Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Impossible XXE in PHP- 1939

Aleksandr Zhurnakov - Swarm PT
  • The code snippet the author shows is meant to prevent XXE in PHP. External entities are disabled on the first XML load, but NOT on the second. There are four obstacles:
    1. Entities are set to an empty string during the initial XML load.
    2. External entities are not allowed to load one another (no nested loading).
    3. No network URIs are allowed, such as http://.
    4. Checking for XML_DOCUMENT_TYPE_NODE prevents normal entities from being used.
  • Condition three can be bypassed with parameter entities. The network restriction does not actually matter in PHP, because it is applied only to the initial URI and not to nested ones, so php://filter/resource=http://example.com can be used to bypass it.
  • Condition one blocks external entity loading out of the gate: the code strips every external entity reference it sees. It turns out that the SYSTEM attribute is parsed for the DOCTYPE tag, and anything inside the DOCTYPE's brackets is NOT removed on the first parse, so the second parse includes the XXE. This happens because the DOCTYPE is treated as part of the structural definition and is left untouched.
  • The final bypass is the impact: how do we extract files? Parameter entities are defined and used on the same page. In PHP, libxml2 expands parameter entities under a different set of rules when LIBXML_DTDLOAD is enabled. The loading order is also interesting: parameter entities are expanded before anything else is used.
  • So, the final payload is as follows:
    1. Create a parameter entity that loads a file.
    2. Create a new entity that references the parameter entity from step 1.
    3. That entity is called with a URL that includes the step-1 entity as part of the URL. Because parameter expansion happens first, this sends the file contents to the server.
  • They found an exploitable path in SimpleSAMLphp and in another undisclosed product. Overall, this is a great post on vulnerability research and skipping past what looks like a "reasonable" defense.
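The defensive takeaway from the post is that stripping entities after the fact is fragile; the DOCTYPE is where every entity (parameter entities included) is declared, so the safe loader simply refuses any document that has one and never passes LIBXML_DTDLOAD or LIBXML_NOENT. The snippet below is an added example written for this page, not code from the post or from SimpleSAMLphp; the function name, the flag combination and the two constructed sample documents are my own choices.

```php
<?php
// Added example (not from the summarised post): a hardened XML loader that
// rejects any document carrying a DOCTYPE rather than trying to sanitise it.
declare(strict_types=1);

function loadXmlSafely(string $xml): ?DOMDocument
{
    // Cheap textual pre-check. Entities can only be declared inside a DOCTYPE,
    // so there is nothing legitimate to salvage from one in untrusted input.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();

    // Deliberately omitted: LIBXML_NOENT (no entity substitution) and
    // LIBXML_DTDLOAD (the flag the post shows enabling parameter-entity
    // expansion). LIBXML_NONET blocks network fetches for the initial URI;
    // on its own it is not sufficient, which is exactly the post's point.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        return null;
    }

    // Authoritative check at the DOM level: the textual pre-check can be fooled
    // by encodings, but libxml records any DOCTYPE it actually parsed here.
    if ($doc->doctype !== null) {
        return null;
    }

    return $doc;
}

// Constructed sample inputs for illustration only.
$benign  = '<?xml version="1.0"?><user><name>alice</name></user>';
$withDtd = '<?xml version="1.0"?>'
         . '<!DOCTYPE user [ <!ENTITY % p "internal-only"> ]>'
         . '<user><name>alice</name></user>';

$accepted = loadXmlSafely($benign);
echo "benign document accepted: " . ($accepted instanceof DOMDocument ? 'yes' : 'no') . PHP_EOL;

$rejected = loadXmlSafely($withDtd);
echo "document with DOCTYPE accepted: " . ($rejected === null ? 'no' : 'yes') . PHP_EOL;
```

Two notes on the design. First, on PHP 8.0 and later you do not need libxml_disable_entity_loader(); external entity loading is already off unless LIBXML_NOENT is passed, and the function is deprecated. Second, the post's two-pass scheme fails because the first pass only removes what it recognises as an entity node and leaves the DOCTYPE alone; a loader that rejects on DOMDocument::$doctype being non-null has no second pass for an attacker to reach, regardless of how the entity is nested.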