Commit 47150852 authored by Jona Löffler

Updates

parent 64e5db36
<p align="center"><a href="https://laravel.com" target="_blank"><img src="https://raw.githubusercontent.com/laravel/art/master/logo-lockup/5%20SVG/2%20CMYK/1%20Full%20Color/laravel-logolockup-cmyk-red.svg" width="400"></a></p>
<p align="center">
<a href="https://travis-ci.org/laravel/framework"><img src="https://travis-ci.org/laravel/framework.svg" alt="Build Status"></a>
<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/dt/laravel/framework" alt="Total Downloads"></a>
<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/v/laravel/framework" alt="Latest Stable Version"></a>
<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/l/laravel/framework" alt="License"></a>
</p>
## About Laravel
Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:
- [Simple, fast routing engine](https://laravel.com/docs/routing).
- [Powerful dependency injection container](https://laravel.com/docs/container).
- Multiple back-ends for [session](https://laravel.com/docs/session) and [cache](https://laravel.com/docs/cache) storage.
- Expressive, intuitive [database ORM](https://laravel.com/docs/eloquent).
- Database agnostic [schema migrations](https://laravel.com/docs/migrations).
- [Robust background job processing](https://laravel.com/docs/queues).
- [Real-time event broadcasting](https://laravel.com/docs/broadcasting).
Laravel is accessible, powerful, and provides tools required for large, robust applications.
## Learning Laravel
Laravel has the most extensive and thorough [documentation](https://laravel.com/docs) and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework.
If you don't feel like reading, [Laracasts](https://laracasts.com) can help. Laracasts contains over 1500 video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library.
## Laravel Sponsors
We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the Laravel [Patreon page](https://patreon.com/taylorotwell).
### Premium Partners
- **[Vehikl](https://vehikl.com/)**
- **[Tighten Co.](https://tighten.co)**
- **[Kirschbaum Development Group](https://kirschbaumdevelopment.com)**
- **[64 Robots](https://64robots.com)**
- **[Cubet Techno Labs](https://cubettech.com)**
- **[Cyber-Duck](https://cyber-duck.co.uk)**
- **[Many](https://www.many.co.uk)**
- **[Webdock, Fast VPS Hosting](https://www.webdock.io/en)**
- **[DevSquad](https://devsquad.com)**
- **[Curotec](https://www.curotec.com/services/technologies/laravel/)**
- **[OP.GG](https://op.gg)**
- **[CMS Max](https://www.cmsmax.com/)**
- **[WebReinvent](https://webreinvent.com/?utm_source=laravel&utm_medium=github&utm_campaign=patreon-sponsors)**
- **[Lendio](https://lendio.com)**
## Contributing
Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions).
## Code of Conduct
In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct).
## Security Vulnerabilities
If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [taylor@laravel.com](mailto:taylor@laravel.com). All security vulnerabilities will be promptly addressed.
## License
The Laravel framework is open-sourced software licensed under the [MIT license](https://opensource.org/licenses/MIT).
# SSRF Demo Code for AdvSec 21/22
This repository contains the code for demonstrating a SSRF vulnerability in a close-to real-world scenario.
The demonstration is written in PHP and makes use of the [Laravel framework](https://laravel.com).
To get started, set up the project on a web server (e.g. NGINX, Apache).
There are many options that aim to simplify this process, for example:
- [DDEV](ddev.com)
- [Laravel Homestead](https://laravel.com/docs/8.x/homestead)
- [Laravel Sail](https://laravel.com/docs/8.x/sail)
- [Laradock](https://laradock.io/)
With the project running, visit `/profile`.
This page will provide a minimal input form, in to which an URI can be entered.
After clicking `Save`, the input will be persisted to the database.
When a valid URI pointing to an image was provided, that image will now be diplayed on the page.
Other valid URIs will be rendered as broken `<img>` tags, but the content corresponding content is visible in the Browser's Dev Tools.
Possible inputs
* an actual image
* https://cdn.pixabay.com/photo/2016/09/01/08/24/smiley-1635449_1280.png
* Malicious examples
* http://ip-api.com/json
* http://localhost/admin
* /var/www/html/.env
* /usr/passwd
\ No newline at end of file
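Review bot: the DDEV entry `- [DDEV](ddev.com)` has no scheme, so Markdown renders it as a relative link to a `ddev.com` path under this repository rather than to the DDEV site; write it as `[DDEV](https://ddev.com)` like the other three entries in that list. The setup text also says the submitted URI "will be persisted to the database" but gives no step for creating that schema (the migrate or seed command the project expects), so someone who only follows "set up the project on a web server" has no table for the first `Save` to write to; add that command next to the hosting options. Spelling in the new paragraph: "diplayed" (displayed), "the content corresponding content" (the corresponding content), "in to which" (into which). Finally, `/usr/passwd` in the malicious examples is not a file on a standard Linux install; the conventional file is `/etc/passwd`, and as written that example input only produces a failed read instead of the local-file disclosure the list is meant to show.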
......@@ -16,10 +16,10 @@
</div>
<div>
<form method="POST" action="/">
<form method="POST" action="/profile">
@csrf
<input type="string" name="url">
<button type="submit">Speichern</button>
<button type="submit">Save</button>
</form>
</div>
</body>
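Review bot: `<input type="string" name="url">` is left untouched although the form's action and button label on the surrounding lines change, and `string` is not a valid HTML input type (browsers silently fall back to `text`); change it to `type="text"`. Do not reach for `type="url"` here: the browser's built-in validation for that type only accepts absolute URLs, which would block the local-path inputs such as `/var/www/html/.env` that the README's malicious examples depend on. Consider adding `required` to the input so the client-side check matches the server-side `required` rule on the `url` field, and a `<label for="url">` so the field has a visible name.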
......@@ -4,46 +4,28 @@ use Illuminate\Support\Facades\Route;
use Illuminate\Http\Request;
use App\Models\Avatar;
Route::get('/', function () {
return view('avatars', ['avatars' => Avatar::all()]);
});
/*
* Actual image
* - https://cdn.pixabay.com/photo/2016/09/01/08/24/smiley-1635449_1280.png
*
* Malicious examples for url parameter
* - http://ip-api.com/json
* - http://localhost/admin
* - /var/www/html/.env
* - /usr/passwd
*/
Route::post('/', function (Request $request) {
Route::post('/profile', function (Request $request) {
$request->validate(['url' => 'required']);
(new Avatar(['url' => $request->input('url')]))->save();
return redirect("/");
return redirect('profile');
});
# Variant 1
Route::get('avatars/{avatar}', function(Avatar $avatar) {
$img = fopen($avatar->url, "rb");
return response()->stream(fn() => fpassthru($img));
Route::get('/profile', function () {
return view('avatars', ['avatars' => Avatar::all()]);
});
# Variant 2
Route::get('avatars/{avatar}', function(Avatar $avatar) {
$img = file_get_contents($avatar->url);
return response($img)->header('Content-Type', 'img/png');
});
// Route::get('avatars/{avatar}', function(Avatar $avatar) {
// $img = fopen($avatar->url, "rb");
// return response()->stream(fn() => fpassthru($img));
// });
Route::get('admin', function() {
return [
'info' => 'Super sensitive business information only for admins',
'info' => 'Sensitive admin dashboard.',
];
});
});
\ No newline at end of file
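Review bot: the avatar route that remains active sets `->header('Content-Type', 'img/png')`, which is not a registered media type; the PNG type is `image/png`. Fix the header, but leave the fetch itself alone: `file_get_contents($avatar->url)` with no scheme or host restriction, and the fixed image content type applied to whatever body comes back (JSON from ip-api.com, the contents of `.env`), is exactly the behaviour the README describes for this demo. Second, this change drops the trailing newline at the end of the file (`\ No newline at end of file` after the final `});`); restore it so the next diff does not touch that line again. Minor style points: the commented-out `fopen`/`fpassthru` variant can be deleted now that the example inputs live in the README rather than in a comment block here, and `Route::get('avatars/{avatar}', ...)` is the only route without a leading slash while `/profile` and `/` have one; Laravel accepts both, but one convention reads better.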