首先服务器是如何知道我的ip的呢,猜想可能是XFF或Client-IP这两个header. 抓个包 发现是通过XFF
参考了一下这位师傅的博客. PHP的模板注入(Smarty模板)
看看flag.php源代码是啥.
<?php require_once('header.php'); require_once('./libs/Smarty.class.php'); $smarty = new Smarty(); if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip=$_SERVER['HTTP_CLIENT_IP']; } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip=$_SERVER['REMOTE_ADDR']; } //$your_ip = $smarty->display("string:".$ip); echo "<div class=\"container panel1\"> <div class=\"row\"> <div class=\"col-md-4\"> </div> <div class=\"col-md-4\"> <div class=\"jumbotron pan\"> <div class=\"form-group log\"> <label><h2>Your IP is : "; $smarty->display("string:".$ip); echo " </h2></label> </div> </div> </div> <div class=\"col-md-4\"> </div> </div> </div>"; ?> $smarty->display("string:".$ip);这里没做过滤使用了smarty引擎直接显示.
