Basics
SSRF - Server Side Request Forgery attacks. The ability to create requests from the vulnerable server to the intranet/internet. Using a protocol supported by the available URI schemas, you can communicate with services running on other protocols. Here we collect the various options and examples (exploits) of such interaction. See related research for an introduction.
Typical attack steps
1. Scan the internal network to determine which internal infrastructure you may access
2. Collect open ports on localhost and on the other internal hosts you are interested in (basically by time-based determination)
3. Determine the services/daemons on those ports using a wiki or the daemons' banners (if you can watch the output)
4. Determine the type of your SSRF combination:
   ○ Direct socket access (such as this example)
   ○ Sockets client (such as Java URI, cURL, LWP, others)
5. In the case of direct socket access, determine CRLF and other injections for smuggling
6. In the case of a sockets client, determine the available URI schemas
7. Compare the available schemas with the services'/daemons' protocols to find smuggling possibilities
8. Determine host-based auth daemons and try to exploit them
File Descriptors exploitation way
Useful in clouds, shared hosting and other large infrastructures. First read slides 20-21 about FDs and 22-23 about ProcFS from this paper.
There are three ways to access FDs:
● Interpreter APIs (such as the fd:// wrapper for PHP)
   ○ If there is no such API, or the required functions are disabled, you can try to load a native extension:
      ■ PHP (requires dlopen, but not exec): https://github.com/dhotson/fdopen-php
● exec() call from the API (such as exec('echo 123 >&<FDN>');)
   ○ Only FDs without the O_CLOEXEC flag are accessible this way.
   ○ A C program to scan the available FDs is here: https://github.com/ONsec-Lab/scripts/blob/master/list-open-fd.c
● ProcFS files (/proc/<PID>/fd/<N>)
* Note that you cannot access sockets through /proc/<PID>/fd/<N> files!
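As an added, defender-side example (not part of the original cheatsheet and not the linked ONsec-Lab script), the C program below audits which descriptors lack FD_CLOEXEC, the flag that decides whether the exec() vector above can reach them, and then marks them close-on-exec so they do not leak into spawned children. It probes descriptors with fcntl() rather than reading /proc, so it also works where ProcFS is unavailable; the FD_SCAN_MAX bound is an assumption made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Assumed upper bound on descriptor numbers to probe (example value). */
#define FD_SCAN_MAX 1024

/* Returns 1 if fd is open and would survive exec() (no FD_CLOEXEC),
 * 0 if it is open but close-on-exec, -1 if fd is not an open descriptor. */
int fd_inheritable(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;              /* EBADF: nothing open here */
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Counts open descriptors >= first that a child started via exec() would inherit. */
int count_inheritable_fds(int first) {
    int n = 0;
    for (int fd = first; fd < FD_SCAN_MAX; fd++)
        if (fd_inheritable(fd) == 1) n++;
    return n;
}

/* Hardening step: sets FD_CLOEXEC on every open descriptor >= first.
 * Returns how many descriptors were changed. */
int set_cloexec_from(int first) {
    int changed = 0;
    for (int fd = first; fd < FD_SCAN_MAX; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC)) continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) changed++;
    }
    return changed;
}

int main(void) {
    int p[2];
    if (pipe(p) != 0) return 1;              /* constructed: two inheritable fds */
    printf("inheritable fds before: %d\n", count_inheritable_fds(3));
    printf("marked close-on-exec:   %d\n", set_cloexec_from(3));
    printf("inheritable fds after:  %d\n", count_inheritable_fds(3));
    close(p[0]);
    close(p[1]);
    return 0;
}
```

Descriptors 0-2 are deliberately left alone, since a child normally needs its standard streams; audit them separately if the service redirects them to sockets.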