May 2021

First, capture a request and take a look

https://i0.hdslb.com/bfs/article/0577324bc2c5d9ae61125f65a6c0f458e688882b.png

https://i0.hdslb.com/bfs/article/bf3cec32dc7b29cdf1ed76f51628cffd73ef264a.png

I found that the server identifies itself as Apache/2.2.15 (CentOS), so I went and looked up known vulnerabilities for that version

https://i0.hdslb.com/bfs/article/e0865d88d7d903199e8cd7020a41d5fbfc0a8910.png

https://i0.hdslb.com/bfs/article/222ae74f603df623c1c27e17041913310175bdc7.png

Then, by analyzing the page source, I found that the file directories could be browsed directly (directory listing)

https://i0.hdslb.com/bfs/article/4ee7af721b9110e9c7b617da8c4dd57c8703d374.png

https://i0.hdslb.com/bfs/article/b080cd1d1e07bfe4dab1294475589c6ade5ec332.png

I looked through the contents of those directories and found no sensitive files. Being a lazy dog, I did not go after the other vulnerabilities; instead I read other people's writeups and found that the sensitive PHP file was referenced right in the homepage source

https://i0.hdslb.com/bfs/article/9a8b4c012364c196ec482ef224bf8cfd94a53a9d.png

Visiting it showed that extra request headers were required

https://i0.hdslb.com/bfs/article/c17eda263b0222c78c305eaea9197dea2895c6b9.png

https://i0.hdslb.com/bfs/article/f96a59e74505e27dd32bb577669e4df7f877a9f5.png

Add the first request header, Referer

Then it reported that the "Syclover" browser was required

https://i0.hdslb.com/bfs/article/932bc89de3ded151671becede01938e7600e6643.png

https://i0.hdslb.com/bfs/article/da4413f3fe2234f53a24828e36e26ec597f27706.png

So we add the second request header, User-Agent

Who knew it would then report that the page had to be accessed locally; this is where I got stuck.

By consulting the documentation I found that an X-Forwarded-For header could be added to make the request appear to come from localhost

https://i0.hdslb.com/bfs/article/d65fcb895280a37efc077ce76ff84a5e4438d9dd.png

https://i0.hdslb.com/bfs/article/48aa10f14145688fd32235dad96b4686cff97411.png

https://i0.hdslb.com/bfs/article/8700539c12c172cd77994e264808ea52fef9cc09.png

Here, add the third request header, X-Forwarded-For

Finally, the flag was obtained

https://i0.hdslb.com/bfs/article/7e384546ef1f2e8f5fe936b3824aaf5d79424027.png

https://i0.hdslb.com/bfs/article/02db465212d3c374a43c60fa2625cc1caeaab796.png

Below is a technical summary of this challenge

  1. It tests searching for sensitive file names and sensitive field names
  2. It tests understanding of HTTP request headers
  3. Referer: the referring page, i.e. the page visited immediately before this one
  4. User-Agent: the browser identification; common browsers such as Google Chrome, Firefox and Safari each send their own characteristic value for this header
  5. X-Forwarded-For: a de facto standard for identifying the originating Internet address of a client that connects to a web server through an HTTP proxy or load balancer (Wikipedia, "List of HTTP header fields")
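The third check in the challenge trusts a client-supplied X-Forwarded-For as proof of local access, which is exactly why adding the header works. As an added example that is not part of the original writeup, here is that naive check beside a hardened one that honours X-Forwarded-For only when the TCP peer is one of the site's own reverse proxies; the proxy range and every address used are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: the only hosts whose X-Forwarded-For we believe are
# our own reverse proxies in this range; every other TCP peer is untrusted.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 or ::1; malformed input counts as not local."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False

def _is_trusted_proxy(addr: str) -> bool:
    try:
        return any(ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def naive_is_local(headers: dict, remote_addr: str) -> bool:
    """The pattern the challenge relies on: the left-most X-Forwarded-For
    entry, which is whatever the client typed, is believed as-is."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return _is_loopback(claimed)

def effective_client_ip(headers: dict, remote_addr: str) -> str:
    """Walk X-Forwarded-For from the right, one hop per trusted proxy.

    Each proxy appends the address it saw, so the right-most entries were
    written by our proxies and the left-most by the client. Stop at the first
    address that is not one of our proxies; anything further left is ignored."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    candidate = remote_addr
    while hops and _is_trusted_proxy(candidate):
        candidate = hops.pop()
    return candidate

def hardened_is_local(headers: dict, remote_addr: str) -> bool:
    """Local only if the address vouched for by our own proxies is loopback."""
    return _is_loopback(effective_client_ip(headers, remote_addr))

if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}  # constructed request header
    # naive: True (header believed); hardened: False (peer is not our proxy)
    print(naive_is_local(spoof, "203.0.113.5"), hardened_is_local(spoof, "203.0.113.5"))
```

The same walk also strips a forged entry that reaches the proxy first: with "127.0.0.1, 198.51.100.7" arriving from a trusted proxy, only 198.51.100.7 is believed.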