Challenge write-up record: [De1CTF 2019] SSRF Me
Challenge reproduction link: https://buuoj.cn/challenges
Reference links: "De1CTF ssrf_me: three solutions"; "Analysis of two De1CTF 2019 web challenges: SSRF ME && ShellShellShell"
I. Knowledge points involved
1. MD5 length extension attack
References: "Brief notes on MD5 length extension attacks"; "On MD5 length extension attacks"
Attack scenario: file=filename&hash=md5($secret_key.filename); the file is downloaded once the hash verifies.
Objective: read an arbitrary file by passing any filename.
Conditions:
- One value of md5($secret_key.filename) is known, together with its plaintext filename.
- The length of secret_key is known.
- The user can submit the md5 value themselves.
- Tools: HashPump / Python module: hashpumpy
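To make the conditions above concrete, here is an added example (not code from the write-up or from hashpumpy) that shows why hash=md5($secret_key.filename) verifies a forged filename. It contains a small MD5 whose compression function can be resumed from a given chaining state, uses it to extend a known digest, and then checks the same trick against HMAC-MD5, which does not extend. The secret value, the filenames and all function names are constructed for the illustration; the attacker side is assumed to know only the secret's length.

```python
import hashlib
import hmac
import math
import struct

# Added example (not from the write-up): a from-scratch MD5 whose compression
# function can be resumed from an arbitrary chaining state, which is exactly
# what a length extension attack relies on.

_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md5_padding(total_len):
    """Padding MD5 appends to a message of total_len bytes: 0x80, zeros, 64-bit LE bit length."""
    return (b"\x80" + b"\x00" * ((55 - total_len) % 64)
            + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF))


def _compress(state, block):
    """One MD5 compression of a 64-byte block onto the four-word chaining state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d)))


def md5_resume(msg, state=_INIT, prefix_len=0):
    """Hex MD5 of (prefix_len unknown bytes) || msg, given the chaining state after the prefix.

    prefix_len must be a multiple of 64 so hashing resumes on a block boundary;
    with the defaults this is plain MD5 of msg."""
    assert prefix_len % 64 == 0
    data = msg + _md5_padding(prefix_len + len(msg))
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state).hex()


def self_check():
    """Cross-check the implementation against hashlib across every padding edge case."""
    return all(md5_resume(b"x" * n) == hashlib.md5(b"x" * n).hexdigest() for n in range(0, 200))


def length_extend(known_hash, known_msg, key_len, suffix):
    """Given md5(key||known_msg) and len(key), produce (known_msg||glue||suffix, its valid hash)."""
    state = struct.unpack("<4I", bytes.fromhex(known_hash))   # digest is just the final state
    glue = _md5_padding(key_len + len(known_msg))              # padding the server hashed first
    forged_msg = known_msg + glue + suffix
    new_hash = md5_resume(suffix, state, key_len + len(known_msg) + len(glue))
    return forged_msg, new_hash


def demo_forgery():
    """Server verifies md5(secret||filename); the extended filename passes without the secret."""
    secret = b"constructed-secret"   # constructed value; only its length is assumed known
    filename = b"index.txt"
    observed = hashlib.md5(secret + filename).hexdigest()
    forged_msg, forged_hash = length_extend(observed, filename, len(secret), b"/../other.txt")
    return hashlib.md5(secret + forged_msg).hexdigest() == forged_hash


def hmac_accepts_forgery():
    """Same scenario with HMAC-MD5 instead of md5(secret||msg): the extension no longer verifies."""
    secret = b"constructed-secret"
    filename = b"index.txt"
    observed = hmac.new(secret, filename, hashlib.md5).hexdigest()
    forged_msg, forged_hash = length_extend(observed, filename, len(secret), b"/../other.txt")
    expected = hmac.new(secret, forged_msg, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, forged_hash)
```

The fix for the challenge's pattern is the last function: an HMAC keys the inner and outer hash, so knowing one digest gives no chaining state to resume from. Note that the forged filename carries the glue bytes (0x80 and NULs), which is why the write-up's scenario requires the user to control the raw value that reaches md5().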
2. Python 2.x - 2.7.16: urllib.urlopen supports local_file, leading to LFI (CVE-2019-9948)
https://bugs.python.org/issue35907
- When no scheme is given, the file protocol is used for reading by default.
- local_file: can be used to bypass filtering, for example local_file:flag.txt, where the path is relative to the script. With local_file:// an absolute path must be used (as is usual for this protocol).
  PS: local-file:///proc/self/cwd/flag.txt can also be read, because /proc/self/cwd/ represents the current working directory.
- If urllib2.urlopen(param) is used to include a file, the file scheme must be added; otherwise it fails with ValueError: unknown url type: /path/to/file
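As an added example (not code from the write-up or from CPython), the first function below reconstructs how the Python 2.7 urllib.URLopener dispatcher derived a handler name from a URL as I recall it (split on the first ":", default to "file" when there is no scheme, map "-" to "_"); it is an illustration of why the no-scheme, local_file: and local-file: spellings in the notes all reach the local file handler, not the interpreter's own code. The second function is the defender-side check: an allowlist of schemes applied before any user-controlled URL is opened. Function and constant names are my own.

```python
from urllib.parse import urlsplit

# Added example, not from the write-up. legacy_handler_name() is a
# reconstruction (an assumption about Python 2.7's urllib.URLopener.open)
# used only to show the dispatch behaviour the CVE depends on.


def legacy_handler_name(url):
    """Name of the URLopener method the Python 2 dispatcher would pick for url."""
    head, sep, _rest = url.partition(":")
    if sep and head and "/" not in head:        # splittype: '^([^/:]+):'
        urltype = head.lower()
    else:
        urltype = "file"                        # no scheme at all -> file protocol
    return ("open_" + urltype).replace("-", "_")  # local-file -> open_local_file


ALLOWED_SCHEMES = {"http", "https"}


def validate_outbound_url(url):
    """Allowlist check to run before handing user input to any URL opener.

    Returns the stripped URL or raises ValueError."""
    url = url.strip()
    parts = urlsplit(url)
    # urlsplit only accepts [A-Za-z0-9+.-] in a scheme, so 'local_file:x' comes
    # back with an empty scheme. An allowlist rejects that exactly like 'file'
    # or 'local-file'; a denylist of known-bad scheme spellings would not.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % (parts.scheme or "<none>"))
    if not parts.hostname:
        raise ValueError("host required")
    return url


def is_safe(url):
    """Boolean wrapper around validate_outbound_url for quick checks."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False
```

The point of pairing the two functions is that the legacy dispatcher normalised the scheme after any filtering a caller might do on the literal string, so the only robust check is to parse first and compare the parsed scheme against a short allowlist.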
II. Problem-solving approach
See the reference links; not repeated here.
III. Summary
Stay sensitive to the code and be good at searching for existing vulnerabilities.
CVE library: CVE Database