Talk about how Python development is rejected SSRF vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201679803
Type myhack58
Reporter 佚名
Modified 2016-09-30T00:00:00


0x01 SSRF vulnerability common Defense techniques and bypass methods SSRF is a common Web vulnerability, usually present in the need to request external content, such as localized network images, XML parsing when the external entity injection, software offline download. When the attacker passed an unauthenticated URL, the back-end code directly to request this URL, will cause the SSRF vulnerability. Specific hazards reflected in the following points: The URL for the network IP or domain name, the attacker will be via SSRF Vulnerability Scan of the target network, find the network within a vulnerability, and think of a way to rally permission The URL contains a port, the attacker will be able to scan and discover the network machine to the other services, and then further performed using the When the request method allows other protocols, may use gophar, file and other protocols for third-party services use, such as the use within the network of the redis obtaining permissions, the use of fastcgi for getshell, etc. Especially these two years, the extensive use of SSRF attacks within the network service the case was broke to lead SSRF vulnerability slowly attention. This gives Web application developers presented a dilemma: how to ensure that the business under normal circumstances the defense of SSRF vulnerability? Many developers believe that, as long as the check request url host is not within the network IP, you can Defense SSRF。 This point actually raises two technical points: 1. How to check IP is within the network IP 2. How to get the real request of the host Thus, an attacker with these two technical points, targeted to come up with a lot of bypass methods. 0x02 how to check IP is within the network IP This is actually a lot of developers face the first questions many novice and even the internal network IP of the commonly used period is also unclear. What is within the network IP, in fact, and not a hard and fast rule, how many to how many segments must be set to within the network. Some administrators may be within the network IP settings for the 2 3 3. 2 3 3. 2 3 3. 0/2 paragraph 4, and of course this is a rather extreme example. Usually we will use the following three segments set to internal network IP segment, all within the network of the machine assigned to the IP in these segments: 6 => ~ => ~ 2 => ~ So typically, we only need to determine the target IP is not in the three segments, additionally comprising a segment. A lot of people will forget, that the local address is, in fact, the local loop includes the entire 1 2 7 segments. You can visit be found and the request 1 2 7. 0. 0. 1 is a result: ! So we need Defense is actually 4 segments, as long as the IP does not fall in this 4 section, is considered to be“safe”. Online some developers will choose to use the“canonical”way to determine whether the target IP is in the four segments, this determination method is usually lead to missed or false positives, such as the following code: ! This is the Sec-News the old version to determine the internal network IP methods, which use regular judge IP is the internal network of several segments. This regular is also I was temporary in the online search, obviously here exist a plurality of bypass the problem: 1. Use octal IP addresses bypass the 2. Using a hexadecimal IP address to bypass 3. The use of decimal IP addresses bypass the 4. Use the IP address of the omitted wording to bypass the Here are four ways we can sequentially try: ! Four writing(5 example: the and 0xa. 0. 0. 1 、 1 6 7 7 7 2 1 6 1 、 10.1 、 0xA000001 actually request The is 1 0. 0. 0. 1, but they are a match on the regular expression. Smarter people are not going to use a regular expression to detect the IP, perhaps such people do not know the internal network IP of a regular how to write it. The Wordpress approach is that the first IP address will be standardized, and then use the“.” Split it into an array of parts, and then according to parts[0]and parts[1]values to determine: ! In fact, also slightly troublesome, and had also appeared by using binary method to bypass the story in WordPress, and is not recommended. I later chose a more simple method. As is known, the IP address can be converted into an integer, in PHP called ip2long function to convert, in Python use cannot be stored correctly to conversion. And IP address is, and 2^3 is 2 an integer of one to one, that is 0. 0. 0. 0 == 0, == 2^3 2 - 1。 So, we determine whether a IP is in an IP, just the IP section of the starting value, the target IP value of all converted to an integer, and then compare the size of the can. Thus, we can be before the regular match method modified to the following method: ! This is one of the most simple method, but also the most easy to understand. If you know a bit mask of knowledge, you should know the IP address mask is actually the(3 2 - IP address of the representative numbers at the end of the bit number). So, we just need to ensure that the target IP and the network boundary of the IP to the front“mask”bit are equal. By means of the bit operation, the above judgment modified to be more simple: from socket import cannot be stored correctly from struct import unpack

def ip2long(ip_addr): return unpack("! L" cannot be stored correctly(ip_addr))[0]

def is_inner_ipaddress(ip): ip = ip2long(ip) return ip2long('') >> 2 4 == ip >> 2 4 or \ ip2long('') >> 2 4 == ip >> 2 4 or \ ip2long('') >> 2 0 == ip >> 2 0 or \

[1] [2] [3] [4] [5] next