Many different client technologies, such as web, mobile, and cloud, now use XML to send messages to business applications. To use these custom XML messages, the application must parse the XML document and check that the format is correct.
This article describes the XML external entity (XXE) injection attack and its fundamentals to better understand how and how to
As you all know, many web and mobile applications rely on client-server Web services for communication. In Web services such as SOAP and RESTful, the most common data formats are XML and JSON. When a Web service transfers data using either XML or JSON, the server may receive data formats that the developer did not anticipate. If the XML parser on the server is not well configured, the endpoint in the JSON transmission may suffer an XXE
Results:
(2) in the properties, only PHP can
test1.php
$xml 1=%remote;%param1;EOF;
EVIL.DTD
2: Unsuccessful, generally reports an internal error
Solution:
1. Upgrade the libxml2 library to a version above 2.9; versions above 2.9 do not process external entities by default.
2, perform
allowed or not. See this post here on SO for a few ideas. Just returning null from ResolveUri() saves your code from this kind of attack. If the URI is allowed you can simply return the default XmlUrlResolver.ResolveUri() implementation.
To use it:
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.XmlResolver = new CustomUrlResolver();
xmlDoc.LoadXml(ourOutputXmlString);
For more details about how XML external resources are resolved, just read Resolving External Resources on MS Docs. If your code i
0x00, XXE vulnerability attack instance
Attack ideas:
1. Referencing external entities for remote file reads
2. Blind XXE
3. DoS
0x01, external entity reference, with echo
Experimental operating platform: the XXE topic on the bWAPP platform
Topic:
To grab a packet, click the "Any bugs?" button; the captured packet is as follows:
You can see that the XXE
Analysis of Different Types of DTD/XXE attacks
When evaluating the security of XML-based services, you cannot forget DTD-based attacks, such as XML external entity injection attacks (XXE).
In this article, we will provide a comprehensive list of attacks against different types of DTD.
Attacks are classified as follows:
Denial of Service Attack (DDoS)
B
In this article, we will work together to analyze the Oracle database's XXE Injection Vulnerability (CVE-2014-6577), which was released by Oracle on January 20 with patches for this vulnerability. For XXE related knowledge, you can check the security pulse station in another article, "Unknown attack
0x00, XXE vulnerability
The full name of the XXE vulnerability is XML External Entity Injection. An XXE vulnerability occurs when an application parses XML input without prohibiting the loading of external entities, so that malicious external files and code can be loaded, resulting in arbitrary file reads, command execution, intranet port scanning,
The reason why the XXE vulnerability cannot be reproduced
The main problem is the simplexml_load_file function: in old versions it parses entities by default, but in new versions it no longer does. You need to pass LIBXML_NOENT as the third parameter of simplexml_load_file; otherwise, entities will not be parsed.
XXE entity injection in detail
0x00 background
Reference:
http://wooyun.jozxing.cc/static/bugs/wooyun-2014-059911.html
http://bobao.360.cn/learning/detail/3841.html
http://blog.csdn.net/u011721501/article/details/43775691
http://thief.one/2017/06/20/1/
The vulnerability is usually too small, and the impression is that it starts with X, presumably in relation to XML.
Reference: http://thief.one/2017/06/20/1/
XXE vulnerability full name XML External Entity Injection is an XML external entity injection Vu
About blind XXE
For XXE, I have shared it internally a long time ago. I personally think there is not much fun about the vulnerabilities themselves, mainly because: the diversity of processing URIs in different languages and some features of different XML parsers in parsing XML.
Before the popularization of blind XXE, we assume that you have mastered
Analysis of Oracle Database XXE Injection Vulnerability (CVE-2014-6577)
Vulnerability description: the XML Parser module of the Oracle database is vulnerable to XML External Entity (XXE) injection.
Affected Versions: 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2
Required permissions: CREATE SESSION
Due to the security features of the XML parser in Oracle, the external mode is resolved but not parsed. This prevents
The PHP framework Slim has an XXE vulnerability that occurs only in the framework CMS.
The emergence of modern CMS frameworks (Laravel/Symfony/Slim) has led to some changes in current PHP vulnerabilities, principles, and utilization methods. In this series, we hope to summarize the CMS vulnerabilities we have discovered.
Slim is a well-known lightweight PHP framework with advanced design ideas. It works perfectly with PSR-7, and has more than 100 million u
An XXE at one location in NetEase Mail allows reading files
NetEase Mail supports uploads to online storage, and there is an XXE vulnerability in the preview of uploaded docx files
Unzip the docx file and modify word/document.xml:
Test the XXE vulnerability in SpringMVC
The SpringMVC framework supports XML-to-Object mapping. Internally, it uses two global interfaces, Marshaller and Unmarshaller. One implementation uses the Jaxb2Marshaller class, which naturally implements both global interfaces and is used for bidirectional parsing of XML and Object. The XML file can be a DOM file, an input/output stream, or a SAX handler.
SpringMVC is popular with annotations for rapid
Cisco Prime Infrastructure XXE Denial of Service Vulnerability (CVE-2016-1358)
Release date:
Updated on:
Affected Systems:
Cisco Prime Infrastructure 3.1 (0.0)
Cisco Prime Infrastructure 3.0
Cisco Prime Infrastructure 2.2
Description:
CVE (CAN) ID: CVE-2016-1358
Cisco Prime Infrastructure is a solution for wireless management thr
The SpringMVC framework supports XML-to-object mapping, internally using two global interfaces, Marshaller and Unmarshaller. One implementation uses the Jaxb2Marshaller class, which naturally implements both global interfaces and is used to parse XML and objects in both directions. The XML file can be a DOM document, an input/output stream, or a SAX handler.
SpringMVC is popular with annotations for rapid development, in which JAXB annotations can annotate where XML is needed to be
A blind XXE vulnerability via a user-defined XML file exists on a sub-site of Sohu Changyou
See http://wooyun.org/bugs/wooyun-2016-0168457
Problematic website: http://im.changyou.com/live800/services/IVerification?wsdl
The custom XML file is as follows:
%b; %c;
Save the XML file on a VPS as http://ip:port/1.xml
The structure is as follows:
%remote;]>
We can modify the xml file that is externally loaded to any directory path or a specific file.
effective processing, then by constructing the request body, we can implement the injection of external entities. For example, when using XML to pass data in a Web application, there is no restriction on references to external entities, and it is possible to import external entities, resulting in arbitrary file reads. To test the vulnerability, you only need to configure the annotation driver and ViewResolver in the configuration file.
Upon normal request: in the request, it is indicated that a applica