Web Application Security
PHP wrapper question Feb 18 2014 08:28PM
Mark Litchfield (mark securatary com)
Reaching out for some help / ideas.

I have an XXE that works but when processing large files it fails

For example, the below attack will work sending to my instance of Netcat
the base64 encoded string of win.ini. A nice POC, but not exactly what
I am looking. (We are using base64 to ensure any line feeds are removed
or other data that would cause XML processing errors)

<!ENTITY % payload SYSTEM
"php://filter/read=convert.base64-encode/resource=file:///etc/host.conf"
>

It works in this case because the file is less than 2048 bytes, but the
following does not as it is likely this file is greater than 2048. I
have tried compress.zlib etc, but still getting errors. Anyone got an
idea for example making such a request that would enable LIBXML_PARSEHUGE

<!ENTITY % payload SYSTEM
"php://filter/read=convert.base64-encode/resource=file:///etc/passwd">

Any help / advice would be greatly appreciated.

--
All the best

Mark Litchfield
http://www.securatary.com
Twitter - http://twitter.com/securatary

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus