Simple Web 0x24(Lab - how2http)

Posted on 2024-01-31 | Post modified | In Security Course｜NTUST WS｜Beginner |

Simple Web 0x24(Lab - how2http)

Source code

<?php
show_source(__FILE__);

include("flag.php");

if (!empty($_SERVER["HTTP_CLIENT_IP"])){
    $ip = $_SERVER["HTTP_CLIENT_IP"];
} elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])){
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
    $ip = $_SERVER["REMOTE_ADDR"];
}
if ($_COOKIE['user'] !== 'admin') die("Not admim");

if( $_SERVER["REQUEST_METHOD"] !== "FLAG" ) die("u don't need flag?");


if ($ip === "127.0.0.1") echo $FLAG;
else echo "NOPE!";
?>

Recon

主要是參考之前寫過的PicoCTF - Who are you?和Challenge-picobrowser，按照source code我們需要更改一些header讓他可以被forge然後bypass這些條件，首先是IP，他其實給的很寬鬆，還有X-Forwarded-For的header可以用，就直接X-Forwarded-For: 127.0.0.1；另外，cookie的user要等於admin→Cookie: user=admin；再來，request method要等於FLAG→FLAG / HTTP/1.1

Exploit

Flag: FLAG{b4by_httttp!}

Reference

X-Forwarded-For

Post author: SBK6401
Post link: https://bernie6401.github.io/Simple-Web-0x24(Lab-how2http)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.