0x01 example
Here's an example challenge from the Arnhem monthly contest.
Tips: use SSRF and the gopher protocol to reach the internal network.
0x02 challenge code
```php
<?php
highlight_file(__FILE__);
$x = $_GET['x'];
// Blocklist filter: any URL containing the substring "php" is rejected
// (this is the check the analysis below bypasses with %2570)
$pos = strpos($x,"php");
if($pos){
exit("denied");
}
// The user-supplied URL is handed straight to curl, which accepts
// gopher://, dict://, file:// and more, not only http(s)
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,"$x");
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
```
0x03 analysis
First, `x` is fully under our control, and curl will accept gopher, dict, http, https, file and other protocols. The file protocol can be used to read files; the dict protocol can be used to probe ports; the gopher protocol supports GET and POST requests and is commonly used to attack internal ftp, redis, telnet, smtp and other services, and can also be used to reach redis and obtain a reverse shell.
First we read files with the file protocol. The script scans the directory and finds flag.php. Generally we can also read /etc/hosts, /etc/passwd, ~/.bash_history and other files to look for traces, but the code blocks this with strpos (bypassed using %2570).
Finally we read /var/www/html/flag.php, which gives a clue, then continue reading /etc/hosts to get the internal network address. Having the network segment, we continue scanning and find that only 172.18.0.1|2|3 are reachable.
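As an added example (not the challenge's own code), a hardened version of the fetcher. The original check fails twice over: `if($pos)` treats a match at offset 0 as false, and the blocklisted substring can be encoded (the %2570 trick above), so the fix is to allowlist in PHP and in libcurl itself. The function name, the public-HTTP(S)-only policy and IPv4-only resolution are assumptions.

```php
<?php
// Added example, not the challenge code: a hardened replacement for the
// strpos() filter above. Function name, the "public HTTP(S) only" policy
// and IPv4-only resolution are assumptions about what the fetcher should do.

function fetch_public_url(string $x): string
{
    $parts = parse_url($x);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    // Allowlist schemes instead of blocklisting a substring: gopher://, dict://
    // and file:// are refused here no matter how the URL is encoded.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    // Resolve the host and refuse loopback, private and reserved ranges so the
    // request cannot be aimed at 127.0.0.1 or the 172.18.0.0/16 segment.
    $ip = gethostbyname($parts['host']);   // returns the name unchanged on failure
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
                     FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($ok === false) {
        throw new InvalidArgumentException('host is not a public address');
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $x);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Pin the connection to the address just checked (closes the gap between
    // this lookup and libcurl's own), and tell libcurl itself to refuse every
    // protocol except HTTP(S), for redirects too.
    curl_setopt($ch, CURLOPT_RESOLVE, [$parts['host'] . ':' . $port . ':' . $ip]);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);  // a 302 to an internal
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);             // host would skip the checks
    $result = curl_exec($ch);
    curl_close($ch);
    if ($result === false) {
        throw new RuntimeException('request failed');
    }
    return $result;
}
```

Pinning with CURLOPT_RESOLVE matters because a host can resolve to a public address for the check and to an internal one a moment later.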
http://101.71.29.5:10012/?x=http://172.18.0.2
The result is returned as shown below; there is an LFI vulnerability.
This is only the result for port 80. Looking at the other ports, we see that port 25 is also open, which corresponds to the smtp service.
So one naturally thinks of using the gopher protocol to talk to smtp, combined with the LFI vulnerability found earlier: use gopher to send mail through smtp, leave a one-line webshell in the mail log, then include the log file through the LFI to get a webshell.
With the idea clear, we start executing. First generate the payload with the gopherus script (https://github.com/tarunkant/Gopherus, which has detailed usage instructions). Change 127.0.0.1:25 to the internal network address, URL-encode it and send it.
Then we include the log file. For that we need the location of the smtp log; on linux the mail log path is generally one of:
- /var/log/maillog
- /var/log/mail.log
- /var/adm/maillog
- /var/adm/syslog/mail.log
Then we connect directly with Chopper and read the flag.
0x04 summary
1. https://bugs.php.net is a site that lists php bugs. For example, we can search it with Google syntax:
site: [https://bugs.php.net](https://bugs.php.net) strpos
2. With ssrf, generally first detect hosts, then detect ports, identify the corresponding service, and then use the corresponding payload.
0x05 link
The challenge environment was closed when I reproduced it, so the screenshots are taken directly from another master's writeup; the link is posted here, forgive me!
link