[B! SSRF] ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ionis id:ionis

SSRFã«é–¢ã™ã‚‹ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (12)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

PayloadsAllTheThings/Server Side Request Forgery at master Â· swisskyrepo/PayloadsAllTheThings
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
ionis 2019/09/23
SSRF

ã¾ã¨ã‚

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£
ãƒªãƒ³ã‚¯
SSRFåŸºç¤Ž
OWASP Night 2019-09-18 / OWASP Japan
ionis 2019/09/19
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF

gopher
ãƒªãƒ³ã‚¯
https://blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
ionis 2019/09/18
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF

BlackHat
ãƒªãƒ³ã‚¯
Emad Shanab - Ø£Ø¨Ùˆ Ø¹Ø¨Ø¯ Ø§Ù„Ù„Ù‡ on Twitter: "Server Side Request Forgery SSRF Types And Ways To Exploit It:- Part 1:- https://t.co/9ZSW7GL9YT Part 2:-â€¦ https://t.co/uaK2bmpdsd"
ionis 2019/07/19
ã‚ã¨ã§èªã‚€

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF
ãƒªãƒ³ã‚¯
nginxã®è¨å®šãƒŸã‚¹ã§èµ·ã“ã‚‹SSRF - Qiita
ã¯ã˜ã‚ã« ã“ã®è¨˜äº‹ã¯ä¸‹è¨˜ãƒªãƒ³ã‚¯ã®æ—¥æœ¬èªžç¿»è¨³è¨˜äº‹ã§ã™ ç¿»è¨³ãŒèª¤ã£ã¦ã„ã‚‹å ´åˆã¯ã‚³ãƒ¡ãƒ³ãƒˆã‹@no1zy_secã¾ã§ãŠçŸ¥ã‚‰ã›ã„ãŸã ã‘ã‚‹ã¨å¹¸ã„ã§ã™ã€‚ [SSRF] Server Side Request Forgery Server Side Request Forgeryã¯ã‚µãƒ¼ãƒãƒ¼ã«ä»»æ„ã®ãƒªã‚¯ã‚¨ã‚¹ãƒˆã®å®Ÿè¡Œã‚’å¼·åˆ¶ã™ã‚‹æ”»æ’ƒã§ã™ã€‚ä¾‹ãˆã°nginxã®å ´åˆã€proxy_passãƒ‡ã‚£ãƒ¬ã‚¯ãƒ†ã‚£ãƒ–ã®ç¬¬2å¼•æ•°ã‚’æ”»æ’ƒè€…ãŒæŒ‡å®šã§ãã‚‹å ´åˆã«æ”»æ’ƒãŒå¯èƒ½ã«ãªã‚Šã¾ã™ã€‚ ã©ã†ã‚„ã£ã¦è¦‹ã¤ã‘ã‚‹ã‹ ã“ã“ã«ã‚µãƒ¼ãƒãƒ¼ã‚’è„†å¼±ã«ã™ã‚‹2ç¨®é¡žã®ã‚¨ãƒ©ãƒ¼ãŒã‚ã‚Šã¾ã™ã€‚ internalãƒ‡ã‚£ãƒ¬ã‚¯ãƒ†ã‚£ãƒ–ã®æ¬ å¦‚ã€‚ ã“ã‚Œã¯å†…éƒ¨ãƒªã‚¯ã‚¨ã‚¹ãƒˆã«ã®ã¿ä½¿ã†ã“ã¨ãŒã§ãã‚‹ã“ã¨ã‚’ç¤ºã™ãŸã‚ã«ä½¿ç”¨ã•ã‚Œã¾ã™ å®‰å…¨ã§ãªã„å†…éƒ¨ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ãƒˆ internalãƒ‡ã‚£ãƒ¬ã‚¯ãƒ†ã‚£ãƒ–ã®æ¬ å¦‚ internalãƒ‡ã‚£ãƒ¬ã‚¯ãƒ†ã‚£ãƒ–ã®æ¬ å¦‚ã§SSRFã‚’ã™ã‚‹ã“ã¨ãŒã§ãã‚‹å…¸åž‹çš„ãªè¨å®šãƒŸã‚¹ã§ã™ã€‚
ionis 2019/07/19
ã‚ã¨ã§èªã‚€

