漏洞代碼示例:
以下是一個(gè)用curl獲取數(shù)據(jù)的功能
```
<?php
if(isset($_POST['url'])){
$link = $_POST['url'];
$filename = 'D:xampphtdocstestuploadtxt'.rand().'.txt';
$curlobj = curl_init($link);
$fp = fopen($filename,"w");
curl_setopt($curlobj,CURLOPT_FILE,$fp);
curl_setopt($curlobj,CURLOPT_HEADER,0);
curl_exec($curlobj);
curl_close($curlobj);
fclose($fp);
$fp = fopen($filename,"r");
$result = fread($fp,filesize($filename));
fclose($fp);
echo $result;
}
?>
```
```
<!DOCTYPE html>
<html>
<head>
<title>ssrf</title>
</head>
<body>
<center>
<form name="input" action="http://localhost/test/ssrf.php" method="POST">
<input type="text" name="url">
<input type="submit" value="Submit">
</form>
</center>
</body>
</html>
```
1�����、服務(wù)探測(cè)
紅色標(biāo)注IP主機(jī)B與本機(jī)A在同一內(nèi)網(wǎng)下
submit提交之后
主機(jī)B本來(lái)只有內(nèi)網(wǎng)可以訪(fǎng)問(wèn)����,但是由于curl請(qǐng)求資源的代碼存在漏洞�����,導(dǎo)致對(duì)外網(wǎng)開(kāi)放的主機(jī)A可以直接請(qǐng)求處于同一內(nèi)網(wǎng)主機(jī)B的資源�����,導(dǎo)致內(nèi)網(wǎng)應(yīng)用服務(wù)探測(cè)��。
2、讀取本地文件
file:///C:/Windows/win.ini(Linux下讀取/etc/passwd)
3�、請(qǐng)求非http服務(wù)的開(kāi)放端口,返回banner信息
request:http://ip:22/1.txt
滬公網(wǎng)安備 31011502006611號(hào)
