[2025-07-15] Web-SSRF

🦥 본문

#!/usr/bin/python3
from flask import (
    Flask,
    request,
    render_template
)
import http.server
import threading
import requests
import os, random, base64
from urllib.parse import urlparse

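app = Flask(__name__)
# Fresh random key per process: sessions would not survive a restart, but no
# route in this file uses the session, so that is harmless here.
app.secret_key = os.urandom(32)

# FLAG is read into memory but never returned by any Flask route below. It is
# reachable only indirectly: the SimpleHTTPRequestHandler started further down
# serves the process's working directory (where ./flag.txt lives) on a
# loopback-only port, and /img_viewer can be made to fetch from it.
try:
    with open("./flag.txt", "r") as fh:
        FLAG = fh.read()  # Flag is here!!
except (OSError, ValueError):
    # Missing/unreadable or undecodable flag file -> placeholder. The original
    # bare ``except`` also swallowed unrelated errors (KeyboardInterrupt, bugs).
    FLAG = "[**FLAG**]"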

@app.route("/")
def index():
    """Landing page: render the static ``index.html`` template."""
    page = render_template("index.html")
    return page

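@app.route("/img_viewer", methods=["GET", "POST"])
def img_viewer():
    """Render the image viewer; on POST fetch the submitted URL server-side.

    Form field ``url`` (POST only):
      * a value beginning with ``/`` is rewritten to ``http://localhost:8000``
        + path, i.e. it can only reach this Flask app itself;
      * a value whose netloc contains the literal ``localhost`` or
        ``127.0.0.1`` is refused and ``error.png`` is shown;
      * anything else is fetched with ``requests.get`` (3 s timeout) and the
        raw body is embedded base64-encoded in the template. Fetch failures
        also fall back to ``error.png``.

    Returns the rendered ``img_viewer.html`` response.

    NOTE(review): the deny-list is a case-sensitive substring test on the
    netloc, while hostnames resolve case-insensitively (``Localhost:<port>``
    passes) and only two spellings of loopback are covered at all. Together
    with the SimpleHTTPRequestHandler bound on 127.0.0.1:1500-1800 below this
    is the SSRF the challenge is built around, so it is deliberately kept.
    """
    if request.method == "GET":
        return render_template("img_viewer.html")

    url = request.form.get("url", "")
    netloc = urlparse(url).netloc

    # startswith() instead of url[0]: an empty "url" field used to raise
    # IndexError (HTTP 500); it now falls through to the fetch, which fails
    # and shows error.png like any other unfetchable value.
    if url.startswith("/"):
        url = "http://localhost:8000" + url
    elif "localhost" in netloc or "127.0.0.1" in netloc:
        return render_template("img_viewer.html", img=_error_image_b64())

    try:
        # Only network/protocol failures are expected here; the previous bare
        # ``except`` also hid programming errors behind the error image.
        data = requests.get(url, timeout=3).content
    except requests.RequestException:
        img = _error_image_b64()
    else:
        img = base64.b64encode(data).decode("utf8")
    return render_template("img_viewer.html", img=img)


def _error_image_b64():
    """Return ``error.png`` base64-encoded as str (the fallback image body)."""
    with open("error.png", "rb") as fh:
        return base64.b64encode(fh.read()).decode("utf8")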

# Second HTTP server, bound to loopback only. SimpleHTTPRequestHandler with no
# ``directory`` argument serves the process's working directory -- the same
# place flag.txt is read from above -- so anything that can make a request
# from this host (e.g. /img_viewer) can download it. The port is drawn from a
# 301-value range, so its secrecy is weak: one request per candidate port
# enumerates it.
local_host = "127.0.0.1"
local_port = random.randint(1500, 1800)
local_server = http.server.HTTPServer(
    server_address=(local_host, local_port),
    RequestHandlerClass=http.server.SimpleHTTPRequestHandler,
)

def run_local_server():
    """Thread target: block forever serving requests on ``local_server``."""
    serve = local_server.serve_forever
    serve()

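# Run the loopback-only file server on a background daemon thread so it exits
# with the process; the main thread blocks in app.run() below.
# threading.Thread replaces threading._start_new_thread, an undocumented
# private alias of _thread.start_new_thread.
server_thread = threading.Thread(target=run_local_server, name="local-http", daemon=True)
server_thread.start()

# Public entry point: listens on every interface (0.0.0.0), port 8000. Anything
# this host can reach -- including the 127.0.0.1 server started above -- is
# thereby reachable to remote clients through /img_viewer.
app.run(host="0.0.0.0", port=8000, threaded=True)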

  • 코드만 봐서는 FLAG가 어디로 노출되는지 몰랐지만, 같은 디렉터리에 flag.txt가 있는 것을 보고 SSRF로 백엔드(내부 서버)에서 flag.txt에 접근해야 한다는 것을 깨달았다.

image.png

  • static/dream.png는 잘 접근되는데 flag.txt는 접근이 안 돼서 의문이었다. `/`로 시작하는 url은 코드에서 `http://localhost:8000` 뒤에 붙여지므로 8000 포트의 Flask 앱으로만 요청이 가고, Flask 앱은 flag.txt를 제공하지 않기 때문이다.
  • 그래서 찾아보니 static 폴더는 8000 포트로 접근 가능하지만 flag.txt는 127.0.0.1에만 바인딩된 내부 서버(SimpleHTTPRequestHandler, 현재 디렉터리를 그대로 서빙)를 통해서 접근해야 한다는 것을 알았다. 즉 1500~1800 포트 중 하나로 접근해야 한다. 그러려면 `localhost`/`127.0.0.1`을 막는 위의 elif 필터를 우회해야 하는데, 이 검사는 netloc에 대한 대소문자를 구분하는 부분 문자열 비교(`"localhost" in urlp.netloc`)인 반면 호스트명 해석은 대소문자를 구분하지 않으므로 `Localhost`처럼 대문자를 섞어 쓰면 필터는 통과하고 요청은 그대로 루프백으로 간다.
  • 내부 서버의 포트는 1500~1800 사이에서 랜덤으로 정해지므로(후보 301개) 포트를 하나씩 바꿔 보내는 무차별 대입이 필요하다.

풀이

  • Burp Suite를 사용했다.
  • url의 포트 값을 1500부터 1800까지 바꿔가며 요청을 보냈다.

image.png

응답 length가 다른 포트는 1543이었다. 나머지 포트는 연결이 거부되어 모두 같은 error.png가 반환되므로 길이가 같고, 실제 서버가 떠 있는 포트만 길이가 달라진다. response를 확인하니

image.png

응답의 src 속성에 error.png가 아닌 다른 base64 값이 들어 있었고, 이를 base64 디코딩하니 flag를 얻을 수 있었다.
