You will hold my sleeve and I will put my hand into the trouser pocket
I encountered an XXE vulnerability in a CTF competition. Since I had not studied this vulnerability at the time, I had no clue. To make up for my web security defense knowledge and close this gap, I read some material on the XXE vulnerability, and I will share it here after learning it.
Before introducing the XXE vulnerability, let's review the basics of XML. XML is designed to transfer and store data, with a focus on the content of the data; it separates the data from its HTML presentation and is a software- and hardware-independent means of exchanging information.
An XML document consists of an XML declaration, a DTD (document type definition, optional), and document elements.
Since the XXE vulnerability is tied to the DTD, the concept of a DTD deserves a closer look.
A Document Type Definition (DTD) defines the legal building blocks of an XML document: it uses a set of legal elements to define the document's structure. A DTD can be declared inline in the XML document (internal declaration) or pulled in as an external reference.
Internal DTD declaration:
Referencing an external DTD:
There are many important keywords in the DTD document as follows:
- DOCTYPE (declaration of DTD)
- ENTITY (declaration of the entity)
- SYSTEM, PUBLIC (reference to an external resource)
An entity can be understood as a variable: it must be declared in the DTD, and its value can then be referenced elsewhere in the document.
By type, entities fall into the following four categories:
- Built-in entities
- Character entities
- General entities
- Parameter entities
Entities can also be divided into internal entities and external entities according to how they are referenced; let's look at how these entities are declared.
For the complete list of entity categories, refer to [DTD - Entities](https://www.tutorialspoint.com/dtd/dtd_entities.htm)
A parameter entity is declared as "% name" and referenced as "%name;"; the remaining entities are declared with a bare entity name and referenced as "&name;".
Parameter entities can only be declared and referenced inside the DTD; the remaining entities are declared in the DTD and referenced in the body of the XML document.
Example: the entities other than parameter entities, declared as internal entities
Example: a parameter entity, declared as an external entity
Note: %name (parameter entity) is referenced inside the DTD, while &name (the remaining entities) is referenced in the XML document.
Since the XXE vulnerability exploits the DTD's ability to reference external entities, it is important to look at which kinds of external entities can be referenced.
Using an external entity in a DTD:
This syntax refers to an external entity rather than an internal one. Which kinds of external resources can be written in the URL?
Mainly file, http, https, ftp and so on; of course, different parsers support different schemes:
XXE stands for XML External Entity Injection, an external entity injection vulnerability. It occurs when an application parses XML input without prohibiting the loading of external entities, so that malicious external files are loaded, leading to file reading, command execution, intranet port scanning, attacks on intranet sites, denial-of-service attacks and other hazards. The trigger point of an XXE vulnerability is usually a place where an XML file can be uploaded: if the uploaded XML file is not filtered, a malicious XML file gets parsed.
The first step is to check if the XML will be successfully parsed:
If the page outputs "my name is nMask", the XML file is being parsed.
The second step is to detect whether the server supports DTD referencing external entities:
You can tell whether the target server requested test.xml from your server by checking the logs on your own server.
If external entities are supported, there is a high probability of an XXE vulnerability.
XXE vulnerabilities have many hazards, such as file reading, command execution, intranet port scanning, attacking intranet sites, launching DoS attacks, and so on. Here, arbitrary file reading is tested.
Since I was testing on Windows, I had it read the contents of the test.txt file on the C drive.
On Linux, you can read sensitive files such as /etc/passwd.
The file reads above succeed only if, beyond the DTD being able to reference external entities, the parsed content is also output, that is, there is an echo. So how do you read file content when the program does not echo? You need to exploit it as a blind XXE vulnerability.
With traditional XXE, an attacker can use the vulnerability to read server-side files only when the server echoes the content or returns it in an error. If there is no echo, blind XXE can be used to construct an out-of-band channel to extract the data.
Create test.php to write the following:
Create index.php to write the following:
Create test.xml and write the following:
When accessing http://localhost/index.php, the vulnerable server reads the text.txt content, sends it to test.php on the attacker’s server, and saves the read data to the local test.txt.
Note: There are many XXE usages and defensive postures; I will not introduce them all here.
Filter keywords: <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.
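As an added example (not code from the original post), the entity classification from the DTD section above and the defensive idea of refusing DOCTYPE/ENTITY input can both be implemented at the parser level with Python's standard expat bindings; the sample documents and the file path in them are constructed placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class DtdRejected(ValueError):
    """Input declared a DOCTYPE or an entity and is refused before parsing."""

def inspect_dtd(data: bytes) -> dict:
    """Walk the document with expat and record every DTD construct declared.
    External entity references are acknowledged but never fetched."""
    seen = {"doctype": None, "entities": []}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        seen["doctype"] = name

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            kind = "parameter"  # declared as <!ENTITY % name ...>, DTD-only
        elif system_id or public_id:
            kind = "external"  # SYSTEM/PUBLIC: content lives at a URI
        else:
            kind = "internal"  # value given inline in the declaration
        seen["entities"].append((name, kind, system_id))

    def on_external_ref(context, base, system_id, public_id):
        return 1  # report "handled" to expat without ever opening system_id

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return seen

def safe_load(data: bytes) -> ET.Element:
    """Parse untrusted XML only when it carries no DTD at all; this blocks
    external entities and entity-expansion DoS, and unlike a keyword filter
    it is not fooled by case or encoding variations."""
    seen = inspect_dtd(data)
    if seen["doctype"] is not None or seen["entities"]:
        raise DtdRejected(f"DTD present: {seen}")
    return ET.fromstring(data)

# Constructed sample inputs; the file path is a placeholder, not a real target.
BENIGN = b'<?xml version="1.0"?><user><name>nMask</name></user>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE user [<!ENTITY greet "hi">'
            b'<!ENTITY ext SYSTEM "file:///PLACEHOLDER/test.txt">]>'
            b'<user><name>&greet; &ext;</name></user>')
```

inspect_dtd is useful on its own for logging what an uploaded document tried to declare, while safe_load is the control to put in front of the application's parser.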