WeChall - HOST me

Post author: vkkkv
Post link: <a href="https://vkkkv.github.io/wp/WeChall/wechall-host-me/" title="WeChall - HOST me">https://vkkkv.github.io/wp/WeChall/wechall-host-me/
Copyright Notice: All articles in this blog are licensed under <span class="exturl" data-url="aHR0cHM6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL2xpY2Vuc2VzL2J5LW5jLXNhLzQuMC8="> BY-NC-SA unless stating additionally.

Posted on 2026-06-10 In ctf Views: Disqus:

HTTP Host header 攻击。需要利用 Host 头操纵来触发服务器端的虚拟主机访问或密码重置逻辑。

目标 URL 是 /en/challenge/space/host_me/index.php。

普通的 Host 头修改不够——服务器或反向代理通过 X-Forwarded-Host 头来决定实际路由的目标虚拟主机。发送 X-Forwarded-Host: localhost 头部，使服务器认为请求目标是本地服务，从而触发解题条件。

1
2
3

$ curl -b 'WC=...' \
  -H 'X-Forwarded-Host: localhost' \
  'https://www.wechall.net/en/challenge/space/host_me/index.php'

注意 X-Forwarded-Host 不是 --resolve（那是 DNS 解析层面），这里的攻击点位于 HTTP 代理层对上游 Host 的信任。