RaaS
SSRF using Gopher protocol leads to tampering of Redis key-value store
Last updated
Was this helpful?
SSRF using Gopher protocol leads to tampering of Redis key-value store
Last updated
Was this helpful?
Description: Since everything is going online, I decided to make an easy Requests as a Service Bot to make life easier, but I seem to have messed up oops!!!
Author:
We are able to enter a URL for the server to request. A pretty trivial LFI vulnerability exists as a result of SSRF, allowing us to view files using the file://
protocol.
Since we're provided with the Dockerfile, we know that the server code is in /code/app.py
.
Thus, we can request file:///code/app.py
to view the server code.
Immediately, we see that a Redis database is used. The hostname is redis
, and it is listening on port 6379.
If a POST request is received, the Requests_On_Steroids
function, which we will analyze later, is used to fetch the URL. Otherwise, the <userID>_isAdmin
key in the Redis database is checked. If the value is "yes", then the flag is shown in the response.
It appears that we would have to overwrite our <userID>_isAdmin
value. Since we have a SSRF vulnerability, we might be able to leverage it to communicate with the Redis instance.
In main.py
, we can see that the Requests_On_Steroids
function supports the Gopher protocol. Using Gopher, we can communicate with any TCP server (but of course, we would have to follow the service's higher-layer protocol).
However, instead of gopher://
, we must use inctf://
instead.
In modules/Gophers.py
, we find the GopherAdapter
code.
Interestingly, a line of code was modified to remove /_
in the URL's path.
Redis also offers inline commands, allowing us to send our commands directly, but without the above change, our inline commands (parsed.path
) would still look like this:
The /SET
command is unrecognized, leading to an error. Instead, we can leverage the replacement using the following payload:
The path, when replaced, would be
which sets our <userID>_isAdmin
value to "yes".
This gives us the flag: inctfi{IDK_WHY_I_EVEN_USED_REDIS_HERE!!!}
With some Googling, we can find out that the Gopher adapter was actually modified from this . I wanted to find out if any changes was made from the original script, so I diff-ed the two scripts.
Ideally, we would send multi-line input using the , but this wouldn't work because urllib.parse
was updated to .