nginx/1.18.0PHP/7.3.22

    1. <?php
    2. error_reporting(0);
    3. highlight_file(__FILE__);
    4. $url=$_POST['url'];
    5. $x=parse_url($url);
    6. if($x['scheme']==='http'||$x['scheme']==='https'){
    7. if(!preg_match('/localhost|127.0.0/')){
    8. $ch=curl_init($url);
    9. curl_setopt($ch, CURLOPT_HEADER, 0);
    10. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    11. $result=curl_exec($ch);
    12. curl_close($ch);
    13. echo ($result);
    14. }
    15. else{
    16.     die('hacker');
    17. }
    18. }
    19. else{
    20.     die('hacker');
    21. }
    22. ?>

    分析:
    协议必须是 http/https ,但过滤了 localhost 和 127.0.0

    poc

    1. url=http://127.0.0.1/flag.php

    preg_match 没传参可还行。。因为有 error_reporting(0) ,报错的地方恒为 False
    image.png
    flag
    ctfshow{db8a37d7-f045-4113-8a75-379ad1cd8936}