From 58bf59d2514dab6f78f222ae04f64b0a9619eb81 Mon Sep 17 00:00:00 2001
From: CPol
Date: Sun, 22 Jan 2023 18:27:01 +0000
Subject: [PATCH] GitBook: [#3758] No subject
---
 SUMMARY.md | 1 +
 .../pentesting-web/php-tricks-esp/php-ssrf.md | 77 +++++++++++++++++++
 .../README.md | 6 ++
 .../cloud-ssrf.md | 1 +
 4 files changed, 85 insertions(+)
 create mode 100644 network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
diff --git a/SUMMARY.md b/SUMMARY.md
index c9f245d4..a7993eaf 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -349,6 +349,7 @@
 * [disable\_functions bypass - mod\_cgi](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-mod\_cgi.md)
 * [disable\_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl\_exec](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
 * [PHP - RCE abusing object creation: new $\_GET\["a"\]($\_GET\["b"\])](network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md)
+ * [PHP SSRF](network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
 * [Python](network-services-pentesting/pentesting-web/python.md)
 * [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md)
 * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
new file mode 100644
index 00000000..d0b63e4f
--- /dev/null
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
@@ -0,0 +1,77 @@
+# PHP SSRF
+
+
+
+🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+### SSRF PHP functions
+
+Some function such as _**file\_get\_contents(), fopen(), file(), md5\_file()** _ accept URLs as input that they will follow making **possible SSRF vulnerabilities** if the use can control the data:
+
+```php
+file_get_contents("http://127.0.0.1:8081");
+fopen("http://127.0.0.1:8081", "r");
+file("http://127.0.0.1:8081");
+md5_file("http://127.0.0.1:8081");
+```
+
+### CRLF
+
+Moreover, in some cases it might be even possible to send arbitrary headers via CRLF "vulnerabilities" in the previous functions:
+
+```php
+# The following will create a header called from with value Hi and
+# an extra header "Injected: I HAVE IT"
+ini_set("from", "Hi\r\nInjected: I HAVE IT");
+file_get_contents("http://127.0.0.1:8081");
+
+GET / HTTP/1.1
+From: Hi
+Injected: I HAVE IT
+Host: 127.0.0.1:8081
+Connection: close
+
+# Any of the previously mentioned functions will send those headers
+```
+
+{% hint style="warning" %}
+For more info about that CRLF vuln, check this bug [https://bugs.php.net/bug.php?id=81680\&edit=1](https://bugs.php.net/bug.php?id=81680\&edit=1)
+{% endhint %}
+
+Note that these function might have other methods to set arbitrary headers in requests, like:
+
+```php
+$url = "";
+
+$options = array(
+ 'http'=>array(
+ 'method'=>"GET",
+ 'header'=>"Accept-language: en\r\n" .
+ "Cookie: foo=bar\r\n" . // check function.stream-context-create on php.net
+ "User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad
+ )
+);
+
+$context = stream_context_create($options);
+$file = file_get_contents($url, false, $context);
+```
+
+
+
+🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
diff --git a/pentesting-web/ssrf-server-side-request-forgery/README.md b/pentesting-web/ssrf-server-side-request-forgery/README.md index c85b894d..47df4ab3 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/README.md +++ b/pentesting-web/ssrf-server-side-request-forgery/README.md @@ -186,6 +186,12 @@ If the web page is automatically creating a PDF with some information you have p Create several sessions and try to download heavy files exploiting the SSRF from the sessions. +## SSRF PHP Functions + +{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %} +[php-ssrf.md](../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md) +{% endcontent-ref %} + ## SSRF Redirect to Gopher For some exploitations you might need to **send a redirect response** (potentially to use a different protocol like gopher). Here you have different python codes to respond with a redirect: diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index ac413b6b..72b52ed3 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -257,6 +257,7 @@ gcloud projects lists echo "" > /some/path/to/token gcloud config set auth/access_token_file /some/path/to/token gcloud projects lists +gcloud config unset auth/access_token_file ``` {% endhint %}