{"id":667,"date":"2021-07-28T09:13:32","date_gmt":"2021-07-28T14:13:32","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=667"},"modified":"2023-04-08T08:43:15","modified_gmt":"2023-04-08T13:43:15","slug":"vulnerabilite-ssrf","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-ssrf\/","title":{"rendered":"SSRF vulnerability (Server Side Request Forgery)"},"content":{"rendered":"\n<p>An SSRF vulnerability arises when you can reach a web site that uses databases such as Elasticsearch or MySQL on its local network, but you cannot access those services directly. If the server runs a script that includes a URL supplied by the user, you may be able to reach those internal services through it and obtain the information you are after.<\/p>\n\n\n\n<p>In the example below, an image is included through the url parameter. One could, for instance, supply http:\/\/localhost:9200 to reach the Elasticsearch server running on the web host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\r\n\/\/ Vulnerable: the user-supplied URL is opened by the server without any check\r\nif (isset($_GET&#91;'url'])) {\r\n  $url = $_GET&#91;'url'];\r\n  $image = fopen($url, 'rb');\r\n  header(\"Content-Type: image\/png\");\r\n  fpassthru($image);\r\n}\r\n?><\/code><\/pre>\n\n\n\n<p>The application may filter the parameter (for example, localhost or 127.0.0.1 may be forbidden). 
This protection can sometimes be bypassed with one of the following:<\/p>\n\n\n\n<ul>\n<li>http:\/\/0.0.0.0:9200<\/li>\n\n\n\n<li>http:\/\/[::]:9200 #IPv6<\/li>\n\n\n\n<li>http:\/\/::::9200<\/li>\n\n\n\n<li>http:\/\/0x7f000001:9200 #hexadecimal encoding<\/li>\n\n\n\n<li>https:\/\/gist.github.com\/mzfr\/fd9959bea8e7965d851871d09374bb72<\/li>\n\n\n\n<li>http:\/\/2130706433:9200 #decimal encoding<\/li>\n\n\n\n<li>http:\/\/0\/<\/li>\n\n\n\n<li>http:\/\/127.1<\/li>\n\n\n\n<li>http:\/\/127.0.1<\/li>\n\n\n\n<li>http:\/\/127.0.0.1\/%61dmin #single URL encoding<\/li>\n\n\n\n<li>http:\/\/127.0.0.1\/%2561dmin #double URL encoding<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Other protocols used when exploiting an SSRF vulnerability<\/h2>\n\n\n\n<ul>\n<li>file:\/\/\/etc\/passwd<\/li>\n\n\n\n<li>phar:\/\/<\/li>\n\n\n\n<li>gopher:\/\/<\/li>\n\n\n\n<li>data:\/\/<\/li>\n\n\n\n<li>dict:\/\/<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing PHP code against the attacks enabled by an SSRF vulnerability<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\r\n\/\/ Get the URL from a form or another source\r\n$url = $_POST&#91;'url'];\r\n\r\n\/\/ Check that the URL is a valid HTTP or HTTPS link\r\nif (filter_var($url, FILTER_VALIDATE_URL) &amp;&amp; (strpos($url, \"http:\/\/\") === 0 || strpos($url, \"https:\/\/\") === 0)) {\r\n\r\n    \/\/ If the URL is valid, fetch it with file_get_contents()\r\n    $content = file_get_contents($url);\r\n\r\n    \/\/ Output the response body\r\n    echo $content;\r\n} else {\r\n    \/\/ If the URL is not valid, show an error message\r\n    echo \"URL invalide\";\r\n}\r\n?>\r\n<\/code><\/pre>\n\n\n\n<p>In this example, we use the PHP function <code>filter_var()<\/code> to validate that the supplied URL is a well-formed HTTP or HTTPS link. 
We then also check that the URL begins with &#8220;http:\/\/&#8221; or &#8220;https:\/\/&#8221;. If the URL is valid, we make the request with <code>file_get_contents()<\/code>, which is secure because it does not allow requests to be forged against internal resources. If the URL is not valid, we simply display an error message.<\/p>\n\n\n\n<p>Note that even though this code is protected against SSRF vulnerabilities, it must be used with care and only with trusted URLs. It is also recommended to restrict access to this feature to trusted users, to prevent any attempt to exploit an SSRF vulnerability.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other considerations<\/h2>\n\n\n\n<p>If the application is <a href=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/vulnerabilite-xxe\/\">vulnerable to XXE<\/a>, that weakness can be used to carry out an SSRF attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Types of SSRF<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"720\" src=\"https:\/\/www.searchevolution.com\/security\/wp-content\/uploads\/2023\/04\/ssrf-types.png\" alt=\"The different types of SSRF\" class=\"wp-image-1114\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>An SSRF (Server-Side Request Forgery) vulnerability is a security flaw that lets an attacker forge requests from the target server to internal or external systems by exploiting inadequate input controls. 
Such a flaw can be used to access confidential information, carry out attacks remotely, or perform malicious actions on the target systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Further resources<\/h2>\n\n\n\n<p><a href=\"https:\/\/github.com\/swisskyrepo\/SSRFmap\">Finding and exploiting services through an SSRF flaw<\/a>: SSRFmap<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Server%20Side%20Request%20Forgery\/README.md\">Different ways to exploit SSRF<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"yoast_head_json":{"title":"SSRF vulnerability (Server Side Request Forgery) -","description":"How to exploit an SSRF vulnerability, the different types of SSRF (Server Side Request Forgery), and how to protect your PHP code","canonical":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-ssrf\/","og_locale":"fr_CA","og_type":"article","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-07-28T14:13:32+00:00","article_modified_time":"2023-04-08T13:43:15+00:00","og_image":[{"url":"https:\/\/www.searchevolution.com\/security\/wp-content\/uploads\/2023\/04\/ssrf-types.png"}],"author":"Germain","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"3 minutes"}}}