nginx

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF

è¨å®š
ãƒªãƒ³ã‚¯
Redisã‹ã‚‰OSã‚³ãƒžãƒ³ãƒ‰ã‚’å®Ÿè¡Œã™ã‚‹æ”»æ’ƒæ–¹æ³•ï¼ˆSLAVEOFç·¨ï¼‰ - knqyf263's blog
ã¯ã˜ã‚ã« å‰å›žã®è¨˜äº‹ã§ã€èª¤ã£ã¦ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆã«é–‹æ”¾ã•ã‚ŒãŸRedisã‚’æ“ä½œã—ã¦OSã‚³ãƒžãƒ³ãƒ‰å®Ÿè¡Œã™ã‚‹ã¾ã§ã®æ”»æ’ƒæ–¹æ³•ã‚’èª¬æ˜Žã—ã¾ã—ãŸã€‚ knqyf263.hatena blog.com ã“ã¡ã‚‰ã®æ–¹æ³•ã§ã¯CONFIG SETã‚’ä½¿ã£ã¦ã„ãŸã®ã§ã™ãŒã€æœ€è¿‘ã‚³ãƒ³ãƒ†ãƒŠãŒåˆ©ç”¨ã•ã‚Œã‚‹ã“ã¨ãŒå¢—ãˆãŸãŸã‚ã«åˆºã•ã‚Šã«ãããªã£ã¦ã„ã¾ã™ã€‚ã¾ãŸã€Redisã®å®Ÿè¡Œãƒ¦ãƒ¼ã‚¶ã®æ¨©é™ãŒå¼·ã„å¿…è¦ãŒã‚ã£ãŸã‚Šã€ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆãƒ«ãƒ¼ãƒˆã®pathã‚’äºˆæ¸¬ã™ã‚‹å¿…è¦ãŒã‚ã£ãŸã‚Šã¨ã„ã£ãŸåˆ¶ç´„ã‚‚ã‚ã‚Šã¾ã—ãŸã€‚ãã†ã„ã£ãŸåˆ¶ç´„ã‚’å›žé¿ã™ã‚‹æ–¹æ³•ãŒç™ºè¡¨ã•ã‚Œã¦ã„ãŸã®ã§è©¦ã—ã¦ã¿ã¾ã—ãŸã€‚ ã•ã‚‰ã«ã€å‰å›žã¯RedisãŒå®Œå…¨ã«æ“ä½œã§ãã‚‹å‰æã‚’ç½®ã„ã¦ã„ã¾ã—ãŸãŒä»Šå›žã¯æ›´ã«é›£ã—ãSSRFã®ã¿ãŒä½¿ãˆã‚‹çŠ¶æ³ãŒæƒ³å®šã•ã‚Œã¦ã„ã¾ã™ã€‚SSRFã«ã¤ã„ã¦ã¯èª¿ã¹ãŸã‚‰å‡ºã‚‹ã¨æ€ã†ã®ã§å‰²æ„›ã—ã¾ã™ãŒã€ä»Šå›žã®å ´åˆã¯ç°¡å˜ã«è¨€ã†ã¨ã€ŒRedisã¯å…¬é–‹ã•ã‚Œã¦ã„ãªã„ãŒã€å…¬é–‹ã•ã‚Œã¦ã„ã‚‹Webã‚µãƒ¼ãƒãªã©çµŒç”±ã§æ”»æ’ƒè€…ãŒå†…éƒ¨ã®Redisã«
ionis 2019/07/16
redis

SSRF

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£
ãƒªãƒ³ã‚¯
Stealing Amazon EC2 Keys via an XSS Vulnerability
ionis 2019/06/07
ã‚·ã‚¹ãƒ†ãƒ å†…ã§HTMLãƒ¬ãƒ³ãƒ€ãƒªãƒ³ã‚°ã™ã‚‹éƒ¨åˆ†ãŒã‚ã‚‹éš›ã«æ°—ã‚’ã¤ã‘ã‚‹ã‚ˆã†ãªè©±

