Simple Web 0x24(Lab - how2http)

Posted on 2024-01-31 | Post modified | In Security/Course/NTUST WS/Beginner |

Simple Web 0x24(Lab - how2http)

Source code

<?php
show_source(__FILE__);

include("flag.php");

if (!empty($_SERVER["HTTP_CLIENT_IP"])){
    $ip = $_SERVER["HTTP_CLIENT_IP"];
} elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])){
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
    $ip = $_SERVER["REMOTE_ADDR"];
}
if ($_COOKIE['user'] !== 'admin') die("Not admim");

if( $_SERVER["REQUEST_METHOD"] !== "FLAG" ) die("u don't need flag?");


if ($ip === "127.0.0.1") echo $FLAG;
else echo "NOPE!";
?>

Recon

主要是參考之前寫過的PicoCTF - Who are you?和PicoCTF - Who are you?，按照source code我們需要更改一些header讓他可以被forge然後bypass這些條件，首先是IP，他其實給的很寬鬆，還有X-Forwarded-For的header可以用，就直接==X-Forwarded-For: 127.0.0.1==；另外，cookie的user要等於admin→==Cookie: user=admin==；再來，request method要等於FLAG→==FLAG / HTTP/1.1==

Exploit

Flag: FLAG{b4by_httttp!}

Reference

X-Forwarded-For

Post author: SBK6401
Post link: https://bernie6401.github.io/security/course/ntust%20ws/beginner/2024/01/31/Simple-Web-0x24(Lab-how2http)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.