$30 off During Our Annual Pro Sale. View Details »

FTP2RCE

Bo0oM
March 01, 2021
Programming
0
6.4k

 FTP2RCE

Server-side request forgery via ftp account

https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0
https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf
https://www.ambionics.io/blog/laravel-debug-rce
https://github.com/tarunkant/Gopherus
https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator

Bo0oM

March 01, 2021
Tweet

More Decks by Bo0oM

See All by Bo0oM
Защита от вредоносной автоматизации сегодня
bo0om
0
370
Defending against automatization using nginx
bo0om
0
630
Antibot pitch deck
bo0om
0
89
31337
bo0om
0
75
Your back is white
bo0om
0
190
Interpret it!
bo0om
0
980
At Home Among Strangers
bo0om
1
3.3k
2000day in Safari
bo0om
2
2k
Partyhack 3.0 - Telegram bugbounty writeup
bo0om
0
3.8k

Other Decks in Programming

See All in Programming
Modern Java for the Masses! Is Java Still Relevant?
deepu105
1
470
C++20からC++23までの変化
faithandbrave
5
5.8k
インターフェースのラッパーを作る際の落とし穴 / Go Conference mini 2023
mazrean
0
250
Cloudflare Workers は楽しい!
codehex
8
2.3k
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.7k
Next.js App Router での MPA フロントエンド刷新
mugi_uno
28
9.4k
​고군분투 LLM 프로덕트 적용기: Blind Prompting 부터 Agent까지
huffon
2
1.2k
進化したWeb技術でPWAをネイティブアプリに近づける / frontend-conf-2023
yuhei_fujita
6
2.6k
Angular 17 - Rainaissance
gregonnet
0
140
LLMを使ったアプリケーション開発の基本とLangChain超入門
os1ma
18
7k
Accelerating App Dev with Cloudflare Workers
chimame
1
210
「defineCustomElement」を活用した サービス共通のUIコンポーネントライブラリ
piyoppi
0
230

Featured

See All Featured
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
645
57k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Being A Developer After 40
akosma
52
580k
The Mythical Team-Month
searls
214
41k
Thoughts on Productivity
jonyablonski
55
3.5k
For a Future-Friendly Web
brad_frost
168
8.5k
Mobile First: as difficult as doing things right
swwweet
214
8.3k
What's new in Ruby 2.0
geeforr
335
30k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
We Have a Design System, Now What?
morganepeng
41
6.5k
How STYLIGHT went responsive
nonsquared
89
4.5k

Transcript

  1. Anton “Bo0oM” Lopanitsyn
    FTP2RCE

    View Slide

  2. View Slide

  3. View Slide

  4. FTP - Active mode
    Command channel
    Data channel
    Port 21
    Client’s port
    Client’s port

    View Slide

  5. PORT 95,213,200,115,31,144
    31*256+144
    95.213.200.115

    View Slide

  6. View Slide

  7. 127.0.0.1:8080, OK

    What about redis?

    View Slide

  8. https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0

    https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf

    View Slide

  9. FTP - Passive mode
    Command channel
    Data channel
    Port 21
    Random port
    Random port

    View Slide

  10. View Slide

  11. A simple example of vulnerable code

    View Slide

  12. 1. PHP establishes an FTP connection

    $contents =
    fi
    le_get_contents($f);

    2. FakeFTP gives a port with a payload for passive
    mode

    3. Receiving a payload from socket and save to
    $contents

    4. PHP comes to the FTP again. FakeFTP says ok, let's
    save your
    fi
    le using passive mode

    fi
    le_put_contents($f, $contents);

    5. As a socket for passive mode puts the internal
    FastCGI port. The payload makes RCE

    View Slide

  13. Into the Wild
    CVE-2021-3129
    https://www.ambionics.io/blog/laravel-debug-rce

    View Slide

  14. https://github.com/tarunkant/Gopherus
    https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator

    View Slide

  15. ?
    • https://twitter.com/i_bo0om

    • https://t.me/webpwn

    View Slide