Common Payload Analysis
It seems like everyone is using this test code:
Using XML to send data:
But when I tried using parameter entities, it seemed that I couldn't carry data:
Nested entities also don't work:
The most commonly used method for carrying data:
Prepare two files on your own VPS; I did the experiment on my local machine.
Start a web service on port 8001 on your local machine.
The content of the local.xml file:
This file reads the data and then sends it to another port, 8887; we then send the payload to the victim's server.
You can then receive the data on port 8887.
Another payload that also works:
DTD file:
Payload sent:
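As an added example (not code from the original post), here is a small Python check a defender could run on inbound XML: it flags the DTD constructs described above (external DTD, parameter entities, external entities and file: reads) and shows a parser that refuses any DOCTYPE, which neutralises all of them at once. The sample documents and the 127.0.0.1:8001/local.xml address are constructed; the port only mirrors the local setup above.

```python
import re
import xml.parsers.expat as expat

# Constructed sample inputs (not from the original post): a harmless document
# and one using the external-DTD / parameter-entity pattern discussed above.
BENIGN = '<?xml version="1.0"?><user><name>alice</name></user>'
SUSPECT = """<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY % remote SYSTEM "http://127.0.0.1:8001/local.xml"> %remote;]>
<data>hello</data>"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_DTD_RE = re.compile(r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# groups: '%' marker (parameter entity), name, SYSTEM/PUBLIC keyword, quoted literal
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(?:(SYSTEM|PUBLIC)\s+)?[\"']([^\"']*)[\"']", re.I)
PARAM_REF_RE = re.compile(r"%[\w.-]+;")

def audit_xml(doc: str) -> list:
    """Return the XXE-relevant DTD constructs present in raw XML text, in order."""
    if not DOCTYPE_RE.search(doc):
        return []  # no DTD at all, so none of the entity tricks above can apply
    findings = ["doctype"]
    if EXTERNAL_DTD_RE.search(doc):
        findings.append("external-dtd")
    for is_param, _name, ident, literal in ENTITY_RE.findall(doc):
        if is_param:
            findings.append("parameter-entity")
        if ident:
            findings.append("external-entity")
            if literal.lower().startswith("file:"):
                findings.append("local-file-read")
    if PARAM_REF_RE.search(doc):
        findings.append("parameter-entity-reference")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order

class DoctypeRejected(ValueError):
    pass

def parse_rejecting_doctype(doc: str) -> list:
    """Parse with expat but refuse any DOCTYPE (same effect as Java's
    disallow-doctype-decl feature); returns the element names encountered."""
    names = []
    parser = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(doc, True)  # raises DoctypeRejected before any entity is resolved
    return names
```

The audit is a triage signal for logs or a WAF rule; the strict parser is the actual fix, since a document with no DOCTYPE cannot declare entities of any kind.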
Error XXE
This method was actually mentioned by p a long time ago: you can trigger an error through three levels of nested XML.
XXE Probe Intranet
Case Analysis
NetDing Cup 2020 fileJava
The vulnerability used is CVE-2014-3529.
Reproduction code:
pom.xml
Exploitation process:
Prepare an Excel file:
Prepare the DTD file:
It will read the file and then send it to port 8887.
Get the flag by listening on that port.
References
This YouTube video explains it well: https://youtu.be/gjm6VHZa_8s?si=rMGJmuSI9XJNtt_S