Vulnerable code example:
The following feature uses curl to fetch data from a URL supplied by the user.
```
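<?php
// Deliberately vulnerable: the user-supplied URL is passed to curl without any validation.
if (isset($_POST['url'])) {
    $link = $_POST['url'];
    // Save the response to a randomly named file under the web root.
    $filename = 'D:\xampp\htdocs\test\upload\txt' . rand() . '.txt';
    $curlobj = curl_init($link);
    $fp = fopen($filename, "w");
    curl_setopt($curlobj, CURLOPT_FILE, $fp);   // write the response body to $fp
    curl_setopt($curlobj, CURLOPT_HEADER, 0);   // do not include response headers
    curl_exec($curlobj);
    curl_close($curlobj);
    fclose($fp);
    // Read the saved response back and echo it to the client.
    $fp = fopen($filename, "r");
    $result = fread($fp, filesize($filename));
    fclose($fp);
    echo $result;
}
?>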
```
```
<!DOCTYPE html>
<html>
<head>
<title>ssrf</title>
</head>
<body>
<center>
<form name="input" action="http://localhost/test/ssrf.php" method="POST">
<input type="text" name="url">
<input type="submit" value="Submit">
</form>
</center>
</body>
</html>
```
1. Service probing
Host B (the IP marked in red) is on the same internal network as the local host A.
![](/upload/attach/201801/201801041802_nz7zl5q9khgk084.jpg)
After clicking Submit:
![](/upload/attach/201801/201801041803_9osn5zgyczu9vmz.jpg)
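Host B should be reachable only from the internal network. Because the code that requests resources with curl is vulnerable, host A, which is exposed to the external network, can directly request resources from host B on the same internal network, which allows internal application services to be probed.
2. Reading local files
file:///C:/Windows/win.ini (on Linux, read /etc/passwd)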
![](/upload/attach/201801/201801041803_1n701xgk2u2hjwc.jpg)
3. Requesting an open port of a non-HTTP service, which returns banner information
request: http://ip:22/1.txt
![](/upload/attach/201801/201801041803_gljqlz3hx6zofxv.jpg)
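
A hardened counterpart to the vulnerable fetch above, added here as an illustration and not part of the original article: it allows only http/https on ports 80 and 443, rejects destinations that resolve to private or reserved IPv4 ranges, and pins the validated address for the request, which addresses the three cases shown. The function names `resolve_public_ip` and `safe_fetch` and the port policy are assumptions.

```php
<?php
// Added example, not the original code. Assumes only http/https on 80/443 is needed; function names are hypothetical.
function resolve_public_ip(string $host): ?string
{
    // Resolve once, then reject private (10/8, 172.16/12, 192.168/16) and reserved (127/8, 169.254/16, ...) ranges.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) ? $ip : null;
}

function safe_fetch(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host']) || isset($parts['user'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {      // case 2: file:// is refused
        throw new InvalidArgumentException('scheme not allowed');
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {                 // case 3: ports such as 22 are refused
        throw new InvalidArgumentException('port not allowed');
    }
    $ip = resolve_public_ip($parts['host']);
    if ($ip === null) {                                      // case 1: internal hosts such as host B are refused
        throw new InvalidArgumentException('destination not allowed');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,  // enforced by curl itself as well
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back into the internal network
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ip}"], // pin the address that was validated
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException('fetch failed'); }
    return $body;
}

if (isset($_POST['url'])) {
    try {
        // Encode the fetched content so it is not rendered as markup in the response.
        echo htmlspecialchars(safe_fetch($_POST['url']), ENT_QUOTES, 'UTF-8');
    } catch (Throwable $e) {
        http_response_code(400);
    }
}
```

The IPv4-only filter also rejects IPv6 destinations outright. Pinning the resolved address with `CURLOPT_RESOLVE` keeps the request from going to a different address than the one that passed validation.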