https://buuoj.cn/challenges#[BJDCTF2020]The%20mystery%20of%20ip

BUUCTF:[BJDCTF2020]The mystery of ip_PHP


BUUCTF:[BJDCTF2020]The mystery of ip_php_02


回显了IP,在hint.php有提示Do you know why i know your ip? 尝试修改X-Forwarded-For

BUUCTF:[BJDCTF2020]The mystery of ip_PHP_03


猜测这里可能是SSTI,输入{{7*7}}

BUUCTF:[BJDCTF2020]The mystery of ip_Smarty_04


确定了是SSTI,尝试{{config}}

BUUCTF:[BJDCTF2020]The mystery of ip_Smarty_05


看报错发现这里应该是PHP的一种比较老的引擎Smarty

查看版本

{$smarty.version}

BUUCTF:[BJDCTF2020]The mystery of ip_php_06


版本是:3.1.34-dev-7

查看Smarty3官方手册:https://www.smarty.net/docs/zh_CN/language.function.if.tpl

BUUCTF:[BJDCTF2020]The mystery of ip_php_07


全部的PHP条件表达式和函数都可以在if内使用,尝试:{if phpinfo()}{/if}

BUUCTF:[BJDCTF2020]The mystery of ip_PHP_08


BUUCTF:[BJDCTF2020]The mystery of ip_php_09