Web Security
SQLab 2023
Author: Sean 韋詠祥
About Me

Outline
- php://filter
- X-Forwarded-For
- NginX off-by-slash
- XML External Entity Injection
- Template Injection
- Prototype Pollution
What is the php:// wrapper
- Accessing various I/O streams
- php://stdin, php://stdout, php://stderr
- php://input, php://output
- php://filter
- php://memory, php://temp, php://fd
Parameters of php://filter
- /resource=index.php: the stream to open (required); any other wrapper or local path works here
- /read=string.rot13: filter applied to the read chain
- /read=convert.base64-encode: several filters can be chained with `|`, applied left to right
- /write=zlib.deflate: filter applied to the write chain
Example
php://filter/read=string.rot13/resource=https://sean.cat/
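A worked version of the include() sink this wrapper is usually aimed at, added here as an example rather than taken from the slides or the lab. The script name page.php, the ?page parameter, the pages/ directory and the stand-in source file are assumptions.

```php
<?php
// Added example, not code from the slides or the lab.
// Assumed: a script page.php that includes whatever ?page=... names.

// Vulnerable sink: the user controls the whole argument of include.
//   page.php?page=about.php
//     -> includes and executes about.php
//   page.php?page=php://filter/convert.base64-encode/resource=index.php
//     -> PHP opens index.php through the filter wrapper; the base64 output
//        contains no "<?php" tag, so it is echoed as text instead of being
//        executed, which leaks the source. php://filter on a local resource
//        is not blocked by allow_url_include=Off.
function render_vulnerable(string $page): void
{
    include $page;
}

// Hardened sink: map a short key to a fixed file, never pass user input to include.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function render_safe(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . PAGES[$page];
}

// The same filter chain applied to a stream directly, so the effect can be
// seen from the CLI without a web server. Filters chain with "|" and are
// applied left to right.
function leak(string $path, string $chain = 'convert.base64-encode'): string
{
    return file_get_contents("php://filter/read=$chain/resource=$path");
}

// Constructed stand-in for index.php (assumed content).
$src = tempnam(sys_get_temp_dir(), 'src');
file_put_contents($src, "<?php\n\$db_password = 'hunter2';\n");

$b64 = leak($src);                                     // what the vulnerable page would print
echo base64_decode($b64);                              // original source, <?php tag included
echo leak($src, 'string.rot13|convert.base64-encode'); // chained: rot13 first, then base64
unlink($src);
```

Run it with `php page.php` to see the base64 form and the decoded source side by side; base64 is what makes the leak practical, since a raw include of index.php would execute the file and print nothing useful.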
Lab: My Blog

X-Forwarded-For
How to get user's IP address?
StackOverflow?

And ChatGPT

What are those variables
- $_SERVER['REMOTE_ADDR']: the address of the TCP peer, filled in by the web server; the only value the client cannot fake
- $_SERVER['HTTP_X_FORWARDED_FOR']: the X-Forwarded-For request header; any client can send it with any value
- $_SERVER['HTTP_CLIENT_IP']: the Client-IP request header; likewise attacker-controlled
Lab: Cloud Drive

CF-Connecting-IP
- Set by the Cloudflare CDN to the address it accepted the connection from; only meaningful when the request really arrived through Cloudflare
- NginX: set_real_ip_from (the proxy ranges you trust), real_ip_header (which header to take the client address from)
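The two ways of reading the client address that the StackOverflow and ChatGPT answers differ on, written out in PHP against $_SERVER as an added example (not code from the slides or the lab). The proxy address 10.0.0.2 and the request array are constructed assumptions.

```php
<?php
// Added example, not code from the slides or the lab.
// Assumed: the app sits behind a reverse proxy at 10.0.0.2 that appends the
// peer address to X-Forwarded-For before forwarding.

// Naive version found in many copy-pasted answers: every header here is
// client-controlled, so an IP allowlist or rate limit built on it is trivially
// bypassed by sending Client-IP: 127.0.0.1.
function client_ip_naive(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

// Correct version: REMOTE_ADDR is the only address the TCP peer cannot fake.
// Consult X-Forwarded-For only when that peer is a proxy we trust, and walk the
// list from the right, skipping trusted proxies; the first untrusted address is
// the client. Anything to its left was supplied by the client and is ignored.
function client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;               // direct connection: headers are meaningless
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $chain[] = $peer;
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if ($chain[$i] !== ''
            && !in_array($chain[$i], $trusted_proxies, true)
            && filter_var($chain[$i], FILTER_VALIDATE_IP)) {
            return $chain[$i];
        }
    }
    return $peer;                   // every hop was a trusted proxy
}

// Constructed request: client 203.0.113.7 sends spoofed headers, the proxy
// appends the real peer address to X-Forwarded-For.
$req = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7',
    'HTTP_CLIENT_IP'       => '127.0.0.1',
];
var_dump(client_ip_naive($req));          // string(9) "127.0.0.1"   (spoofed)
var_dump(client_ip($req, ['10.0.0.2']));  // string(11) "203.0.113.7"
```

NginX's set_real_ip_from / real_ip_header do the same walk one layer earlier: set_real_ip_from lists the trusted ranges (Cloudflare's published ranges when the header is CF-Connecting-IP), real_ip_header names the header, and with real_ip_recursive on it walks X-Forwarded-For from the right past the trusted ranges exactly as client_ip() does, so the application then sees a trustworthy REMOTE_ADDR.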
Recap: Path Traversal

NginX Config

Off-by-slash

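The misconfiguration behind the off-by-slash slide, as an added example (not the slides' own NginX config); the location /static and the directory /var/www/static/ are assumptions.

```nginx
# Added example, not the config from the slides or the lab. Assumed paths.

# Vulnerable: the location prefix has no trailing slash but the alias does.
# A request for /static../app/config.php still matches the prefix "/static";
# NginX replaces the matched part with the alias and appends the rest:
#   /var/www/static/ + ../app/config.php  ->  /var/www/app/config.php
# The ".." survives URI normalisation because it is part of the segment "static..".
location /static {
    alias /var/www/static/;
}

# Fixed: end the location with a slash as well, so "/static.." no longer
# matches and only URIs below /static/ reach the alias.
location /static/ {
    alias /var/www/static/;
}
```

A quick check for existing configs: every `location` that uses `alias` should end in `/` if the alias does, and `curl --path-as-is` is needed to send the `/static../` form because curl itself would otherwise normalise it away.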
Lab: Dynamic Pricing

XXE
XML External Entity Injection
XML Syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<article>
<title>My first article!</title>
<summary>This is the first blog post of my life! I am very excited</summary>
</article>
```
XML Custom Entity
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE post [ <!ENTITY title "My first article!" > ]>
<article>
<title>&title;</title>
<summary>This is the first blog post of my life! I am very excited</summary>
</article>
```
XML External Entity
An entity declared with SYSTEM is fetched by the parser from wherever its URL points. It can be a remote URL (the parser makes the request, which also works for SSRF):
```xml
<!DOCTYPE xxe [
<!ENTITY ext SYSTEM "http://cs.sean.cat/" >
]>
```
Or a local file, whose contents replace &ext; wherever the document uses it:
```xml
<!DOCTYPE xxe [
<!ENTITY ext SYSTEM "file:///etc/passwd" >
]>
```
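How this plays out in a PHP import endpoint, as an added example (not the slides' or the lab's code). The SimpleXML-based importer, the stand-in secret file and the payload are assumptions; the file replaces /etc/passwd so the script runs anywhere.

```php
<?php
// Added example, not code from the slides or the lab.
// Assumed: a blog-import endpoint that parses user-supplied XML with SimpleXML.

// Constructed secret file standing in for /etc/passwd.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n");

$payload = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [ <!ENTITY ext SYSTEM "file://$secret"> ]>
<article>
  <title>&ext;</title>
  <summary>imported</summary>
</article>
XML;

// Vulnerable: LIBXML_NOENT tells libxml to substitute entities, which makes it
// fetch SYSTEM entities from disk or the network and inline their contents.
function import_vulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return (string) $doc->title;
}

// Hardened: refuse any document that carries a DOCTYPE at all (no legitimate
// import needs one), never pass LIBXML_NOENT, and add LIBXML_NONET so a DTD
// that slips through cannot reach the network.
function import_safe(string $xml): string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTDs are not accepted');
    }
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new InvalidArgumentException('malformed XML');
    }
    return (string) $doc->title;
}

echo import_vulnerable($payload);    // prints the secret file's contents
try {
    import_safe($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;  // DTDs are not accepted
}
unlink($secret);
```

On PHP 8 external entities are only loaded when the code asks for them with LIBXML_NOENT, so grepping a codebase for that flag (and for libxml_disable_entity_loader(false) on PHP 7) is the fastest way to find XXE sinks; the DOCTYPE check covers the case where the flag is set somewhere you cannot change.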
Lab: Import Blog Post

Slide: https://hackmd.io/@Sean64/sec-sqlab2023
Date: 2023-06-07 (Wed), session time 10:30 - 12:00
- 10:30 Opening
- 10:35 php://filter
- 10:40 Lab: My Blog
- 10:50 X-Forwarded-For
- 10:55 Lab: Cloud Drive
- 11:05 Off-by-slash
- 11:10 Lab: Dynamic Pricing
- 11:20 Lab demo
- 11:25 XXE
- 11:30 Lab: Import Blog Post
- 11:35 SSTI
- 11:45 Lab: WIP
- 11:55 Prototype Pollution
- 12:00 Lunch