Vulnerable code example:
The following is a feature that uses curl to fetch data.
```
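<?php
// Deliberately vulnerable: the URL comes straight from the request and is never validated.
if (isset($_POST['url'])) {
    $link = $_POST['url'];
    // Save the response to a randomly named file in the upload directory.
    $filename = 'D:\xampp\htdocs\test\upload\txt' . rand() . '.txt';
    $curlobj = curl_init($link);
    $fp = fopen($filename, "w");
    curl_setopt($curlobj, CURLOPT_FILE, $fp);   // write the response body to $fp
    curl_setopt($curlobj, CURLOPT_HEADER, 0);   // omit response headers
    curl_exec($curlobj);
    curl_close($curlobj);
    fclose($fp);
    // Read the saved response back and echo it to the client.
    $fp = fopen($filename, "r");
    $result = fread($fp, filesize($filename));
    fclose($fp);
    echo $result;
}
?>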
```
```
<!DOCTYPE html>
<html>
<head>
<title>ssrf</title>
</head>
<body>
<center>
<form name="input" action="http://localhost/test/ssrf.php" method="POST">
<input type="text" name="url">
<input type="submit" value="Submit">
</form>
</center>
</body>
</html>
```
1. Service probing
Host B, whose IP is marked in red, is on the same internal network as the local host A.
![](/upload/attach/201801/201801041802_nz7zl5q9khgk084.jpg)
After clicking Submit:
![](/upload/attach/201801/201801041803_9osn5zgyczu9vmz.jpg)
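Host B is supposed to be reachable only from the internal network. Because the code that uses curl to request resources is vulnerable, host A, which is exposed to the external network, can directly request resources from host B on the same internal network, which allows internal application services to be probed.
2. Reading local files
file:///C:/Windows/win.ini (on Linux, read /etc/passwd)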
![](/upload/attach/201801/201801041803_1n701xgk2u2hjwc.jpg)
3. Requesting an open port of a non-HTTP service, which returns banner information
Request: http://ip:22/1.txt
![](/upload/attach/201801/201801041803_gljqlz3hx6zofxv.jpg)
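
All three cases above (internal service probing, `file://` reads, banners from non-HTTP ports) follow from handing the posted URL to curl unchecked. As an added example, not code from the original post, here is one way to constrain the fetch; the function names, the 80/443 port allowlist and the IPv4-only policy are assumptions.

```php
<?php
// Added example (not the article's code). Assumed policy: http/https only,
// ports 80/443 only, public IPv4 targets only.
function ssrf_check_url(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                          // file:///... has no host
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                          // no file://, gopher://, dict://
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                          // no banner reads from :22 etc.
    }
    // Resolve once; an unresolvable name comes back unchanged and fails the filter.
    $ip = gethostbyname($p['host']);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;                          // loopback, RFC 1918, link-local
    }
    return ['host' => $p['host'], 'port' => $port, 'ip' => $ip];
}

function safe_fetch(string $url): ?string
{
    $t = ssrf_check_url($url);
    if ($t === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,      // a redirect could point back inside
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"], // pin the checked IP
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed inputs mirroring the three cases; 192.168.1.10 is a placeholder.
foreach (['http://192.168.1.10/', 'file:///C:/Windows/win.ini', 'http://127.0.0.1:22/1.txt'] as $u) {
    echo $u, ' => ', ssrf_check_url($u) === null ? 'rejected' : 'allowed', PHP_EOL;
}
```

`CURLOPT_RESOLVE` makes curl connect to the address that was validated, so a second DNS lookup cannot return a different, internal IP between the check and the request.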