{"id":82,"date":"2018-01-08T19:34:50","date_gmt":"2018-01-08T16:34:50","guid":{"rendered":"http:\/\/talhacelik.com.tr\/?p=82"},"modified":"2020-04-29T20:56:02","modified_gmt":"2020-04-29T17:56:02","slug":"xml-external-entity-xxe-attacks","status":"publish","type":"post","link":"https:\/\/talhacelik.com.tr\/index.php\/2018\/01\/08\/xml-external-entity-xxe-attacks\/","title":{"rendered":"XML External Entity (XXE) and XML Injection (XMLI)"},"content":{"rendered":"

XML Nedir ?<\/strong><\/p>\n

Extensible Markup Language (Geni\u015fletilebilir \u0130\u015faretleme Dili, k\u0131saca XML), hem insanlar hem bilgi i\u015flem sistemleri taraf\u0131ndan kolayca okunabilecek dok\u00fcmanlar olu\u015fturmaya yarayan bir i\u015faretleme dilidir. W3C taraf\u0131ndan tan\u0131mlanm\u0131\u015f bir standartt\u0131r. Bu \u00f6zelli\u011fi ile veri saklaman\u0131n yan\u0131nda farkl\u0131 sistemler aras\u0131nda veri al\u0131\u015fveri\u015fi yapmaya yarayan bir ara format g\u00f6revi de g\u00f6r\u00fcr. SGML’in basitle\u015ftirilmi\u015f bir alt k\u00fcmesidir.[1]<\/span><\/p>\n

XML dokumanlar\u0131 a\u011fa\u00e7 veri yap\u0131s\u0131nda olurlar. Ba\u011f\u0131ms\u0131z imler yap\u0131y\u0131 olu\u015ftururken, i\u00e7erik ya imin \u00f6zelli\u011fi olarak ya da iki im aras\u0131nda g\u00f6sterilir. Yap\u0131yla ilgili ayr\u0131nt\u0131lar DTD (Document Type Definition) ya da XML Schema ad\u0131 verilen harici dok\u00fcmanlar ile tan\u0131mlan\u0131r. \u00d6rnek bir XML d\u00f6k\u00fcman\u0131 :[2]<\/span><\/p>\n

<?xml version=”1.0″ encoding=”UTF-8″?>
\n<note>
\n<to>Kevin<\/to>
\n<from>Worm<\/Ffrom>
\n<heading>Reminder<\/heading>
\n<body>Don’t forget me this weekend!<\/body>
\n<\/note><\/p>\n

