Simple Web 0x23(Lab - XXE)

Posted on 2023-02-09 | Post modified | In Security/Course/NTU CS/Web |

Simple Web 0x23(Lab - XXE)

tags: `NTUSTWS` `CTF` `Web`

Challenge: http://h4ck3r.quest:8604/

Background

XML Tree XML Parser AJAX - Server Response XML DTD

输入流 php://input

php://input可以读取没有处理过的POST数据。

Day 18：Stream 概述

php://input 取得所有的 input 通常來源於 HTTP body，值得注意的是，由這個 Stream 取得的內容是 Raw Body，所以需要自行解析。

來自外部的威脅-XXE漏洞攻擊成因 :::spoiler XXE course lecture

::: :::spoiler exploit type

:::

Source code

<?php
   $xmlfile = urldecode(file_get_contents('php://input'));
   if (!$xmlfile) die(show_source(__FILE__));

   $dom = new DOMDocument();
   $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
   $creds = simplexml_import_dom($dom);
   $user = $creds->user;
   echo "You have logged in as user $user";
?>

Exploit - XXE

Normal Usage in this webpage

Reference

Post author: SBK6401
Post link: https://bernie6401.github.io/security/course/ntu%20cs/web/2023/02/09/Simple-Web-0x14(Lab-XXE)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.

Simple Web 0x23(Lab - XXE)

tags: NTUSTWS CTF Web

Background

Source code

Exploit - XXE

Reference

tags: `NTUSTWS` `CTF` `Web`