Jp xxe injection_20170627_moon
ted0201
Slides on XXE Injection. 1. XXE Injection basics 2. billion laughs attack 3. cve-2015-5161
1.
XXE Injection: attacks that use XML and how to defend against them. 2017/06/27, Jaewoong Moon (ムン ジェウン)
2.
Table of contents
1. XXE Injection basics
2. Applied attacks (DoS)
3. Zend (PHP framework) XXE vulnerability
3.
1. XXE Injection
4.
What is XXE Injection?
• XML eXternal Entity Injection
• An attack that abuses the external entity reference feature of XML DTDs to read sensitive files, cause denial of service, and so on
5.
XML, a language for data exchange
  <recipe>
    <title>スプーンの上のピーナッツバター</title>
    <ingredientlist>
      <ingredient>ピーナッツバター</ingredient>
    </ingredientlist>
    <preparation>
      スプーンを持ってピーナッツバターの器に入れた後、ピーナッツバターを一さじだっぷりすくう
    </preparation>
  </recipe>
=> Used in XHTML, RSS, XML-RPC, SOAP and others
6.
DTD (Document Type Definition)
Defines the components used in an XML document
  <!DOCTYPE recipe [
    <!ELEMENT recipe (title?, ingredientlist?, preparation?)>
    <!ELEMENT ingredientlist (ingredient+)>
    <!ELEMENT ingredient (#PCDATA)>
    <!ELEMENT preparation (#PCDATA)>
  ]>
7.
What is an Entity?
• A way to reference data in XML
• Defined in the DTD with the ENTITY keyword
• Referenced from the XML body
• Begins with & and ends with ;
8.
Entity usage example: DTD and XML body. &foo; references the string “Xml enternal entity”
9.
How XXE Injection works
• External entities can be defined in the DTD (using the SYSTEM keyword)
• An external entity is a value that lives outside the document
• The external entity is pointed at a sensitive file
10.
XXE Injection payload example
11.
POC (Proof of Concept) source code: https://github.com/JaewoongMoon/php-study/blob/master/xxe/index.php
12.
Defenses
• Disable entity references when parsing XML; the following libxml options are what enable them:
  LIBXML_NOENT: enables entity references (substitution)
  LIBXML_DTDLOAD: loads the external DTD subset
• Or use the libxml_disable_entity_loader function
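The defenses on this slide, worked through in PHP's DOMDocument as an added example (this is not code from the deck or from the linked PoC repository). The function name parseUntrustedXml and the sample documents are mine. It leaves LIBXML_NOENT and LIBXML_DTDLOAD unset, disables the entity loader only on PHP versions older than 8.0 (where external entities were fetched by default), and additionally rejects any document that carries a DOCTYPE at all, a check that does not depend on the process-wide libxml_disable_entity_loader flag.

```php
<?php
// Added example (not from the slides or the linked PoC repository): parsing
// untrusted XML with DOMDocument so that the DTD/external-entity features
// described above stay switched off.
declare(strict_types=1);

function parseUntrustedXml(string $xml): DOMDocument
{
    // Before PHP 8.0 libxml fetched external entities by default, so the loader
    // is turned off for this process. From 8.0 it is off by default and the
    // function is deprecated, hence the version guard.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // Do not pass LIBXML_NOENT (substitute entity references) or LIBXML_DTDLOAD
    // (load the external DTD subset) for untrusted input; the vulnerable form
    // would be $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD).
    // LIBXML_NONET additionally forbids any network access while parsing.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        $err = libxml_get_last_error();
        libxml_clear_errors();
        throw new RuntimeException('XML parse error: ' . ($err ? trim($err->message) : 'unknown'));
    }

    // Entities can only be declared in a DOCTYPE, and untrusted documents have
    // no legitimate reason to carry one, so reject it outright. This also stops
    // the internal-subset DoS payloads (billion laughs, quadratic blowup).
    if ($dom->doctype !== null) {
        throw new RuntimeException('DOCTYPE is not allowed in untrusted XML');
    }
    return $dom;
}

// Constructed sample inputs: the XXE pattern from the deck, and a harmless document.
$xxe = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>
XML;
$benign = '<?xml version="1.0"?><recipe><title>peanut butter</title></recipe>';

foreach (['xxe' => $xxe, 'benign' => $benign] as $label => $doc) {
    try {
        $dom = parseUntrustedXml($doc);
        printf("%s: accepted, root element <%s>\n", $label, $dom->documentElement->tagName);
    } catch (RuntimeException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Running it prints one "rejected" line for the XXE document (DOCTYPE present) and one "accepted" line for the recipe. If an application genuinely needs DTDs in untrusted input, the DOCTYPE check is the part to relax; the option flags should stay as they are.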
13.
Real-world cases
• Facebook https://threatpost.com/xxe-bug-patched-in-facebook-careers-third-party-service/110151/
• Google http://securityaffairs.co/wordpress/23943/hacking/hacking-google-server-with-xml.html
• WordPress https://packetstormsecurity.com/files/121492/wpadvancedxml-xxe.txt
14.
Related CVEs in the CVE database: 261 entries
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xxe
15.
Chart: number of XXE-related CVEs published per year (bar chart; the values sum to the 261 entries above)
  2002: 1, 2005: 4, 2008: 1, 2009: 2, 2010: 1, 2011: 7, 2012: 18, 2013: 42, 2014: 67, 2015: 45, 2016: 57, 2017: 16
16.
2. Applied attacks
17.
Billion Laughs attack (XML Bomb)
笑笑笑笑笑笑笑笑笑笑笑 笑笑笑笑笑笑笑笑笑笑笑 笑笑笑笑笑笑笑笑笑笑笑 ~~~~~
18.
https://en.wikipedia.org/wiki/Billion_laughs
×10, ×10, … : 3 bytes × 10^9 = 3 GB
19.
But, failed… "Detected an entity reference loop in Entity"
20.
Alternative attack: Quadratic Blowup
• Keep references to a single level.
• Make the entity content long.
• Reference it many times.
  <?xml version="1.0"?>
  <!DOCTYPE test [
    <!ENTITY a "lololollololollololollololollololollololollol....">
  ]>
  <test><testing>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</testing></test>
What if we put in around 10,000 of them?
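Because quadratic blowup keeps nesting to a single level, the parser's "entity reference loop" check from the previous slide never fires. The following is an added example, not code from the deck or its PoC repository, of a pre-parse guard that estimates the total expansion size instead; the function name estimateEntityExpansion, the one-megabyte limit and the constructed sample documents are mine. It follows nested references as well, so it also bounds the billion-laughs shape.

```php
<?php
// Added example (not from the slides or the linked PoC): a pre-parse guard that
// estimates how far the internal-subset entities of a document would expand.
// Quadratic blowup keeps nesting to a single level, so libxml's
// "entity reference loop" check never fires; a size bound catches it anyway,
// and catches the nested billion-laughs shape as well.
declare(strict_types=1);

/**
 * Returns an estimate (in bytes) of the text produced by expanding every entity
 * reference in the document body. Stops counting once $limit is exceeded, so
 * the returned value is only meaningful as "below limit" or "above limit".
 */
function estimateEntityExpansion(string $xml, int $limit = 1000000): int
{
    // 1. Internal general entity declarations: <!ENTITY name "value"> or 'value'.
    $values = [];
    preg_match_all('/<!ENTITY\s+([^\s%>]+)\s+(["\'])(.*?)\2\s*>/s', $xml, $decls, PREG_SET_ORDER);
    foreach ($decls as $d) {
        $values[$d[1]] = $d[3];
    }

    // 2. Expanded size of one entity, following nested references, with
    //    memoisation so each entity is costed once and a stack to spot loops.
    $memo = [];
    $expand = function (string $name, array $stack) use (&$expand, &$memo, $values, $limit): int {
        if (isset($memo[$name])) {
            return $memo[$name];
        }
        if (!isset($values[$name])) {
            return 0; // predefined (&amp; ...) or undeclared: nothing to amplify
        }
        if (isset($stack[$name])) {
            throw new RuntimeException("entity reference loop at &{$name};");
        }
        $stack[$name] = true;
        $literal = preg_replace('/&[^\s;&]+;/', '', $values[$name]) ?? '';
        $size = strlen($literal);
        preg_match_all('/&([^\s;&]+);/', $values[$name], $refs);
        foreach ($refs[1] as $ref) {
            $size += $expand($ref, $stack);
            if ($size > $limit) {
                break;
            }
        }
        return $memo[$name] = $size;
    };

    // 3. Sum the references that appear in the body (everything after the DOCTYPE).
    $body = preg_replace('/<!DOCTYPE.*?\]\s*>/s', '', $xml, 1) ?? $xml;
    preg_match_all('/&([^\s;&]+);/', $body, $refs);
    $total = 0;
    foreach ($refs[1] as $ref) {
        $total += $expand($ref, []);
        if ($total > $limit) {
            break;
        }
    }
    return $total;
}

// Constructed sample documents mirroring the two payload shapes from the slides.
$quadratic = '<?xml version="1.0"?><!DOCTYPE test [ <!ENTITY a "' . str_repeat('lol', 20000) . '"> ]>'
    . '<test>' . str_repeat('&a;', 10000) . '</test>';

$decls = '<!ENTITY lol "lol">';
for ($i = 1; $i <= 9; $i++) {
    $prev = $i === 1 ? 'lol' : 'lol' . ($i - 1);
    $decls .= sprintf('<!ENTITY lol%d "%s">', $i, str_repeat("&{$prev};", 10));
}
$billionLaughs = '<?xml version="1.0"?><!DOCTYPE lolz [ ' . $decls . ' ]><lolz>&lol9;</lolz>';

$benign = '<?xml version="1.0"?><recipe><title>bread &amp; butter</title></recipe>';

$limit = 1000000;
foreach (['quadratic' => $quadratic, 'billion laughs' => $billionLaughs, 'benign' => $benign] as $label => $doc) {
    $estimate = estimateEntityExpansion($doc, $limit);
    printf("%-15s input %7d bytes, expansion %s %d bytes -> %s\n",
        $label, strlen($doc), $estimate > $limit ? '>' : '=', $estimate,
        $estimate > $limit ? 'REJECT' : 'accept');
}
```

The guard is deliberately cheap: it reads the declarations with regular expressions and never allocates the expanded text, so a 90 KB quadratic document is rejected before the parser ever sees it. It only models internal general entities; a document that pulls entities from an external DTD is outside its scope, which is one more reason to refuse DOCTYPEs in untrusted input where possible.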
21.
POC (Proof of Concept) source code: https://github.com/JaewoongMoon/php-study/blob/master/xxe/lol_test.php
22.
3. Zend Framework XXE vulnerability
23.
http://www.php-developer.org/most-used-php-framework-the-popular-top-7-list-in-year-2011/
24.
CVE-2015-5161
• Zend Framework version 2.4.2 and earlier (the latest version is 2.5.3)
• Environments that use php-fpm
• php-fpm stands for PHP FastCGI Process Manager and is used to serve dynamic pages faster
25.
Why is it vulnerable even though it has a defense?
• libxml_disable_entity_loader is not thread-safe.
=> It can be overwritten by an FPM process that has the external-entity setting enabled!
=> Using libxml_disable_entity_loader in a php-fpm environment is not safe.
26.
library/Zend/Xml/Security.php?
27.
heuristicScan function code: can be bypassed through the string encoding
28.
Bypassing the entity check
poc-utf8.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE methodCall [ <!ENTITY pocdata SYSTEM "file:///etc/passwd"> ]>
  <methodCall>
    <methodName>retrieved: &pocdata;</methodName>
  </methodCall>
  $ cat poc-utf8.xml | sed 's/UTF-8/UTF-16/' \
    | iconv -f UTF-8 -t UTF-16 >poc-utf16.xml
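The bypass works because a byte-level search for "<!DOCTYPE" cannot match a UTF-16 document, where every ASCII letter is interleaved with a NUL byte. As an added example (not code from the deck and not ZendXml's own fix), the scanner below first decides the encoding from the BOM or the first two bytes, a simplified form of the XML specification's autodetection, converts to UTF-8 with iconv, and only then searches. The function names detectXmlEncoding, naiveHasDoctype and hasDoctype are mine; the input is the deck's poc-utf8.xml run through the same sed and iconv step.

```php
<?php
// Added example (not from the slides and not ZendXml's own fix): a DOCTYPE/ENTITY
// pre-scan that converts the document to UTF-8 before searching it. A scan over
// the raw bytes misses a UTF-16 document, where every ASCII letter of
// "<!DOCTYPE" is interleaved with a NUL byte, which is exactly the bypass above.
declare(strict_types=1);

/** Guess the encoding from the BOM or the first bytes of the XML declaration. */
function detectXmlEncoding(string $bytes): string
{
    $head = substr($bytes, 0, 2);
    if ($head === "\xFF\xFE") return 'UTF-16LE';
    if ($head === "\xFE\xFF") return 'UTF-16BE';
    if ($head === "<\x00")   return 'UTF-16LE';   // "<?xml" without a BOM
    if ($head === "\x00<")   return 'UTF-16BE';
    return 'UTF-8';
}

/** Naive byte-level scan, kept only to show the bypass. */
function naiveHasDoctype(string $bytes): bool
{
    return preg_match('/<!(DOCTYPE|ENTITY)\b/i', $bytes) === 1;
}

/** Encoding-aware scan: normalise to UTF-8 first, fail closed on undecodable input. */
function hasDoctype(string $bytes): bool
{
    $enc = detectXmlEncoding($bytes);
    if ($enc !== 'UTF-8') {
        // Drop the BOM before converting so it does not become U+FEFF text.
        if (in_array(substr($bytes, 0, 2), ["\xFF\xFE", "\xFE\xFF"], true)) {
            $bytes = substr($bytes, 2);
        }
        $converted = @iconv($enc, 'UTF-8', $bytes);
        if ($converted === false) {
            return true; // cannot inspect it, so treat it as unsafe
        }
        $bytes = $converted;
    } elseif (substr($bytes, 0, 3) === "\xEF\xBB\xBF") {
        $bytes = substr($bytes, 3); // UTF-8 BOM
    }
    return preg_match('/<!(DOCTYPE|ENTITY)\b/i', $bytes) === 1;
}

// Constructed input: the UTF-8 PoC from the deck, then the same sed + iconv
// transformation the deck applies to produce the UTF-16 variant (BOM + UTF-16LE).
$pocUtf8 = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE methodCall [ <!ENTITY pocdata SYSTEM "file:///etc/passwd"> ]>
<methodCall><methodName>retrieved: &pocdata;</methodName></methodCall>
XML;
$pocUtf16 = "\xFF\xFE" . iconv('UTF-8', 'UTF-16LE', str_replace('UTF-8', 'UTF-16', $pocUtf8));

foreach (['poc-utf8.xml' => $pocUtf8, 'poc-utf16.xml' => $pocUtf16] as $name => $doc) {
    printf("%-14s naive scan: %-5s encoding-aware scan: %s\n", $name,
        naiveHasDoctype($doc) ? 'hit' : 'miss', hasDoctype($doc) ? 'hit' : 'miss');
}
```

The naive scan hits on the UTF-8 file and misses on the UTF-16 one; the encoding-aware scan hits on both. A pre-scan of this kind is a heuristic layer only: the parser options from the defense slide remain the primary control, and a scanner that cannot decode its input should refuse the document rather than pass it on.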
29.
Code after the vulnerability fix: https://github.com/zendframework/ZendXml/blob/master/library/ZendXml/Security.php#L332
30.
References
• http://hyunmini.tistory.com/66
• https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
• https://ko.wikipedia.org/wiki/XML
• https://en.wikipedia.org/wiki/Document_type_definition
• http://php.net/manual/en/domdocument.loadxml.php
• http://php.net/manual/en/libxml.constants.php
• http://php.net/manual/en/language.operators.bitwise.php
• http://stackoverflow.com/questions/38807506/what-does-libxml-noent-do-and-why-isnt-it-called-libxml-ent
• https://www.exploit-db.com/exploits/37765/
• https://framework.zend.com/security/advisory/ZF2015-06
• https://github.com/zendframework/ZendXml/blob/master/library/ZendXml/Security.php#L332
31.
Thank you.