Kevin\r\nWorm\r\nReminder\r\nDon't forget me this weekend!\r\n<\/pre>\n
<\/div>\n
\u00a0<\/span><\/div>\n
XML\u0130 Zaafiyeti nas\u0131l \u00e7al\u0131\u015f\u0131r?<\/strong><\/span><\/div>\n
\u00a0<\/span><\/div>\n
Bir siteye girdi\u011fimizde ve herhangi bir i\u015flem yapmaya ba\u015flad\u0131\u011f\u0131m\u0131zda client ile server aras\u0131nda pasla\u015fmalar ba\u015flar. XML zaafiyetinin \u00e7al\u0131\u015fma mant\u0131\u011f\u0131 da s\u00f6z edilen pasla\u015fmadan pek farkl\u0131 de\u011fildir, bizim isteklerimiz kar\u015f\u0131 taraftaki sunucuya gider ve giderken clientin yapt\u0131\u011f\u0131 iste\u011fi de beraberinde g\u00f6t\u00fcr\u00fcr ard\u0131ndan sunucu gelen iste\u011fi parse ederek yani kendince yorumlayarak tekrar cliente g\u00f6nderir. \u0130ste tam da bu s\u0131rada client sunucuya istek yaparken g\u00f6nderilen XML verisinin manip\u00fcle edilmesi ile sunucu gelen iste\u011fi parse ederek cliente yollar fakat geri yollanan veriler art\u0131k manip\u00fcle edilmi\u015ftir. Sunucuya g\u00f6nderilen verilerin manip\u00fcle edilmesi i\u00e7in BurpSuite<\/a> arac\u0131 kullan\u0131labilir.<\/span><\/div>\n
\u00a0<\/span><\/div>\n
\u00a0<\/span><\/div>\n
\"\"<\/span><\/div>\n
\u00a0<\/span><\/div>\n
\u00a0<\/span><\/div>\n
XML\u0130 ve XEE zaafiyeti ile neler yap\u0131labilir?<\/strong><\/span><\/p>\n
Hedef siteten gelen response a g\u00f6re sistemin passwd<\/strong> dosyas\u0131 listelenebilir, gerekli \u00f6nlem al\u0131nmam\u0131\u015fsa herhangi bir shell<\/strong> y\u00fcklenebilir veya XSS<\/strong> uygulanabilir. Fakat zaafiyetten faydalanabilmek i\u00e7in XML ile gelen k\u00fct\u00fcphanelerin i\u00e7inde entity k\u00fct\u00fcphanesinin<\/strong> dahil edilmesi ve a\u00e7\u0131k olmas\u0131 gerekmektedir.<\/span><\/p>\n
 <\/p>\n
\"asd\"<\/p>\n
 <\/p>\n
XML verisini manip\u00fcle etmek i\u00e7in BurpSuite arac\u0131n\u0131 localhost’ u dinleyecek \u015fekilde a\u00e7\u0131yoruz. Ard\u0131ndan hedef sitenin ( burada Webgoat<\/a> kullan\u0131lm\u0131\u015ft\u0131r ) XML verisi i\u00e7erebilecek alan\u0131na istek yolluyoruz. Bundan sonras\u0131n\u0131 BurpSuite bizim i\u00e7in helledecektir.<\/p>\n
Yakalanan istekte de g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi Content-Type : TEXT\/ XML\u00a0<\/strong>dir. Yani hedefimiz XML ile bir \u015feyler \u00e7eviriyor.<\/p>\n
Ard\u0131ndan iste\u011fe kendi verimizi XML ekleyip forward ediyoruz ve hedefimize bakt\u0131\u011f\u0131m\u0131zda sunucu de\u011fi\u015ftirilmi\u015f iste\u011fi parse edip bize yollayacakt\u0131r.<\/p>\n
 <\/p>\n
\"\"<\/p>\n
 <\/p>\n
\u00d6rnek XML verisi :<\/p>\n
“><reward>XML \u0130njection is success<\/reward>”<\/p>\n
“><username>write script<\/username>”<\/p>\n
 <\/p>\n
XXE ve XML\u0130 Zafiyetine Kar\u015f\u0131 \u00d6nlem Alma<\/strong><\/p>\n
\u00c7al\u0131\u015fma mant\u0131\u011f\u0131na g\u00f6re clientten gelen veriyi sunucumuz parse ediyordu. Burada enjeksiyona u\u011fram\u0131\u015f verimiz de sorunsuz bir \u015fekilde parse edildi fakat server tarafl\u0131 korumada gelen veriyi belirli \u015fartlar ile parse ederek tekrar clienta yollayabiliriz yani “\u00e7ift t\u0131rnak”\u00a0 ve ‘tek t\u0131rnak’\u00a0 karakterini silebiliriz. Fakat bu \u00f6nlem yeterli de\u011fildir \u00e7\u00fcnk\u00fc client taraf\u0131ndan gelen her veriyi \u015f\u00fcpeli olarak tan\u0131mlay\u0131p yeniden d\u00fczenlemek gerekecekdir. \u00d6rnek olarak\u00a0 .NET ile yaz\u0131lm\u0131\u015f bir XML reader kod par\u00e7as\u0131<\/p>\n
XmlReader<\/span> reader<\/span> =<\/span> XmlReader<\/span>.<\/span>Create<\/span>(<\/span>\"deneme.xml\"<\/span>);<\/span>\r\nXPathDocument<\/span> doc<\/span> =<\/span> new<\/span> XPathDocument<\/span>(<\/span>reader<\/span>);<\/span>\r\nXPathNavigator<\/span> nav<\/span> =<\/span> doc<\/span>.<\/span>CreateNavigator<\/span>();<\/span> \r\nstring<\/span> xml<\/span> =<\/span> nav<\/span>.<\/span>InnerXml<\/span>.<\/span>ToString<\/span>();<\/span><\/pre>\n
Kaynaklar<\/p>\n
[2] https:\/\/www.acunetix.com\/blog\/articles\/xml-external-entity-xxe-vulnerabilities\/<\/a><\/p>\n
[3] https:\/\/www.owasp.org<\/a><\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
XML Nedir ? Extensible Markup Language (Geni\u015fletilebilir \u0130\u015faretleme Dili, k\u0131saca XML), hem insanlar hem bilgi i\u015flem sistemleri taraf\u0131ndan kolayca okunabilecek dok\u00fcmanlar olu\u015fturmaya yarayan bir i\u015faretleme dilidir. W3C taraf\u0131ndan tan\u0131mlanm\u0131\u015f bir standartt\u0131r. Bu \u00f6zelli\u011fi ile veri saklaman\u0131n yan\u0131nda farkl\u0131 sistemler aras\u0131nda veri al\u0131\u015fveri\u015fi yapmaya yarayan bir ara format g\u00f6revi de g\u00f6r\u00fcr. SGML’in basitle\u015ftirilmi\u015f bir alt k\u00fcmesidir.[1] …<\/p>\n","protected":false},"author":1,"featured_media":89,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[19,17,20,10,21,22],"_links":{"self":[{"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/posts\/82"}],"collection":[{"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/comments?post=82"}],"version-history":[{"count":16,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/posts\/82\/revisions"}],"predecessor-version":[{"id":386,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/posts\/82\/revisions\/386"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/media\/89"}],"wp:attachment":[{"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/media?parent=82"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/categories?post=82"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/talhacelik.com.tr\/index.php\/wp-json\/wp\/v2\/tags?post=82"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
[1] https:\/\/tr.wikipedia.org\/wiki\/XML<\/a><\/p>\n