Follows on from: Basic working example of an XXE attack in HTML
Seemed easier to make this follow-up than to try and shoehorn my progress into the previous question. I thought it better to allow the correct answer to that query to appear correct, plain and simple.
I have now evolved my example to the following:

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
    </head>
    <body>
        <p id="xmlOut"></p>
        <script type="application/javascript">
            // XML document with an internal DTD: one external entity (xxe)
            // and one internal entity (bar).
            var xml = `
                <!DOCTYPE foo [
                <!ELEMENT foo ANY>
                <!ENTITY xxe SYSTEM "file:///etc/passwd">
                <!ENTITY bar "test that entity substitution works in general">
                ]>
                <foo>
                    display some text | &bar; | &xxe;
                </foo>
            `;

            // Parse the string with the browser's XML parser.
            var parser = new DOMParser();
            var xmlDoc = parser.parseFromString(xml, "text/xml");

            // Show the first text node of <foo> on the page.
            document.getElementById("xmlOut").innerHTML =
                xmlDoc.getElementsByTagName("foo")[0].childNodes[0].nodeValue;
        </script>
    </body>
    </html>

Here, I'm writing in the XML as a string and parsing it with DOM parser. Everything works as expected, except that the xxe entity is not populated by anything. It does seem possible, as the answerer to the last question stated, that Firefox blocks external entity ... stuff. I also tried substituting in a text file in my home directory and that didn't work either. I also tried giving the path without the file:// prefix. Nothing has worked so far.
I can confirm that the DTD is being parsed and used though, so that's a big step forward.
Any tips appreciated~!
Recommended answer
Seems like most browsers do not load external DTDs, making this type of XXE attack pretty hard to test: Proper use of External DTD for XML
If anyone has any other insight though, feel free to leave an answer or comment!
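
A pre-parse check a defender could run over XML input to see which declared entities are external, shown on the XML string from the question. This is an added example, not code from the question or the answer; `internalSubset` and `classifyEntities` are illustrative names, and only the internal DTD subset is scanned.

```javascript
// Added example; names are illustrative. Lists entity declarations in the DOCTYPE
// internal subset and marks external (SYSTEM/PUBLIC) ones. A scanner, not a parser.
function internalSubset(xml) {
  const start = xml.indexOf("<!DOCTYPE");
  if (start < 0) return "";
  let quote = null, open = -1;
  for (let i = start + 9; i < xml.length; i++) {
    const c = xml[i];
    if (quote) { if (c === quote) quote = null; continue; } // inside a literal
    if (open >= 0 && xml.startsWith("<!--", i)) {            // skip DTD comments
      const close = xml.indexOf("-->", i + 4);
      if (close < 0) break;
      i = close + 2;
      continue;
    }
    if (c === '"' || c === "'") quote = c;
    else if (c === "[" && open < 0) open = i;
    else if (c === ">" && open < 0) return "";               // no internal subset
    else if (c === "]" && open >= 0) return xml.slice(open + 1, i);
  }
  return open >= 0 ? xml.slice(open + 1) : "";               // unterminated: inspect anyway
}

function classifyEntities(xml) {
  const lit = `("[^"]*"|'[^']*')`;
  const re = new RegExp(
    `<!ENTITY\\s+(%\\s+)?([^\\s%;&]+)\\s+` +
    `(?:SYSTEM\\s+${lit}|PUBLIC\\s+${lit}\\s+${lit}|${lit})`, "g");
  const found = [];
  for (const m of internalSubset(xml).matchAll(re)) {
    const systemId = m[3] || m[5];   // SYSTEM literal, or the second PUBLIC literal
    found.push({ name: m[2], parameter: Boolean(m[1]),  // parameter: declared with "%"
      external: Boolean(systemId), target: (systemId || m[6]).slice(1, -1) });
  }
  return found;
}

// Sample input: the XML string from the question above.
const sample = `
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
<!ENTITY bar "test that entity substitution works in general">
]>
<foo>display some text | &bar; | &xxe;</foo>`;
console.log(classifyEntities(sample));
```
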