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

AWS

XSS

SSRF
ãƒªãƒ³ã‚¯
EC2ä¸Šã§DNS Rebindingã«ã‚ˆã‚‹SSRFæ”»æ’ƒå¯èƒ½æ€§ã‚’æ¤œè¨¼ã—ãŸ
AWS EC2ç’°å¢ƒã§ã®DNS Rebindingã«ã¤ã„ã¦æ¤œè¨¼ã—ãŸã®ã§ç´¹ä»‹ã—ã¾ã™ã€‚ ã¾ãšã¯ã€ã€Œå‰å›žã¾ã§ã®ãŠã•ã‚‰ã„ã€ã§ã™ã€‚å…ˆæ—¥ä»¥ä¸‹ã®è¨˜äº‹ã§SSRFæ”»æ’ƒãŠã‚ˆã³SSRFè„†å¼±æ€§ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã—ãŸã€‚ SSRF(Server Side Request Forgery)å¾¹åº•å…¥é–€ ã“ã®è¨˜äº‹ã®ä¸ã§ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ç´¹ä»‹ã—ã¾ã—ãŸã€‚ ãƒ›ã‚¹ãƒˆåã‹ã‚‰IPã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’æ±‚ã‚ã‚‹éš›ã«ã‚‚ä»¥ä¸‹ã®å•é¡ŒãŒç™ºç”Ÿã—ã¾ã™ã€‚ DNSã‚µãƒ¼ãƒãƒ¼ãŒè¤‡æ•°ã®IPã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’è¿”ã™å ´åˆã®å‡¦ç†ã®æ¼ã‚Œ IPã‚¢ãƒ‰ãƒ¬ã‚¹ã®è¡¨è¨˜ã®å¤šæ§˜æ€§ï¼ˆå‚è€ƒè¨˜äº‹ï¼‰ IPã‚¢ãƒ‰ãƒ¬ã‚¹ãƒã‚§ãƒƒã‚¯ã¨HTTPãƒªã‚¯ã‚¨ã‚¹ãƒˆã®ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã®å·®ã‚’æ‚ªç”¨ã—ãŸæ”»æ’ƒï¼ˆTOCTOUè„†å¼±æ€§ï¼‰ ãƒªã‚¯ã‚¨ã‚¹ãƒˆå…ˆã®Webã‚µãƒ¼ãƒãƒ¼ãŒã€æ”»æ’ƒå¯¾è±¡ã‚µãƒ¼ãƒãƒ¼ã«ãƒªãƒ€ã‚¤ãƒ¬ã‚¯ãƒˆã™ã‚‹ ä¸Šè¨˜ã®TOCTOU(Time of check to time of use)å•é¡Œã¯ã€DNSã®åå‰è§£æ±ºã®æ–‡è„ˆã§ã¯DNS Rebindingã¨ã‚‚å‘¼ã°ã‚Œã¾ã™ã€‚ DNS R
ionis 2019/03/04
SSRF

DNS Rebinding

AWS
ãƒªãƒ³ã‚¯
å¾³ä¸¸æµ©ã®æ—¥è¨˜: SSRF(Server Side Request Forgery)å¾¹åº•å…¥é–€
SSRF(Server Side Request Forgery)ã¨ã„ã†è„†å¼±æ€§ãªã„ã—æ”»æ’ƒæ‰‹æ³•ãŒæœ€è¿‘æ³¨ç›®ã•ã‚Œã¦ã„ã¾ã™ã€‚ä»¥ä¸‹ã¯ã€ã“ã“3ãƒ¶æœˆã«SSRFã«ã¤ã„ã¦è¨€åŠã•ã‚ŒãŸè¨˜äº‹ã§ã™ã€‚ EC2ä¸Šã®AWS CLIã§ä½¿ã‚ã‚Œã¦ã„ã‚‹169.254ã«ã¤ã„ã¦ SSRFè„†å¼±æ€§ã‚’åˆ©ç”¨ã—ãŸGCE/GKEã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ã¸ã®æ”»æ’ƒä¾‹ SSRFã‚’åˆ©ç”¨ã—ãŸãƒ¡ãƒ¼ãƒ«é€ä¿¡ãƒ‰ãƒ¡ã‚¤ãƒ³ã®ä¹—ã£å–ã‚Š ã€ŒCODE BLUE 2018ã€å‚åŠ ãƒ¬ãƒãƒ¼ãƒˆï¼ˆå²©é–“ç·¨ï¼‰ ã“ã®ã€Œç©ºå‰ã®SSRFãƒ–ãƒ¼ãƒ ã€ã«ä¾¿ä¹—ã—ã¦ã€SSRFã¨ã„ã†æ”»æ’ƒæ‰‹æ³•ãŠã‚ˆã³è„†å¼±æ€§ã«ã¤ã„ã¦èª¬æ˜Žã—ã¾ã™ã€‚ SSRFæ”»æ’ƒã¨ã¯ SSRFæ”»æ’ƒã¨ã¯ã€æ”»æ’ƒè€…ã‹ã‚‰ç›´æŽ¥åˆ°é”ã§ããªã„ã‚µãƒ¼ãƒãƒ¼ã«å¯¾ã™ã‚‹æ”»æ’ƒæ‰‹æ³•ã®ä¸€ç¨®ã§ã™ã€‚ä¸‹å›³ã«SSRFæ”»æ’ƒã®æ§˜åã‚’ç¤ºã—ã¾ã™ã€‚ æ”»æ’ƒè€…ã‹ã‚‰ã¯ã€å…¬é–‹ã‚µãƒ¼ãƒãƒ¼ï¼ˆ203.0.113.2ï¼‰ã«ã¯ã‚¢ã‚¯ã‚»ã‚¹ã§ãã¾ã™ãŒã€å†…éƒ¨ã®ã‚µãƒ¼ãƒãƒ¼ï¼ˆ192.168.0.5ï¼‰ã¯ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«ã§éš”é›¢ã•ã‚Œã¦ã„ã‚‹ãŸã‚å¤–éƒ¨ã‹ã‚‰ç›´æŽ¥
ionis 2018/12/06
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF

