Home page logo
/

webappsec logo WebApp Sec mailing list archives

PHP wrapper question
From: Mark Litchfield <mark () securatary com>
Date: Tue, 18 Feb 2014 12:28:27 -0800

Reaching out for some help / ideas.

I have an XXE that works but when processing large files it fails

For example, the below attack will work sending to my instance of Netcat the base64 encoded string of win.ini. A nice POC, but not exactly what I am looking. (We are using base64 to ensure any line feeds are removed or other data that would cause XML processing errors)

<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/host.conf">

It works in this case because the file is less than 2048 bytes, but the following does not as it is likely this file is greater than 2048. I have tried compress.zlib etc, but still getting errors. Anyone got an idea for example making such a request that would enable LIBXML_PARSEHUGE

<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">

Any help / advice would be greatly appreciated.




--
All the best

Mark Litchfield
http://www.securatary.com
Twitter - http://twitter.com/securatary





This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------


  By Date           By Thread  

Current thread:
  • PHP wrapper question Mark Litchfield (Feb 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault