This is an example of an external entity.
XXE TO PHP REVERSE SHELL CODE
The most interesting aspect of parsing XML input files is that they can contain code that points to a file on the server itself. This file is used as POST data via CURL: curl -d The server responds with: You have logged in as user Ed The four lines above are expected input to the aforementioned PHP endpoint, and they are stored in an XML file called xml.txt. The above script is served when a request to /xml_injectable.php is made. LoadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD) You will also need the php-xml module installed in order for XML parsing to work (and restart the Apache server after installation). We used the following script to set up a PHP endpoint that parses XML input. This virtual machine, our first playground, is running Ubuntu 14.04.5 and PHP 5 on Apache. We’ve set up a virtual machine with a simple PHP server that utilizes an XML document to validate credentials. The first is a simple PHP server, while the other is a virtual machine running a vulnerable Django web application.īefore going into more detail regarding this attack, it may be helpful to understand how a web application interacts with an XML document in a manner that causes such an attack vector to arise. There are a couple of playgrounds we’ll be using. We will also go through discovering the vulnerability with Burp. We’ll go over setting up a basic PHP server that is vulnerable, exploiting the vulnerability manually, then move onto a handy tool called XXEInjector to help automate the process.
Although this is a relatively esoteric vulnerability compared to other web application attack vectors, like Cross-Site Request Forgery (CSRF), we make the most of this vulnerability when it comes up, since it can lead to extracting sensitive data, and even Remote Code Execution (RCE) in some cases. XXE Injection is a type of attack against an application that parses XML input. During the course of our assessments, we sometimes come across a vulnerability that allows us to carry out XML eXternal Entity (XXE) Injection attacks.
0 kommentar(er)
