Linux Server Security: Hardening Web Interfaces to Prevent XXE Attacks
Introduction:
With the widespread use of web applications, server security has become a growing concern for Internet users. In recent years, external entities have become a vehicle for accessing web servers and carrying out malicious actions that can compromise them. Among these, the XXE attack is one of the most common and dangerous attack types. This article explains how XXE attacks work and shows how to harden web interfaces against them, improving the security of Linux servers.
1. What is an XXE attack?
An XXE (XML External Entity) attack exploits a flaw on the server by sending it a maliciously crafted XML document. Using entity expansion and parameter entities, an attacker can read files, execute remote code and perform other malicious operations, obtaining sensitive information and gaining unauthorized access to the server.
The following is a simple XML document that demonstrates an XXE attack:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>
ÉÏÊöXMLÎļþÖУ¬Í¨¹ýʹÓÃÍⲿʵÌåµÄ·½·¨¶ÁÈ¡ÁËЧÀÍÆ÷ÉϵÄ/etc/passwdÎļþ£¬µ¼ÖÂÃô¸ÐÐÅÏ¢±»Ð¹Â¶¡£
¶þ¡¢¼Ó¹ÌWeb½Ó¿ÚÒÔ×èÖ¹XXE¹¥»÷
ΪÁ˱ÜÃâXXE¹¥»÷£¬ÎÒÃÇ¿ÉÒÔ½ÓÄÉÒÔϼ¸¸ö°ì·¨£º
½ûÓÃÍⲿʵÌ壨Disable External Entities£©£º
ΪÁË×èֹʹÓÃʵÌåÀ©Õ¹¾ÙÐÐXXE¹¥»÷£¬ÎÒÃÇ¿ÉÒÔͨ¹ý½ûÓÃÍⲿʵÌåÀ´½â¾ö¡£ÔÚPHPµÄÉèÖÃÎļþphp.iniÖУ¬½«libxml_disable_entity_loaderÉèÖÃΪtrue£¬¼´¿É½ûÓÃÍⲿʵÌå¡£
libxml_disable_entity_loader(true);
ÑéÖ¤Óû§ÊäÈ루Validate User Input£©£º
¹ØÓÚÓû§ÊäÈëµÄXMLÊý¾Ý£¬ÎÒÃÇÒª¾ÙÐÐÑÏ¿áµÄÊäÈëÑéÖ¤£¬È·±£ÊäÈëµÄÊý¾ÝÇкÏÔ¤ÆÚµÄÃûÌ᣿ÉÒÔʹÓÃXML Schema½ç˵Êý¾ÝÀàÐͺͽṹ£¬²¢¶ÔÓû§ÊäÈë¾ÙÐÐУÑé¡£
ÒÔÏÂÊÇÒ»¸ö¼òÆÓµÄʾÀý£¬Õ¹Ê¾ÁËÔõÑùʹÓÃXML SchemaÑéÖ¤Êý¾Ý£º
<?xml version="1.0" encoding="UTF-8"?>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="schema.xsd">
  <data>Valid data</data>
</root>
Use a whitelist to filter entities:
A whitelist restricts which entities are parsed, allowing only predefined entities. One way to do this is to preprocess the XML before parsing and remove any entity definitions that are not needed. Example code:
// Read the raw request body, then strip any <!ENTITY ...> declaration that sits on a single line.
$xml = file_get_contents('php://input');
$xml = preg_replace('/<!ENTITY.*?>/', '', $xml);
The code above uses a regular expression to remove entity definitions from the XML document.
Use a secure XML parsing library:
To prevent XXE attacks, use a secure XML parsing library wherever possible, for example the SimpleXML library in PHP. SimpleXML provides some security mechanisms that help avoid XXE attacks.
// Parse without LIBXML_NOENT: that flag would substitute entities and re-enable XXE.
// LIBXML_NONET forbids network access during parsing; the other two flags suppress
// libxml error and warning output.
$dom = new DOMDocument();
$dom->loadXML($xml, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
In the example above, passing LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING, and deliberately omitting LIBXML_NOENT (which would make DOMDocument substitute entities), keeps the parser from resolving external entities or reaching the network, and suppresses parse error and warning output.
Conclusion:
Preventing XXE attacks is essential to keeping a Linux server secure. By disabling external entities, validating user input, filtering entities with a whitelist and using a secure XML parsing library, we can effectively defend against XXE attacks. For server administrators, regularly updating the server's operating system and applications, monitoring and analysing log files, and setting strong passwords are also important server security practices. Only by continuously strengthening server security can we effectively protect the website's data and its users' data.