatsheet:
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit

HTTP clients bugs
Bypass webapp filters (e.g. preg_replace checks) using a redirect:
● any host -> localhost
● valid port -> any port
● valid schema -> any schema
● SOP is for browsers, not for HTTP clients

CASE #1. Market & Payment system. OAuth token hijacking
● Application receives an OAuth token from the payment server
● Token is added to the HTTP request created by libcurl via CURLOPT_HTTPHEADER
● This header will be appended to all requests sent by libcurl. Even after redirects ;)

CASE #1. Market & Payment system. OAuth token hijacking
● Find an open redirect vuln (WASC-38) at the payment server
● Change the payment url to call the redirect instead of a valid payment transaction
● Jack the OAuth token from the market to the payment system ;)
https://dev.onsec.ru/workshop/market/

CASE #1. Market & Payment system. OAuth token hijacking
[Diagram: the market sends an HTTP request with the OAuth token to the payment system; through the open redirect vuln on the payment system, the SSRF attack sends that HTTP request, OAuth token included, on to the evil host, which thus obtains the OAuth token from the market]

Let's go to server-side exploitation
● SSRF is really cool for exploiting host-based auth
● Host-based auth must die ;)
● NoSQL databases, monitoring services and much more grant privileges to loopback connections by default

Protocol smuggling
● When you say "GET / HTTP/1.1", what does a service hear?
● When you receive data over one of the prehistoric protocols, what TCP packet do you send?
● When you say "bla[valid packet]bla", what does a service hear?

Protocols and URI schemas in HTTP clients
● gopher:// lets you create almost any TCP packet (no 0x00 for cURL, no bytes greater than 0x7f for Java)
● dict:// lets you forge the second line of a plain-text request (cURL only)
● ldap:// lets you forge a request with a constant prefix (LWP only)

What makes smuggling possible?
● HTTP clients don't check the protocol but send data immediately after connect (ldap for LWP)
● Services do not close the socket after receiving an invalid packet
● The protocol that you can forge fits within the protocol that you want to exploit

CASE #2. WordPress exploitation
● Yes, it is the latest WordPress (3.4.2) without any plugins
● Reason: libcurl unsafe redirect
● But SSRF can be triggered only from the admin panel
● Use our old friend CSRF!
● CSRF + SSRF make you happy ;)

CASE #2. WordPress exploitation
● No gopher:// protocol in Debian squeeze for cURL
● But dict:// is available and lets us exploit memcached
● CSRF + SSRF = memcached exploit ;)
https://dev.onsec.ru/workshop/wordpress/
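The redirect bypasses of the "HTTP clients bugs" slide and of cases #1 and #2 all come down to a client that follows a 3xx into a scheme, host or port the application never meant to reach. As an added example (written for this transcript in Python, not code from the workshop or from libcurl/LWP), here is a fetch wrapper that follows redirects itself so every hop is re-checked against a scheme and port allowlist and a resolved-address denylist (so a hop to gopher://, dict://, localhost or port 11211 is refused) and that drops the Authorization header when a hop leaves the original host. The hostnames, addresses, token and the send/resolve fixtures are constructed stand-ins.

```python
import ipaddress
from urllib.parse import parse_qs, urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no gopher://, dict://, ldap://, file://
ALLOWED_PORTS = {80, 443}            # no 11211 (memcached), 10050 (zabbix agentd)

def is_safe_target(url, resolve):
    """resolve(host) -> list of IP strings, injected so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except ValueError:  # malformed port or unresolvable host
        return False
    # Reject loopback, RFC 1918, link-local (169.254/16) and other non-routable ranges.
    return bool(addrs) and port in ALLOWED_PORTS and not any(
        a.is_loopback or a.is_private or a.is_link_local or a.is_reserved
        or a.is_multicast or a.is_unspecified for a in addrs)

def safe_fetch(url, headers, send, resolve, max_hops=3):
    """send(url, headers) -> (status, resp_headers, body); 3xx followed by hand."""
    origin = urlsplit(url).hostname
    for _ in range(max_hops + 1):
        if not is_safe_target(url, resolve):  # every hop is re-validated
            raise ValueError("blocked target: " + url)
        status, resp_headers, body = send(url, headers)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, resp_headers["Location"])
        if urlsplit(url).hostname != origin:  # token must not leave the payment host
            headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    raise ValueError("too many redirects")

# Constructed fixtures (hypothetical hosts, no network): the payment host has an
# open redirect at /redirect?to=..., the shape of the bug in case #1.
FAKE_DNS = {"payment.example": ["93.184.216.34"], "external.example": ["93.184.216.35"],
            "localhost": ["127.0.0.1"]}
def fake_resolve(host):
    return FAKE_DNS.get(host, [host])  # literal IPs fall through to ip_address()
def fake_send(url, headers):
    p = urlsplit(url)
    if p.hostname == "payment.example" and p.path == "/redirect":
        return 302, {"Location": parse_qs(p.query)["to"][0]}, b""
    return 200, {}, ("host=%s auth=%s" % (p.hostname, headers.get("Authorization"))).encode()
def fetch_outcome(url, token="Bearer TEST-TOKEN"):  # body on success, None when blocked
    try:
        return safe_fetch(url, {"Authorization": token}, fake_send, fake_resolve)[1]
    except ValueError:
        return None
```

In a real client the connection must be pinned to the address that was validated (or the check done inside the client's resolver hook); resolving once for the check and again for the connect leaves a window for DNS rebinding.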

Format processors are SSRF friends
● On 23/03/2012 in Kyiv I talked about XXE-based SSRF
● XML parsers, DTD, XSD, XSLT - all of them provide SSRF
● OpenOffice provides SSRF
● Many processing libraries provide SSRF
● Anything that can open a socket can be SSRFed

CASE #3. TCPDF library SSRF
● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application converts users' HTML to
● What about external resources such as images?
● TCPDF uses cURL
https://dev.onsec.ru/workshop/pdfconv/

CASE #4. LWP avatars uploader
● LWP - libwww-perl
● Useful and common library
● Provides unsafe redirect ;)
● Supports the gopher protocol by default ;)
● Let's go!!!

CASE #4. LWP avatars uploader. Zabbix agentd exploitation
● Zabbix is a common monitoring system
● Zabbix agentd - local daemon for various checks
● Host-based auth ;)
● Supports command execution ;)
https://dev.onsec.ru/workshop/avatars/

CASE #5. Have some free time?
● Let's go: Postgres exploitation
● The dblink() function lets us do SSRF through SQLi
http://www.postgresql.org/docs/8.4/static/dblink.html
SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' port=11211 sslmode=disable','select 1');