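Vulnerable code example: the following feature fetches data with curl.

```
<?php
if (isset($_POST['url'])) {
    // User-controlled URL is passed to curl without any validation
    $link = $_POST['url'];
    $filename = 'D:\xampp\htdocs\test\upload\txt' . rand() . '.txt';

    // Fetch the URL and write the response body to a file
    $curlobj = curl_init($link);
    $fp = fopen($filename, "w");
    curl_setopt($curlobj, CURLOPT_FILE, $fp);
    curl_setopt($curlobj, CURLOPT_HEADER, 0);
    curl_exec($curlobj);
    curl_close($curlobj);
    fclose($fp);

    // Read the saved response back and echo it to the client
    $fp = fopen($filename, "r");
    $result = fread($fp, filesize($filename));
    fclose($fp);
    echo $result;
}
?>
```

```
<!DOCTYPE html>
<html>
<head>
    <title>ssrf</title>
</head>
<body>
    <center>
        <form name="input" action="http://localhost/test/ssrf.php" method="POST">
            <input type="text" name="url">
            <input type="submit" value="Submit">
        </form>
    </center>
</body>
</html>
```

1. Service probing

Host B, at the IP marked in red, is on the same internal network as the local machine A.

![](/upload/attach/201801/201801041802_nz7zl5q9khgk084.jpg)

After clicking submit:

![](/upload/attach/201801/201801041803_9osn5zgyczu9vmz.jpg)

Host B is meant to be reachable only from the internal network. Because the code that requests resources with curl is vulnerable, host A, which is exposed to the external network, can directly request resources from host B on the same internal network, which allows internal application services to be probed.

2. Reading local files

`file:///C:/Windows/win.ini` (on Linux, read `/etc/passwd`)

![](/upload/attach/201801/201801041803_1n701xgk2u2hjwc.jpg)

3. Requesting an open port of a non-HTTP service, which returns banner information

`request:http://ip:22/1.txt`

![](/upload/attach/201801/201801041803_gljqlz3hx6zofxv.jpg)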
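A hardened counterpart to the fetch above, as an added example that is not part of the original post: it closes the three behaviours shown (internal host probing, `file://` reads, banner grabbing on non-HTTP ports). The names `safe_fetch` and `is_public_ip` are hypothetical, and the policy (http/https only, ports 80/443, public IPv4 targets) is an assumption.

```php
<?php
// Added example, not the original post's code. Function names are hypothetical;
// assumed policy: http/https only, ports 80/443, public IPv4 targets.
function is_public_ip(string $ip): bool
{
    // Rejects 10/8, 172.16/12, 192.168/16 (private) and 127/8, 0/8, 169.254/16, 240/4 (reserved).
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}
function safe_fetch(string $url): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Blocks file:// (local file read) and odd ports such as :22 (banner grabbing).
    if (!in_array($scheme, ['http', 'https'], true) || $host === '' || !in_array($port, [80, 443], true)) {
        throw new InvalidArgumentException('URL not allowed');
    }
    // Resolve once and require every address to be public (blocks internal host B).
    $ips = gethostbynamel($host) ?: [];
    if ($ips === [] || count(array_filter($ips, 'is_public_ip')) !== count($ips)) {
        throw new InvalidArgumentException('host not allowed');
    }
    // Rebuild the URL from the validated parts so curl parses exactly what was checked.
    $query  = isset($parts['query']) ? '?' . $parts['query'] : '';
    $target = "$scheme://$host:$port" . ($parts['path'] ?? '/') . $query;
    $ch = curl_init($target);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point back inside
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"], // pin the checked address
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed');
    }
    return $body;
}
if (isset($_POST['url'])) {
    try {
        header('Content-Type: text/plain; charset=utf-8');
        echo safe_fetch($_POST['url']);
    } catch (Throwable $e) {
        http_response_code(400);
        echo 'request rejected';
    }
}
```

The PHP filter flags do not cover every non-public range (for example 100.64.0.0/10), so a deployment with such ranges needs an explicit deny list or, better, an allow list of permitted destinations.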
