Preface
A very familiar SSRF topic. The code audit at the beginning has now become an example of bypassing 127.0.0.1 filtering in many SSRF tutorials, but the redis master-slave replication behind this topic is something I don't know. It happened that today a master and I discussed this question, so I did this question by the way, and learned about the SSRF of redis master-slave replication.
WP
The first is the familiar code audit:
<?php
function check_inner_ip($url)
{
$match_result=preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',$url);
if (!$match_result)
{
die('url fomat error');
}
try
{
$url_parse=parse_url($url);
}
catch(Exception $e)
{
die('url fomat error');
return false;
}
$hostname=$url_parse['host'];
$ip=gethostbyname($hostname);
$int_ip=ip2long($ip);
return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;
}
function safe_request_url($url)
{
if (check_inner_ip($url))
{
echo $url.' is inner ip';
}
else
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
if ($result_info['redirect_url'])
{
safe_request_url($result_info['redirect_url']);
}
curl_close($ch);
var_dump($output);
}
}
if(isset($_GET['url'])){
$url = $_GET['url'];
if(!empty($url)){
safe_request_url($url);
}
}
else{
highlight_file(__FILE__);
}
// Please visit hint.php locally.
?>
Find a way to visit hint.php with SSRF. The simpler is to use 0.0.0.0 to bypass, or you can use the difference in the results obtained by host analysis to bypass. Here I use 0.0.0.0 to bypass.
The next step is hint, php:
<?php
if($_SERVER['REMOTE_ADDR']==="127.0.0.1"){
highlight_file(__FILE__);
}
if(isset($_POST['file'])){
file_put_contents($_POST['file'],"<?php echo 'redispass is root';exit();".$_POST['file']);
}
My first reaction was to test the writing of file_put_contents to escape exit. I just reproduced this stuff a few days ago. I held several postures in my hand and thought about it for a few seconds. Then I realized that I couldn’t call it. It should be a permission problem. , No permission to write files.
But given the redis password, it should be redis. This question examines the master-slave replication of redis.
Reference article: Redis
master-slave replication
redis security study notes
analysis of the use of SSRF in Redis
The specific operation is as follows. Download these two projects first:
Redis Rogue Server
redis-ssrf
mainly uses the 2 py files in redis-ssrf and the .so file in redis-rogue. Copy the .so file to the redis-ssrf directory.
Then make a magic change. 
Fill in the ip of your VPS for lhost and the port for lport. This port is the same as the port opened in rogue-server.py. Command fill in the command to be executed.
Change the ip here to 0.0.0.0 and the
password is root.
Then execute ssrf-redis.py to generate the payload. Then open rogue-server.py, then use the payload generated by ssrf-redis.py to url-encode it once and then hit it.
