
SSRF学习笔记

SSRF代码分析

  • PHP中可能导致SSRF漏洞的函数（当请求的目标地址可被用户输入控制时）
file_get_contents(),fsockopen(),curl_exec()
  • file_get_contents()函数SSRF例子
<?php
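// Deliberately vulnerable teaching sample for SSRF: the server fetches whatever
// URL the client posts and stores the response. Not for deployment.
//
// What a hardened version needs before the fetch: parse the URL, accept only
// http/https, resolve the host, refuse loopback / private / link-local
// addresses, and connect to the address that was validated (not re-resolve).

// Defined up front so the final echo never reads an unset variable when no
// URL was posted or the fetch failed.
$img = '';

if (isset($_POST['url']) && is_string($_POST['url'])) {
    // SSRF sink: file_get_contents() opens any registered stream wrapper and
    // any host the server can reach, using the server's network position.
    $content = file_get_contents($_POST['url']);

    if ($content !== false) {
        // NOTE(review): rand() gives a predictable name, and the body is saved
        // with an image extension without checking that it is an image.
        $filename = './images/' . rand() . 'img.jpg';
        file_put_contents($filename, $content);
        $img = "<img src=\"" . $filename . "\"/>";
    }

    // The posted value is attacker-controlled; escape it for the HTML context
    // instead of echoing it raw.
    echo htmlspecialchars($_POST['url'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo $img;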
?>
  • fsockopen()函数SSRF例子
<?php
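/**
 * Send a hand-built HTTP/1.1 GET for $link to $host:$port over a raw socket
 * and return everything the peer sends back.
 *
 * Teaching sample for SSRF: the function connects to whatever host and port it
 * is given. When those values come from a request, the caller must first
 * restrict them (allow-list of hosts, or resolve the name and refuse loopback,
 * private and link-local addresses) and reject CR/LF in $host and $link,
 * because both are interpolated into the request text unescaped.
 *
 * @param string     $host Host name or address handed to fsockopen().
 * @param int|string $port Port; converted with intval().
 * @param string     $link Request target placed on the request line.
 *
 * @return string|null Raw response (status line, headers and body), or null
 *                     when the connection could not be opened.
 */
function Getfile($host,$port,$link){
    // 30 is the connect timeout in seconds.
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno)\n";
        return null;
    }

    // Every header line is appended; the single empty line ends the header block.
    $out  = "GET $link HTTP/1.1\r\n";
    $out .= "Host:$host\r\n";
    $out .= "Connection: Close\r\n";
    $out .= "\r\n";
    fwrite($fp, $out);

    $content = '';
    while (!feof($fp)) {
        $chunk = fgets($fp, 1024);
        if ($chunk === false) {
            // Read error or timeout: stop instead of spinning on feof().
            break;
        }
        $content .= $chunk;
    }
    fclose($fp);

    return $content;
}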
?>
  • curl_exec()函数SSRF例子
<?php
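// Deliberately vulnerable teaching sample for SSRF: the posted URL is handed
// to libcurl unchanged and the response is both stored and returned to the
// requester. Not for deployment.
//
// What a hardened version needs: limit schemes with CURLOPT_PROTOCOLS
// (CURLPROTO_HTTP | CURLPROTO_HTTPS), keep CURLOPT_FOLLOWLOCATION off or limit
// CURLOPT_REDIR_PROTOCOLS the same way, and validate the resolved address
// (no loopback, private or link-local ranges) before connecting.
if (isset($_POST['url']) && is_string($_POST['url'])) {
    $link = $_POST['url'];

    // One handle variable throughout; every curl_* call below uses it.
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    // SSRF sink: the destination is fully client-controlled.
    curl_setopt($curlobj, CURLOPT_URL, $link);
    // Return the body from curl_exec() instead of printing it directly.
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);

    if ($result !== false) {
        // NOTE(review): rand() gives a predictable file name under ./images/.
        $filename = './images/' . rand() . '.txt';
        file_put_contents($filename, $result);

        // The fetched body goes straight back to the client, so anything the
        // server can reach becomes readable by the requester. It is also
        // emitted unescaped.
        echo $result;
    }
}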
?>