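First, how does the server know my IP? My guess is one of two headers: XFF (X-Forwarded-For) or Client-IP.
Capture the request.
It turns out the IP is taken from XFF.
Smarty template injection
I referred to this author's blog post.
Template injection in PHP (Smarty templates)
Let's see what the source of flag.php looks like.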
<?php
require_once('header.php');
require_once('./libs/Smarty.class.php');
$smarty = new Smarty();
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
//$your_ip = $smarty->display("string:".$ip);
echo "<div class=\"container panel1\"><div class=\"row\"><div class=\"col-md-4\"> </div><div class=\"col-md-4\"><div class=\"jumbotron pan\"><div class=\"form-group log\"><label><h2>Your IP is : ";
$smarty->display("string:".$ip);
echo " </h2></label></div> </div></div><div class=\"col-md-4\"> </div></div></div>";
?>
$smarty->display("string:".$ip);
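Nothing is filtered here: the header value is concatenated after "string:" and handed straight to the Smarty engine, so whatever the client sends in Client-IP or X-Forwarded-For is compiled and rendered as template source.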
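
A hardened variant of the same logic, as an added example that is not part of the challenge's code: the template source is a constant and the IP is passed to Smarty as data. The TRUSTED_PROXIES list and the client_ip() helper are hypothetical names introduced here, and the example assumes a single reverse proxy in front of the application.

```php
<?php
// Added example: hardened variant of the flag.php logic (not the challenge's code).
require_once('./libs/Smarty.class.php');

// Assumption: hypothetical list of reverse proxies allowed to set X-Forwarded-For.
const TRUSTED_PROXIES = ['127.0.0.1'];

// Hypothetical helper: returns a validated IP literal or the string "unknown".
function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Honour X-Forwarded-For only when the direct TCP peer is a known proxy.
    // Client-IP is ignored entirely: any client can set it.
    if (in_array($remote, TRUSTED_PROXIES, true)
        && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Proxies append to the header, so the right-most entry is the one
        // written by our own proxy; entries to its left are client-supplied.
        $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($parts);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }

    // Fall back to the peer address; accept nothing that is not an IP literal.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : 'unknown';
}

$smarty = new Smarty();

// The template is a fixed string. The IP reaches Smarty as an assigned
// variable, so it is never compiled as template code, and it is HTML-escaped
// on output.
$smarty->assign('ip', client_ip($_SERVER));
$smarty->display('string:<h2>Your IP is : {$ip|escape:"html"}</h2>');
```

Either control alone would close this bug; validating the value with FILTER_VALIDATE_IP and keeping request data out of the template source together also cover the case where another code path later reuses $ip.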