PHP wrapper question

[Mark Litchfield <mark () securatary com>]

Reaching out for some help / ideas.

I have an XXE that works but when processing large files it fails

For example, the below attack will work sending to my instance of Netcat 
the base64 encoded string of win.ini.  A nice POC, but not exactly what 
I am looking.  (We are using base64 to ensure any line feeds are removed 
or other data that would cause XML processing errors)

<!ENTITY % payload SYSTEM 
"php://filter/read=convert.base64-encode/resource=file:///etc/host.conf">

It works in this case because the file is less than 2048 bytes, but the 
following does not as it is likely this file is greater than 2048.  I 
have tried compress.zlib etc, but still getting errors.  Anyone got an 
idea for example making such a request that would enable LIBXML_PARSEHUGE

<!ENTITY % payload SYSTEM 
"php://filter/read=convert.base64-encode/resource=file:///etc/passwd">

Any help / advice would be greatly appreciated.




--
All the best

Mark Litchfield
http://www.securatary.com
Twitter - http://twitter.com/securatary





This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------