WebApp Sec mailing list archives
PHP wrapper question
From: Mark Litchfield <mark () securatary com>
Date: Tue, 18 Feb 2014 12:28:27 -0800
Reaching out for some help / ideas. I have an XXE that works but when processing large files it failsFor example, the below attack will work sending to my instance of Netcat the base64 encoded string of win.ini. A nice POC, but not exactly what I am looking. (We are using base64 to ensure any line feeds are removed or other data that would cause XML processing errors)
<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/host.conf">
It works in this case because the file is less than 2048 bytes, but the following does not as it is likely this file is greater than 2048. I have tried compress.zlib etc, but still getting errors. Anyone got an idea for example making such a request that would enable LIBXML_PARSEHUGE
<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
Any help / advice would be greatly appreciated. -- All the best Mark Litchfield http://www.securatary.com Twitter - http://twitter.com/securatary This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE.Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Current thread:
- PHP wrapper question Mark Litchfield (Feb 18)