说实话,拿到此题时一眼蒙,就一个URL,打开URL内容如下:fbfK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8R3`.`.
页面上就出一个图 ,WEB的题的确没怎么玩,不知道怎么玩,但可以看出那个图的src是通过url.php去读文件7b3K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6r3k6Q4x3X3g2H3k6h3c8A6P5g2)9J5k6h3y4G2L8g2)9J5c8Y4g2H3L8r3!0S2k6q4)9J5c8Y4c8W2j5h3#2Q4x3V1j5%4y4U0u0Q4x3V1k6@1k6h3q4E0x3U0x3$3y4K6j5J5i4K6u0W2M7r3&6Y4i4K6u0o6i4@1f1@1i4@1t1^5i4K6V1@1i4@1f1$3i4@1t1K6i4@1p5^5i4@1f1&6i4K6R3%4i4K6S2m8i4@1f1@1i4@1t1^5i4@1q4p5i4@1f1$3i4K6W2o6i4K6R3&6i4@1f1@1i4@1t1^5i4K6R3H3i4@1f1@1i4@1t1^5i4@1q4m8i4@1f1&6i4@1p5I4i4@1t1#2i4@1f1&6i4K6W2p5i4@1p5J5i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4K6S2r3i4K6V1H3i4@1f1%4i4@1p5@1i4@1u0m8i4K6t1$3L8s2c8Q4x3@1u0Q4x3U0q4Q4x3X3c8Q4x3X3b7`. phpinfo.php-->
345K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8r3k6A6L8r3g2Q4x3@1q4Q4x3V1k6Q4x3V1k6D9L8$3y4S2L8r3S2G2M7%4c8Q4x3V1k6$3j5i4u0Q4x3V1k6%4N6%4N6Q4x3V1k6Z5N6r3#2D9i4K6u0r3N6i4u0D9i4K6u0W2M7r3S2H3
读到的url.php的内容为:
从url.php的内容可看到,这儿对HOST有检测,传入的URL经parse_url解析后,只有HOST为ctf.pediy.com 或 127.0.0.1 或 localhost 才能通过 检测. 同时可以看到文件中有注释:084K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3 ","get",[],true,5);//get flagac7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3 得到,在本地打开这个页面看到提示:
4eeK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8r3S2@1N6s2m8Q4x3@1q4Q4x3V1k6Q4x3V1j5I4x3U0y4Q4x3X3f1#2y4#2)9J5k6e0t1#2y4q4)9J5k6e0b7J5i4K6u0r3k6X3I4S2k6#2)9J5k6i4m8Z5M7l9`.`.
不过在本地打开这个URL,提示:bc8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3 解析后host是123.57.254.42 ,当然不在白名单中.
构造 yyyy 在 url.php 的 白名单中的 URL:
422K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8o6p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6r3k6Q4x3X3g2H3k6h3c8A6P5g2)9J5k6h3y4G2L8g2)9J5c8W2)9J5k6g2)9J5k6g2)9J5c8X3k6D9j5h3N6Q4x3X3g2H3K9s2l9`. 4d2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8o6p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3@1q4Q4x3V1k6Q4x3V1j5I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3V1k6Q4x3X3g2Q4x3X3g2Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3 cd4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8o6p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3@1q4Q4x3V1k6Q4x3V1k6D9L8$3y4S2L8r3S2G2M7%4c8Q4x3V1k6Q4x3X3g2Q4x3X3g2Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3
上面三个URL都能通过检测 ,在本地打开任意一个,就能拿到flag了:
<html>
<head>
<meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body>
<!--phpinfo.php-->
<img src="url.php?url=fb7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6r3k6Q4x3X3g2H3k6h3c8A6P5g2)9J5k6h3y4G2L8g2)9J5c8Y4g2H3L8r3!0S2k6q4)9J5c8Y4c8W2j5h3#2Q4x3V1j5%4y4U0u0Q4x3V1k6@1k6h3q4E0x3U0x3$3y4K6j5J5i4K6u0W2M7r3&6Y4 ">
</body>
</html>
<html>
<head>
<meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body>
<!--phpinfo.php-->
<img src="url.php?url=fb7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6r3k6Q4x3X3g2H3k6h3c8A6P5g2)9J5k6h3y4G2L8g2)9J5c8Y4g2H3L8r3!0S2k6q4)9J5c8Y4c8W2j5h3#2Q4x3V1j5%4y4U0u0Q4x3V1k6@1k6h3q4E0x3U0x3$3y4K6j5J5i4K6u0W2M7r3&6Y4 ">
</body>
</html>
<?php
function curl_request($url, $data=null, $method='get', $header = array("content-type: application/json"), $https=true, $timeout = 5){
$method = strtoupper($method);
$ch = curl_init();//初始化
curl_setopt($ch, CURLOPT_URL, $url);//访问的URL
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);//只获取页面内容,但不输出
if($https){
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);//https请求 不验证证书
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);//https请求 不验证HOST
}
if ($method != "GET") {
if($method == 'POST'){
curl_setopt($ch, CURLOPT_POST, true);//请求方式为post请求
}
if ($method == 'PUT' || strtoupper($method) == 'DELETE') {
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); //设置请求方式
}
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);//请求数据
}
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header); //模拟的header头
//curl_setopt($ch, CURLOPT_HEADER, false);//设置不需要头信息
$result = curl_exec($ch);//执行请求
curl_close($ch);//关闭curl,释放资源
return $result;
}
$url=$_GET["url"];
$uu=parse_url($url);
$host=isset($uu["host"])?$uu["host"]:"";
$scheme=isset($uu["scheme"])?$uu["scheme"]:"";
if(empty($host)){
die("host is null");
}
if(empty($scheme)){
die("scheme is null");
}
//https://ctf.pediy.com/upload/team/762/team236762.png?
if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){
//echo curl_request("a7dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3 ","get",[],true,5);//get flag
echo curl_request($url,'',"get",[],true,5);
}else{
die("host not allow");
}
?>
<?php
function curl_request($url, $data=null, $method='get', $header = array("content-type: application/json"), $https=true, $timeout = 5){
$method = strtoupper($method);
$ch = curl_init();//初始化
curl_setopt($ch, CURLOPT_URL, $url);//访问的URL
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);//只获取页面内容,但不输出
if($https){
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);//https请求 不验证证书
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);//https请求 不验证HOST
}
if ($method != "GET") {
if($method == 'POST'){
curl_setopt($ch, CURLOPT_POST, true);//请求方式为post请求
}
if ($method == 'PUT' || strtoupper($method) == 'DELETE') {
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); //设置请求方式
}
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);//请求数据
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
