Basic working example of an HTML XXE attack

Updated: 2024-10-25 16:28:27

Problem description

I'm trying to run some tests with XXE attacks in an HTML page, but I'm having trouble coming up with a working example. After looking around the internet for a long time, I came up with this:

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
        <script id="embeddedXML" type="text/xml">
            <!DOCTYPE foo [
                <!ELEMENT foo ANY>
                <!ENTITY xxe SYSTEM "file:///etc/passwd">
            ]>
            <foo>&xxe;</foo>
        </script>
    </head>
    <body>
        <script type="application/javascript">
            alert(document.getElementById('embeddedXML').innerHTML);
        </script>
    </body>
    </html>

But, it doesn't work. The XML inside the script tag doesn't "run", per se, meaning that when the alert pops up, it just displays the xml as plaintext. It doesn't interpret the DOCTYPE header thing and get the information from the listed file.

It's been very hard to google around for this because apparently XML doesn't "run", but something needs to happen where this text is interpreted instead of just written out. I don't know what that thing is, or how to get it working inside an HTML page as written here.

Any tips much appreciated. Thanks!

Recommended answer

See OWASP

Risk factors include:

The application parses XML documents.

Now, script elements are defined (in HTML 4 terms) as containing CDATA, so markup in them (except </script>) has no special meaning. So there is no XML parsing going on there.

Meanwhile alert() deals in strings, not in markup, so there's still no XML parsing going on.

Since you have no XML parser, there's no vulnerability.

In general, if you want XML parsing in the middle of a web page then you need to use JavaScript (e.g. with DOM Parser), but I wouldn't be surprised if it was not DTD aware and so not vulnerable (and even if it was vulnerable then it might well block access to local external entities).
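The answer's point, that the DOCTYPE only matters once something parses the text as XML, shown as an added example that is not part of the original question or answer. It uses Python's standard-library parsers as a stand-in for "an XML parser" outside the browser; the internal-entity document and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# The payload from the question, held as an ordinary string (inert until parsed).
EXTERNAL = """<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""

# Constructed variant: same shape, but the entity is internal,
# so expanding it reads no file.
INTERNAL = """<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY greeting "expanded by the parser">
]>
<foo>&greeting;</foo>"""


def as_parsed(doc):
    """Hand the text to an XML parser and report what it did with the entity."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        # ElementTree does not fetch external entities; it refuses the reference.
        return ("rejected", str(exc))
    return ("parsed", root.text)


def declared_entities(doc):
    """List (name, system_id) for every entity declared in the DOCTYPE.

    system_id is None for internal entities and a URI for external ones,
    which is what an input filter would look at before accepting a document.
    """
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(doc, True)
    return found


if __name__ == "__main__":
    for label, doc in (("internal", INTERNAL), ("external", EXTERNAL)):
        print(label, as_parsed(doc), declared_entities(doc))
```

The internal entity is expanded because a DTD-aware parser processed the DOCTYPE; the external one is declared but never resolved, which is the "DTD aware but blocks external entities" case the answer anticipates.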

Published: 2023-11-06 21:29:20