CTF gopher protocol

0x01 examples

Here a challenge from an Anheng monthly CTF is used as the example.

Tips: SSRF, using the gopher protocol against internal-network services.

0x02 challenge code

<?php
highlight_file(__FILE__);
$x = $_GET['x'];                 // attacker-controlled URL
$pos = strpos($x, "php");        // the only filter: the substring "php" is denied
if ($pos) {
    exit("denied");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$x");   // any scheme libcurl supports is accepted
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
echo $result;

0x03 analysis

First, x is under our control. The schemes usable through x include gopher, dict, http, https, file and others:
  • the file protocol can be used to read local files
  • the dict protocol can be used to probe ports
  • the gopher protocol supports GET and POST requests and is commonly used to reach internal ftp, redis, telnet, smtp and similar services; it can also be used to get a reverse shell through redis

First we read files with the file protocol.

Scan the directory with a script first to locate flag.php.
Generally we can also read /etc/hosts, /etc/passwd, ~/.bash_history and similar files to look for clues.

But the code restricts this with strpos, which is bypassed with %2570: PHP decodes the parameter once, so the URL handed to curl contains "%70hp" rather than "php" and strpos finds nothing, while libcurl decodes the %70 a second time when it opens the file:// path.

Reading /var/www/html/flag.php gives a clue,
and reading /etc/hosts next gives the internal network address.
With the network segment known, we scan it and find that only 172.18.0.1, 172.18.0.2 and 172.18.0.3 are reachable.
Requesting http://101.71.29.5:10012/?x=http://172.18.0.2 returns the result shown below; there is an LFI vulnerability.
That is only the result for port 80; checking the other ports shows that port 25 is open as well, and 25 is the SMTP service.
So the idea is to use the gopher protocol to talk to SMTP and combine that with the LFI found earlier: send mail to SMTP via gopher so that a one-line webshell lands in the mail log, then include the log file through the LFI.
With the plan clear, we start by generating the payload with the gopherus script; gopherus lives at https://github.com/tarunkant/Gopherus, which documents its usage in detail.

Change 127.0.0.1:25 to the internal address, URL-encode the payload, and send it.

Then we use the LFI to include the log file.
For that we need the location of the SMTP log; on Linux the mail log is usually at one of

  • /var/log/maillog
  • /var/log/mail.log
  • /var/adm/maillog
  • /var/adm/syslog/mail.log

Then we connect to the webshell directly with China Chopper and get the flag.

0x04 summary

1. https://bugs.php.net is a site that collects PHP bugs and vulnerabilities.

For example, we can search it with a Google dork:
site:https://bugs.php.net strpos

2. With SSRF the usual order is: detect hosts first, then detect ports, identify the corresponding service, and only then use the matching payload.
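The root cause on the defensive side is the substring denylist plus an unrestricted curl scheme set. The following is an added hardened rewrite of the challenge's fetcher, not code from the original writeup; it assumes PHP 7+ with ext-curl and that the application only ever needs to fetch public HTTP(S) resources.

```php
<?php
// Added hardened fetcher (not the challenge's code). Assumes PHP 7+ with ext-curl
// and that the application only needs to fetch public HTTP(S) resources.

function is_public_ip(string $ip): bool {
    // Rejects loopback, RFC 1918 (e.g. 172.18.0.0/16), link-local and reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function safe_fetch(string $url): string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed url');
    }
    // Allowlist schemes instead of denylisting the substring "php": the substring
    // check falls to double encoding (%2570); a scheme allowlist does not.
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once, check the address, then pin it with CURLOPT_RESOLVE so the
    // answer cannot change between the check and the connect (DNS rebinding).
    $ip = gethostbyname($p['host']); // returns the name unchanged on failure
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || !is_public_ip($ip)) {
        throw new RuntimeException('destination is not a resolvable public address');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no gopher/file/dict
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a 302 to 172.18.0.2 would skip the IP check
        CURLOPT_RESOLVE         => ["{$p['host']}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch); $err = curl_error($ch); curl_close($ch);
    if ($body === false) throw new RuntimeException("fetch failed: $err");
    return $body;
}

try {
    echo safe_fetch($_GET['x'] ?? '');
} catch (Throwable $e) {
    http_response_code(400);
    exit('denied');
}
```

gethostbyname only resolves IPv4, so IPv6 literals and AAAA-only hosts are refused by the address check; if the application needs IPv6, resolve with dns_get_record and apply the same range filter to every returned address.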

0x05 link

The challenge environment was already closed when I reproduced this, so I directly used the screenshots from another master's writeup; the link is posted here, forgive me!
link

Origin blog.csdn.net/a3320315/article/details/102880329