[NCTF2019]True XML cookbook

之前做过类似的题

XXE

直接读取根目录的flag

]>

	
	&xee;
	
	
	123123
	

1
2
3
4
5
6
7
8
9
10
11
12

报错了

爆出了绝对路径

读一下doLogin.php的源码

]>

	
	&xee;
	
	
	123123
	

1
2
3
4
5
6
7
8
9
10
11
12

读取不了，换个协议

]>

	
	&xee;
	
	
	123123
	

1
2
3
4
5
6
7
8
9
10
11
12

得到

PD9waHAKLyoqCiogYXV0b3I6IGMwbnkxCiogZGF0ZTogMjAxOC0yLTcKKi8KCiRVU0VSTkFNRSA9ICdhZG1pbic7IC8v6LSm5Y+3CiRQQVNTV09SRCA9ICcwMjRiODc5MzFhMDNmNzM4ZmZmNjY5M2NlMGE3OGM4OCc7IC8v5a+G56CBCiRyZXN1bHQgPSBudWxsOwoKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7CiR4bWxmaWxlID0gZmlsZV9nZXRfY29udGVudHMoJ3BocDovL2lucHV0Jyk7Cgp0cnl7CgkkZG9tID0gbmV3IERPTURvY3VtZW50KCk7CgkkZG9tLT5sb2FkWE1MKCR4bWxmaWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CgkkY3JlZHMgPSBzaW1wbGV4bWxfaW1wb3J0X2RvbSgkZG9tKTsKCgkkdXNlcm5hbWUgPSAkY3JlZHMtPnVzZXJuYW1lOwoJJHBhc3N3b3JkID0gJGNyZWRzLT5wYXNzd29yZDsKCglpZigkdXNlcm5hbWUgPT0gJFVTRVJOQU1FICYmICRwYXNzd29yZCA9PSAkUEFTU1dPUkQpewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDEsJHVzZXJuYW1lKTsKCX1lbHNlewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDAsJHVzZXJuYW1lKTsKCX0JCn1jYXRjaChFeGNlcHRpb24gJGUpewoJJHJlc3VsdCA9IHNwcmludGYoIjxyZXN1bHQ+PGNvZGU+JWQ8L2NvZGU+PG1zZz4lczwvbXNnPjwvcmVzdWx0PiIsMywkZS0+Z2V0TWVzc2FnZSgpKTsKfQoKaGVhZGVyKCdDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD11dGYtOCcpOwplY2hvICRyZXN1bHQ7Cj8+
1

base64解码得到

/**
* autor: c0ny1
* date: 2018-2-7
*/

$USERNAME = 'admin'; //账号
$PASSWORD = '024b87931a03f738fff6693ce0a78c88'; //密码
$result = null;

libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');

try{
	$dom = new DOMDocument();
	$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
	$creds = simplexml_import_dom($dom);

	$username = $creds->username;
	$password = $creds->password;

	if($username == $USERNAME && $password == $PASSWORD){
		$result = sprintf("%d%s",1,$username);
	}else{
		$result = sprintf("%d%s",0,$username);
	}	
}catch(Exception $e){
	$result = sprintf("%d%s",3,$e->getMessage());
}

header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

看到有个账号密码，登录上去

登录之后啥也没有

使用XXE探测内网存活主机，我们分别读取关键文件：/etc/hosts 和 /proc/net/arp：

]>

	
	&xee;
	
	
	123123
	

1
2
3
4
5
6
7
8
9
10
11
12

]>

	
	&xee;
	
	
	123123
	

1
2
3
4
5
6
7
8
9
10
11
12

访问

]>

	
	&xee;
	
	
	123123
	

1
2
3
4
5
6
7
8
9
10
11
12

发包然后发现回显有报错

扫一下c段

然后通过返回包的长度找到flag（思路如此，但我没找到，看到有人说可能是返回包的问题，写了脚本去跑，我试了一下，也不行）