[HITCON 2017]SSRFme

[HITCON 2017]SSRFme

Come to the point , Enter the page and give it directly php Code ：

10.244.80.206 <?php
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $http_x_headers = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
    }

    echo $_SERVER["REMOTE_ADDR"];

    $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
    @mkdir($sandbox);
    @chdir($sandbox);

    $data = shell_exec("GET " . escapeshellarg($_GET["url"]));
    $info = pathinfo($_GET["filename"]);
    $dir  = str_replace(".", "", basename($info["dirname"]));
    @mkdir($dir);
    @chdir($dir);
    @file_put_contents(basename($info["basename"]), $data);
    highlight_file(__FILE__);

The audit code knows , Back to my ip, And orange Combine md5 Encrypted to get sandbox route

Path is ：/sandbox/2eeed2f9aeae6311b507ada8fb98809e/

adopt url Input will GET Command execution , After execution, it will be saved to us with filename In named file , Try to read the root directory , And create a file ：payload：/?url=/&filename=a, Then return to the path to view the content , Found out flag and readflag, It should be through readflag To read flag

GET The bottom layer actually uses open function ,open Function can execute commands , In short, if we want to use GET file:|id, You have to meet id This file exists . We need to implement /readflag, So you need to create a /readflag file , structure payload：/?url=/&filename=|/readflag

And then use it file Function executes the command to construct again payload：/?url=file:|/readflag&filename=a, After execution, return to the path again to check flag