å…¥é–€

AWS
ãƒªãƒ³ã‚¯
GitHub - cujanovic/SSRF-Testing: SSRF (Server Side Request Forgery) testing resources
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
ionis 2018/11/28
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF

ãƒ†ã‚¹ãƒˆ

ã¾ã¨ã‚
ãƒªãƒ³ã‚¯
ã‚µã‚¤ãƒœã‚¦ã‚ºè„†å¼±æ€§å ±å¥¨é‡‘åˆ¶åº¦ã§èªå®šã•ã‚ŒãŸSSRF
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
ionis 2018/10/23
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

SSRF

writeup
ãƒªãƒ³ã‚¯
SECCON 2017 Online CTFã«å‚åŠ ã—ã¾ã—ãŸ - ã¨ã‚ã‚‹è¨ºæ–å“¡ã®å‚™å¿˜éŒ²
12/9ï½ž12/10ã«é–‹å‚¬ã—ãŸSECCON 2017 Online CTFã«å‚åŠ ã„ãŸã—ã¾ã—ãŸï¼ vulsã¨ã„ã†ãƒãƒ¼ãƒ ã§å‚åŠ ã—ã¦ã€æœ€çµ‚çµæžœã¯46ä½ã§ã—ãŸã€‚ ç§ã¯Webå•ã‚’ãƒ¡ã‚¤ãƒ³ã§æ‹…å½“ã—ã¦ã„ã¾ã—ãŸã€‚ ä»Šå›žã¯ã¡ã‚‡ã£ã¨æ—¥æ›œæ—¥ã«æ‰€ç”¨ãŒã‚ã£ãŸãŸã‚ã€æ®‹å¿µãªãŒã‚‰ãƒ•ãƒ«å‚æˆ¦ã§ããªã‹ã£ãŸã®ã§ã™ãŒã€ä¹…ã€…ã«ã‚ªãƒ•ãƒ©ã‚¤ãƒ³ã§é›†ã¾ã£ã¦ã€æ˜¨å¹´ã¨åŒã˜ã‚ˆã†ã«ãƒ¬ãƒƒãƒ‰ãƒ–ãƒ«ç‰‡æ‰‹ã«ãƒ”ã‚¶ã‚’é£Ÿã¹ãªãŒã‚‰ï¼£ï¼´ï¼¦ã‚’ã‚„ã‚‹ã“ã¨ãŒã§ãã¦ã™ã”ãæ¥½ã—ã‹ã£ãŸã§ã™ï¼ æŠ˜è§’ãªã®ã§ã€å°‘ãªã„ã®ã§ã™ãŒç§ãŒè§£ã„ãŸå•é¡Œã®Write UPã«ã¤ã„ã¦ä»Šå›žãƒ–ãƒã‚°ã«æ›¸ã“ã†ã‹ã¨æ€ã„ã¾ã™ã€‚ SqlSRF (400 points) ä»Šå›žç§ãŒè§£ã„ãŸã®ã¯ã€ŒSqlSRFã€ã¨ã„ã†å•é¡Œã§ã™ã€‚ å•é¡Œåã‹ã‚‰ã—ã¦ã€è¦‹ãŸçž¬é–“ã«å¤šåˆ†SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã¨SSRFã‚’ã•ã›ã‚‹å•é¡Œãªã‚“ã ã‚ã†ãªã¨æŽ¨æ¸¬ã—ã¾ã—ãŸãŒã€çµæžœçš„ã«ã„ã†ã¨ãã®é€šã‚Šã®å•é¡Œã§ã—ãŸã€‚ å•é¡Œã«ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ãªè¨˜è¼‰ãŒã‚ã£ã¦ã€URLãŒè¨˜è¼‰ã•ã‚Œã¦ã„ã¾ã™ã€‚ T
ionis 2017/12/12
CTF

writeup

SSRF

SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³
ãƒªãƒ³ã‚¯
1