SSRF - ianchen0119/About-Security GitHub Wiki

SSRF

SSRF stands for Server-Side Request Forgery. It is a vulnerability in which an attacker constructs a malicious request that causes the server itself to issue a request. For example, an ordinary user normally cannot reach information on the server's internal network, but if the service has an SSRF vulnerability, that private information can be obtained through it.

Case study: SSRFrog

SSRFrog was one of the challenges in the Bamboo Fox 2021 CTF.

(image: SSRFrog Challenge)

Clicking the link gives us this page: (image: SSRFrog Page)

The first thing we did was View Source on the page, and we saw this in a comment:

FLAG is on this server: http://the.c0o0o0l-fl444g.server.internal:80

We are also given a link to the source code:

```javascript
const express = require("express");
const http = require("http");

const app = express();

app.get("/source", (req, res) => {
    return res.sendFile(__filename);
})
app.get('/', (req, res) => {
    const { url } = req.query;
    if (!url || typeof url !== 'string') return res.sendFile(__dirname + "/index.html");

    // no duplicate characters in `url` (the only filter applied to the user-supplied URL)
    if (url.length !== new Set(url).size) return res.sendFile(__dirname + "/frog.png");

    try {
        // SSRF sink: the server fetches whatever URL the client supplied and relays the body
        http.get(url, resp => {
            resp.setEncoding("utf-8");
            resp.statusCode === 200 ? resp.on('data', data => res.send(data)) : res.send(":(");
        }).on('error', () => res.send("WTF?"));
    } catch (error) {
        res.send("WTF?");
    }
});

app.listen(3000, '0.0.0.0');
```

URL Obfuscator (Domain Obfuscator)
