
您好，我正在尝试在 ASP.NET Core 中创建一个易受 XML 外部实体（XXE）注入攻击的网页，目的是测试缓解 XXE 攻击的方法。我猜解析器默认情况下不受 XXE 影响，因此我尝试了几种不同的方法让解析器变得易受攻击，但似乎都不起作用。到目前为止，我使用了一个 DtdProcessing 设置为 DtdProcessing.Parse 的 XmlReader，并用它加载一个 XmlDocument，该 XmlDocument 带有自定义的 URL 解析器（resolver）以允许任何内容通过。我还遗漏了其他设置吗？代码如下：

加载 XML 文档并检索数据的服务

using File_Upload_Processes.Models;
using Microsoft.AspNetCore.Hosting;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Xml;

namespace File_Upload_Processes.Services
{
    public class XMLDataSendService
    {
        /// <summary>
        /// Hosting environment supplied through the constructor; the path helpers in this
        /// service read its root directories.
        /// </summary>
        public IWebHostEnvironment WebHostEnviroment { get; }

        /// <summary>
        /// Creates the service and stores the hosting environment it was given.
        /// </summary>
        /// <param name="webHostEnvironment">Hosting environment to keep for later path lookups.</param>
        public XMLDataSendService(IWebHostEnvironment webHostEnvironment) =>
            WebHostEnviroment = webHostEnvironment;

        /// <summary>
        /// Full path of <c>Data/file.xml</c> below the web root.
        /// </summary>
        // NOTE(review): Load_XML_Doc builds its path from ContentRootPath, not WebRootPath,
        // and nothing visible in this class reads this property. Files under the web root
        // are typically reachable through static-file middleware, so confirm which
        // location is intended before relying on this path.
        private string XML_Doc_Name =>
            Path.Combine(WebHostEnviroment.WebRootPath, "Data", "file.xml");

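        /// <summary>
        /// Loads <c>Data/file.xml</c> from the content root into an <see cref="XmlDocument"/>.
        /// </summary>
        /// <remarks>
        /// This is a deliberately permissive parser configuration: DTD processing is enabled
        /// and the document carries a URL-capable resolver. The hardened equivalent for
        /// untrusted XML is <c>DtdProcessing.Prohibit</c> on the reader settings and a
        /// <c>null</c> <c>XmlResolver</c> on both the reader settings and the document.
        /// </remarks>
        /// <returns>The loaded document, with whitespace preserved.</returns>
        public XmlDocument Load_XML_Doc()
        {
            var doc_location = Path.Combine(WebHostEnviroment.ContentRootPath, "Data", "file.xml");

            XmlDocument doc = new XmlDocument();
            doc.XmlResolver = new CustomURLResolver();
            doc.PreserveWhitespace = true;

            // DtdProcessing.Parse lets the reader process the DOCTYPE (internal subset and
            // entity declarations); Prohibit would reject any document that carries one.
            XmlReaderSettings settings = new XmlReaderSettings();
            settings.DtdProcessing = DtdProcessing.Parse;
            settings.ValidationType = ValidationType.None;

            // NOTE(review): the document is populated from an XmlReader, so external
            // references met while parsing are presumably resolved with the resolver on
            // XmlReaderSettings (not assigned here) rather than doc.XmlResolver. Confirm
            // against the target .NET version; when hardening, set both to null.

            // Dispose the reader so the underlying file handle is released after loading;
            // the original left it open.
            using (XmlReader reader = XmlReader.Create(doc_location, settings))
            {
                doc.Load(reader);
            }

            return doc;
        }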

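     /// <summary>
     /// Returns the text of the first <c>a</c> element in the document.
     /// </summary>
     /// <remarks>
     /// <c>InnerText</c> concatenates the text of all child nodes, so if the parser
     /// expanded an entity inside the element, its replacement text is part of the
     /// returned string. Treat the value as untrusted when rendering it to a client.
     /// </remarks>
     /// <param name="doc">Document to search.</param>
     /// <returns>The element's inner text, or an empty string when no <c>a</c> element exists.</returns>
     /// <exception cref="ArgumentNullException"><paramref name="doc"/> is null.</exception>
     public string Get_Node_Data(XmlDocument doc)
     {
         if (doc == null)
         {
             throw new ArgumentNullException(nameof(doc));
         }

         // The XmlNodeList indexer yields null for an out-of-range index, so a document
         // without any <a> element must be handled before dereferencing.
         XmlNode element = doc.GetElementsByTagName("a")[0];
         if (element == null)
         {
             return string.Empty;
         }

         return element.InnerText;
     }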
        
   
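/// <summary>
/// Resolver that defers entirely to <see cref="XmlUrlResolver"/>.
/// </summary>
/// <remarks>
/// The override applies no scheme, host or path restriction, so it resolves whatever
/// <see cref="XmlUrlResolver"/> resolves. A restrictive resolver would check the
/// resolved URI against an allow-list here; assigning a <c>null</c> resolver disables
/// external resolution altogether.
/// </remarks>
class CustomURLResolver : XmlUrlResolver
{
    /// <summary>
    /// Resolves <paramref name="relativeUri"/> against <paramref name="baseUri"/> using
    /// the base class implementation.
    /// </summary>
    /// <param name="baseUri">Base URI; may be null, in which case the base class resolves
    /// <paramref name="relativeUri"/> on its own.</param>
    /// <param name="relativeUri">URI to resolve.</param>
    /// <returns>The URI produced by <see cref="XmlUrlResolver"/>.</returns>
    public override Uri ResolveUri(Uri baseUri, string relativeUri)
    {
        // The original also built an unused `new Uri(baseUri, relativeUri)`, which threw
        // for a null baseUri before the base class could handle it; that local is removed.
        return base.ResolveUri(baseUri, relativeUri);
    }
}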
}

恶意 XML 文档

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///PATH_TO_FILE">]>



<foo>

<a>&xxe;</a>

</foo>