XML & XXE
About XML
References
1. Well-formed XML
- http://www.cnblogs.com/mengdd/archive/2013/05/27/3100884.html
2. Valid XML
- http://www.cnblogs.com/mengdd/archive/2013/05/28/3102893.html
3. DTD in detail
XXE
Silly me… I finally understand that XXE means introducing external entities.
External entity syntax (实体名 is the placeholder for the entity name):
<!ENTITY 实体名 SYSTEM "URI/URL">
DTD
<!ENTITY writer SYSTEM "http://www.baidu.com/index.php?tn=coralqq">
<!ENTITY copyright SYSTEM "http://www.baidu.com/index.php?tn=coralqq">
XML
&writer;&copyright;
XXE example
<!ENTITY file SYSTEM "file:///etc/passwd">
<username>&file;</username>
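Added here as a defensive example (not code from the original post or the linked blogs): a Python xml.sax parser with external entity resolution switched off, run against a constructed document of the same shape as the example above. XXE_SAMPLE, CLEAN_SAMPLE, TextCollector and parse_untrusted are names assumed by this example.

```python
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample (not a real request) with the same shape as the example
# above: an external entity pointing at a local file, referenced in <username>.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data><username>&file;</username></data>"""

# Constructed benign input for comparison.
CLEAN_SAMPLE = "<data><username>alice</username></data>"


class TextCollector(ContentHandler):
    """SAX handler that records the character data found under each element."""

    def __init__(self):
        super().__init__()
        self.text = {}      # element name -> concatenated text
        self._stack = []    # currently open elements

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def endElement(self, name):
        self._stack.pop()

    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content


def parse_untrusted(xml_text, allow_doctype=False):
    """Parse untrusted XML without resolving external entities.

    Strict mode (default) rejects any DOCTYPE, the only place entities can be
    declared; otherwise &file; is simply left unexpanded and yields no text.
    """
    if not allow_doctype and "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # expat never reads these anyway
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.feed(xml_text)
    parser.close()
    return collector.text
```

In the tolerant mode the parsed <username> comes back empty rather than holding the file contents; the strict mode is the one to use for application input, where a DTD has no legitimate purpose.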
Learning blog attached:
http://blog.csdn.net/qq_19876131/article/details/51831522
XXE
http://www.secpulse.com/archives/850.html
http://www.secpulse.com/archives/6256.html
https://www.secpulse.com/archives/6392.html