# PHP SSRF

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### SSRF PHP functions

Some function such as **file\_get\_contents(), fopen(), file(), md5\_file()** accept URLs as input that they will follow making **possible SSRF vulnerabilities** if the use can control the data:

```php
file_get_contents("http://127.0.0.1:8081");
fopen("http://127.0.0.1:8081", "r");
file("http://127.0.0.1:8081");
md5_file("http://127.0.0.1:8081");
```

### Wordpress SSRF via DNS Rebinding

As [**explained in this blog post**](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf), even the Wordpress function **`wp_safe_remote_get`** is vulnerable to DNS rebinding, making it potentially vulnerable to SSRF attacks. The main validation it calls is **wp\_http\_validate\_ur**l, which checks that the protocol is `http://` or `https://` and that the port is one of **80**, **443**, and **8080**, but it's **vulnerable to DNS rebinding**.

Other vulnerable functions according to the post are:

* `wp_safe_remote_request()`
* `wp_safe_remote_post()`
* `wp_safe_remote_head()`
* `WP_REST_URL_Details_Controller::get_remote_url()`
* `download_url()`
* `wp_remote_fopen()`
* `WP_oEmbed::discover()`

### CRLF

Moreover, in some cases it might be even possible to send arbitrary headers via CRLF "vulnerabilities" in the previous functions:

```php
# The following will create a header called from with value Hi and 
# an extra header "Injected: I HAVE IT"
ini_set("from", "Hi\r\nInjected: I HAVE IT");
file_get_contents("http://127.0.0.1:8081");

GET / HTTP/1.1
From: Hi
Injected: I HAVE IT
Host: 127.0.0.1:8081
Connection: close

# Any of the previously mentioned functions will send those headers
```

{% hint style="warning" %}
For more info about that CRLF vuln, check this bug <https://bugs.php.net/bug.php?id=81680&edit=1>
{% endhint %}

Note that these function might have other methods to set arbitrary headers in requests, like:

```php
$url = "";

$options = array(
  'http'=>array(
    'method'=>"GET",
    'header'=>"Accept-language: en\r\n" .
              "Cookie: foo=bar\r\n" .  // check function.stream-context-create on php.net
              "User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad 
  )
);

$context = stream_context_create($options);
$file = file_get_contents($url, false, $context);
```

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://angelica.gitbook.io/hacktricks/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.