Htlab_Weekly_Ctf_16

A somewhat unusual SSRF

The page echoes 127.0.0.1, and the response says you need to POST an admin parameter.
It then says you need to log in.
Change it to admin=1.
After some trial and error it turned out that the X-Client-IP header is what it checks. For this kind of problem you do not actually need to go to that much trouble: just add X-Forwarded-For, X-Client-IP and X-Real-IP all at once. The response then hints that you should read the source code.

<?php
// /opt/flag.txt

// Fetch a URL with the system curl binary. escapeshellarg() stops shell
// injection, but curl still honours every scheme it supports (file://, etc.).
function getUrlContent($url){
    // $url = safe($url);
    $url = escapeshellarg($url);
    $pl = "curl ".$url;
    // echo $pl;
    $content = shell_exec($pl);
    return $content;
}

echo "you need to login as admin!";
echo "";
if(isset($_POST['admin']))
{
    if($_POST['admin']==1)
    {
        // Only the presence of the header is checked; it is fully client-controlled.
        if(!empty($_SERVER['HTTP_X_CLIENT_IP']))
        {
            echo "fileread source.txt";
            if (isset($_POST['handler'])&&!empty($_POST['handler']))
            {
                $url = $_POST['handler'];
                $content_url = getUrlContent($url);
                echo $content_url;
            }
        }
        else
        {
            echo "only 127.0.0.1 can get the flag!!";
        }
    }else
    {
        $_POST['admin']=0;
    }
}
?>

So all that is left is to read /opt/flag.txt: pass a file:// URL as the handler and the flag comes back in the response.
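For contrast, here is how the two weaknesses above would be closed on the defending side. This is an added example, not the challenge's code: the function names, the scheme allowlist and the use of the curl extension instead of shell_exec are my assumptions.

```php
<?php
// Added example (not the challenge's own code): a hardened fetcher and a
// loopback check that cannot be satisfied by a client-supplied header.

// Only http(s) is accepted, and curl itself is told to refuse every other
// scheme, so file://, gopher:// and friends never reach the filesystem.
function getUrlContentSafe(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                        // file:// etc. rejected up front
    }
    // Resolve the host and refuse loopback/private/link-local targets so
    // the fetcher cannot be pointed back at internal services.
    $ip = gethostbyname($parts['host']);    // returns the name unchanged on failure
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect could re-target an internal host
        CURLOPT_TIMEOUT         => 5,
    ]);
    $content = curl_exec($ch);
    curl_close($ch);
    return $content === false ? null : $content;
}

// The challenge trusted X-Client-IP, which any client can set. The address
// the TCP connection actually came from is REMOTE_ADDR.
function isLoopbackClient(): bool
{
    return in_array($_SERVER['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true);
}
```

The pre-resolution check and curl resolve the name independently, so a rebinding DNS name can still slip past it; the CURLOPT_PROTOCOLS restriction is the part that closes the file:// read used above.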
