Vulnerable code example:
The following is a feature that fetches data with curl:
```php
<?php
if (isset($_POST['url'])) {
    // The URL comes straight from the POST body: no scheme, host or port check,
    // so it can point at file://, an intranet host, or a non-HTTP port.
    $link = $_POST['url'];
    // Temporary file in the web root (path separators restored from the original listing).
    $filename = 'D:\xampp\htdocs\test\upload\txt' . rand() . '.txt';
    $curlobj = curl_init($link);
    $fp = fopen($filename, "w");
    curl_setopt($curlobj, CURLOPT_FILE, $fp);   // write the response body to the file
    curl_setopt($curlobj, CURLOPT_HEADER, 0);   // drop response headers
    curl_exec($curlobj);
    curl_close($curlobj);
    fclose($fp);
    // Read the fetched content back and return it to the requester verbatim,
    // which makes this a full-response SSRF rather than a blind one.
    $fp = fopen($filename, "r");
    $result = fread($fp, filesize($filename));
    fclose($fp);
    echo $result;
}
?>
```
```html
<!DOCTYPE html>
<html>
<head>
<title>ssrf</title>
</head>
<body>
<center>
<form name="input" action="http://localhost/test/ssrf.php" method="POST">
<input type="text" name="url">
<input type="submit" value="Submit">
</form>
</center>
</body>
</html>
```
1. Service probing
Host B, whose IP is marked in red, is on the same internal network as the local host A.
![](/upload/attach/201801/201801041802_nz7zl5q9khgk084.jpg)
After clicking Submit:
![](/upload/attach/201801/201801041803_9osn5zgyczu9vmz.jpg)
Host B is normally reachable only from the intranet, but because the code that fetches resources with curl is vulnerable, host A, which is exposed to the internet, can request resources from host B on the same intranet directly, which allows probing of internal application services.
2. Reading local files
file:///C:/Windows/win.ini (on Linux, read /etc/passwd)
![](/upload/attach/201801/201801041803_1n701xgk2u2hjwc.jpg)
3. Requesting an open port of a non-HTTP service returns banner information
request: http://ip:22/1.txt
![](/upload/attach/201801/201801041803_gljqlz3hx6zofxv.jpg)
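The three scenarios above correspond to three missing checks in the fetch code: no scheme restriction (file://), no destination-address restriction (intranet host B), and no port restriction (port 22 banner). As an added example, not code from the original page, the following hardened replacement for the fetch handler closes all three; it assumes PHP 7.4+ with the curl extension, and the helper names `is_public_ip`, `validate_fetch_url` and `safe_fetch` and the port allowlist are hypothetical choices made here.

```php
<?php
// Added example, not from the original page: a hardened version of the curl fetch.
// Helper names and the allowlists are hypothetical choices for this illustration.

function is_public_ip(string $ip): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, ::1 and other reserved blocks.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the resolved, vetted IP to connect to, or null if the URL is rejected.
function validate_fetch_url(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // 1. Scheme allowlist: blocks file://, gopher://, dict://, ftp:// and friends.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // 2. Port allowlist: blocks http://ip:22/ style banner grabbing.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;
    }
    // 3. Resolve the host ourselves and reject private/reserved addresses (intranet host B).
    //    gethostbynamel() returns A records only; IPv6 literals are handled by filter_var.
    $host = $parts['host'];
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : gethostbynamel($host);
    if (!$ips) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null;
        }
    }
    return $ips[0];
}

function safe_fetch(string $url): ?string {
    $ip = validate_fetch_url($url);
    if ($ip === null) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme']);
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,   // keep the body in memory, no temp file in the web root
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // curl-level scheme limit
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,  // a 302 to http://127.0.0.1/ would bypass the checks
        // Pin the vetted IP so DNS cannot change the target between check and connect.
        CURLOPT_RESOLVE         => ["{$parts['host']}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

if (isset($_POST['url'])) {
    $result = safe_fetch($_POST['url']);
    if ($result === null) {
        http_response_code(400);
        echo 'URL rejected';
    } else {
        header('Content-Type: text/plain');
        echo $result;
    }
}
?>
```

With this handler, `file:///C:/Windows/win.ini` fails the scheme check, `http://ip:22/1.txt` fails the port check, and a URL pointing at host B's private address fails the resolved-IP check; redirects are not followed, so an external host cannot bounce the request back into the intranet. Where the feature legitimately needs to reach internal services, replace the public-IP rule with an explicit allowlist of hostnames rather than a denylist of ranges.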