0x00, XXE vulnerability
XXE vulnerability, full name XML External Entity Injection vulnerability, occurs when an application parses XML input without prohibiting the loading of external entities. Malicious external files and code can then be loaded, leading to arbitrary file reads, command execution, intranet port scanning, attacks on intranet sites, DoS attacks and other hazards.
XXE vulnerabilities are often triggered wherever an XML file can be uploaded: if the uploaded XML file is not filtered, a malicious XML file can be uploaded and parsed.
0x01, XML basics
To understand XXE vulnerabilities you must first understand the basics and know the basic composition of an XML document.
XML stands for Extensible Markup Language.
XML is designed to transmit and store data; HTML is designed to display data.
XML separates data from HTML; XML is an information transfer tool that is independent of software and hardware.
XML has no predefined tags: authors define their own tags and their own document structure.
XML syntax rules:
- An XML document must have a root element
- XML elements must have a closing tag
- XML tags are case sensitive
- XML elements must be nested correctly
- XML attribute values must be quoted
<?xml version="1.0" encoding="UTF-8"?>      <!-- XML declaration -->
<Girl age="...">                            <!-- custom root element Girl; the age attribute value must be quoted -->
  <Hair>Long hair</Hair>                    <!-- four custom child elements, i.e. the properties of the Girl object -->
  <Eye>Big eyes</Eye>
  <Face>Lovely face</Face>
  <Summary>Cute and beautiful girl</Summary>
</Girl>                                     <!-- closing tag of the root element -->
Entity reference
In XML, some characters have a special meaning.
If you put the character "<" inside an XML element, an error occurs because the parser treats it as the start of a new element.
This produces an XML error:
<message>< then</message>
To avoid this error, use an entity reference instead of the "<" character:
<message>&lt; then</message>
In XML, there are 5 predefined entity references:
Entity reference | Character | Meaning
&lt;             | <         | less than sign
&gt;             | >         | greater than sign
&amp;            | &         | ampersand
&apos;           | '         | single quotation mark (apostrophe)
&quot;           | "         | double quotation mark
0x02, DTD (Document Type Definition)
The role of a DTD (Document Type Definition) is to define the legal building blocks of an XML document.
A DTD can be declared inline in the XML document or referenced as an external file.
<?xml version="1.0"?>                       <!-- XML declaration -->
<!DOCTYPE note [                            <!-- document type definition: this document is of type note -->
  <!ELEMENT note (to,from,heading,body)>    <!-- define a note element with four child elements -->
  <!ELEMENT to (#PCDATA)>                   <!-- define the to element as type #PCDATA -->
  <!ELEMENT from (#PCDATA)>                 <!-- define the from element as type #PCDATA -->
  <!ELEMENT heading (#PCDATA)>              <!-- define the heading element as type #PCDATA -->
  <!ELEMENT body (#PCDATA)>                 <!-- define the body element as type #PCDATA -->
]>
<note>                                      <!-- document elements -->
  <to>Dave</to>
  <from>Tom</from>
  <heading>Reminder</heading>
  <body>You are a good man</body>
</note>
The XML code above is divided into three parts:
The first part is the XML declaration;
The second part is the DTD, the document type definition of the XML;
The third part is the XML document content itself.
External entity injection mainly exploits the external entities of the DTD.
A DTD can be declared in two ways: an internal DTD declaration or an external DTD declaration.
Internal DTD declaration:
<!DOCTYPE root-element [element declarations]>
Example: see the code above.
External DTD declaration:
<!DOCTYPE root-element SYSTEM "filename">
Instance:
<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "Test.dtd">
<note>
  <to>Y</to>
  <from>K</from>
  <heading>J</heading>
  <body>Eshlkangi</body>
</note>
Test.dtd
<!ELEMENT note (to,from,heading,body)>      <!-- define the note root element and its four child elements -->
<!ELEMENT to (#PCDATA)>                     <!-- define the to element as type #PCDATA -->
<!ELEMENT from (#PCDATA)>                   <!-- define the from element as type #PCDATA -->
<!ELEMENT heading (#PCDATA)>                <!-- define the heading element as type #PCDATA -->
<!ELEMENT body (#PCDATA)>                   <!-- define the body element as type #PCDATA -->
#PCDATA means parsed character data: text that will be parsed by the parser. The parser examines the text for markup and entity references; tags inside the text are treated as markup, and entity references are expanded.
CDATA means character data: text that will not be parsed by the parser. Tags inside such text are not treated as markup, and entity references are not expanded.
DTD entities are likewise declared in two ways: internal entity declarations and external entity declarations.
Internal entity declaration:
<!ENTITY entity-name "entity-value">
Instance:
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ELEMENT note (name)>
  <!ELEMENT name (#PCDATA)>
  <!ENTITY hacker "Eshlkangi">
]>
<note><name>&hacker;</name></note>
External entity declaration:
<!ENTITY entity-name SYSTEM "URI/URL">
Supported URL protocols: the parser's default protocols, and PHP extension protocols.
Instance:
<?xml version="1.0"?>
<!DOCTYPE hack [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<hack>&xxe;</hack>
In the code above, the external entity xxe of the XML document is given the value file:///etc/passwd.
When the XML document is parsed, the reference &xxe; is replaced with the content of file:///etc/passwd.
Parameter entity + external entity:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hack [
  <!ENTITY % name SYSTEM "file:///etc/passwd">
  %name;
]>
<hack></hack>
A parameter entity ("%name;") is referenced inside the DTD, whereas a general entity ("&name;") is referenced in the XML document body.
XXE exploits the vulnerability created by a DTD that references an external entity.
0x03, attack ideas
1. Remote file read by referencing an external entity
2. Blind XXE
3. DoS
Attack examples: see the next chapter.
[Web Security] XXE Vulnerability Defense Learning (1)