GoSecure/dtd-finder

GitHub: GoSecure/dtd-finder

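A security testing tool that automatically discovers local DTD files on a file system and generates XXE exploitation payloads from them, built to address Blind XXE scenarios in which an external DTD cannot be used.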

Stars: 659 | Forks: 115

# DTD Finder [![Build Status](https://travis-ci.org/GoSecure/dtd-finder.svg?branch=master)](https://travis-ci.org/GoSecure/dtd-finder)

Identify DTDs on a filesystem snapshot and build XXE payloads using those local DTDs.

Quick links:

- [Get the complete list of files and XXE payloads](https://github.com/GoSecure/dtd-finder/tree/master/list)
- For more information, [read the detailed blog post](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation/)

## Building the tool

```
$ mvn install
```

## Usage with a Docker image

1. Start/build the Docker image

   ```
   $ docker run ...
   ```

2. Export the filesystem

   ```
   $ docker export weblogic12 -o weblogic-12-dev.tar
   ```

3. Launch dtd-finder

   ```
   $ java -jar dtd-finder-1.0-SNAPSHOT-all.jar weblogic-12-dev.tar
   ...
   [=] Found a DTD: /u01/oracle/wlserver/server/lib/consoleapp/webapp/WEB-INF/struts-config_1_2.dtd
   Testing 9 entities : [%AttributeName, %BeanName, %Boolean, %ClassName, %Integer, %Location, %PropName, %RequestPath, %RequestScope]
    [+] The entity %AttributeName is injectable
    [+] The entity %BeanName is injectable
    [+] The entity %Boolean is injectable
    [+] The entity %ClassName is injectable
    [+] The entity %Integer is injectable
    [+] The entity %Location is injectable
    [+] The entity %PropName is injectable
    [+] The entity %RequestPath is injectable
    [+] The entity %RequestScope is injectable
   ...
   Report written to weblogic-12-dev.tar-dtd-report.md
   ```

The CLI tool can be launched against tar files and directories.

```
$ java -jar dtd-finder-1.0-SNAPSHOT-all.jar /specific/path/with/dtds
...
```

## Demo

![dtd-finder demo](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/6483cf6001063456.gif)