

how to attack without knowing how to defend

Posted by deeson at 2020-02-26

XML is a markup language used to tag electronic files so that they have structure. It can be used to tag data and define data types, and it is a source language that allows users to define their own markup languages. An XML document consists of the XML declaration, an optional DTD (document type definition), and the document elements.

A DTD (document type definition) defines the legal building blocks of an XML document. A DTD can be declared inside the XML document or referenced externally.

Internal DTD declaration

<!DOCTYPE root-element [element-declarations]>

External DTD reference

<!DOCTYPE root-element SYSTEM "filename">

or

<!DOCTYPE root-element PUBLIC "public_ID" "filename">

DTD entities are variables that define shortcuts to plain text or special characters. They can be declared internally or referenced externally.

Internal entity declaration

<!ENTITY entity-name "entity-value">

External entity reference

<!ENTITY entity-name SYSTEM "URI">

or

<!ENTITY entity-name PUBLIC "public_ID" "URI">

2. XML external entity

When a parser is allowed to resolve external entities, maliciously constructed content can lead to arbitrary file reads, execution of system commands, probing of intranet ports, attacks on intranet sites, and other harm.

There are many ways to introduce external entities, such as:

Method 1 of maliciously introducing an external entity:

XML content:

Method 2 of maliciously introducing an external entity:

XML content:

DTD file (evil.dtd) content:

Method 3 of maliciously introducing an external entity:

XML content:

DTD file (evil.dtd) content:

In addition, different programs support different protocols.

The figure above shows the protocols supported by default; other protocols can also be supported through extensions, such as PHP

The following examples illustrate the hazards of XXE; they are not the only ones.

XXE hazard 1: reading arbitrary files

The case is to read /etc/passwd. Some XML parsing libraries support directory listing. By listing directories and reading files, the attacker can obtain account passwords and then attack further. For example, after reading tomcat-users.xml to get the account password, the attacker logs in to the Tomcat manager to deploy a webshell.

So is there no problem if the data is not echoed back? As follows,

No, the data can be sent to a remote server,

The contents of the remote evil.dtd file are as follows:

After the XXE attack is triggered, the server sends the contents of the file to the attacker's website.

XXE hazard 2: execution of system commands

The case is to execute system commands in a PHP environment where the expect extension is installed. Other protocols may also allow system commands to be executed.

XXE hazard 3: probing intranet ports

The case is to probe port 80 and port 81. From the returned "connection rejected" message, it can be determined that port 81 is closed and port 80 is open.

XXE hazard 4: attacking intranet sites

The case is to attack an intranet Struts 2 website and execute system commands remotely.

3. Client XXE case

Recently, an office document conversion software was found to have an XXE vulnerability (PS: thanks to the white hat Titans for reporting the vulnerability on the TSRC platform). One application scenario is a web program that calls the office software to obtain the content of office documents and provide an online preview. Because the software reads XML files and allows references to external entities when processing office documents, an XXE attack is triggered when a user uploads a malicious document and previews it. Details are as follows:

Create a new normal document with the content "hi TSRC",

After running the software on it, we get the document content in text format,

When malicious code (referencing external entities) is injected into the docx's XML file, an XXE attack can be carried out.

4. Defending against XXE attacks

Scheme 1: use the method provided by the development language to disable external entities
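One way to apply Scheme 1 at the parser level, as an added example that is not code from the original article: the document is screened with the Python standard library's expat bindings, and any DTD or entity declaration is refused before a tree is built. The names parse_untrusted_xml, ForbiddenXML and verdict, and the sample documents, are constructed for this illustration.

```python
"""Added example: refuse DTDs and entities in untrusted XML before parsing."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Screen `data` with expat, then parse it with ElementTree.

    forbid_dtd=True rejects any <!DOCTYPE ...>. With forbid_dtd=False a DTD
    is tolerated, but every entity declaration (internal or external) is not.
    """
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration for {name!r} not allowed")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id or public_id else "internal"
        raise ForbiddenXML(f"{kind} entity {name!r} not allowed")

    screen = expat.ParserCreate()
    if forbid_dtd:
        screen.StartDoctypeDeclHandler = on_doctype
    screen.EntityDeclHandler = on_entity
    screen.Parse(data, True)      # exceptions raised in handlers surface here
    return ET.fromstring(data)    # reached only for documents that passed


# Constructed sample inputs (not taken from the article).
BENIGN = b"<doc>hi TSRC</doc>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<doc>&xxe;</doc>"
)
DTD_ONLY = b"<!DOCTYPE doc [<!ELEMENT doc (#PCDATA)>]><doc>ok</doc>"


def verdict(data: bytes, forbid_dtd: bool = True) -> str:
    """Return the parsed root text, or the reason the document was refused."""
    try:
        return "parsed: " + (parse_untrusted_xml(data, forbid_dtd).text or "")
    except ForbiddenXML as exc:
        return "refused: " + str(exc)


if __name__ == "__main__":
    for sample in (BENIGN, EXTERNAL_ENTITY, DTD_ONLY):
        print(verdict(sample), "|", verdict(sample, forbid_dtd=False))
```

Because the refusal is based on what the parser itself sees, it does not depend on how the keywords are spelled or encoded in the raw bytes.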



Other languages:

Scheme 2: filter XML data submitted by users

Keywords: SYSTEM and PUBLIC.


Whether it is a web program or a PC program, as long as it processes user-controlled XML, it may have a very harmful XXE vulnerability. Developers need to be careful when processing XML and must prohibit references to external entities in user-controlled XML data.

The code and technical details in this article are for technical exchange only and must not be used for illegal purposes. Discussion is welcome. This was written in a hurry, so please do not hesitate to point out and correct any shortcomings.