SSRF – Server Side Request Forgery attacks. The ability to create requests from the vulnerable server to intra/internet. Using a protocol supported by available URI schemas, you can communicate with services running on other protocols. Here we collect the various options and examples (exploits) of such interaction.
Typical Attack Steps
1. Scan internal network to determine internal infrastructure which you may access.
2. Collect opened ports at localhost and other internal hosts which you want (basically bytime-based determination).
3. Determine services/daemons on ports using wiki or daemons banners (if you may watch output) – also called “banner grabbing”.
4. Determine the type of your SSRF combination:
○ Direct socket access (such as this example )
○ Sockets client (such as java URI, cURL, LWP, others)
5. In case of direct socket access determine CRLF and other injections for smuggling.
6. In case of sockets client, determine available URI schemes.
7. Compare available schemas and services/daemons protocols to find smuggling possibilities.
8. Determine host-based auth daemons and try to exploit it
File Descriptors Exploitation Way
Useful in clouds, shared hostings and others large infrastructures.
There are three ways to access to FDs:
● Interpreters API (such as fd:// wrapper for PHP).
○ If there are no such API or required functions disabled, you can try to load native.
Extension: PHP (require dlopen, but not exec)
● exec() call from API (such as exec(‘echo 123 > & <FDN> ’);)
○ You may access only FDs without O_CLOEXEC
○ C program to scan available FDs is here.
● ProcFS files (/proc/ <PID> /fd/ <N> )
* Note, that you can not access to sockets through /proc/<PID>/fd/<N> files!
You can find the SSRF Bible PDF by ONSEC Lab here.